PrepAway - Latest Free Exam Questions & Answers

The appropriate response of the IS auditor would be to:

An IS auditor invited to a development project meeting notes that no project risks have been
documented. When the IS auditor raises this issue, the project manager responds that it is too early
to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The
appropriate response of the IS auditor would be to:

A.
stress the importance of spending time at this point in the project to consider and document risks,
and to develop contingency plans.

B.
accept the project manager’s position as the project manager is accountable for the outcome of the
project.

C.
offer to work with the risk manager when one is appointed.

D.
inform the project manager that the IS auditor will conduct a review of the risks at the completion of
the requirements definition phase of the project.

Explanation:
The majority of project risks can typically be identified before a project begins, allowing
mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear
link back to corporate strategy and tactical plans to support this strategy. The process of setting
corporate strategy, setting objectives and developing tactical plans should include the
consideration of risks. Appointing a risk manager is a good practice but waiting until the project has
been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks
to evolve into issues that adversely impact the project represents a failure of risk management.
With or without a risk manager, persons within and outside of the project team need to be consulted
and encouraged to comment when they believe new risks have emerged or risk priorities have
changed. The IS auditor has an obligation to the project sponsor and the organization to advise on
appropriate project management practices. Waiting for the possible appointment of a risk manager
represents an unnecessary and dangerous delay to implementing risk management.

