Sometimes, executives abuse power and override corporate internal controls. Controls such as segregation of duties and system access controls are implemented to safeguard any organization from many risks facing companies and ignoring such controls leaves major risks unaddressed for the companies. Executives like all other employees should not be exempt from following any of the company policies, procedures or any of the internal controls in place in order to ensure continued safeguard of company assets including confidential information.
Usually, when policies and procedures are not followed or are overridden by the same people who created and approved them, it becomes not only impossible to prevent such violations but also extremely difficult to immediately detect such security violations because the detective controls are also sometimes eliminated, manipulated, bypassed, or ignored all together. Such violations may be detected during subsequent internal or external audits but it may be too late by then since a control override for even a short period of time may lead to serious consequences.
Executives sometimes abuse power by overriding controls because 1) they don’t even know their actions constitute control override and policy violations, 2) they are not fully aware of the consequences of their corporate violations leading to inadequate or lack of controls, 3) they are busy and don’t think the same stringent controls and rules apply to them, 4) they don’t think they pose any risk to the company if they violate the policies vs. the rest of the company, 5) they plan to commit fraud, and 6) they can do it and sometime get away with it due to their positions and perceived entitlement and rights in the company.
To their credit, when executives abuse power and override controls, it’s not always knowingly. What I mean by this is that a) executives might not know that their actions or decisions are overriding existing controls placing the company at risk, b) might not know the consequences of their actions, and c) might not even have requested such override. When executives abuse power and override controls knowingly, it can be malicious and/or much more dangerous. For example, such power abuse can be intended to commit fraud, which can cost the company immensely.
In some instances, executives abuse power innocently by granting their assistants the right to request a password reset because they forgot their passwords and don’t have time to request a password reset. By doing this, the executives convey their privileged access rights to sensitive company information and e-mails to their assistants and by doing so, even for a short period of time, they have just placed their company at risk unknowingly. Although, the decision to share their passwords with someone else is intentional and careless, I believe the consequences of such decision and introduction of additional risks for the company are unintentional in this example.
When executives abuse power unknowingly, their actions can still be dangerous for the company but not malicious. I’ve encountered many cases of unrequested control override. One example that comes to my mind is the automatic granting of access to restricted areas to executives. The person or group responsible for securing a restricted area like the data center automatically grants the CEO or the President of the company access to such restricted area as if they’re automatically entitled to such access even if they have not requested such access nor have a need for such access. Last time I discovered such violation and confronted the person in charge of securing the restricted area suggesting the removal of the executive access, the person became fearful for his job when even thinking or considering about removing unneeded and unrequested executive access.
These findings suggest to me that 1) some employees in a company may believe that executives are entitled to unrestricted access and thus a) grant them such access even if they are not requested by the executives or b) employees would not question executive request for unneeded access or control override, and 2) some executives may believe the company rules don’t apply to them.
In order to maintain a sound internal control environment and address instances where executives abuse power, executives should be expected to support and follow the same policies that they created, approved and expect every one in the company to follow. It should also be clearly communicated to all employees that executives are not exempt from following company policies and are subject to the same rules and policies as every one else. Much too often, independent internal parties responsible for monitoring the existence of and compliance with internal controls within an organization are reluctant to follow-up on cases when executives abuse power, especially if such abuse is minor. However, the risk on hand is not always about the executives’ intentions, which may be innocent, but rather how others can take advantage of decreased controls because executives abuse power either directly or indirectly.
Return from executives abuse power to workplace security.