The first thing you captured was essentially that whole question of the risk, the risk to security, the risk to resources, and those types of things.
Yes, that's fundamentally something we're looking at, but we also make an assessment of what the controls are around that. Sometimes we may look at something that is inherently risky, a risky activity such as national defence. Things that the military does are inherently risky, but if we look at something National Defence does, we could say they seem to have adequate controls around it. They have ways of minimizing, or managing, or dealing with that risk, and we think that they're probably doing a good job of that.
We might say that even though that's a risky area, the controls look all right. We might look at something that is maybe a little less risky but where the controls are not there, because we think that means the end impact is not as good as it needs to be.
We will do that additional thing and not just look at the risks, but also look at the types of controls that are in place. We always try to make sure when we're making recommendations at the end that they are things that can be implemented.
Throughout my career I've been on both the giving and receiving ends of Auditor General recommendations. I think I understand the importance of being able to go to a department and say, “You need to do these things.” The department can look at us and say, “Yes, we agree that we need to do them and it's doable.”