Single Significant Case
The first class of purposeful sampling methods includes methods where just one example is enough to provide the evidence necessary to make a reliable conclusion. In an audit environment, these critical case situations can be used to exemplify how a weakness in a control can be exploited or to give a first-hand account from an auditee’s perspective.
Types of single case sampling methods include:
- Index case: The first documented case to manifest a phenomenon
- Critical case: A case that allows for logical generalization to other situations
- High-impact case: A case that resulted in a larger than normal level of material impact
- Self-study: An examination of one’s own experience when subjected to a process, program, or service
- Teaching case: A well-documented case study that provides a revealing perspective on the topic
- Exemplar case: An in-depth examination of a case that illustrates an important dimension and allows for a more thorough examination
Index Case
A single highly informative case could be the first known instance of a new phenomenon. Fox example, given the rapid advancement of information management and information technology, it is not unreasonable that controls developed even a just a decade ago might not be enough to deal with new IT security risks. With an emerging IT risk, it is often the first discovered case that results in new controls. The low incidence rate is not the determining factor in deciding whether to address the threat. The potential importance of not addressing the threat immediately upon discovery is what matters here.
Critical Case
Criticalc ases are typical cases where one or more major controls failed to mitigate or to avoid risk. This failure demonstrates that if the controls failed in this instance, they can fail anywhere. Although critical cases do not allow for statistical generalization, they are a form of plausible logical generalization.
The sinking of the Titanic can be considered a critical case. It was not the first case of individuals perishing from a vessel sinking at sea and there was not much unique about this case. Indeed, there was not much to learn about sinking vessels from this case. In fact, it was its ordinary circumstances that made this a critical case. This particular vessel should not have been lost in an ordinary sinking. It was designed to remain afloat long enough to allow for the rescue of its passengers. Hence, it only needed enough lifeboats to ferry the passengers to a rescue vessel. As a result of this ordinary sinking of an extraordinary vessel on its maiden voyage, both the British and U.S. governments introduced several new regulations to mitigate the risk of catastrophic sinking. Why? If it could have happened to the Titanic, then it could happen to any vessel.
High-Impact Case
High-impact cases deal less with the control of risk and focus more on the level of importance. Given that the effort to control for risk is a function of both likelihood and importance, a program may dedicate little effort to control for some risks that are considered to result in minor exposure or harm. A high-impact case can demonstrate how the level of importance has either changed or was underestimated.
Self-Study
The self-study is substantially different from other single-case methods because the researchers or auditors need to subject themselves to the program or service of interest to obtain the necessary first-hand perspective that normally only program recipients or service clients would have. In this method, an auditor adopts the role of the client and tries to navigate normal procedures and controls with the aim of gathering first-hand evidence for programs involving the delivery of services to people. Alternatively, this method, often used in investigations, could also be used by an auditor adopting the role of a criminal or terrorist with moderate means and resources in order to discover vulnerabilities of programs that could pose a significant and immediate threat to public safety. The potential ethical risks of this approach should be considered and may require appropriate safeguards (e.g., documentation of ethical risks, implementation of ethical safeguards such as privacy and “no-harm” stance).
Case Study #1: Self-Study
|
Audit: U.S. Government Accountability Office – Use of Covert Testing to Identify Security Vulnerabilities and Fraud, Waste, and Abuse; published November 2007 Posing as private citizens, investigators purchased sensitive military equipment—including ceramic body armour inserts, guided missile radar test sets, and microcircuits used in F-14 fighter aircraft—on the Internet from the Department of Defense’s liquidation sales contractor. This demonstrated and documented an existing threat to public safety. |
Teaching Case
Teaching cases are not necessarily high impact or exemplar, but what they might lack in dramatic appeal, they make up for in how well they are documented and understood. Having a case that has been well dissected allows the rest of the world to explore it and learn from it. Unlike other types of single case sampling methods, the teaching case is a combination of finding a potential case and exploring it with enough depth so as to create a teaching case. A teaching case is equal parts opportunity and research.
Case Study #2: Teaching Case
|
Audit: Office of the Auditor General of Canada – Audit of the Privacy Commissioner; published September 2003 When exploring the risks associated with poor leadership, one might not consider looking to a small department or agency given that levels of importance are always considered to be higher within large departments. However, the case documented by the Office of the Auditor General of Canada’s 2003 audit of the Privacy Commissioner is a perfect teaching case. Despite the small size of the Office of the Privacy Commissioner, the extent of abuse and impact on lives identified in this audit remains an outstanding example of the negative and long-lasting impact poor leadership can have. The working atmosphere in the Office of the Privacy Commissioner was described in the report as a “reign of terror”; there were repeated instances of humiliation, inappropriate comments, intolerance, and verbal abuse. Favouritism was also common: there were cases of individuals rewarded with over-classification of positions, biased hiring practices for friends, inappropriate cash-outs of vacation leave, and abuse of travel and hospitality privileges. The amount of documentation of this case and the impact it had is what makes it a teaching case. This particular case can be used for years to come to help individuals understand the impact and anatomy of abuse of power. |
Exemplar Case
An exemplar case provides a more in-depth perspective to a problem and allows for an analysis of how a problem repeatedly manifests itself when no intervention is applied. As with the teaching case, such cases are rare in the field of auditing given that the periods covered by most audits are relatively short.
Generic Example #1: Exemplar Case
|
To see whether federal policies caused problems in port operations, a national audit office could examine the port of a large metropolis, which is diverse and has a high work volume. Problems would be likely to show up at this site and at others; if no problems were observed at the port the large metropolis, problems were unlikely at other sites. Source: GAO (2017) |
LinkedIn
Twitter