The Equifax debacle, which left the personal data of nearly half of the U.S. population exposed, continues to offer lessons for internal audit practitioners, other risk management players, and organizational stakeholders.
The recent settlement between Equifax and eight states, which brought suit following the credit reporting agency's massive data breach, signals the end to those legal proceedings. But I believe its details also reflect a bold statement about the importance of internal audit: A strong system of risk management and internal controls must include an independent, well-resourced internal audit function that addresses the full portfolio of an organization's risks.
Indeed, scandals from Volkswagen to Wells Fargo to Equifax have heightened awareness that all players in risk management must work collectively and equally to succeed. Ultimately, there are consequences whenever key components of systems of risk management fail.
The Equifax consent order reflects those consequences for the troubled credit reporting agency, addressing shortcomings in internal audit and board and management oversight. A quick review of the settlement suggests concerns by the eight states' banking and consumer affairs officials that Equifax did not do enough to audit its IT controls.
Its call for quick action — within 30 days — for the audit committee to oversee establishment of an audit program "capable of effectively evaluating IT controls . . ." reflects a decided lack of confidence in what was being done before. Its call for improving board and management oversight of the information security program within 90 days also arguably speaks to less-than-desirable conditions.
In both cases, the consent order lists specific actions to be taken within the deadlines that are as detailed as any annual audit plan. Additional sections of the consent decree call for actions regarding vendor management, patch management, and IT operations relating to disaster recovery and business continuity.
What can we conclude from this?
Signals to Practitioners Auditing IT controls, while daunting, cannot be neglected by internal audit or the audit committee. In the 21stcentury, IT control failures are almost guaranteed to have consequences — financial and reputational.
The IIA published a Global Technology Audit Guide earlier this year that provides direction and insight on internal audit's approach to auditing IT governance. Its summary captures the importance of internal audit's active participation in IT assurance and oversight.
"Effective IT governance contributes to control efficiency and effectiveness , and allows the organization's investment in IT to realize both financial and nonfinancial benefits. Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance."
Signals to Stakeholders Serving on an audit committee or technology committee is not a passive act. Organizations cannot afford to have board members who wait on answers from management and internal audit. They must be engaged enough to ask the tough questions. If you don't understand, are overwhelmed by reports, or simply are confused, ask management or internal audit to connect the dots for you.
The consent decree left me thinking of the oft used metaphor about the cup being half full or half empty. It is tempting to pick through each word of the consent decree to try to piece together a post mortem on the Equifax breach. That would be the cup half-empty approach.
Instead, I'm more of a mind to take the cup half-full approach. The same paragraph that calls for an audit plan capable of effectively evaluating IT also requires that it comply with the Internal Audit Charter, "which requires compliance with International Standards for the Professional Practice of Internal Auditing." That statement is one of the most important signals of all.
Executives from the eight states who signed off on the consent order — Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina, and Texas — recognize and understand the value and importance of IIA Standards. It is also notable that the order identifies internal audit assurance over IT controls and proper audit committee oversight as the solution to the company's IT woes. This conclusion falls in line with one of The IIA's core messages: Internal audit is integral to good governance and good governance is integral to protecting and enhancing organizational value.
Not surprisingly, recognition of internal audit is the keystone of The IIA's North American advocacy strategy. The IIA continues to push for the U.S. Securities and Exchange Commission to make it easier for the public to know whether publicly traded companies have an internal audit function in place. In the simplest terms, The IIA believes the public is best served when it knows internal audit is on the job providing assurance on the effectiveness of an organization's risk management process.
That will hopefully prove true at Equifax going forward.
As always, I look forward to your comments.