Quote of the Weak: We Have a Plan to Address that Risk

As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.

It means that the risk isn’t as big as it appears.

Really?

When I hear this from the business, I ask the following questions:

  • Who can provide me with a project plan that shows the main objectives and the milestone dates?
  • Who is the project sponsor and has funding been allocated?
  • Who is the project leader and who are the project team members?
  • What parts of the project have been completed so far, and how do those items affect the risk?

Only once when I have asked these questions have I received answers (I’m taking over a 10-year period). Usually I get a blank stare or a “I’ll get back to you on that”.

The one time I actually received answers, when I reviewed the project plan and main objectives, I noted that:

  • The project included only phase 1 of a 2-phase project.
  • The project did not include all required products; I was told that enhancing the 2 other products were the responsibility of another team.
  • The targeted completion of phase 1 was over a year away; phase 2 did not have a project plan, sponsor, funding, or team.
  • The main objectives of phase 1 and 2, even if accomplished, did not address ALL of the identified risk.
  • None of the completed items to-date changed the risk.

So when you are told that a plan/project is in place, obtain and review the information carefully, and determine how the risk has been impacted to-date.

Remind the business that a plan or even a project doesn’t change the risk – it’s similar to how a speed limit sign identifies the fastest speed you SHOULD go under IDEAL conditions, but it does NOT control your speed.

Usually, until a project is fully implemented, the risk doesn’t change.

So go ahead and create an audit issue for that risk!

Leave a comment

Filed under Audit, Case Files, Humor/Irony, Quote of the Weak, Security

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.