Testing is completed by IT support users without input from end users should be of most concern to a risk practitioner reviewing the system development life cycle (SDLC). This is because testing without input from end users can result in poor quality, usability, and functionality of the system, as well as increased errors, defects, and rework. Testing without input from end users can also lead to user dissatisfaction, resistance, and non-compliance, as well as misalignment with the business requirements and objectives. According to the CRISC Review Manual 2022, one of the key risk identification techniques for IT projects is to involve the end users and other relevant parties in the testing process1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, testing without input from end users is the correct answer to this question2.

Testing in phases, overriding segregation of duties controls, and using data anonymization are not the most concerning issues for a risk practitioner reviewing the SDLC. These are possible practices or techniques that can be used in the testing process, but they do not necessarily pose significant risks or problems. Testing in phases can help ensure that the system meets the technical and functional specifications, as well as the user acceptance criteria, at each stage of the development. Overriding segregation of duties controls can be justified and authorized during the testing phases, as long as the controls are restored and verified before the system goes live. Using data anonymization can help protect the privacy and security of the data used in the testing process, as well as comply with the relevant regulations and standards.