Another week, another example of internal control failures hurting an organization and industry.

Details of the scandal engulfing the online fantasy sports company DraftKings should be common knowledge by now. A DraftKings employee admitted to the early release of data not generally available to the public and won US$350,000 on a rival site, FanDuel, that same week. The comparisons to insider trading quickly – and logically – followed.

It didn’t take long for critics to start asking why a major player in the largely unregulated, multibillion-dollar fantasy sports industry didn’t have stronger controls in place to restrict access to protected information or ban its employees from participating in fantasy games elsewhere. In the wake of the bad publicity, I couldn’t help but wonder: Are there no “lines of defense” in fantasy football? One thing is clear: In the absence of such controls, regulators are more likely to step in and impose their own rules.

The lesson from this latest corporate blunder should be crystal clear: A well-designed system of internal controls is fundamental to reducing business risks.

It is important to have an understanding of how the rapidly growing fantasy sports industry works to grasp the magnitude of the imbroglio and how it might have been avoided through sound internal controls.

The industry was born from amateur fantasy leagues, where players assemble teams populated with real athletes. Points are earned based on how the athletes perform in real life, and winners are determined based on whose fantasy team accumulates the most points.

DraftKings and FanDuel, as well as other companies in online fantasy leagues, set up games in which players pay entry fees to go up against opponents, sometimes numbering in the hundreds. Prize money for the biggest winners can swell to seven figures. Indeed, DraftKings and others can afford to offer generous payouts, because the industry is expected to collect about US$3.7 billion in entry fees in 2015.

So here we would seem to have the perfect recipe for trouble: Take an in-demand commodity, add a helping of proprietary and valuable data, mix in the opportunity for large financial gains, and add a dash of resistance to or ignorance of internal control processes. Voila! We have cooked up the scandal du jour.

It’s not my intent to make light of a serious situation, but the current DraftKings mess was totally predictable. While DraftKings and FanDuel announced permanent bans on employees participating in fantasy leagues within days of the scandal breaking, the damage had already been done to their brands and reputations.

To be sure, the fallout was fast and painful:

• ESPN initially announced it would end DraftKings’ sponsorship of certain programming, and later said it would stop running its ads.
• The New York attorney general’s office announced it was looking into whether employees of DraftKings and FanDuel had an unfair advantage.
• A Kentucky man is seeking class-action status for a federal lawsuit that accuses DraftKings and FanDuel of negligence, fraud, and false advertising.

Should DraftKings executives be criticized for not anticipating such problems? Considering the industry is largely unregulated, has seen remarkably rapid growth, and handles huge sums of capital on a weekly basis, the answer is an unequivocal “yes.”

Beyond the obvious lesson in the benefits of having a well-designed internal control system, the DraftKings scandal indirectly provides yet another good example of the need for mandatory internal audit programs at publicly traded companies.

While DraftKings is not currently publicly traded, it is a textbook example of how limited or poorly designed int​ernal controls can quickly be overwhelmed by the pressures of rapid business success. One of the criticisms of mandatory internal audit programs is that start-ups lack the resources to support them. But without such an investment, organizations are at greater risk of making much costlier mistakes in the future.

It’s all about the old expression, “Pay me now, or pay me later.”