Profile picture for user mkli

Compliance is a cumbersome topic: nobody likes it. Most people feel pressed to adhere to rules whose purpose they do not understand, and they see themselves losing personal or process efficiency by performing controls that they feel only help others. It is therefore no wonder that the basic need to test the performance of controls is very often questioned. "We keep to our defined process!" or "Don't you trust me that I know my business?" is what you get to hear quite often.

How should you react when challenged with such statements? My personal tip is to bring up some facts about business reality. There is a nice study by PWC that looked at the quality and performance of controls over time (see picture). Unfortunately it was conducted in German, but the main findings translate easily. It was named "Noch ein Jahr – wie fit sind die Schweizer Unternehmen?" and was published in November 2007.

The main result: any control that is not continuously monitored for design and performance decreases in effectiveness. There is a notable dependency between test frequency and level of control maturity. This correlation can be optimized for efficiency reasons. A control is like an athlete who enters no contests: performance will go down! But entering too many contests will wear him down … the right balance is needed!

 PWC 2007, "Noch ein Jahr – wie fit sind die Schweizer Unternehmen?"

So if you are required to provide proof that your management system is working properly and achieving its control objectives, you have to assess it regularly. You should certainly ensure the efficiency of the overall system by using a risk-based approach to limit the number of controls when defining your overall setup, and by limiting testing activities to the level needed to ensure control performance, depending on your company culture. You should use different auditing concepts, such as central audit, peer testing or control self-assessment, as appropriate. And you should use an integrated approach across compliance topics to gain maximum synergies between them and to avoid wearing down your control performers with unnecessary testing.

But after all that, you are still required to look at the performance of your controls. Reality proves that a control left alone does not keep its level of effectiveness.
