Recently, I facilitated an internal audit seminar where something unusual occurred. The restrooms at the facility were locked, requiring a code for access. And while this type of security can be found in many commercial buildings, other factors raised questions about the practice.
The event coordinator gave the restroom code to seminar facilitators to share with participants. Someone also had written it on the whiteboard of each room. Moreover, the code appeared on flip charts that pointed the way to the restrooms, as well as on the doors of the restrooms themselves.
Seminar participants started to discuss the situation. The room full of auditors instantly pointed out that displaying the code in so many places represented an obvious breakdown in controls. Some of them compared it to writing a login password on a sticky note and then attaching it to one's computer.
But a couple of attendees took the analysis a little further. They asked the deeper question, the one that any auditor using critical thinking skills should ask: What was the risk of everyone knowing the code? And as the discussion continued, someone asked another, perhaps more important question: How big was the risk that unauthorized individuals would enter the sanctum sanctorum of the 9th floor restroom when the building had guards on duty to ensure that only authorized individuals could gain access to the building in the first place?
What kind of auditor are you? Do you go ballistic when you see a circumvented control? Do you accept the control as is, assuming that, because it existed in the first place, it should continue to exist? Or do you look at a control circumvention and ask why the control...