Dashboards

I've always been a huge fan of dashboards and I'm not talking about in cars.

After all, the only reason the folks in Star Trek can fly all over the universe at breakneck speed is because they can tell you the temperature of cargo bay three at any moment from their seat on the bridge of the ship. When the bad guys start doing something down there, a little beep goes off at their console that lets them know to send expendable guys in red uniforms down to have a look.

So what does that have to do with anything?

When I conduct an audit and find the management has dashboard reports, charts, or whatever in place I know I've got folks who understand controls.

Indeed, I once reviewed a college admissions unit that employed dashboard reports (a combination of charts and numbers) for each of their eight colleges and nearly 100 majors. Each year they projected a trend based on history and computed each college's capacity for new students, and from this knew whether they were ahead or behind at any given moment. Seeing this level of management information, I was hardly surprised when I discovered they received close to 39,000 applicants for only a couple of thousand spots.

The best I've ever seen, outside the USS Enterprise, was the weekly output of the Enterprise Project Management Office (EPMO) at RSA. Each project at work within the US division had a single dashboard page in a “deck” of dashboards. Each, had an inset for planned deliverables over time. Right next to that were actual deliverables and variance. There were insets for budget, for issues, and ultimately a notation whether the EPMO believed the status of the project was red, amber, or green. The amber, as opposed to yellow, designation helped mark us as a British company.

The CIO summoned, each week, the project managers of any projects marked amber or red to explain themselves. It wasn't pleasant, I'm sure, but it was amazingly effective. Through an online repository, as IT Audit Manager, I had access to this entire “deck” and the supporting documentation on each project.

As a result, in terms of my audit opinion, once I audited the workings of the EPMO and found them sound, I could rely on these dashboards. This gave me tremendous amounts of breadth to my opinion, far more than if I tried to send a team of auditors to each project. And, prehaps more importantly, I knew where things were at the same time management did.

More on this in future posts.

Prescott Coleman, CIA, CISA