So I purchased some of those curly cue light bulbs (CFLs), but as I am prone to do, I got the wrong ones (the base wasn’t right). Also like I always do, I bought the giant big box store pack, so it made sense for me to return them. So my family and I roll up to the <big box warehouse store> and I head for the customer service desk. I make pleasantries with the Lady Behind the Counter and inform her of my desire to return these bulbs for a refund. She takes the package, looks it over, and asks where the Sticker is. It’s at this moment, were this an 80s high school movie, that some DJ somewhere would cause the record to scratch. For you see, I had no such Sticker on my packaging. I so informed her, and she was exasperated. The greeter at the door was supposed to interrupt my ingress, inquire about the returned merchandise in my hand, tag it with the Sticker and direct me to the customer service desk. Since that hadn’t happened, there was no way they could possibly know that I hadn’t taken this off the shelf and walked directly to the desk to perpetrate some fraud.

“We’ll have to check the videotape,” she said.

At this point, I too was exasperated. I attempted to explain that I purchased this and showed her my receipt. She waved over the greeter who was unable to recognize me from the myriad throngs of people that had been so “greeted.” The Lady Behind the Counter began making calls up the ranks. My wife asks if I would like her and my daughter to wait.

“Oh yes,” I say, “having my family nearby makes me look less like a criminal.”

I hear the half conversation over the phone where the Lady Behind the Counter says, “Uh, $16. Oh, okay,” and then hangs up. “We’ll accept it this time, but next time…”

I’ve turned this exchange over in my head countless times since. How could they have authenticated me better? What sort of losses from this threat vector have they incurred that caused them to implement this program? I never had to get a sticker on my returns from the <big box warehouse store> back in Central Ohio…

I’ve used this story several times since as an illustration of the distinction between auditors and risk professionals. It is absolutely critical that somebody be in charge of checking tickets. You need a ticket to get into the show, or in my case a Sticker. The policy says you need a Sticker, so a Sticker is what’s required. It’s also critical that the person at the door check incoming merchandise and apply a Sticker. The former is the auditor; the latter is more akin to IT operations. But what of the person on the phone? Ah! They were the risk manager, you see. They understood that a policy violation had occurred despite my having a valid receipt and a relatively honest-looking face. They could have checked my purchase history to see that I spend A LOT of money at their establishment. Sure, they had video of the incident, but for $16, everyone had better things to do. That is a risk-based decision. That’s just being a human being in a room otherwise full of automatons and making a judgement call that there are better things to spend our finite resources on than less than $20 worth of light bulbs that I likely really did purchase.

This is why the notion of something called a “risk-based audit” is somewhat anathema to me. Sure, please do check controls in areas where there is risk in the business, but that will quickly give rise to the causality dilemma commonly referred to as a chicken-or-the-egg scenario: if the audit is meant to reveal high-risk areas, then how could we possibly use risk as an input to scoping the audit (which is the premise of the risk-based audit)?

To bring this back home, let me say that I absolutely want and need somebody issuing and checking tickets at the door. But I’d never mistake them for risk managers. And if you wish to progress in your careers as IT risk professionals, try being the person on the other end of that phone call, and stop sweating the small stuff, because somebody’s probably trying to run off with a new TV while you’re squabbling over light bulbs.