The project development life cycle is something that many CISA students struggle with. I have developed a question below that will help you understand this concept.
Ransom’s Question on 19/03/2017 – Project Development life cycle
During a project development team meeting, an IS auditor notes that there is no documented project risk. The IS auditor raises the issue in the team meeting, and the project manager advises that it is too early to know what the risks are and that they therefore cannot be identified with certainty. The project manager adds that a risk manager will be hired if it is established that risks are affecting the delivery of the project objectives. What would be the most appropriate response of the IS auditor?
Select an answer:
A – stress the importance of spending time at this point in the project to identify and document risk, and to develop contingency plans.
B – accept the project manager’s view since he is ultimately accountable for the outcome of the project.
C – offer to assist the risk manager when one is appointed to identify the project risks.
D – inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
Let us apply the K-E-C approach in answering this question.
Please note that the K-E-C approach is as follows:
K = Keyword, phrase or stem of the question
E = Eliminate two incorrect options
C = Choose the best answer from the remaining two options, linking the answer back to the Key (K).
So let us approach this question.
K = Key – The key phrase here is “appropriate response”. The question is about how the IS auditor should persuade the project manager to consider risks at an early stage of the project. It is easier to answer if you have a good grasp of the project development life cycle.
Below I have drawn a simplified project cycle that will help you understand the various stages and the tasks involved in each. There are five stages in a project cycle, namely (1) Initiation, (2) Planning, (3) Execution, (4) Monitoring and control, and (5) Close. Risk identification belongs in the Initiation and Planning stages, before Execution begins. See the illustration below:
E = Eliminate two options – If we go through the options above, we can easily eliminate answers B and C. Option B says the IS auditor should accept the project manager’s view since he is ultimately accountable for the outcome of the project. The project manager’s view is that “it was too early to know what the risks are and thus they couldn’t be identified with certainty“. That view is ill-advised: appointing a risk manager only after risks have already affected the project means the organisation bears the impact before any response is in place. The project manager’s accountability for the outcome does not relieve the IS auditor of the duty to raise the concern. Moreover, most project risks can be identified from the project’s scope and objectives alone; they do not require a detailed understanding of the solution to be recognised.
Option C says the IS auditor should “offer to assist the risk manager when one is appointed to identify the project risks“. A good IS auditor should facilitate the risk identification process but should not work alongside the risk manager in developing the project risks. Doing so would infringe on the independence and objectivity of the IS auditor, since the IS auditor will later need to audit the risk management process. Additionally, the IS auditor should not wait for a risk manager to be appointed after the organisation has already suffered damage from its risk exposures.
C = Choose the correct answer that lines up with the KEY – We are thus left with options A and D. Option D says “inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project“. This is a reasonable step, but it is not the most appropriate response: notifying the project manager of a future audit does not help the team identify risks now, at the start of the project, and a review after requirements definition would come too late to influence the planning stage.
The correct answer is thus A – to “stress the importance of spending time at this point in the project to identify and document risk, and to develop contingency plans”.
It agrees with the “key” to this question, which required us to select the appropriate response. Risk management needs to be forward-looking, and the IS auditor has a responsibility to the project sponsors to advise on appropriate project management processes. Postponing the risk management component of a project until a risk manager is hired creates a dangerous delay that may impact the organisation.