Stop Auditing Useless Controls
We’ve all done it. You start testing a control that you think is stupid. You have no idea why you are testing this useless control. You are not even sure you can test this control. Of course it doesn’t end there. You find exceptions, so now you have to write an issue around this stupid thing. Good luck coming up with the risk statement. “The effect of this control is…nothing.”
Here is my favorite real-world example. When I was auditing retail, we had a control requiring that logs be kept at all doors: when an alarm went off, someone had to run over, check the bag for items with hard tags that would set off the alarm, and then note on the log that the bag was checked. In this case, keeping the log was the control management decided was so important that we had to test every log, by every door, in every store. We had to look through past records for evidence of review. We looked for patterns and evidence of management review of the log.
The log was useless. In every location, the log was an afterthought. No one cared about it. They knew it was useless. We would put these issues in a report and management would want it dropped. They said the log was to give “the impression of control”.
At the time we had 850 store locations, each with an average of six entrances, meaning we were keeping over 5,000 of these logs, all day, every day. We figured it took about an hour each day to complete and monitor each log. In the course of a year, that one poorly designed control wasted over $22 million:
850 Stores
6 Doors/logs per store
5,100 Logs total
1,861,500 Hours spent on the logs per year
$22,338,000 At $12 avg wage, total cost of control for 1 year
In reality, this control had been in place for many years, and is still in place at many brick-and-mortar retailers.
So management came up with a poorly designed control. Now here is my big question: who is more at fault, management for coming up with this control, or internal audit for never questioning the control?
At this point, we should all be aware enough to look for poorly designed controls. The challenge is to call them out when you see them, and not waste your time testing.