The FBI arrested a former Amazon employee in connection with the crime, alleging she also breached 30 other companies and organizations. She is accused of creating a program to scan cloud customers for a specific web application firewall misconfiguration associated with Amazon Web Services. Once the tool found its target misconfiguration, the hacker exploited it to extract account credentials from databases and other web applications. While clearly the victim of the hacking scheme, Capital One was presentably susceptible because of serious lapses in basic risk assessment and control processes associated with cloud computing, according to details of the breach revealed in an OCC Consent Order.
Capital One did not establish appropriate risk management for the cloud operating environment, including failing to design and implement "certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts," according to the order. More troubling, according to the order, is that the bank's internal audit "failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee." And even when internal audit did raise concerns, the OCC found, the board "failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses."
The bank, according to the OCC, has begun to address corrective action and committed to providing resources to "remedy the deficiencies."
Details in the report paint a picture of risk management and governance breakdowns at all levels — the board, executive management, and internal audit.
The second case involved World Acceptance Corp. (WAC), a small-loan consumer finance business based in South Carolina. The firm was fined $21.7 million by the U.S. Securities and Exchange Commission (SEC) for violations of the Foreign Corrupt Practices Act (FCPA) by its former wholly-owned subsidiary in Mexico. According to the SEC's Cease and Desist order, the subsidiary was accused of paying out $4.1 million in bribes to government and union officials over a nearly seven-year period. But this case was as much about poor controls as any attempt to cover up allegedly illegal actions.
The Mexican subsidiary was accused of paying government and union officials to ensure that loan repayments continued to be made in a timely manner, according to the SEC order. The scheme included paying intermediaries to fly to different municipalities in the country with "large bags of cash to pay officials." The subsidiary identified the payments as "commission" expenses and "lacked the internal accounting controls sufficient to detect or prevent such payments."
Beyond the obvious FCPA violations and accounting control lapses in Mexico, the governance breakdowns were compounded by a "tone at the top from WAC management (that) did not support robust internal audit and compliance functions and undermined the effectiveness of those functions," according to the SEC order.
The report details issues starting in October 2015, when the then-CEO fired the vice president of internal audit after he raised compliance concerns, including the lack of accounting controls at the Mexican subsidiary. The CEO then combined the internal audit and compliance functions into one department and pressured the vice president over the new department to cut staff and become more "bare bones," according to the SEC order. About a year later, the CEO changed the reporting lines for the department from the board to the general counsel. According to the SEC, the vice president over internal audit and compliance was soon ousted allegedly for voicing concerns that the functions were "not sound."
In 2017, external auditors formally reported material weaknesses in the firm's internal controls over financial reporting. Specifically, external auditors cited control design gaps in vendor management and payment processes in the company's Mexico subsidiaries.
In the Capital One case, it appears risk assessments, risk management, independent risk management, and internal controls testing were missing from cloud services. Worse, it appears internal audit provided little independent assurance over this key risk area. The corrective actions called for in the OCC order include development of a formal internal audit plan that includes:
- Reassessing the cyber and technology risk assessment.
- Assessing and validating the completeness and accuracy of management's documented inventory of technology assets and configurable devices and software.
- Incorporating lessons learned related to the cybersecurity breach root cause analysis.
- Revising the risk-based technology audit plan.
- Assessing internal audit staff expertise and training needs.
Such a comprehensive list does not mean any of these key actions in particular was missing before the breach, but it lays out the complexity of assurance responsibilities that internal audit should take on when any organization turns over data storage and computing services to a third party.
In the WAC case, the SEC accepted the company's offer of remedial efforts that included supporting the SEC investigation; the firing of key personnel, including the CEO and general counsel; and divesting itself of its Mexico operations.
While these cases are different, there is a common moral to the stories: Strong and effective internal audit functions can keep organizations out of trouble. Ignore internal audit, or worse, circumvent it, and the regulators will be knocking on the door with serious charges and big fines.
As always, I look forward to your comments.