WhoM to AUDiT?

we're often told monitor how our stakeholders manage their security and risk, but how do you know whom to target for an audit? 

A risk or security audit is an unusual investigation into how an actor is managing risk or security. Most standard processes of risk management do not specify how an audit is supposed to be achieved, even though most standards imply that monitoring and reviewing includes a prescription to audit where and when necessary.

But how do we know where and when an audit is necessary? In practice, most audits are investigative after an issue has emerged, too late to prevent the issue. Preferable would have been to audit the offending organization before the issue, to identify where its risk or security management is failing, correct the failing, and thereby prevent the issue ever arising.

Yet issues usually arise before an audit is prompted. For instance, in 2009, the United Nations High Commissioner for Refugees (UNHCR) deployed 17 staff to Pakistan, but on June 9, three staff were killed by a bombing of a hotel, after which another was abducted for 2 months. Later that year, the UN Office of Internal Oversight carried out the first audit of UNHCR’s security management; it recommended personnel with better training in assessment, improved operational strategies, and more integration of security management into preparedness and response activities.

So one prompt for an audit is when an unacceptable issue arises. Before any issue arises, you could choose to audit one of your stakeholders periodically. An easy way to decide which to prioritize for an audit is to search for the actor:

​1. whose compliance with the standards of security or risk management has been most tardy, incomplete, or delinquent,
2. were least responsive or cooperative with reviews or monitors,
3. revealed noncompliance during reviews or monitors,
4. were audited least recently,
5. that hold more risks or greater total risk than the average peer,
6. that have experienced more than an average number of negative events, or
7. some event has revealed the organization’s poor management of security or risk. 

practical skills and applied knowledge in Security, defense, and risk management