A company is using an agile development methodology for a critical business application. The IS auditor is concerned about the lack of formal documentation. What is the BEST approach to mitigate this risk?
This balances agile flexibility with audit requirements.
Why this answer
Option D is the best approach because it balances agile principles with the need for auditability. In agile, lightweight documentation (e.g., architecture decision records, user story acceptance criteria) captures key decisions and changes without the overhead of full waterfall documentation. This mitigates the risk of knowledge loss while preserving the team's velocity.
Exam trap
The trap here is that candidates may confuse agile's 'working software over comprehensive documentation' with 'no documentation at all,' leading them to choose Option B, while the correct answer recognizes that lightweight documentation is both agile-compliant and risk-mitigating.
How to eliminate wrong answers
Option A is wrong because forcing a switch to waterfall would disrupt the existing agile workflow, likely causing delays and team resistance, and is not a proportionate response to a documentation gap. Option B is wrong because accepting the lack of documentation ignores the auditor's responsibility to ensure that critical business applications have sufficient records for maintenance, compliance, and knowledge transfer; agile emphasizes working software but does not prohibit necessary documentation. Option C is wrong because code review, while valuable for quality, does not capture design decisions, rationale, or change history that documentation provides; it is a complementary practice, not a substitute for documentation.