An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?
Violates segregation of duties.
Why this answer
Developers having direct production database access violates the principle of segregation of duties and poses a significant risk of unauthorized data modification, deletion, or exfiltration. In a well-controlled SDLC, production access should be restricted to operations or DBA teams, with changes promoted through automated deployment pipelines. This finding directly undermines data integrity and confidentiality controls.
Exam trap
The trap here is that candidates may seize on local development environments or monthly test data refreshes as the risky finding, while overlooking the critical segregation of duties violation inherent in granting developers direct production database access.
How to eliminate wrong answers
Option A is wrong because refreshing test data from production monthly is a common practice to ensure test environments reflect realistic data, though it requires proper masking to protect sensitive information. Option B is wrong because developers using local development environments is standard for coding and unit testing, as long as code is version-controlled and integrated into a shared repository. Option D is wrong because code reviews performed by senior developers are a positive control that helps identify defects and security vulnerabilities before deployment.