The Case for a Risk-Based Approach to Compliance Auditing
In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.
Is the added complexity of a risk-based approach worth the effort?
Think of a “compliance only” approach as compliance to specific standards, with inflexible application. These standards could be specific client expectations, without consideration for various methods to achieve that goal. Take, for example, a case of standards which call for registering combination changes to a vault or safe, rather than simply relying on a locksmith receipt to document the change.
Well-intentioned company standards may very well miss the true risk control objectives.
Moreover, a compliance only approach may not be as dynamic with regard to industry loss trends and other high priority concerns. In other words, this approach may not take into consideration the true concerns of high risk activity.
With a compliance only approach there may also be a lack of consideration for the type of operations, values involved, and volume of high-risk activity. Consider that while all ATM controls have their place, the exposure varies depending on the number of ATMs serviced, type of servicing, location of servicing, number of staff involved, the dollar amount involved in the replenishment, the safe lock types, the exposure with the servicing method (such as a kiosk versus island), and even the timing of the service.
Think of the balancing of compliance and risk as applying standards with core concepts in mind when needed, allowing for some common sense flexibility, and consideration for risk concerns.
Understanding Core Concepts
Separation of duties.
With a compliance only approach, this core concept held by the cash handling industry may be cut and dried with clear separation expectations, such as having a department involved with customer inventory balancing and reporting completely separate from those involved with any cash handling.
In reality, with tight staffing in both small and large companies, having such distinct roles to accomplish this may not be feasible. Simply focusing on the compliance aspect may very well cause one to lose sight of the goal. While the best practice would be to have pure separation, the goal of removing the opportunity for fraud (by a person who has been able to physically manipulate both the funds and the reported amount) can also be met with a well-managed rotation of staff who essentially cross-check each other.
In a compliance only approach, this core concept may involve a second person verifying currency at a very specific time. Again, simply focusing on the compliance aspect may not align with the goal – removing the opportunity for theft or error by including a verification step.
Verification performed at a different stage may be just as effective at creating the desired control. For instance, in a large operation where multiple tellers exist, each teller would normally be expected, after processing, to have a supervisor verify their results and consolidate the various tellers' work before it goes back into inventory for recycling. Later the full inventory is balanced, but identifying a discrepancy then, with the number of tellers involved, can get very complicated without having performed the earlier verification. However, having one teller, instead of multiple tellers, changes this need entirely.
Whenever there are recognized high risk areas, the controls surrounding these areas should be in layers, such that one failure should not by itself directly enable an opportunity for undetected theft.
Consideration should be given to whether certain layers are adequate, reducing the need for others.
For instance, an added internal control for ATM cash would be either a practice of rotating crews or conducting an ATM cash audit at an appropriate frequency. This control would reduce the risk of a theft that routine balancing does not detect because the servicing person has manipulated incoming cash into the residuals to cover the stolen cash.
The application of the appropriate controls will often involve consideration for the type of servicing, whether it is a cash swap or sealed cassette. A cash swap, which involves direct cash access, appears to be the obvious opportunity for theft by the servicer, unlike using a sealed cassette. Some may then conclude that sealed cassette usage negates the need for rotation or an ATM cash audit. However, seal control practices must be taken into consideration, because if they are not appropriately managed in terms of training and oversight, seal usage provides no greater control. Where the seal usage is unreliable, a cash audit program or rotation of staff should not be overridden simply by the practice of using sealed cassettes. Conversely, a well managed seal program should be given consideration when determining the need for additional layers.
Striking a Compliance-Risk Balance
Ultimately, adding flexibility to determine an appropriate compliance and risk balance, and how to apply the standard, not only makes sense in terms of risk management, but will add a greater level of acceptance by the party being evaluated.
When recommending corrective action, it may be necessary to think outside the box. Having sound standards that serve as the rule and provide guidance is important; however, there must be room for exceptions where appropriate. The lack of solid findings in some cases may create a distraction from other sound findings; management may view certain findings as unreasonable, and hence ignore results more broadly. This may result in inaction where it is sorely needed.
A risk-based approach of adding risk considerations to the compliance survey enables management to make more appropriate decisions on the correct course of action and the responsible usage of assets to foresee threats and identify critical issues.