Internal Audit’s Role in Picking up the Pieces

I have written several blog posts on high-profile risk, control, and governance failures over the past few years, from Volkswagen to Toshiba to Wells Fargo. Some posts looked at lessons learned while others explored internal audit’s role or absence in those corporate stumbles.

Public scandal makes easy fodder for critics, and pundits have made an industry of commenting on failure. But I’d like to focus on the thoughts of one of the most quoted and inspirational leaders of the 20^th century, Winston Churchill. The U.K. prime minister, celebrated as bold, brave, resolute, and tireless in his leadership during World War II, also had his share of political and military failures.

Throughout his storied political career, he learned that success and failure are intimately intertwined. The Churchill quote that best captures this is, “Success is not final, failure is not fatal. It is the courage to continue that counts.”

With this as inspiration, let us explore how internal audit can contribute to an organization’s recovery from ignominious scandal or high-profile risk and control failures. ​​

Ride-sharing innovator Uber was hit by multiple scandals, from driver revolts and revelations of its use of software to circumventing rules in cities where it operates to the company’s alleged indifference to sexual harassment and lack of diversity. The fallout seriously bruised the company’s reputation and led to the ouster of its hard-charging CEO, Travis Kalanick.

Its new CEO’s approach to rehabilitating Uber’s reputation amounts to a high-profile listening tour followed by decisive action. Under Dara Khosrowshahi’s leadership, Uber is responding to long-simmering issues of culture at the root of many of its problems. App changes have introduced a tipping option for drivers and a new 9-1-1 feature for passengers who feel threatened. The new leadership also has placed an emphasis on diversity and inclusion.

Facebook and Wells Fargo, which suffered significant reputational harm from a series of scandals, have taken a different approach. The public face of rehabilitation for these two companies — one relatively young and the other more than 150 years old — are expensive and sophisticated multimedia ad campaigns. But they are not stopping there.

Wells Fargo, which was hit with regulatory fines in the hundreds of millions of U.S. dollars for its fake-account scandal, announced an overhaul of its risk management process and changed its incentive pay plan for tellers and other bank employees. It recently agreed to settle a customer class-action suit for $142 million.

Weak controls at Facebook allowed Cambridge Analytica to illegally gather information on more than 87 million users. The scandal that erupted when details of the operation came to light drew typically reclusive Facebook founder Mark Zuckerberg out to publicly defend the social media giant at U.S. congressional hearings.

Zuckerberg testified that the company is looking at every app on its site with access to large amounts of user data, and vowed that any using data inappropriately would be banned and that affected users would be informed.

In all three examples, the high-profile failures and ensuing reputational damage were fueled at least in part by unanticipated risks from efforts to boost revenue. Management’s zeal to secure new business, overtake a competitor, or meet unrealistic sales goals create risks that can “come home to roost.” They can make the organization more susceptible to known risks and expose it to previously unknown or unanticipated risks.

Internal auditors can play a role in making the board and audit committee aware when management may not be effectively managing risks or may be straying beyond the risk appetite previously agreed with the board. In past blog posts, I’ve described the setting of risk appetite as the board painting lanes on a highway. The board essentially says to management, “Here are the lanes outside of which we don’t want to venture. Stay within these lanes.” It is internal audit’s job to alert the board when management veers outside those lanes.

But what is internal audit’s role when the organization is picking up the pieces of a significant risk management failure? The circumstances of each debacle dictate the particular role internal audit plays, but here are a few preventive or reactive roles to consider:

• We tried to warn you. Could the failure have been avoided had management and the board followed internal audit’s recommendations? The U.S. city of Atlanta’s recent cyber breech offers a good example of such a scenario. The breech would likely have been avoided had it followed internal audit’s urging to address identified cyber vulnerabilities months before the breach. In such instances, internal audit must push tirelessly for its initial recommendations to be implemented.
• Where’s the crisis plan? Internal audit should provide assurance on crisis communications and business continuity plans that offer direction in the event a high-profile scandal emerges. After the crisis, internal audit can examine how effectively the plans were executed.
• New and improved. Wells Fargo and Facebook both are investing in advertising campaigns to repair their bruised images. While some might criticize such actions as superficial or cosmetic, internal audit can play a role in providing assurance on the claims and promises such campaigns make. After all, consumers, regulators, and others will be even less forgiving of a second debacle.
• Risk management changes. Wells Fargo, Facebook, and Uber each committed to change some aspects of their risk management processes, including Wells Fargo’s risk management retrofit. Internal audit can provide an important enterprisewide perspective to such overhauls and assurance on subsequent new processes.
• It’s all about culture. Officials at Uber and Wells Fargo have commented publicly on how culture contributed to their problems. For example, Khosrowshahi described how Uber’s success masked its culture problems. “Winning gives an excuse for bad behavior,” he told the New York Times‘ Andrew Ross Sorkin in 2017. The more internal audit can incorporate examination of culture in its work, the more likely it can alert the board and management to potential problems.

These are just a few examples of internal audit’s role in the aftermath of scandal. I’d be interested in hearing your thoughts, as well.