An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
After identifying deficiencies within the organization's software development life cycle policies, the next logical step is to communicate the observation to the auditee. This allows the auditee the opportunity to address the identified issues and provide their perspective or take corrective action. Once this communication has taken place, the auditor can proceed with documenting the findings in the audit report, ensuring that all necessary information and responses from the auditee are included.
Before issuing an audit report, the auditor works with the auditee to verify the facts of the findings.
D. Communicate the observation to the auditee. Documenting the findings in the audit report is essential, but it should come after communicating the observations to the auditee. The auditee should have an opportunity to respond or take corrective action before the findings are formally documented.
While options such as escalating the situation to the lead auditor (option A) may be necessary in certain circumstances, it's generally advisable to start by communicating the observation to the auditee. This allows the organization to respond to the findings and take appropriate actions promptly.
Prior to issuing an audit report, auditors review the facts of our findings with the auditee.
C makes most sense to me.