At the end of last month, the Chartered Institute of Internal Auditors published its latest report, Internal Control Failure! The report analyses Financial Conduct Authority fines linked to internal control failures over the past five years. Its publication has already sparked an important debate about why strong internal controls matter. These are not merely technical compliance issues, nor a matter of failing to tick a box. When controls fail, the consequences are felt in the real economy and in people’s everyday lives.
When we began this research towards the end of last year, we had little sense of the scale of the problem we were about to uncover. There had been growing media interest in major financial institutions being fined for control failings, including challenger banks such as Monzo and Starling. Even so, the findings were striking. Of the 97 FCA fines issued since 2021, more than half related to internal control failures, with penalties totalling more than £1 billion. Many of these cases involved weak, defective or entirely absent anti-money laundering and fraud controls.
Some of the individual cases are as shocking as they are concerning. In one instance, weak or deficient trading controls allowed a City trader to place erroneous trades whose value was comparable to the entire economies of countries such as Romania, South Africa or Hong Kong. In another, a bank’s internal audit function had not reviewed its financial crime function for more than eight years.
A case involving a major credit rating agency is equally troubling. Internal audit identified 7,500 critical or high cyber vulnerabilities on internal systems as far back as 2015, 93% of which remained unresolved for more than 90 days. As a result, the data of millions of people in the UK was exposed to the risk of a cyber-attack because internal audit warnings were not acted upon.
‘Reckless’ boards
In many of the cases we examined, the FCA warned that weaknesses could have enabled money laundering, the financing of international terrorism or organised crime. In some instances, the regulator went so far as to describe firms as “reckless”.
Perhaps most concerning of all is that internal audit or compliance teams often raised red flags years in advance, only for those warnings to be ignored or for remediation efforts to stall. In some cases, boards failed to give these warnings the attention they required.
These findings should therefore give pause for thought not only to internal audit leaders, but to board members too. In several instances, it was not just companies that were fined, but individual directors as well. The message here is hard to miss.
Regulators and policymakers should also reflect carefully on the report’s findings. After all, warnings about the damage caused by weak internal controls have been circulating for decades. The debate stretches back to the dotcom bubble of the late 1990s and the collapses of WorldCom and Enron, and it resurfaced prominently in the wake of the global financial crisis of 2008.
Pull your SOX up
A decade later, following Carillion’s collapse in 2018 and the subsequent independent reviews of audit and governance regulation, the government was urged to legislate for stronger internal control requirements, drawing on lessons from the Sarbanes-Oxley Act in the United States.
Ultimately, policymakers stepped back. Rather than legislating, they opted to strengthen the UK Corporate Governance Code, relying on a “comply or explain” approach. Yet too many companies still neither comply nor explain properly. Too often, annual reports offer boilerplate statements on controls that do not always live up to reality.
The introduction of Provision 29 in the UK Corporate Governance Code and the new Internal Controls Declaration is a step in the right direction, but it lacks the weight of a statutory reporting requirement. That makes the role of internal audit even more important. Our research suggests that boards’ declarations should explicitly cover areas such as anti-money laundering, fraud and cybersecurity. These statements should also be supported by robust evidence and assurance, including from internal audit.
The report highlights further lessons for boards and audit committees, including the need to ensure internal audit is properly positioned, resourced and taken seriously when issues are raised. The Chartered IIA’s Internal Audit Code of Practice provides a useful benchmark for establishing and maintaining an effective internal audit function. The latest iteration makes clear that fraud, financial and economic crime should be included as part of the scope and priorities of internal audit.
Three Lines Model
Audit committees should also ensure that the Three Lines Model is fully embedded and operating as intended and not just on paper. This includes clear ownership of risks and controls by management, effective oversight from risk and compliance functions, and independent assurance from internal audit that controls are working and risks are being managed.
When serious issues are identified, boards and audit committees must act decisively. That means holding management to account, driving remediation and supporting internal audit’s independence, authority and capability. Without sufficient standing, skills and resources, internal audit cannot provide the credible challenge organisations need.
The findings of Internal Control Failure! should serve as a wake-up call for internal audit professionals, boards, policymakers and regulators alike. The real test will be whether, in the years ahead, we continue to see the same costly failures that have caused such widespread consumer and market harm, or whether organisations finally raise the bar on internal control.
Leading commentators, including the Bank of England, are warning that stock markets are too high. Others are increasingly pointing to the risk of an AI bubble. At a time of unprecedented risk and uncertainty, boards must ensure strong internal controls are at the heart of successful business models. In the current environment, this could mean the difference between a business that succeeds and a business that fails.
Gavin Hayes is head of policy and public affairs at the Chartered Institute of Internal Auditors