Building a Better Auditor: The Risk of Overcontrol

Blogs Jami Shine, CIA, CRMA, CISA, CRISC Nov 04, 2024

Risk-based auditing has been the standard for years, with a focus on taking into account the organization’s risk appetite and tolerances versus trying to eliminate all risk. However, in practice, many auditors are still promoting overcontrol, often to the detriment of our organizations.

In Amsterdam last summer, I noticed young children riding bicycles without helmets, often on the main roads. Toddlers sat behind their parents’ bikes, loosely buckled in if at all, in a scene that would make many parents shudder with terror. Bikes, cars, and pedestrians moved quickly in sync with each other, performing a complicated dance. And while I jumped nervously out of the way anytime I heard a bicycle bell, I realized midway through the trip that I had not witnessed a single traffic accident. A local told us, “We teach our children to ride bikes at a very young age, so we don’t have many accidents.” Based on the statistics I found, the Netherlands’ estimated per capita road fatality rate in 2023 was less than one-third that of the U.S., so it appeared their approach was effective.

As auditors, it can be tempting to look for every way risk could be actualized and make recommendations to plug every hole. However, this approach may be less effective — and far more costly — than investing in soft controls like training and culture. Dutch bicyclists have a self-preserving interest to avoid traffic accidents, but they are also trained and empowered early in life. Training employees — and then incentivizing the desired behaviors — can help organizations achieve desired results without resorting to redundant layers of red tape.

While internal controls are critical for achieving objectives, overcontrol may be more dangerous than many of us realize. There is the obvious expense associated with implementing redundant or ineffective controls, especially for low-risk areas. Overcontrol may also create inefficiencies that can reduce a company’s competitive advantage. Perhaps most damaging is the impact of overcontrol on employee morale and behavior. If employees feel that the controls in place are hindering their ability to efficiently perform their responsibilities, they will often find workarounds, leading to shadow IT. Alternatively, they may allow the system of overcontrol to impact the customer experience.

I have a gluten sensitivity and recently took a trip to my favorite theme park. I had seen pictures of fluffy gluten-free pancakes at one of their restaurants and eagerly went to order them. The employee at the register explained that according to policy, a chef was required to take any allergy-friendly orders. I awkwardly stood at the register for over 10 minutes while the poor employee checked in the back multiple times trying to find an available chef. Finally, the chef arrived, wrote “gluten-free pancakes” on a notepad without asking me any questions about the nature of my allergy, and disappeared. In this case, the well-intended control resulted in a poor customer and employee experience. I couldn’t help but wonder why the register employees couldn’t be empowered to place basic allergy-friendly orders and to involve a chef only when justified by the risk, such as in cases of multiple or severe allergies or upon customer request. And if the chefs were only involved in high-risk situations, they would have more time to discuss the nature of the allergies to ensure any additional precautions above the standard allergy protocol were taken, resulting in greater efficiency and possibly even stronger risk mitigation.

In another example, I had a discussion with a friend who works for an organization with a low risk appetite. This friend’s organization prohibited certain commonly used technologies that can create efficiencies. My friend admitted that he and his coworkers bypass the controls and use the technology anyway. A more effective control may have been for the organization to train employees on how to use the technology safely and implement strong governance processes, versus banning it entirely.

In my experience, I’ve observed the most significant control failures in two types of environments: 1) those where employees were trusted but not trained or held accountable and 2) those where overly restrictive controls were in place, incentivizing either blind following of a checklist or workarounds to bypass the controls.

Perhaps we should learn a lesson from the Dutch and start training even the lowest level employees to understand the “why” behind the controls they perform. My guess is that training and empowering these employees will lead to better outcomes than rigid overcontrol.

Jami Shine, CIA, CRMA, CISA, CRISC

Jami Shine is corporate and IT audit manager for QuikTrip Corporation, based in Tulsa, Okla.