Internal Audit and Atypical Risks

When a Canadian cryptocurrency exchange CEO died unexpectedly, he was the only person who knew the security keys and passwords needed to access $70 million in cash and $190 million in bitcoin and other cryptocurrencies belonging to his company's 115,000 clients. The Supreme Court of Nova Scotia has granted the company, QuadrigaCX, protection from creditors while appointed monitor Ernst & Young (EY) sorts out the mess.

Apparently, CEO Gerald Cotton ran the business from an encrypted laptop to which he was the only person with access. The laptop is thought to contain the keys — long, randomly generated sequences of numbers and letters — to digital wallets holding millions.

This could easily be a post about some of the underlying risks associated with cryptocurrencies or other uses of blockchain technology. Instead, I use this as an example of atypical risks. Atypical risks are described as "risks that are difficult to define and assess, or those very infrequent in occurrence."

The incident at QuadrigaCX exemplifies atypical risk: It is the first time a crypto exchange is known to have "lost the keys." While unsecure passwords have been seen as a risk for some time, encryption codes for blockchain are at the other end of the security spectrum, considered safe from hacking. Companies are springing up to try to help people who did not write down or lost their encryption keys, which is sometimes successful if the client has partial numbers.

In this unusual instance, the security was too secure. And to add to the intrigue and suspicion here, EY reported there is more than one active laptop at the center of the case, plus three encrypted USB flash drives. Experts in the cryptocurrency industry say there's a slim chance technicians will be able to recover the currency, according to The Canadian Press.

It's not clear if QuadrigaCX, one of 237 widely recognized public cryptocurrency exchanges worldwide, has an internal audit activity, but it's doubtful. EY, in its initial attempt to unravel the company's finances, reported to the court that QuadrigaCX had no discernible accounting system, no bank account, that Cotton's directions to release payments were made by email to employees through third-party payment processors, and payment inflows and outflows were not systematically tracked.

In The IIA's 2019 North American Pulse of Internal Audit report (to be released in early March), data indicates that 7 in 10 chief audit executives (CAEs) are "extremely, very, or moderately" confident about their audit function's ability to identify and assess atypical risks. However, this confidence is somewhat contradicted by results showing less than half agree that management has similar capability. Nearly one-fourth of CAEs reported management was surprised by a risk in the previous 12 months.

This incongruity may be explained by internal audit's peripheral involvement in these types of risks. Internal audit is not normally where boards turn for identification of atypical risk. Seventy-eight percent of CAEs rated the likelihood of board reliance on executive management as very likely. That figure drops to 49 percent for internal audit and 48 percent for the risk management function.

Among all this is opportunity for internal audit to think creatively about risk. What could happen that no one has thought of? What is happening in the world that could impact the organization in the short, medium, and long term?

It also highlights another opportunity for internal auditors: Use time with senior management and the board to initiate conversations on atypical risks, and be seen as a resource to provide insight and foresight. Talk about succession plans, who has access to company "secrets," and what is stored where. To protect and enhance value, it's important we remain vigilant and ensure our objective voice is heard.

That's my point of view. I'd be happy to hear yours.