What’s so interesting about risk and control?
Risk and control are what make auditors of all persuasions tick … like cartoon bombs. The independent eye can often see risks in a situation that those intimately involved with it either cannot see or cannot face. With training and experience, auditors come to appreciate that risk is not a purely theoretical concept – bad things really do happen sometimes. This is what gives auditors a bad name. If an auditor sees a boy taking his first tentative ride on a new bicycle, he sees the potential for grazed knees. The boy's father sees a supreme athlete. His mother sees her little boy leaving home. This sense of perspective and foreboding is what distinguishes a good auditor, or indeed an information security professional, from a cynic. It gives auditors something in common with insurance salesmen, weather forecasters and soothsayers. IT auditors genuinely believe that the lottery is simply a tax on the numerically-challenged.

Controls help to minimise risks. The insurance man expects his client