Are you feeling “over-controlled?”


I recently had a conversation with a colleague in the past month about his clients’ feelings they were “over-controlled.”  The discussion identified a few of the reasons the people in these organizations are feeling “over-controlled”, including:
Lots of audits
Many different audit standards and frameworks
A going-through-the-motions, and not reducing core business risk

One of the solutions to this miasma is to consolidate audit control statements across many different audit frameworks.  This is simply doing it once and making it repeatable: a good practice. However, another thought occurred to me after our conversation: maybe we aren’t measuring enough.  Are we relying too heavily on static controls to deal with dynamic user error – and subterfuge – to stem loss or theft of sensitive data? 

Human beings are always ten-steps, or more, ahead of controls.  Gaming the system and figuring out how to maximize gain seems to be a well-learned part of the human condition.  The ingenuity and creativity of people goes far beyond limits imposed by static procedural and technical controls.  An interesting take on this, can be found at realtime-itcompliance (see:, where the movie “Home Alone”, is recommended for training and education about social engineering.

So, in addition to consolidating control statements to more cost-effectively manage existing audit load, should we be looking at adding dynamic systems for managing risk, whereby the 5% to 10% of policy violations falling outside the norm should be actively managed and the other 90% to 95% of routine violations are collapsed into the “audit log.”  This is a practice that has met with great success in most industries, as well as in finance and manufacturing among other business functions.  In fact, manufacturing went overboard with Six Sigma.  5% to 10% exception management ought to work for audit, IT general controls and data protection. 

What are your thoughts:
 Is your organization feeling over-controlled?
Have you figured out how to do audit once, and make it repeatable?
Are you delivering entertaining ways to educate the workforce?
Is exception-based risk management a reality or a pipe-dream?
Are you managing by exception today?
Jim Hurley  


One Response to “Are you feeling “over-controlled?””

  1. edickson Says:

    For the past two years, we had a branch audit process that every district manager had to complete once a month. In addition to this, we had regular compliance auditing on an ongoing basis.

    The result was exactly what your post speaks to.

    The process was streamlined with impressive results. Involved in the process are local area experts in internal audit operations, finance and security.

    There is a lot to be said about identifying the biggest risk factors and inspecting them frequently.

    Effective auditing needs to be a living and breathing process taking into account current risk factors and then acting on them.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: