This picture says it all for me. I could stop here . . . . .
The car park barrier is the ‘control’ over access and use of the car park. The automatic gate opens only when you swipe your employee badge on the reader and it only lets one car through at a time. This way, it is clear that only authorised people can use the facility and that a record is kept of each visit. The automated control works perfectly and as designed. There is even a regular testing and maintenance cycle!
The tyre tracks tell us whether this control is achieving its desired effect.
Obviously not in this case!
That’s why controls monitoring is not enough. Irrespective of the debate on where the responsibility lies, it is important to test key controls in business and equally important to check the ‘tyre tracks’. The tyre tracks tell us what is actually happening and whether our risks are being effectively mitigated.