On a recent flight, I caught a snippet of the conversation behind me:
Of course, we are compliant.
Both my teams are compliant too.
Yes, yes, we are all compliant.
I could not help, but think that compliance for some has become a dance in, and of, itself. We gather evidence, identify control deficiencies and report to management. Performance is measured by the number of controls that have been successfully validated without exceptions, or conversely, a reduction in the number of deficiencies identified. This leaves us wondering what the forest truly looks like beyond the trees. To be sure, control deficiencies have real consequences – a persistent error in a system calculation can skew reported financials, ...