Intellectual Position
Governance risk is structural.
It arises when system complexity, organizational growth, and decision velocity exceed the capacity of oversight architecture to absorb them.
Audit begins from first principles:
- What decisions are being made?
- Where does the authority for those decisions reside?
- What evidence supports reliability?
- How does risk propagate through the business systems?
- Would governance remain robust under stress?
The objective is not to confirm that processes exist. It is to evaluate the structural sufficiency of governance, controls, and processes.
Analytical Rigor
Risk is probabilistic.
Governance decisions implicitly assume relations between threat probability, control effectiveness, and business impact. Audit makes those assumptions explicit where risk materially affects governance decisions.
Risk exposure is examined using structured reasoning that typically includes:
- Probability of threat materialization
- Effectiveness of preventive and compensating controls
- Magnitude of business impact
- Expected loss under plausible failure conditions
In simplified form:
Risk exposure ≈ probability × control weakness × impact
This formulation disciplines judgment. Uncertainty in each of the terms prevents mechanical precision.
Quantification of risk clarifies exposure, but it does not determine remediation cost.
The cost of strengthening a control, redesigning a process, or reducing business impact is a separate quantity, derived from managerial inputs. Remediation economics cannot be determined from exposure magnitude alone.
Risk Quantification and Risk Ranking
Risk quantification evaluates exposure, which can materially affect governance outcomes.
In contrast, risk ranking supports decision order.
No organization can eliminate all risk. Governance requires prioritization. Findings are therefore structured to support ranking based on:
- Magnitude of exposure
- Structural fragility
- Concentration risk
- Escalation failure potential
- Feasibility of mitigation
Some risks are best mitigated through stronger controls.
Some are best reduced through impact limitation.
Some may be transferred.
Some may be consciously accepted.
Ranking clarifies where management effort most reliably produces structural improvement.
The objective is not certainty. It is allocation of attention proportionate to its effect.
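The exposure formula above and the ranking discussion can be made concrete with a small worked example. The following Python is an added illustration, not part of the original text or the firm's own tooling: the four findings, their probabilities, control-weakness scores, impacts and remediation costs are constructed values chosen only to show how the terms interact. It computes exposure as probability × control weakness × impact, ranks findings by exposure, and then shows that a separate managerial input (remediation cost) produces a different order, which is the point that exposure magnitude alone does not determine remediation economics. It also carries the uncertainty caveat through as an interval on each term.

```python
"""Worked example of exposure-based risk ranking (added illustration).

All findings and figures below are constructed for demonstration; none come
from an actual audit. Impacts and costs are in arbitrary currency units.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    probability: float       # annual likelihood the threat materializes, 0..1
    control_weakness: float  # 0 = control fully effective, 1 = no effective control
    impact: float            # business impact if the threat materializes
    remediation_cost: float  # managerial input, independent of the exposure terms


def exposure(f: Finding) -> float:
    """Risk exposure ≈ probability × control weakness × impact (expected loss)."""
    return f.probability * f.control_weakness * f.impact


def exposure_interval(f: Finding, spread: float) -> Tuple[float, float]:
    """Low/high exposure when each term is only known to within ±spread (relative).

    All terms are non-negative, so the product of the lower bounds is the
    minimum and the product of the upper bounds is the maximum. Probability and
    control weakness are clamped to [0, 1]. This is what "uncertainty in each
    term prevents mechanical precision" looks like numerically.
    """
    lo_p, hi_p = max(0.0, f.probability * (1 - spread)), min(1.0, f.probability * (1 + spread))
    lo_w, hi_w = max(0.0, f.control_weakness * (1 - spread)), min(1.0, f.control_weakness * (1 + spread))
    lo_i, hi_i = f.impact * (1 - spread), f.impact * (1 + spread)
    return lo_p * lo_w * lo_i, hi_p * hi_w * hi_i


def rank_by_exposure(findings: List[Finding]) -> List[str]:
    """Decision order by magnitude of exposure alone (largest first)."""
    return [f.name for f in sorted(findings, key=exposure, reverse=True)]


def rank_by_exposure_per_cost(findings: List[Finding]) -> List[str]:
    """Decision order by exposure removed per unit of remediation cost.

    Assumes remediation fully closes the finding; the cost figure is a
    managerial input that the exposure terms say nothing about.
    """
    return [f.name for f in sorted(findings,
                                   key=lambda f: exposure(f) / f.remediation_cost,
                                   reverse=True)]


# Constructed sample findings (hypothetical names and figures).
CONSTRUCTED_FINDINGS = [
    Finding("Shared admin account on core ledger",        0.30, 0.9, 2_000_000,  50_000),
    Finding("Untested backup restore for HR system",      0.10, 1.0, 1_500_000,  20_000),
    Finding("Change approvals recorded after deployment", 0.50, 0.6,   200_000,   5_000),
    Finding("Single vendor for payment gateway",          0.05, 0.8, 5_000_000, 800_000),
]


if __name__ == "__main__":
    for f in CONSTRUCTED_FINDINGS:
        lo, hi = exposure_interval(f, 0.25)
        print(f"{f.name:45s} exposure={exposure(f):>10,.0f}  range=[{lo:,.0f}, {hi:,.0f}]")
    print("By exposure:         ", rank_by_exposure(CONSTRUCTED_FINDINGS))
    print("By exposure per cost:", rank_by_exposure_per_cost(CONSTRUCTED_FINDINGS))
```

With these constructed figures the shared admin account ranks first on exposure (540,000) while the change-approval finding, with the smallest exposure (60,000), ranks first once remediation cost is brought in, and the single-vendor finding drops to last on the per-cost view despite the second-largest exposure. The 25 % interval on each term spans roughly a factor of four between the low and high estimates, which is why the text treats the formula as a discipline on judgment rather than a precise measurement.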
Evaluation Model
Audit proceeds through structured stages.
- Identification of formal governance structures
- Testing alignment between documentation and operational reality
- Evaluation of control design
- Assessment of operating effectiveness
- Identification of fragility, dependency, and escalation failure points
Recognized control frameworks may be referenced for specific categories of structures, controls, and risks. Frameworks are reference tools, not substitutes for judgment.
The central question remains “Is this sufficient to its purpose?”, not “Does this conform to a checklist?”
Evidence Discipline
Conclusions are evidence-based.
Evidence can include:
- Governance documentation
- System configuration artifacts
- Access and change records
- Interview testimony evaluated against documentation
- Observed system behavior
Assertions are corroborated before acceptance. Documentation is validated against operational reality before acceptance.
Reporting Philosophy
Findings are communicated in structured, board-ready form. This means business language, for a knowledgeable audience, backed by evidence.
Each audit finding addresses:
- Condition
- Risk implication
- Structural consequence
- Severity classification
Recommendations are in the form of governance and control objectives. Specific technologies or vendors are not recommended. Audit is not remediation consultation. (It Runs on Data does not offer post-audit consultations.)
The purpose of reporting is clarity, not volume.
Independence in Practice
Audit is structurally separated from implementation and operational roles.
Evaluation and reporting remain independent. Management determines remediation pathways.
This separation protects objectivity and ensures that incentives, such as consulting on remediation, do not influence findings.
Engagement Discipline
Scope, reporting line, and deliverables are defined in writing at engagement outset.
Confidentiality and data handling protocols are formalized in advance.