Headlines That Defined 2018 for Internal Audit

Risk Management Chickens Came Home to Roost in 2018

Fines and regulatory settlements of past scandals made for many more headlines in 2018 involving Equifax, Wells Fargo, and Volkswagen. They also provided important lessons about risk management.

Carillion Collapse Exposed Systemic Risk Management Problems

The stunning downfall of one of the United Kingdom's biggest construction companies brought to light failures in board oversight, government oversight, and both internal and external audit functions at Carillion.

The worst news from an audit perspective was what can only be described as a highly dysfunctional independent assurance process laid bare by two parliamentary select committee investigations. One committee report described the outside firms that provided audit or consulting services as a "cozy club incapable of providing the degree of independent challenge needed."

The reports also include recommendations to create additional accountability for those appointing auditors, and development of a "joint audit" system, where the Big Four would have to work with smaller firms on audits.

Internal Audit Findings Could Have Prevented Atlanta's Ransomware Attack 

Not all of 2018's headlines were about internal audit failings. Indeed, news reports indicated that Atlanta's ransomware attack could have been avoided had city leaders acted on internal audit recommendations to address serious cyber vulnerabilities.

The city's auditor laid out dire shortcomings in Atlanta's IT department and forewarned that there were basically no formal plans in place to protect the city from cyber threats. The audit report warned that complacency and severe resource shortages in IT created a "significant level of preventable risk exposure to the city," and it concluded the city had "no formal processes to manage risk."

The arrest of Nissan Motors Chairman Exposed Weak Governance 

The arrest of Nissan Motors board Chairman Carlos Ghosn on charges that he severely underreported his compensation to Japanese authorities raised significant questions about governance and assurance processes at the automaker. 

PCAOB Insider Information Leaked to KPMG Employees

Criminal charges were brought against former Public Company Accounting Oversight Board (PCAOB) and KPMG employees accused of using leaked PCAOB information to help the Big Four firm improve its audit results. The wrongdoing was exposed by an internal KPMG investigation and related federal investigation, and the arrests resulted in an October guilty plea from one former KPMG executive.

The lesson for practitioners is to be aware that professional ethics live and die at the personal level. In other words, the moral compass is ultimately steered by the individual. Executive leadership must understand this reality and be prepared to react decisively and ethically when an employee's personal weakness puts the organization at risk.

Facebook Scandal Upped the Ante on Data Privacy

Driven by whistleblower revelations, details of the Facebook–Cambridge Analytica debacle raised the stakes on data privacy in March, just two months before the European Union's new data privacy rules went into effect.

Many have accused Facebook of lax oversight of its privacy protocols and confusing privacy settings that put the personal information of nearly 90 million people at risk and further exposed how social media could be exploited politically.

#MeToo Movement Continued to Topple Mighty Corporate Executives

The #MeToo movement redefined how many organizations see risks associated with sexual harassment and inequality in the workplace. While those two areas were known risk categories prior to the movement, the explosion of misconduct allegations against executives from the entertainment industry and elsewhere significantly raised these risks. The movement also showed the power of social media and the lightning speed at which atypical risks can impact organizations.

IIA Looks to Refresh Three Lines of Defense

In December, The IIA announced a yearlong project to review and update the Three Lines of Defense, one of the best-known risk management models. The project is headed by a core working group of governance experts who have tapped into the vast experiences of a 30-member advisory group. The project includes a comprehensive review of governance approaches from around the world, and it will seek out and incorporate public comments through a formal exposure process.

From the outset, The IIA's objective has been to explore how best to update the Three Lines of Defense model to reflect changes in modern risk management and governance, while at the same time preserve its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks present.


The consequences associated with several of the headlines outlined here highlight the potential for new regulation or regulatory scrutiny. Internal auditors should monitor developments in these areas in the coming year and be prepared to speak candidly with stakeholders about control weaknesses in cybersecurity, data privacy, and elsewhere that make their organizations vulnerable.


Source: Richard Chambers