As my wife recently watched a Sherlock Holmes program in which a clue was a silent dog, I worked on a presentation for the ISACA Los Angeles Conference titled “Controls–Why They’ve Become Wasteful, A False Sense of Security and Dangerously Distracting (And How to Fix Them).” In that process, two causes for controls churn and confusion came to mind.
First, the dog (control) does not bark if it fails to meet the tight assumptions required for a control to actually work. For example, the “chain of fitness” assumptions for controls require that:
- The control is used as intended
- The control is maintained as implemented
- The control is implemented as designed
- The control is designed from the appropriate template
- The control template is appropriate for the process class and problem
- The control is located properly in the process flow
- The location in the process flow was determined based on the location of useful warning signs
- Useful warning signs were determined based on robust, real-world “What if?” scenario analysis
- Scenario analysis was conducted properly based on a thorough “know the business” understanding of environment and capabilities
Though still challenging, these assumptions are easier to meet when applied to retrospective financial reporting, when those reporting systems are stable and a threshold of materiality (percent of revenue or income) can be applied. These assumptions are more difficult to meet when a prospective view is needed of a dynamic, operational world, where a tiny issue can turn into a huge problem.
The second cause for controls churn and confusion is when the auditor or compliance person fails to bark because all looks well—because he or she does not understand the chain of fitness and other assumptions. There is a false sense of security.
Why do some auditors miss these problems? Show-of-hands surveys I have taken while speaking at ISACA programs around the world reveal that it has much to do with when a person began working in audit; in particular, with whether a person’s work experience began before the Sarbanes–Oxley Act of 2002, when IT audit began focusing on a narrow financial reporting notion of “IT General Controls” (ITGC).
The modern, skilled IT pro has a clear operational view of a control as something that senses and responds, whether dumb like a light switch or intelligent like server load balancing.
ISACA’s COBIT 5 offers help in the shift from “controls” (too often understood mostly as ITGC) to business-objective-oriented management practices. More broadly, consider ISACA’s tagline: “Trust in, and value from, information systems.” Value creation in Val IT (now incorporated in COBIT 5) is well beyond controls that struggle just to protect value.
I suggest taking action—host a “Cut Controls Churn and Confusion Day” at your chapter or for your team at work. Invite a panel of people with managerial accounting, operational process improvement and IT process improvement experience to discuss why improved oversight, management practice and core business process are more effective than controls for any operational situation.
Principal Analyst & Advisor, ValueBridge Advisors
ISACA conference presenter and volunteer on Risk IT and COBIT 5 initiatives
Author of “The Operational Risk Handbook”
Continue the conversation in the Controls Monitoring topic within ISACA’s Knowledge Center.