An unfortunate truth about our profession is that risk and control failures can and do happen despite internal audit’s often heroic efforts. This reality is highlighted by several recent public- and private-sector incidents.
Last month, I wrote about Atlanta’s cyber breach and how the city’s internal auditors had warned officials that their IT systems could be easily compromised. Those officials’ failure to act promptly to correct the deficiencies left the city susceptible to a ransomware attack that crippled its computer network.
Meanwhile, the California state auditor reported that the University of California (UC) president’s office had amassed $175 million for preferred projects but did not disclose it in its public budgets. A year has passed since then, and several recommended fixes have not been made. That failure to act could lead to leaner allocations from state coffers for the UC system, which would have to be offset by tuition increases.
Beleaguered U.S. banking giant Wells Fargo offers an example of just how costly ignoring internal audit can be. The U.S. Bureau of Consumer Financial Protection and the Office of the Comptroller of the Currency announced in April the bank would be fined $1 billion over practices involving its mortgage and auto businesses.
In its settlement with the U.S. regulators, Wells Fargo admits it wrongly applied policies relating to auto insurance requirements and locked in mortgage rates to the detriment of customers. But the regulators found fault not only on Wells Fargo’s misapplication of policies. They concluded the bank’s actions reflected risk management practices that they deemed “reckless, unsafe, or unsound.”
The regulators determined internal audits identified the misapplication of the policies early on, yet the bank’s management allowed the practices to continue. For example, in the case of the locked-in mortgages, the bank continued to charge borrowers extension fees when it shouldn’t have for nearly three years after internal audits discovered the problem.
Each of these instances provides an example of governance meltdowns fed by board and management inaction or indifference to internal audit’s work. Such instances, at best, frustrate practitioners who take seriously their task of providing assurance over risk management efforts. At worst, they can demoralize internal audit staff, thereby eroding the function’s effectiveness.
We should never forget that the work of internal audit yields transparency for management and the board on the complex web of processes and policies that help to mitigate the key risks their organizations face. Transparency, whether shining a light on successes or weaknesses, should ultimately lead to accountability and improved governance. Transparency is internal audit’s greatest weapon.
Last week, more than 2,700 internal audit practitioners from around the world gathered in Dubai at The IIA’s annual International Conference. The conference theme, Connecting the World Through Innovation, was designed to inspire and invigorate attendees. Indeed, growing demands will require the profession to embrace technology in data analytics, artificial intelligence, and elsewhere, and to become more agile and visionary. As a profession, we recognize and are responding to changing needs and demands from our stakeholders.
However, success today and in the future also is dependent on our stakeholders — boards, executive management, investors — to recognize the value in our work and leverage it to improve the organization. The governance failures I outlined earlier show the dangers of ignoring that work.
We can take heart in knowing that, for every high-profile failure, there are thousands of untold success stories that illustrate how internal audit serves as an integral part of good governance. No matter the setback or challenge, internal audit must always be a beacon for transparency.
As always, I look forward to your comments.