News & Blogs

Internal Audit's Imperative: Challenging and Eliminating Useless Controls

Global · · insightcpe.com

This article challenges internal auditors to critically evaluate the controls they are tasked with auditing, rather than blindly testing those that offer no real value. It highlights the significant financial and operational waste associated with poorly designed or obsolete controls, urging auditors to proactively identify and advocate for the removal of such inefficiencies to enhance organizational effectiveness and resource allocation.


The Cost of Compliance Theater

The article opens with a relatable scenario for many internal auditors: the frustration of testing controls that appear to serve no practical purpose. The author recounts a personal experience auditing a retail control requiring logs at every door to document bag checks for alarm triggers. Despite the control's clear ineffectiveness and the fact that employees viewed it as an afterthought, internal audit was compelled to test it across 850 stores, each with multiple entrances. This exercise, designed to create an "impression of control," consumed an estimated 1.8 million hours annually, costing the company over $22 million in wasted resources.

Auditor's Role in Control Efficacy

This anecdote underscores a critical question for internal audit professionals: who bears more responsibility for the perpetuation of useless controls – management for implementing them, or internal audit for failing to challenge their existence? The author argues that internal audit has a professional obligation to move beyond mere compliance testing and actively assess the design effectiveness and true value of controls. Blindly auditing controls, even those recognized as ineffective, not only wastes audit resources but also perpetuates operational inefficiencies within the organization.

Shifting from Compliance to Value-Add

The core message for internal auditors is to adopt a more proactive and critical stance. Instead of simply accepting controls as given, auditors should:

  • Question the 'Why': Understand the original intent and current relevance of each control.
  • Assess Design Effectiveness: Determine if the control is logically designed to mitigate a specific risk effectively.
  • Evaluate Operational Efficiency: Consider the resources consumed by the control versus the actual benefit derived.
  • Advocate for Change: Be prepared to challenge management on poorly designed or obsolete controls and recommend their modification or elimination.

By doing so, internal audit can transition from being perceived as a compliance burden to a strategic partner that enhances organizational value by optimizing the control environment and freeing up resources for more impactful activities.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →