Quote of the Weak: We Have a Plan to Address that Risk

As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.

It means that the risk isn’t as big as it appears.

Really?

When I hear this from the business, I ask the following questions:

  • Who can provide me with a project plan that shows the main objectives and the milestone dates?
  • Who is the project sponsor and has funding been allocated?
  • Who is the project leader and who are the project team members?
  • What parts of the project have been completed so far, and how do those items affect the risk?

Only once when I have asked these questions have I received answers (I’m talking over a 10-year period). Usually I get a blank stare or an “I’ll get back to you on that”.

The one time I actually received answers, when I reviewed the project plan and main objectives, I noted that:

  • The project included only phase 1 of a 2-phase project.
  • The project did not include all required products; I was told that enhancing the 2 other products was the responsibility of another team.
  • The targeted completion of phase 1 was over a year away; phase 2 did not have a project plan, sponsor, funding, or team.
  • The main objectives of phases 1 and 2, even if accomplished, did not address ALL of the identified risk.
  • None of the completed items to-date changed the risk.

So when you are told that a plan/project is in place, obtain and review the information carefully, and determine how the risk has been impacted to-date.

Remind the business that a plan or even a project doesn’t change the risk – it’s similar to how a speed limit sign identifies the fastest speed you SHOULD go under IDEAL conditions, but it does NOT control your speed.

Usually, until a project is fully implemented, the risk doesn’t change.

So go ahead and create an audit issue for that risk!


Filed under Audit, Case Files, Humor/Irony, Quote of the Weak, Security
