Certified Information Systems Auditor (CISA) — Question 926

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Answer options

• A. Escalate the situation to the lead auditor.
• B. Identify who approved the policies.
• C. Document the findings in the audit report.
• D. Communicate the observation to the auditee.

Correct answer: D

Explanation

The correct step is to communicate the observation to the auditee, as it allows for immediate awareness and potential corrective action. Escalating to the lead auditor, identifying who approved the policies, or documenting findings are important, but they should occur after the auditee is informed to ensure transparency and collaboration in addressing the deficiencies.