An IS auditor has identified deficiencies within the organization's software development life cycle (SDLC) policies. The SDLC is the process of planning, developing, testing, and deploying software applications1. SDLC policies are the guidelines and standards that govern the SDLC process and ensure its quality, security, and compliance2. Deficiencies in SDLC policies can lead to various risks, such as:
Software errors, bugs, or vulnerabilities that can affect the functionality, reliability, or security of the applications3 Software failures, delays, or overruns that can affect the delivery, performance, or customer satisfaction of the applications3 Software non-compliance that can result in legal, regulatory, or contractual violations or penalties3 The next step that the IS auditor should do after identifying deficiencies in SDLC policies is to communicate the observation to the auditee. The auditee is the person or entity that is subject to the audit and is responsible for the area being audited4. In this case, the auditee could be the software development manager, the project manager, or the senior management of the organization. Communicating the observation to the auditee is important for several reasons:
It allows the IS auditor to verify the accuracy and validity of the observation and gather additional evidence or information from the auditee4 It gives the auditee an opportunity to respond to the observation and provide their perspective, explanation, or justification for the deficiencies4 It enables the IS auditor to discuss with the auditee the potential impact, root cause, and remediation plan for the deficiencies4 It fosters a collaborative and constructive relationship between the IS auditor and the auditee and promotes transparency and accountability in the audit process4 The other options are not as appropriate as communicating the observation to the auditee. Documenting the findings in the audit report is a later stepthat should be done after communicating with the auditee and finalizing the observation. Identifying who approved the policies is not relevant for addressing the deficiencies and may imply blame or fault on a specific person or group. Escalating the situation to the lead auditor is not necessary unless there is a serious disagreement or conflict with the auditee that cannot be resolved by normal communication. Therefore, option D is the correct answer.
References:
What Is The Software Development Life Cycle? | PagerDuty
Software Development Life Cycle (SDLC) Policy | StrongDM
What Is SDLC? Best Phases, Methodologies, and Benefits Revealed - Kellton Communicating Audit Findings

The audit charter is the document that defines the purpose, authority and responsibility of the IS audit function. It provides IS audit professionals with the best source of direction for performing audit functions, as it establishes the scope, objectives, reporting lines, independence, accountability and resources of the IS audit function. The IT steering committee is a governance body that oversees the strategic alignment, prioritization and direction of IT initiatives, but it does not provide specific guidance for IS audit functions. The information security policy is a document that defines the rules and principles for protecting information assets in the organization, but it does not cover all aspects of IS audit functions. Audit best practices are general guidelines and recommendations for conducting effective and efficient audits, but they are not binding or authoritative sources of direction for IS audit functions. References: CISA Review Manual (Digital Version) 1, Chapter 1: Information Systems Auditing Process, Section 1.1: Audit Charter.

When operational management informs the IS auditor that recent organizational changes have addressed previously identified risks and implementing the action plan is no longer necessary, the IS auditor should accept management's assertion and report that the risks have been addressed. However, it is essential to document this communication and ensure that there is evidence supporting management's claim. If there are any doubts or concerns, further investigation may be necessary. The auditor should not assume new risks without proper assessment or evidence1. References: 1(https://www.isaca.org/resources/isaca-journal/issues
/2016/volume-6/enhancing-the-audit-follow-up-process-using-cobit-5)