By Chinmay Kulkarni
Ever Showed Up Without Your Office Key Card? I Did!
It was Wednesday morning, 8:45am.
I’m rushing to make a 9am work meeting when I reach the office lobby. As I go to swipe my electronic access card…uh oh.
Where’s my key card? I left home without it!
Now I’m locked out with minutes to spare.
Panic sets in. Do I just wait in the lobby? Interrupt my manager to let me in?
As I’m puzzling, the front security guard notices my plight. “No worries, sir. I can help with that,” he pipes up.
I brace for him to send me back home for my forgotten card. But instead, he asks to see my government ID for verification. After checking my credentials against the employee database, he produces a temporary access pass so I can enter for the day.
This compensating control kicked in when the preventative control of issued employee key cards failed me.
See, those key cards are meant to let only authorized people in each day. When that primary protection lapsed, the guard still met the same goal by verifying my identity against the employee database and issuing a temporary pass.
It hit me that in both digital and physical security, compensating controls serve as backup mechanisms when our main defenses fall short.
So next time you forget your badge for the office, take comfort like I did!
IT teams and guards have planned backup verification methods so work can go on uninterrupted.
What are compensating controls?
In information security, compensating controls serve as critical backup mechanisms when primary defenses fail or are impractical to implement.
Primary security controls are initial safeguards designed to handle a particular risk, like complex passwords defending against unauthorized access. They are the first line of defense.
No control is 100% bulletproof all the time.
In my key card example, employee-specific cards regulate lobby access as the primary control. When I left that credential at home, the guard cross-checking my government ID against the staff database served as an effective compensating control for my unexpected situation.
Without compensating controls ready to go, the slightest hiccup in a primary measure can turn into a security incident or a workflow disruption. Planned contingency mechanisms let operations continue securely despite the inevitable failures of primary controls.
What should we as auditors do?
As auditors, one of our primary duties is assessing whether appropriate controls are in place to mitigate key risks. However, we are also realistic that primary preventative controls will not always be feasible or fail-proof.
Take the principle of segregation of duties – a crucial foundation of checks and balances. For a startup with only 15 employees, strictly enforcing segregated responsibilities across all functions can cripple productivity.
Does this automatically equate to poor internal controls?
This is where compensating controls become the auditor’s safety net. If a primary preventative or detective control cannot reasonably be implemented, we first consider alternate “plan B” mechanisms that still effectively fill the gaps.
For instance, if segregating roles is impractical in a small business, requiring dual authorization through an email approval chain for all payments above a threshold still prevents unilateral decisions, provided the second approver is someone other than the requester and the approval emails are retained as evidence.
As auditors, we must expand testing beyond just primary controls to uncover compensating contingencies addressing the same baseline risks.
Examining their design and operating effectiveness allows us to appropriately gauge residual risk exposure and overall internal controls.
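To make the dual-authorization example concrete, and to show what "testing operating effectiveness" of such a control can look like, here is an added example in Python. It is not code from the original article or its author. The threshold, the approver roles, the user names and the sample ledger are all constructed for this example; a real policy sets its own values and would pull the ledger from the payments system.

```python
"""Dual-authorization check for payments above a threshold, plus an audit
pass over a ledger. Threshold, roles, names and sample payments are
assumptions constructed for this example, not data from the article."""
from dataclasses import dataclass

# Policy parameters (assumptions for this example).
DUAL_AUTH_THRESHOLD = 5_000                     # payments strictly above this need a second person
AUTHORIZED_APPROVERS = {"cfo", "controller"}    # people allowed to give the second approval


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: int
    requested_by: str
    approved_by: tuple   # user names recorded on the email approval chain, in order


def policy_violations(p: Payment) -> list:
    """Return the reasons a payment fails the compensating control; an empty
    list means the payment is compliant.

    The control stands in for segregation of duties, so it checks that:
      1. payments at or below the threshold need no second person;
      2. the second approval comes from someone other than the requester
         (self-approval defeats the purpose of the control);
      3. that second person actually holds an approval role, otherwise any
         colleague could rubber-stamp the payment.
    """
    reasons = []
    if p.amount <= DUAL_AUTH_THRESHOLD:
        return reasons
    independent = {a for a in p.approved_by if a != p.requested_by}
    if not independent:
        reasons.append("no approval by anyone other than the requester")
    elif not (independent & AUTHORIZED_APPROVERS):
        reasons.append("approval recorded, but not from an authorized approver")
    return reasons


def audit_ledger(ledger) -> dict:
    """Operating-effectiveness test: run the policy over every recorded payment
    and return {payment_id: reasons} for the exceptions an auditor would raise."""
    return {p.payment_id: r for p in ledger if (r := policy_violations(p))}


# Constructed sample ledger (not real data). Comments state the expected verdict.
SAMPLE_LEDGER = [
    Payment("P-1", 1_200, "alice", ()),                        # under threshold: fine alone
    Payment("P-2", 9_800, "alice", ("cfo",)),                  # independent and authorized: fine
    Payment("P-3", 7_500, "bob", ("bob",)),                    # self-approval: exception
    Payment("P-4", 12_000, "alice", ("carol",)),               # second person, but no approval role: exception
    Payment("P-5", 5_000, "bob", ()),                          # exactly at threshold: fine
    Payment("P-6", 20_000, "carol", ("carol", "controller")),  # own approval ignored, controller counts: fine
]

if __name__ == "__main__":
    for pid, reasons in audit_ledger(SAMPLE_LEDGER).items():
        print(pid, "->", "; ".join(reasons))
```

Design testing asks whether `policy_violations` encodes the right rules (threshold, independence, authorized role); operating-effectiveness testing is `audit_ledger` run over the real period's payments, where every exception it returns is evidence that the compensating control did not operate as designed for that transaction.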
This article first appeared on Chinmay’s IT Audit Guide and is published here with permission.