Audits that focus on critical controls are more effective than those that do not



Audit is a traditional component of internal control, so it is not surprising that it features in every management system standard as a requirement. Assessment of conformance to such a standard is also carried out by audit.

Audit is an examination of an activity in pursuance of a specific objective by an independent person. But what constitutes an effective audit?

Audit effectiveness

Consider the following graph (right).

This graph depicts risk as the product of FoL and Severity, plotted on logarithmic axes. On the x-axis, a severity of 2 corresponds to £10,000 and 5 corresponds to £10,000,000. On the y-axis, a FoL of 2 corresponds to once a year, and 5 corresponds to several times a day. The green and yellow areas are considered by the organisation to be acceptable risks and the pink and red areas unacceptable. The orange areas are borderline.

The graph shows the estimates of the inherent risk for two events (black squares) and the residual risks (white squares) taking into account the estimated/measured effectiveness of controls.

Now, suppose there are two audits. Both have the objective of determining the organisation’s exposure to risk.

The first audit, Audit A, looked at the controls that were involved with mitigating the right-hand black risk. The audit discovered that there were problems with these controls leading to a reassessment of residual risk that was unacceptable (blue square). The audit makes a single recommendation that reduces the risk back to the value shown by the right-hand white square.

The second audit, Audit B, discovers no real failings with the controls concerned with mitigating the second risk event (left-hand black and white squares). Indeed the reassessment of risk is no different to that given by the original risk assessment. However, the audit makes 20 recommendations.

Which of these two audits is the more effective?

Notwithstanding that there might be some good ideas resulting from Audit B which may lead to efficiencies and improvements in the long run, since the objective of the audit concerns the organisation’s exposure to risk, Audit A is the clear winner. What can therefore be done to ensure that any future audit is likely to be as effective as Audit A?

Control latitude

An answer to this question is to look at the estimates of inherent risk. Those that are furthest away from the regions of acceptable risk are the most dangerous: if their controls do not work, the organisation is exposed to far greater risk than if the controls associated with near-acceptable risks fail. This illustrates, incidentally, why it is important to estimate inherent risk.
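The following is an added worked example, not part of the original article, that puts the graph's scales and the control-latitude argument into code. It uses the axis calibration given above (severity 2 = £10,000, FoL 2 = once a year) and assumes band thresholds, control effectiveness figures and the two events' values, none of which the article states.

```python
import math

# Axis scales from the article: severity 2 = £10,000 and 5 = £10,000,000,
# so severity = log10(loss in £) - 2; FoL 2 = once a year, so FoL = log10(events per year) + 2
# (which puts "several times a day", ~1,000 events a year, near FoL 5).
# The band thresholds below are ASSUMED; the article only names the colours.
ACCEPTABLE_MAX = 4.0    # assumed: annualised loss below £10,000 is green/yellow
UNACCEPTABLE_MIN = 5.0  # assumed: £100,000 a year or more is pink/red; in between is orange

def severity_score(loss_gbp: float) -> float:
    return math.log10(loss_gbp) - 2

def fol_score(events_per_year: float) -> float:
    return math.log10(events_per_year) + 2

def risk_score(loss_gbp: float, events_per_year: float) -> float:
    """Risk as the product of FoL and severity on log axes: the +2/-2 offsets cancel,
    so the score is simply log10 of the annualised loss (frequency x severity)."""
    return fol_score(events_per_year) + severity_score(loss_gbp)

def residual_score(inherent: float, control_effectiveness: float) -> float:
    """Controls that stop a fraction `control_effectiveness` of events move the
    point down the FoL axis by log10(1 - effectiveness)."""
    return inherent + math.log10(1.0 - control_effectiveness)

def band(score: float) -> str:
    if score < ACCEPTABLE_MAX:
        return "acceptable"
    if score < UNACCEPTABLE_MIN:
        return "borderline"
    return "unacceptable"

def required_effectiveness(inherent: float) -> float:
    """Control latitude: the minimum effectiveness that keeps residual risk
    acceptable. 0.0 means the inherent risk is already acceptable."""
    return max(0.0, 1.0 - 10 ** (ACCEPTABLE_MAX - inherent))

def audit_priority(events: dict) -> list:
    """Rank events (name -> (loss_gbp, events_per_year)); least latitude first."""
    needed = {name: required_effectiveness(risk_score(*v)) for name, v in events.items()}
    return sorted(needed, key=needed.get, reverse=True)

if __name__ == "__main__":
    # Constructed figures standing in for the two black squares on the graph.
    events = {"right-hand": (1_000_000, 10), "left-hand": (10_000, 10)}
    for name, (loss, freq) in events.items():
        inherent = risk_score(loss, freq)
        print(f"{name}: inherent {inherent:.1f} ({band(inherent)}), "
              f"controls must be at least {required_effectiveness(inherent):.1%} effective")
    # Audit A's finding, as assumed here: the right-hand controls are 99% effective, not 99.95%.
    print("right-hand residual after the finding:", band(residual_score(7.0, 0.99)))
```

Ranking by `required_effectiveness` is the page's point in code: the right-hand event needs 99.9% effective controls, so a small loss of effectiveness moves it straight into the unacceptable band, whereas the left-hand event tolerates controls that are only 90% effective.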