None of us would conclude a glass is half full without knowing how big the glass actually is. The amount of liquid currently in a glass doesn’t tell you anything unless you know how much liquid the glass will hold.
Similarly, control effectiveness opinions are often based on knowing only half the facts. Many, if not most, of the major corporate failures we have experienced have happened to companies whose external auditors reported effective internal controls. What was missing?
Seeing the Glass Half Full
Let’s consider three scenarios to test my theory:
1.) A company establishes a policy that all purchases over $1,000 must be supported by at least two competitive bids. An internal audit confirms that the policy is in place and adhered to. No exceptions were noted.
2. ) Concerned about growing traffic volumes in a residential community, citizens urge the city council to place stop signs at every intersection. After the stop signs were installed, police records confirmed that few if any motorists have been charged with running any stop signs
Each of these scenarios illustrates a “control” of some sort. I’ve deliberately used some “controls” outside of traditional “internal controls” to better illustrate my point. But are any of these controls effective?Many professionals would proclaim them effective almost by definition. But making a conclusion on control effectiveness based on just the information provided is like stating a glass is half full without knowing the size of the glass.
The Glass Half Empty
Let’s add a little more information to each of the scenarios described above:
1. ) The extra time required to obtain competitive bids delays the development of new products by six weeks and drives operating costs up.
The control objective was to ensure competitive bids were used. But the business objective was to drive down costs and increase efficiency.
2.) While the stop signs cause motorists to stop, they also cause them to speed up between the stop signs as they attempt to make up for the time lost in stopping. Speeding violations then increase.
The control objective was to make traffic stop. But the community objective was to increase safety.
3.) The research conducted on the glaucoma medication confirms it indeed lowers pressure, but due to side effects, 20 percent of patients miss 10 percent of their scheduled doses, 10 percent of patients stop taking it entirely, and a very small percent have a potentially fatal reaction.
The control objective of the medication was to reduce interocular pressure. The medical objective was to treat patients effectively.
Based on this additional information, are the controls effective?
If one looks only at the control objectives , the answer might be yes. If one looks at broader business, community or medical objectives, the answer is probably no.
So what lessons do we learn from these examples? Check back here this week as I finish this two-part examination of the effectiveness of controls.
And if you find this subject area interesting, see the other blogs in my Myths in Risk Management Series: Exposing the Flaws of Risk Heat Maps, Can Risks Be Registered, Can Risks Be Owned, You Don’t Need to Start with a Risk, and Controls Are Bad for You.