Should Some Internal Controls Be Surreptitious?

The Israeli defense forces claim they destroy all the attack tunnels they discover, but there is speculation that they leave some alone to monitor who uses them and why. Richard Cassin, writing on the FCPA blog, wonders whether the same concept ought to be implemented in corporations. Should some aspects of the internal controls on fraud be kept secret, as a way to catch bad actors? he asks. In the interest of transparency, most companies publish their ethics and compliance programs online, expressly so anyone can read and understand them, and how they are to be achieved. In some cases this can be counterproductive. Perhaps, he suggests, some controls should be surreptitious, not only to catch culprits but to avoid becoming a target. It is a well-known fact that whenever a company announces that its systems can’t be hacked, hackers take it as a challenge and routinely succeed. The same concept may apply to internal controls.