
Compliance is a cumbersome topic. Nobody likes it; most people feel pressed to adhere to rules without understanding their purpose, and they see their personal or process efficiency reduced by performing controls that, in their view, only help others. So it is no wonder that the very need to test the performance of controls is frequently questioned. "We keep to our defined process!" or "Don't you trust me to know my own business?" is what you hear quite often.

How should you react when challenged with such statements? My personal tip is to bring up some facts about business reality. There is a nice study by PWC that looked at the quality and performance of controls over time (see picture). Unfortunately it was written in German, but the main findings translate easily. It was titled "Noch ein Jahr – wie fit sind die Schweizer Unternehmen?" ("One more year – how fit are Swiss companies?") and was published in November 2007.

The main result: any control that is not continuously monitored for both its design and its performance decreases in effectiveness. There is a notable dependency between test frequency and the level of control maturity, and this correlation can be optimized for efficiency. A control behaves like an athlete: with no contests, performance goes down, but too many contests will wear the athlete down. The right balance is needed.

PWC 2007, "Noch ein Jahr – wie fit sind die Schweizer Unternehmen?"

So if you are required to provide proof that your management system is working properly and achieving its control objectives, you have to assess it regularly. You should certainly keep the overall system efficient: limit the number of controls by taking a risk-based approach when defining the overall setup, and limit testing activities to the level needed to ensure control performance, depending on your company culture. Use different auditing concepts, such as central audit, peer testing or control self-assessment, as appropriate. And use an integrated approach across compliance topics, to gain maximum synergy between them and to avoid wearing down your control performers with unnecessary testing.

But in the end you are still required to look at the performance of your controls. Reality shows that a control left alone does not keep its level of effectiveness.

Tags: GRC