I’ve been visiting with my mother who lives in a gated retirement community. In order for me to gain access to the development I need to pass through a security check point at the main gate. They ask me who I’m visiting, I provide my mother’s name and either they find my name on the pre-approved persons list or they have to call her to authorize my entry, or at least that’s what they’re supposed to do. Ever the auditor, I’m always amazed that they never ask me to provide any form of proof that I am who I say I am. I’m further amazed by how inconsistent this very basic control is applied. Some of the security guards wave me in without ever checking that it’s OK to let me in. Some look up her name on their system to make sure she exists but never ask me who I am and just a very small handful of the guards follow protocol and check my name against the list (but still without ever knowing if I’m me). For the purpose of this blog post, lets ignore the fact that I could park on the street outside the development and simply walk across the lawn in order to gain access to her apartment completely bypassing security. Lets also look past the fact that all I would ever need to do is have someone elderly sitting next to me and tell the guard that I’m returning that person to their apartment in order for them to let me in. Generally speaking, despite having security guards, a secured entry and a documented process to control who is allowed access, they might as well have nothing because net-net that’s what they really have. This visually impressive control fails miserably to work and anyone with ill intent would know that in a heart beat.
Which begs the question, why bother supporting ineffective controls when they fail to control anything?
I wish it was rare that I encountered similar situations with my clients but it’s not. My favorite ineffective control is the manual visitor sign-in sheet I often find when auditing/assessing my clients physical data center controls. My hosts often make a big deal out of asking me to sign-in before allowing me access to their data center or server room and I typically play along. However, I’m fond of using an alias to see if they validate the information I provide (usually they don’t). The manual sign in sheet falls under the category of “better than nothing” but in its own special sub-category I call “but not by much.” The list is always a bit lite and is often missing sufficient evidence to prove that it’s consistently relied upon. Another favorite of mine centers on production change control. Some of my clients have fairly robust processes to track changes to application software but ask them for evidence of system software updates or hardware configuration changes and I’m met with blank stares as they try and figure out how to tell me they don’t really track those things formally. So you have to wonder why you’d even bother to track some of the changes if you’re not tracking all of them? If something went wrong within a clients infrastructure how would they know if any recent changes might explain it if they don’t know about everything that changed?
Here’s a bit of a radical thought; stop supporting ineffective controls and save the time and effort required to support them.
Seriously, even though a control might appear critical in nature, if it’s poorly designed, poorly supported or just flat out ineffective, just kill it altogether. No decent examiner or auditor is going to be tricked into thinking it’s providing value and it’s likely going to call into question the validity and reliability of all your other (hopefully) effective controls. If you feel strongly that the control needs to be in place and doing its job than do something about it. Either redesign things so that it’s viable and effective or scramble like crazy to identify compensating controls that render the control unnecessary.
We live in an age where compliance rules all. There are all manner of controls that are required in order to satisfy our oversight agencies and auditors and that’s a list that will only continue to grow. No one has the luxury of wasting time or the precious few resources they have to work with and so it’s that much more critical that these things be thought through and validated. Expecting people to support control related activities that ultimately fail to satisfy their objective is flat out wrong. And because this is the age of regulatory enlightenment those who toil within the financial services industry are a bit more savvy about how these things work. They have an idea of whether or not what they’re being asked to do makes sense and will resist or defer participating if they think it’s a waste of time. The only thing worse than an ineffective control is one that’s poorly supported.
It’s why I often wonder what would happen if I simply drove across the lawn closest to my Mom’s building and completely avoided the main gate. I’m thinking that if it’s after sunset when there are no golfers walking the links I could probably pull it off. Of course I’d have to deal with the compensating control of an angry mother once she figured out what I did but perhaps, just to prove a point it might be worth it.