Exam CISA
Question 1149

Halfway through an enterprise-wide project to implement business solutions, an IS auditor is called in to do a project risk evaluation. The results from this audit are to be communicated directly to the project steering committee. What should the auditor do FIRST?

Correct Answer: D

When an IS auditor is called in to perform a project risk evaluation, the first step should be to perform a risk assessment of the project based on best practices. This approach identifies potential risks that can impact the project and sets the scope for further investigation. Understanding these risks early allows the auditor to prioritize areas needing immediate attention and helps in communicating specific concerns to the project steering committee.

Discussion
Rachy, Option: C

Firstly, review the project management framework to understand the methodologies being used to carry out the project.

Swallows, Option: B

While reviewing the project management framework is important, it is not the first step. Priority should be given to gathering information focusing on the specific status, progress and risks of the project.