Earlier, the need for system audit trails was discussed. Those audit
trails are useful only if management regularly reviews exception items
or unusual activities. Irregularities should be researched and action
taken when merited. Similarly, all information-related losses and
incidents should be investigated.
A positive benefit of an effective monitoring process is an increased understanding of the degree of information-related risk in agency operations. Without an ongoing feedback process, management may unknowingly accept too much risk. Prudent decisions about trade-off between efficiency and control can only be made with a clear understanding of the degree of inherent risk. Every manager should ask questions and periodically review operations to judge whether changes in the environment have introduced new risk, and to ensure that controls are working effectively.