Tales from the audit trenches #2: Which Walt Disney cartoon character would you be?
When time permits, I have decided to share some of what I consider to be the slightly more amusing experiences from my time in the wonderful profession that is internal audit.
Some of you may recognise some of these stories. I have shared several of them previously in person. All are true. Maybe I have changed some of the names of those involved. Maybe not. 😐 I have considered our Code of Ethics and have sought to abide by the confidentiality rule and principles throughout. As you would expect. Of course…
Welcome to the second article, or episode if you prefer of… ***gentle fanfare and drum roll*** …tales from the internal audit trenches.
This one is also from a long time ago, if not quite from a galaxy far, far away.
I’ll mix up the timeline a little with the next one and maybe go for a more recent tale. I’m not intending these to follow any particular order whatsoever, by the way.
Anyway, I digress.
Here goes.
We want to undertake a physical security audit, we said to the head of internal audit. Why’s that? he replied, not unreasonably.
Well, we’re concerned that the security guards are not undertaking their checks properly. And we haven’t looked at how well some of the other security-related policies are operating in practice. And, and, and!
The head of internal audit agreed to our request quite quickly on this occasion. He was always very good about taking on board reasonable suggestions.
Do you mind if we carry out some quite practical testing on this occasion? No, replied the head of internal audit, but run it past the head of security first. I don’t want anyone arrested. Or shot. He was joking about the latter. I think.
Now an outside contractor supplied the security guards, and the head of security, an employee, managed this arrangement. For the avoidance of any doubt, this head of security was not the same head of security who some years later infamously managed to spell (and say) the word “w*****s” on Countdown. Forgive me for the profanity. Different guy. I promise.
We met with the (non-sweary) head of security and talked through the draft terms of reference for the internal audit and how we hoped to test some of the physical security arrangements.
I’m paraphrasing slightly, but basically, he said, that sounds like fun, yes, why not! Let me know how you get on. We said that we would.
In true Columbo style, we asked for ‘just one more thing’ as we left the meeting. What’s that? he replied. Could we have a ‘get out of jail free’ letter, signed by you, in case we get apprehended by the security folks? Yes, of course, he affirmed.
We got the letter later that day and started planning immediately.
A big fence surrounded the site where we worked, with ‘Keep out’ signs at regular intervals, CCTV and stuff like that. There were two vehicle and pedestrian entrances. One at the front and, unsurprisingly, one at the back. The front was the main - and busiest - entrance. Security guards checked all vehicles and pedestrians entering the site.
The security guards were supposed to carefully check anyone entering the site by looking at the pass, which the individual usually waved at them, and then looking at the person’s face. A reconciliation, if you will: that the person and the face on the pass matched. If yes, you could enter. And if not, well, I don’t know really. Maybe you’d be thrown to ravenous wolves, taken out to some nearby waste ground and double-tapped, renditioned to the Forest of Dean with a hood over your head, or, more likely, have some form of painful visitation from the head of security and his acolytes. And I like many parts of the Forest of Dean, for the record, before anyone complains.
We were concerned that this key control - matching the person to the face on the pass - did not operate properly in practice. In other words, the control may have been adequately designed (at least at the time), but was it operating effectively, executed properly each time, every time? It needed to be. If not, the security guards were potentially admitting unauthorised people to the site. Not good. At the very least, the risk of this happening was considerably higher than it should have been.
We firmly believed that the security guards were not as attentive as they could have been and that the checking was often lethargic or perfunctory. Especially when it was cold or wet. The guards sat in individual security booths and when a cyclist or vehicle pulled up, they had to peer out as the driver and any passengers waved their passes at them. The booth was cosy and warm. Looking out properly and carefully often involved getting cold and wet. If passes and faces matched, the security guard would then raise the barrier and the vehicle would be admitted.
A similar routine would occur with pedestrians. A security guard in a warm, comfy guard post would have to move to the doorway where it was often as cold and wet as it was outside, to properly scrutinise a pass.
And this was where our imaginative testing idea came about.
Why don’t we forge some passes and try to use them to get onsite?!
I honestly can’t remember whose idea this was, but I know that I had a hand in it. We loved the idea and got to work quickly. Using only our desktop IT applications, card, plastic, scissors, a scanner, photocopier and a printer we soon produced enough fake passes for each of the internal audit team involved to use. It was a positively Blue Peter operation.
We made them the same (rough) colour as the original, slightly-larger-than-a-credit-card passes, but instead of our own photos we had a final moment of inspiration, or madness, if you prefer.
We used the images of cartoon characters, mostly Walt Disney ones. So, there was a Mickey Mouse, a Daffy Duck (strictly a Warner Bros character, but never mind), a Little Mermaid, Bambi and suchlike.
We made up several fake passes and were more than happy with the results. We all looked forward to this part of the testing as you can imagine. And more importantly, we managed to avoid a Reservoir Dogs-style disagreement over who would ‘be’ the Little Mermaid or Bambi. We agreed that we would take it in turns to use each of the passes as the field testing began.
Over the course of a week, at various times of day, in different vehicles, cycling or on foot, members of the internal audit team used the fake passes to attempt to gain access to the site. We must have carried out around 20 attempted entries.
And each time we succeeded in getting onsite without any trouble at all.
As you (and we) were secretly hoping, I guess.
The organisation had several thousand employees, so it is not as though the security guards knew us personally. And even if they had, of course, they should still have diligently performed the person-to-face-on-the-pass matching control. A pass with Bambi’s face on it should fail that check whoever presents it.
The result? Toons would clearly have overrun the organisation. A big risk, for sure.
We also tested other things too of course.
Ultimately, the internal audit report was a joy to draft! For a change. You can imagine the impact it had once we issued it. And we certainly described in detail how we managed to get onsite. A one-page report may not have had the same impact. From memory, I think we even included a photo or two of the best of the fake passes, for added amusement. In an appendix of course.
The head of security was shocked but also secretly rather impressed by our work. I heard that he subsequently had a rather colourful meeting with the outsourced security provider and, from memory, I think the contract was retendered shortly thereafter. Quite right too.
So, internal audit testing can be fun. And so can report-writing.
Maybe we just need to be a bit more creative from time to time.
And so, my friends, more importantly, which Walt Disney cartoon character would you be?
**************************************************************************
I hope you enjoyed this second tale from the internal audit trenches and that it has maybe made you think about how you could make your testing more fun. Err, while still achieving its serious goal, of course! (Performance Standard 2300 - Performing the Engagement - Internal auditors must identify, analyse, evaluate and document sufficient information to achieve the engagement’s objectives. As you remember.)
And of course, you only have to look at the latest Risk in Focus 2022 publication (Risk in Focus, IIA) to see that security, both physical and logical, remains an important area of risk and potential internal audit focus.
I will pick up how well some of the other security-related policies were operating in practice in a future tale...look out for the one I’ll call, “Oi, what do you think you’re doing?!” That ‘get out of jail free’ letter proved useful in the end, after all.
Cheers!
The Audit Communication Guy! Training, Coaching & Consultancy Services for Corporate Clients (3y): Man, I'm still LOLing over this EPIC tale on the SECOND read! 🤣🤣🤣 This is a gift that keeps on giving, John mate! Post du jour!

The Audit Communication Guy! Training, Coaching & Consultancy Services for Corporate Clients (3y): Oh my goodness! Total 🔥🔥🔥🔥🔥 in the feed from BIG John Z Chesshire! A "Reservoir Dogs-style disagreement over who would be 'The Little Mermaid' or 'Bambi'" 🤣🤣🤣 More please! More ... And the rest of you can give up NOW! There's only ONE! 🙌

CMIIA, QIAL, CIA (3y): Very amusing, whoever said auditing was dull? I have got loads and when we catch up we can share some, but the refuse driver, commercial waste, long-range cameras and driving surveillance all come to mind. All highly illegal nowadays!!! 😂 SWAP Internal Audit Services

Internal Audit Director (SMF5) at Sainsbury’s Bank (3y): Love this!

Head of Internal Audit at University of Birmingham (3y): Love it John, fantastic story. Had to find my Disney character which came out as ….. Belle from Beauty and the Beast! 😂