Showing Insufficient Deviations to Support Comprehensive Testing

This one is tricky and by its nature highly controversial, deviations are not bad things when handled correctly they are a legitimate part of any system testing and should not be looked upon as bad work by the analyst.
When an auditor assesses a system, they will rely on years of experience validating the same types of systems, (even sometimes the same systems). It is the “sick gut feel” the auditor gets when looking at an application of over 2 million lines of code and only finds five documented Deviations. In a system of that size and complexity, unless the system was developed and debugged according to Military Standards, there aren’t enough Deviations to show a thorough Validation Testing effort.