Audits that focus on critical controls are more effective than those that do not

  Concerned about your IMS certification audits — engage IMS-Smart to review your ISMS and assist you to make certification audits a joy to look forward to


Audit is a traditional component of internal control, and it is therefore not surprising that in features in all management system standards as a requirement. Assessment of conformance to such as standard is also dealt with by audit.

Audit is an examination of an activity in pursuance of a specific objective by an independent person. But what constitutes an effective audit?

Audit effectiveness

Consider the following two graphs:

Both graphs depict risk as the product of FoL and Severity logarithmically. On the x-axis, a severity of 2 corresponds to $10,000 and 5 corresponds to $10,000,000. On the y-axis, a FoL of 2 corresponds to one a year, and 5 corresponds to several times a day. The green and blue areas are considered by the organisation to be acceptable risks and the yellow and red areas unacceptable.

The left hand graph shows the estimates of residual risk for two events (black and white) taking into account the estimated/measured effectiveness of controls. The right hand graph shows the reassessment of the same two risks following audits of their respective controls.

Now, suppose there are two audits. Both have the objective of determining the organisation’s exposure to risk.

The first audit, Audit A, looked at the controls that were involved with mitigating the black risk. The audit discovered that there were problems with these controls leading to a reassessment of risk that was unacceptable. The audit makes a single recommendation that reduces the risk to the value shown by the left-down arrow.

The second audit, Audit B, discovers no real failings with the controls concerned with mitigating the white risk. Indeed the reassessment of risk is no different to that given by the original risk assessment. However, the audit makes 20 recommendations.

Which of these two is the more effective audit? Notwithstanding that there might be some good ideas resulting from Audit B which may leads to efficiencies and improvements in the long run, since the objective of the audit concerns the organisation’s exposure to risk, Audit A is the clear winner. What can therefore be done to ensure that any future audit is likely to be as effective as Audit A?

Control latitude

An answer to this question is to look at those risks that are most sensitive to the slightest variation in the effectiveness of their associated controls.

In the above figure, we see the question restated as "how close are we to the border between acceptable and unacceptable risk, taking into account the uncertainties in our estimations". The uncertainty in our estimate of the effectiveness of a control may be very large, but the residual risk is so small as to be unaffected by even the grossest errors in estimation. On the other hand, our estimate of the effectiveness of a control may be extremely precise, but as the risk lies close to the border, the slightest error moves the risk into the region of unacceptability. It is by looking at these risks, and the controls that are associated with them, which will bring the greatest dividends in auditing for exposure to risk.