Blog: ​Strong and Effective Internal Audit Is Essential to Keeping Companies out of Trouble

In his blog, IIA President and CEO Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. Here’s an excerpt from his latest post:

Hefty fines levied by U.S. regulators last week in two high-profile cases provide new examples of how ineffective controls can lead to significant problems. One instance was driven by inadequacies in managing cloud computing risks, the other resulted from conspicuous and deliberate rejection of sound governance practices. In one instance, internal audit was part of the problem. In the other, it was a victim.

The best known of the two cases involved Capital One, the Virginia-based bank holding company known for its catchy “What’s in your wallet?” advertising campaign. The bank was hit with an $80 million civil fine from the U.S. Office of the Comptroller of the Currency (OCC) stemming from a 2019 data breach that exposed more than 106 million customer records.

The FBI arrested a former Amazon employee in connection with the crime, alleging she also breached 30 other companies and organizations. She is accused of creating a program to scan cloud customers for a specific web application firewall misconfiguration associated with Amazon Web Services. Once the tool found its target misconfiguration, the hacker exploited it to extract account credentials from databases and other web applications. While clearly the victim of the hacking scheme, Capital One was presentably susceptible because of serious lapses in basic risk assessment and control processes associated with cloud computing, according to details of the breach revealed in an OCC Consent Order.

Read the full InternalAuditor.org blog post from IIA President and CEO Richard Chambers.