Question 1082 - CISA discussion

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

A. Document the findings in the audit report.
B. Identify who approved the policies.
C. Escalate the situation to the lead auditor.
D. Communicate the observation to the auditee.
Suggested answer: D

Explanation:

An IS auditor has identified deficiencies within the organization's software development life cycle (SDLC) policies. The SDLC is the process of planning, developing, testing, and deploying software applications [1]. SDLC policies are the guidelines and standards that govern the SDLC process and ensure its quality, security, and compliance [2]. Deficiencies in SDLC policies can lead to various risks, such as:

Software errors, bugs, or vulnerabilities that can affect the functionality, reliability, or security of the applications [3]

Software failures, delays, or overruns that can affect the delivery, performance, or customer satisfaction of the applications [3]

Software non-compliance that can result in legal, regulatory, or contractual violations or penalties [3]

The next step for the IS auditor after identifying deficiencies in SDLC policies is to communicate the observation to the auditee. The auditee is the person or entity that is subject to the audit and is responsible for the area being audited [4]. In this case, the auditee could be the software development manager, the project manager, or the senior management of the organization. Communicating the observation to the auditee is important for several reasons:

It allows the IS auditor to verify the accuracy and validity of the observation and to gather additional evidence or information from the auditee [4]

It gives the auditee an opportunity to respond to the observation and provide their perspective, explanation, or justification for the deficiencies [4]

It enables the IS auditor to discuss with the auditee the potential impact, root cause, and remediation plan for the deficiencies [4]

It fosters a collaborative and constructive relationship between the IS auditor and the auditee and promotes transparency and accountability in the audit process [4]

The other options are less appropriate than communicating the observation to the auditee. Documenting the findings in the audit report (A) is a later step, performed after the observation has been discussed with the auditee and finalized. Identifying who approved the policies (B) does not help address the deficiencies and may imply blame or fault on a specific person or group. Escalating the situation to the lead auditor (C) is not necessary unless there is a serious disagreement or conflict with the auditee that cannot be resolved through normal communication. Therefore, option D is the correct answer.

[1] What Is The Software Development Life Cycle? | PagerDuty

[2] Software Development Life Cycle (SDLC) Policy | StrongDM

[3] What Is SDLC? Best Phases, Methodologies, and Benefits Revealed - Kellton

[4] Communicating Audit Findings

asked 18/09/2024
Jay Chua