How do auditors test process drift before failure?

author: Verified Expert

• Related article: cia-process-break-early-warning-controls-map
• Related question-bank placeholders: ["early-warning-kri-selection", "handoff-backlog-monitoring"]
• Question: How do auditors test process drift before failure?
• Question detail:
• If a process has not failed yet, what can internal audit actually test without overreacting?
• Answer:
• Internal audit can test leading indicators rather than waiting for a confirmed failure. Useful procedures include trending exception volume, reviewing backlog aging, selecting manual-workaround samples, comparing handoff logs to completion evidence, interviewing new control owners, and inspecting whether repeated exceptions receive root-cause action.
• Suppose an access review is completed every quarter, but 38% of access decisions are marked "follow up later." The audit issue is not only whether the review happened. The auditor should test whether follow-up items were resolved, whether aging is monitored, and whether unresolved items create inappropriate access risk.
• The key is proportionality. If the signal is isolated, monitoring may be enough. If the signal is repeated, unowned, or tied to a high-risk process, it can justify expanded testing or a finding about control design, monitoring, or ownership.