CISA-JPN Exam Question 241
Which phase of the software development life cycle is the best point at which to initiate a discussion of application controls?
Correct answer: B
The best phase of the software development life cycle in which to initiate the discussion of application controls is the application design phase, when process functionalities are finalized. Application controls are the policies, procedures, and techniques that ensure the completeness, accuracy, validity, and authorization of data input, processing, output, and storage in an application. They help prevent, detect, or correct errors and fraud in software applications. Examples of application controls include input validation, edit checks, reconciliation, encryption, access control, and audit trails.
The application design phase is when the software requirements are translated into a logical and physical design that specifies how the application will look and work. This phase is the best time to discuss application controls because it allows the developers to incorporate them into the design specifications and ensure that they are aligned with the business objectives and user needs. By discussing application controls early in the design phase, the developers can also avoid costly rework or changes later in the development process.
The other phases are less suitable than the application design phase for initiating the discussion of application controls.
A. Business case development phase, when stakeholders are identified. The business case development phase is when the feasibility, scope, objectives, benefits, risks, and costs of a software project are defined and evaluated. This phase is important for obtaining stakeholder approval and support for the project, but it is too early to discuss application controls in detail because the software requirements and functionalities are not yet clear or finalized.
B. User acceptance testing (UAT) phase, when test scenarios are designed. The user acceptance testing phase is when the software is tested by the end users or stakeholders to verify that it meets their expectations and requirements. This phase is too late to discuss application controls because it is near the end of the development process, and any changes or additions to the application controls would require retesting and revalidation of the software.
C. Application coding phase, when algorithms are developed to solve business problems. The application coding phase is when the software design is translated into executable code using programming languages and tools. This phase is not ideal for discussing application controls because it comes after the design phase, and any changes or additions to the application controls would require redesigning and recoding the software.
References:
* ISACA, CISA Review Manual, 27th Edition, 2019, p. 247
* ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
* What Is Application Control? | McAfee
* What Is Application Lifecycle Management? | Red Hat
CISA-JPN Exam Question 242
Which of the following procedures for testing a disaster recovery plan (DRP) is the most effective?
Correct answer: A
CISA-JPN Exam Question 243
Which of the following is the most effective way to help ensure that an organization implements the action plans agreed upon in an IS audit?
Correct answer: C
The most effective way for an organization to help ensure that agreed-upon action plans from an IS audit will be implemented is to ensure that ownership is assigned. This means that the management of the audited area accepts responsibility for implementing the action plans and reports on their progress and completion to the audit committee or senior management. This ensures accountability, commitment, and follow-up for the audit recommendations.
References:
* CISA Review Manual (Digital Version), Chapter 1: The Process of Auditing Information Systems, Section 1.6: Reporting, page 41
* CISA Online Review Course, Module 1: The Process of Auditing Information Systems, Lesson 1.6: Reporting
CISA-JPN Exam Question 244
Which of the following would be of greatest concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware?
Correct answer: C
Answer C is correct because preventive maintenance being outsourced to multiple vendors without requiring nondisclosure agreements (NDAs) would be of greatest concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware. Outsourcing preventive maintenance to multiple vendors without NDAs exposes the organization to the risk of unauthorized access, disclosure, or modification of sensitive data and information stored on the servers. NDAs are legal contracts that bind the vendors to protect the confidentiality and security of the data and information they access or handle during preventive maintenance. Without NDAs, the vendors may have no obligation or incentive to safeguard the data and information, and they may misuse, leak, or compromise it for malicious or commercial purposes. This could result in financial losses, reputational damage, legal liabilities, or regulatory penalties for the organization.
The other options are not as concerning as option C. Preventive maintenance costs exceeding the business-allocated budget (option A) is a financial issue that may affect the profitability or efficiency of the organization, but it does not directly impact the security or availability of the server hardware. Preventive maintenance not having been approved by the information system (option B) is a procedural issue that may indicate a lack of coordination or communication between the IT department and the business units, but it does not necessarily affect the quality or effectiveness of the preventive maintenance. The preventive maintenance schedule being based on mean time between failures (MTBF) parameters (option D) is a technical issue that may influence the frequency or timing of the preventive maintenance, but it does not imply any risk or deficiency in the preventive maintenance itself.
CISA-JPN Exam Question 245
During an ongoing audit, management requests an explanation of the findings to date. Which of the following is the IS auditor's best course of action?
Correct answer: D
The IS auditor's best course of action in this situation is to present observations for discussion only.
Observations are factual statements or findings based on the audit evidence collected and analyzed during the audit. They can be presented to management for discussion and feedback, but they should not be treated as final conclusions or recommendations until the audit is completed and the audit report is issued. The other options are not appropriate for presenting the findings to date, as they may compromise the quality or integrity of the audit. Reviewing working papers with the auditee is not advisable, because working papers are confidential documents containing the auditor's notes, calculations, and opinions, which may not be relevant or accurate for management's review. Requesting that the auditee provide management responses is premature, because management responses should be obtained after the audit report is issued and the findings and recommendations are finalized. Requesting that management wait until a final report is ready for discussion is impractical, because management may have a legitimate interest in or need to know the audit progress and results as soon as possible.
References: CISA Review Manual (Digital Version), Chapter 2, Section 2.3