Chartered IIA report hits headlines by revealing over £1bn in avoidable fines for internal control failures
Financial services firms could have avoided over £1bn in fines over the past five years if they had listened to their internal auditors and acted swiftly to address control failures. A Chartered IIA report, Internal Control Failure!, analysed all the fines imposed by the FCA in that period and found that more than half (54%) related to control failures, and that many followed repeated red flags and warnings by internal audit teams.
The story has been widely picked up by news outlets and industry sector commentators, highlighting the importance of the internal audit role and the value of this research. The true cost of the control failings is likely to be far higher once other factors, such as reputational damage, customer redress packages, and management time, are considered.
Many of the fines related to issues such as anti-money-laundering (AML) checks, fraud protection, data quality, technology systems, and the effectiveness of governance and oversight. Consequently, they may also have exposed firms to regulatory attention in multiple regions and to follow-up investigations by other authorities.
Most importantly, they caused significant customer harm as accounts and data were left vulnerable to criminals. Weak governance meant that warnings were ignored and consumers, some of whom were vulnerable, were treated unfairly. Some firms failed to address known weaknesses for years, despite warnings by internal audit and compliance teams.
Call to action
The Chartered IIA said the findings are a wake-up call for boards, audit committees, and senior management. The report also highlights that at least 13 firms did not appear to have internal audit functions, which exposes gaps in regulatory scope.
Arleen McGichen, President of the Chartered IIA, pointed out that when more than half of FCA fines are rooted in internal control failures, this should seriously concern boards across the financial services sector and beyond.
“Too many firms are not getting the basics right in areas such as AML, where there should be zero tolerance for failure,” she said. “Internal audit has a critical role to play in independently assessing whether controls are effective and in holding senior management and boards to account when issues persist. But assurance only works when it is properly resourced, with issues taken seriously and acted upon.”
In her introduction to the report, McGichen highlighted that some of the FCA final notices warned that the failings “could have enabled the financing of international terrorism or organised crime”.
Where problems intersected with second-line compliance, risk, and legal functions, she said, they raised questions about the level of coordination between second and third lines. Corporate culture and the support of boards and audit committees are also key factors in ensuring that governance weaknesses are identified, communicated, and addressed swiftly.
Pressure is increasing for boards to demonstrate the effectiveness of their controls – particularly from the UK Corporate Governance Code’s new Internal Controls Declaration (“Provision 29”). Further focus will come from financial services firms’ obligations under the Consumer Duty rules.
This report highlights a dangerous gap between what companies say they do and what is happening in practice.
The report includes a deep dive into the key failings, which include customer due diligence processes, transaction monitoring scenarios and sanctions screening, training and capability gaps, and missing or delayed internal audit coverage of financial crime frameworks. It also provides detailed lists of recommendations for internal audit functions, boards and audit committees, and regulators and standard-setters.
Internal audit teams are advised to:
- Prioritise end-to-end assurance over AML and other financial crime controls.
- Coordinate with second-line functions on assurance over AML, fraud, and financial and economic crime controls.
- Build specialist skills in AML, market abuse surveillance, technology risk, and data management.
- Consider how data analytics and AI could be deployed in relation to financial crime controls.
- Carry out root-cause analysis.
- Strengthen assurance over the performance of second-line functions.
- Focus on first-line ownership of risk and control.
- Ensure regular audits of the Three Lines Model.
- Scrutinise remediation programmes.
- Assess culture and risk appetite in practice.
- Ensure follow-up and follow-through of internal audit actions.
- Ensure high-risk issues are escalated and pursued.
- Ensure high-risk issues are communicated clearly to the board and, where relevant, to subsidiary-level internal audit teams, boards, and senior management.
- Ensure an open and constructive relationship with regulators.
The Chartered IIA said that until firms treat internal controls as vital safeguards, not mere box-ticking exercises, their customers and the financial markets will continue to bear the cost of their failures.