I often visit shops and am specifically asked to "circumvent our triggers" so we can find the holes before our developers do. Most organizations call on ABS to do this as a final check and assume that they are "mostly safe" and that heir policy will not be easily circumvented. Most are surprised when the “audit” only takes 2-3 minutes (of the 8 hours they allocated) before they are circumvented.

Rarely does an organization pass the "audit" if I’m on the audit team and no team yet has failed an audit if I was on the "pre-audit" team. At long last I have finally agreed to put some of the techniques I use to circumvent policy to print. Not to make the job of every ClearCase CM person harder, but make them aware of where the holes could exist in their policy so they can make safer triggers and know that those policies that they painstakingly put in place are actually being executed and not circumvented at critical times by one or more developers. Of course this is written from the security standpoint. In some shops this kind of security is not needed and performance is a higher priority. ...(more)...

--- Read the whole FAQ article here.