Recently, I facilitated an internal audit seminar where something unusual occurred. The restrooms at the facility were locked, requiring a code for access. And while this type of security can be found in many commercial buildings, other factors raised questions about the practice.
The event coordinator gave the restroom code to seminar facilitators to share with participants. Someone also had written it on the whiteboard of each room. Moreover, the code appeared on flip charts that pointed the direction to the restrooms, as well as on the doors of the restrooms themselves.
Seminar participants started to discuss the situation. The room full of auditors instantly pointed out that displaying the code in so many places represented an obvious breakdown in controls. Some of them compared it to writing a login password on a sticky note and then attaching it to one's computer.
But a couple of attendees took the analysis a little further. They asked the deeper question — the one that any auditor using critical thinking skills should ask: What was the risk of everyone knowing the code? And as the discussion continued, someone asked another, perhaps more important question: How big was the risk that unauthorized individuals would enter the sanctum sanctorum of the 9th floor restroom when the building had guards on duty to ensure only authorized individuals could gain access in the first place?
What kind of auditor are you? Do you go ballistic when you see a circumvented control? Do you accept the control as is, assuming that, because it existed in the first place, it should continue to exist? Or do you look at a control circumvention and ask why the control existed in the first place and why it continues to exist? Or do you ask even deeper questions about risks, how they have changed, and how people are reacting to them?
A good auditor identifies a control breakdown and determines how to get it working again. A better auditor questions whether the control needed to exist in the first place. But the best auditor, the auditor who is providing real value to the organization, doesn't put all the focus on the existing process and controls. The best auditor looks at the risks with fresh eyes to better understand exactly what is at risk, how people's actions impact those risks, and how the organization can most effectively respond.
Allow me to go out on a most dangerous limb here and disclose that the code to enter the men's room was 312. And now, security is compromised and disaster may rain down upon us because a control has been circumvented. Of course, to the best of my knowledge, no disaster befell us during the seminar.
What is the worst that can happen when a control is circumvented? And why am I supposed to care about the control in the first place? Those are the questions far too many auditors forget to ask.