I’ve always been a fan of tracking down efforts; it helps me explain why we need money or why our GRC team is still too small to do the job well.
I have kept (using custom fields) what effort is spent on audits, maintenance and reviews for a long time; I can tell you right away:
- what is my total expenditure of time in testing
- what controls take longer, how long they take on average
Same stuff for reviewing risks, policies, etc…
When you start adding up numbers … it is 50% of my bloody time (we still don’t do it well!)
… We’ll include these fields on the forms as standard; they won’t be mandatory but they will be there. If completed, we will be able to provide nice reports on the policy, risk and control section on effort spent doing these activities.