April 2019

April 29, 2019

​Willful Subversion of Second Line of Defense Can Land You in Jail

Among my earliest memories as an internal auditor was the constant refrain from officials in my organization that, as internal auditors, our job was to keep them “out of jail.” It was their light-hearted way of signaling how important we were to them. I didn’t take them too seriously, because I didn’t know of too many people who went to jail because of an internal control or compliance failure. But, as Bob Dylan so famously sang, “the times they are a-changin’!”

The recent guilty plea by a former drug company compliance officer on conspiracy and other charges is yet the latest example of when willful compliance failures can lead to jail time for executive management.…

April 22, 2019

The Fallacy of Follow-up Audits

During my early years in the profession as a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?

There were always plenty of excuses from management when the follow-up audits disclosed that “problems had not been corrected”:

  • “We underestimated the complexity of the action we agreed to take.”
April 15, 2019

​Internal Audit’s Technology Challenge Is No Easy Road

I often refer to the end of the first quarter as “whitepaper season” for the internal audit profession. Typically starting in late February and into March, several key players in the profession publish reports that offer a glimpse into how we’re doing. 

Two recently released reports should raise serious concerns about internal audit’s slow progress in adopting and adapting technology to execute its responsibilities: Protiviti’s Internal Audit Capabilities and Needs survey, Embracing the Next Generation of Internal Auditing; and PwC’s State of the Internal Audit Profession report, Elevating Internal Audit’s Role: The Digitally Fit Function.

Protiviti’s report indicates that three out of four internal audit groups are undertaking some form of innovation or transformation, but most are only beginning that journey.…

April 8, 2019

Facebook Data Exposure Offers Critical Lesson for Internal Auditors

Facebook, once the social media darling that could do no wrong in the eyes of users and investors, was hit with another setback recently. Researchers at a cybersecurity firm discovered Facebook user information readily available on cloud computing servers run by Amazon.com.

The revelation comes about a year after Facebook was pilloried for the Cambridge Analytica scandal, where an app developer shared data on millions of Facebook users with a political consulting firm. Despite assurances from Facebook CEO Mark Zuckerberg that the company would do more to protect user data, lapses such as the one involving Amazon continue to come to light.…

April 1, 2019

​Every “Where Was Internal Audit” Moment Presents an Opportunity

One of the constant challenges for internal audit is to overcome being the unwelcome guest at the party. So, it is not a common occurrence when internal audit is actually invited. I bring this up in the context of the recent college admissions scandal in the United States. 

In the wake of this shocking breech of admissions processes and controls, there is a growing chorus of voices saying that, based on the risks that are obviously present, it’s time to include the admissions process at colleges and universities in internal audit plans. The profession should eagerly accept the invitation to step up and show the value of independent assurance.…