Hefty fines levied by U.S. regulators last week in two high-profile cases provide new examples of how ineffective controls can lead to significant problems. One instance was driven by inadequacies in managing cloud computing risks; the other resulted from a conspicuous and deliberate rejection of sound governance practices. In one instance, internal audit was part of the problem. In the other, it was a victim.
The better known of the two cases involved Capital One, the Virginia-based bank holding company known for its catchy “What’s in your wallet?” advertising campaign. The bank was hit with an $80 million civil fine from the U.S. Office of the Comptroller of the Currency (OCC) stemming from a 2019 data breach that exposed more than 106 million customer records.