With the end of the year it’s time to look back at the headlines that should have attracted internal auditors’ close attention. Like recent years, 2018 saw a number of big stories about high-profile corporate scandals. Several may have sown the seeds for the next wave of regulations that could impact the work of internal audit.
Fines and regulatory settlements of past scandals made for many more headlines in 2018 involving Equifax, Wells Fargo, and Volkswagen. They also provided important lessons about risk management.
The settlement of a class action suit brought against Equifax by eight American states signaled what I described in a July blog post as “a bold statement about the importance of internal audit.” The Equifax consent order, stemming from the stunning 2017 data breach that exposed the personal data of more than 140 million Americans, was designed in part to address shortcomings in internal audit and board and management oversight.
Similarly, a massive billion-dollar fine by two U.S. regulators against Wells Fargo for its mishandling of auto insurance and home loans also elicited an agreement to change the lender’s risk and compliance practices. That included producing for its board a detailed plan to strengthen its compliance and risk management functions.
The U.S. Federal Reserve went further, limiting the bank’s ability to grow its balance sheet beyond 2017 levels until it takes steps to address risk management shortcomings. Wells Fargo estimates the limitation would cut its annual profit by as much as $400 million.
As for Volkswagen, the fallout continued three years after its emissions scandal first erupted. “Dieselgate,” which has already cost the automaker more than $15 billion in fines, has morphed into greater scrutiny and skepticism among European regulators — not just for Volkswagen, but for Daimler-Benz and BMW, as well.
I wrote about the important lesson for internal audit and risk managers from those situations in the July blog post:
Indeed, scandals from Volkswagen to Wells Fargo to Equifax have heightened awareness that all players in risk management must work collectively and equally to succeed. Ultimately, there are consequences whenever key components of systems of risk management fail.
The stunning downfall of one of the United Kingdom’s biggest construction companies brought to light failures in board oversight, government oversight, and both internal and external audit functions at Carillion.
The worst news from an audit perspective was what can only be described as a highly dysfunctional independent assurance process laid bare by two parliamentary select committee investigations. One committee report described the outside firms that provided audit or consulting services as a “cozy club incapable of providing the degree of independent challenge needed.”
The fallout from Carillion peaked late in the year when the U.K.’s Competition and Markets Authority issued a report calling for separation of audit from consulting services among the Big Four firms — KPMG, EY, Deloitte, and PwC. This includes a split between audit and advisory businesses, with separate management and accounts.
The reports also include recommendations to create additional accountability for those appointing auditors, and development of a “joint audit” system, where the Big Four would have to work with smaller firms on audits.
Not all of 2018’s headlines were about internal audit failings. Indeed, news reports indicated that Atlanta’s ransomware attack could have been avoided had city leaders acted on internal audit recommendations to address serious cyber vulnerabilities.
The city’s auditor laid out dire shortcomings in Atlanta’s IT department and forewarned that there were basically no formal plans in place to protect the city from cyber threats. The audit report warned that complacency and severe resource shortages in IT created a “significant level of preventable risk exposure to the city,” and it concluded the city had “no formal processes to manage risk.”
The arrest of Nissan Motors board Chairman Carlos Ghosn on charges that he severely underreported his compensation to Japanese authorities raised significant questions about governance and assurance processes at the automaker.
Indeed, Nissan CEO Hiroto Saikawa described the “dark side” of placing too much company power in one person’s hands and called the corporate governance structure within the company “weak,” according to Bloomberg News. I raised a more fundamental question in a blog post on the scandal:
But the question that isn’t being asked is, why was an admittedly “weak” governance structure allowed to exist in the first place at a Fortune 100 company? And a more fundamental question is, who was charged with assuring good governance at Nissan?
Criminal charges were brought against former Public Company Accounting Oversight Board (PCAOB) and KPMG employees accused of using leaked PCAOB information to help the Big Four firm improve its audit results. The wrongdoing was exposed by an internal KPMG investigation and related federal investigation, and the arrests resulted in an October guilty plea from one former KPMG executive.
To its credit, KPMG acted quickly when it learned of the scheme and cooperated fully with federal investigators. It also fired the three executives involved. As I wrote in a related blog post, organizations must set ethical standards, communicate them clearly and repeatedly, determine suitable punishments for transgressions, and act consistently when disciplining ethical violations, no matter who commits them.
The lesson for practitioners is to be aware that professional ethics live and die at the personal level. In other words, the moral compass is ultimately steered by the individual. Executive leadership must understand this reality and be prepared to react decisively and ethically when an employee’s personal weakness puts the organization at risk.
Driven by whistleblower revelations, details of the Facebook–Cambridge Analytica debacle raised the stakes on data privacy in March, just two months before the European Union’s new data privacy rules went into effect.
Many have accused Facebook of lax oversight of its privacy protocols and confusing privacy settings that put the personal information of nearly 90 million people at risk and further exposed how social media could be exploited politically.
The Facebook revelations prompted significant policy discussion and enactments among U.S. lawmakers involving data privacy. The California Consumer Privacy Act, signed into law in June and effective in January 2020, requires explicit consent to share consumer information.
It probably won’t end there. Indeed, the White House said in July it would work with lawmakers to create consumer privacy protection. Apple and Google weighed in during September, urging Congress to create new federal privacy legislation.
The #MeToo movement redefined how many organizations see risks associated with sexual harassment and inequality in the workplace. While those two areas were known risk categories prior to the movement, the explosion of misconduct allegations against executives from the entertainment industry and elsewhere significantly raised these risks. The movement also showed the power of social media and the lightning speed at which atypical risks can impact organizations.
The #MeToo movement’s impact was demonstrated in voter turnout in the U.S. midterm elections and a record number of women being elected to Congress. This new dynamic could influence legislation and regulations next year and into the future.
In December, The IIA announced a yearlong project to review and update the Three Lines of Defense, one of the best known risk management models. The project is headed by a core working group of governance experts who have tapped into the vast experiences of a 30-member advisory group. The project includes a comprehensive review of governance approaches from around the world, and it will seek out and incorporate public comments through a formal exposure process.
From the outset, The IIA’s objective has been to explore how best to update the Three Lines of Defense model to reflect changes in modern risk management and governance, while at the same time preserving its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks present.
The consequences associated with several of the headlines outlined here highlight the potential for new regulation or regulatory scrutiny. Internal auditors should monitor developments in these areas in the coming year and be prepared to speak candidly with stakeholders about control weaknesses in cybersecurity, data privacy, and elsewhere that make their organizations vulnerable.
As always, I look forward to your comments.