Are many controls wasteful, distracting, and even harmful? This risk expert thinks so.

In this podcast, Joseph McCafferty, head of audit content at the MIS Training Institute, talks with Brian Barnier, a principal at ValueBridge Advisors and an OCEG fellow, about the role of controls in audit and risk management and their limitations. According to Barnier, although controls are the centerpiece of many audit, compliance, governance, and risk-management programs, they are often ineffective. He says they are difficult to implement, maintain, and use and often don’t work. They can even be harmful, Barnier says, since they can offer a false sense of security. 

“When doing postmortems after a control failure at companies you can easily see that there are very specific failures in controls. They are structural and they also apply to specific controls. For example, there is bad math—they are just not doing the proper probability mathematics,” says Barnier. He adds that controls are too static. “Controls stand there and they are immovable. Bad things just go right around them. They can’t keep up with a dynamic world,” he says.

So what’s a better way? According to Barnier, there are many oversight approaches, management practices, process improvement activities, and the right kind of automation that can do a better job at managing risk and governance than controls can.


Length: 10 min. 41 sec.
size: 11.5 MB