Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​​​The Passcode Is ... 312

Do you see control issues everywhere? How you respond to them may speak to your expertise as a practitioner.

Comments Views

​Recently, I facilitated an internal audit seminar where something unusual occurred. The restrooms at the facility were locked, requiring a code for access. And while this type of security can be found in many commercial buildings, other factors raised questions about the practice. 

The event coordinator gave the restroom code to seminar facilitators to share with participants. Someone also had written it on the whiteboard of each room. Moreover, the code appeared on flip charts that pointed the direction to the restrooms, as well on the doors of the restrooms themselves. ​

Seminar participants started to discuss the situation. The room full of auditors instantly pointed out that displaying the code in so many places represented an obvious breakdown in controls. Some of them compared it to writing a login password on a sticky note and then attaching it to one's computer.

But a couple of attendees took the analysis a little further. They asked the deeper question — the one that any auditor using critical thinking skills should ask: What was the risk of everyone knowing the code? And as the discussion continued, someone asked another, perhaps more important question: How big was the risk that unauthorized individuals would enter the sanctum sanctorum of the 9th floor restroom when the building had guards on duty to
ensure only authorized individuals could gain access in the first place?

What kind of auditor are you? Do you go ballistic when you see a circumvented control? Do you accept the control as is, assuming that, because it existed in the first place, it should continue to exist? Or do you look at a control circumvention and ask why the control existed in the first place and why it continues to exist? Or do you ask even deeper questions about risks, how they have changed, and how people are reacting to them? 

A good auditor identifies a control breakdown and determines how to get it working again. A better auditor questions whether the control needed to exist in the first place. But the best auditor, the auditor who is providing real value to the organization, doesn't put all the focus on the existing process and controls. The best auditor looks at the risks with fresh eyes to better understand exactly what is at risk, how people's actions impact those risks, and how the organization can most effectively respond.

Allow me to go out on a most dangerous limb here and disclose that the code to enter the men's room was 312. And now, security is compromised and disaster may rain down upon us because a control has been circumvented. Of course, to the best of my knowledge, no disaster befell us during the seminar.

What is the worst that can happen when a control is circumvented? And why am I supposed to care about the control in the first place? Those are the questions far too many auditors forget​ to ask.

Mike Jacka
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Mike JackaMike Jacka<p>​​​​​​​​​​​Mike Jacka, CIA, CPA, CPCU, CLU, worked in internal audit for nearly 30 years at Farmers Insurance Group. He is currently co-founder and chief creative pilot for Flying Pig Audit, Consulting, and Training Services (FPACTS). In <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=ac8af301-e15c-49bc-9c04-b97c2e183a4b">From the Mind of Jacka​</a>, Mike offers his wit and wisdom on the internal audit profession.</p> Jacka blog posts


Comment on this article

comments powered by Disqus
  • AuditBoard_Pandemic_May 2020_Premium 1_
  • Galvanize_May 2020_Premium 2
  • IIA CERT-Online Proctering_May 2020_Premium 3