April 30, 2026 8 min read

Internal control failures: A wake-up call for internal audit and boards

Richard Chambers

The Chartered Institute of Internal Auditors (CIIA) has issued a timely and sobering report on internal control failures across the UK financial services sector. The findings demand attention from boards, audit committees, regulators, and internal auditors alike.

I see this report as more than a retrospective analysis. It’s a clear call to act. At the center of the report is a stark statistic. Between 2021 and 2025, 52 of 97 enforcement actions by the Financial Conduct Authority were tied directly to internal control failures. These cases resulted in fines of more than £1 billion.

This is not a marginal issue. It’s a systemic problem.

The scale of the problem

The data tells a consistent story. Over half of the FCA fines in the past five years stem from weak, ineffective, or absent controls. The financial impact exceeded £1.025 billion.

But the real cost runs deeper:

  • Customers were exposed to fraud and financial crime
  • Systems failed to detect suspicious transactions
  • Data security weaknesses created exposure to cyber threats
  • Firms suffered reputational damage and lost strategic focus

A press release from the CIIA underscores this message: every fine leads to harm for customers and markets. This is what happens when organizations fail to get the basics right. Understanding the scale is only the starting point. The more important question is why these failures keep happening.

5 recurring control failures identified in the report

The report identifies several recurring themes. These are not isolated breakdowns. They reflect persistent weaknesses in the control environment.

1. Financial crime and AML controls

Deficiencies in anti-money laundering programs appear repeatedly. Firms struggled with:

  • Customer due diligence
  • Transaction monitoring
  • Sanctions screening

In many cases, controls were poorly designed or not updated as risks evolved.

2. Weak governance and oversight

Boards often lacked clear, actionable information. Risk ownership was unclear. In some firms, first-line responsibilities drifted into the second line. Even more concerning, internal audit findings were not always addressed in a timely manner.

3. Ineffective three lines model

The Three Lines Model existed in theory, but not in practice. Coordination across risk, compliance, and internal audit was often weak. Assurance was fragmented. Issues were identified but not resolved.

4. Data and technology weaknesses

Poor data quality, weak system integration, and ineffective change management undermined control effectiveness. These failures often sat at the root of larger breakdowns.

5. Failure to remediate

This may be the most troubling finding. In many cases, issues were known. Internal audit and compliance raised concerns. Yet corrective action stalled or failed to deliver sustainable results.

Where internal audit must rise to the occasion

The report does not place blame on internal audit. In fact, internal audit was present in many of these organizations. But presence is not enough.

The findings raise hard questions about effectiveness. Internal audit often identified issues. The gap came in driving action.

In several cases:

  • Findings were not escalated with sufficient urgency
  • Actions were closed prematurely
  • Follow-up lacked rigor
  • Coverage of high-risk areas was delayed or absent

In one case, internal audit had not reviewed a financial crime function for more than eight years. That is not a resource issue. That is a prioritization failure. Internal audit must be more assertive, more persistent, and more focused on outcomes.

Lessons for boards and audit committees

Boards cannot treat internal control as a compliance exercise. The report makes that clear.

There are several actions boards should take now:

  • Demand high-quality assurance over critical risk areas, especially financial crime
  • Ensure the Three Lines Model operates effectively in practice
  • Hold management accountable for timely and sustained remediation
  • Support internal audit with sufficient authority, independence, and resources

Boards must also listen. When internal audit raises significant issues, those concerns must drive action.

Too often, they do not.

A broader concern

The remediation failures described above are troubling enough. But there is a structural issue that sits beneath all of them, and it should concern every regulator.

At least 13 firms fined for control failures did not have an internal audit function. This raises a fundamental question. Should more firms be required to maintain internal audit capabilities? Given the scale of the failures, the answer seems clear.

The path forward

The report points to practical steps for internal audit functions. I would highlight a few that stand out.

  • Focus on end-to-end assurance over financial crime risks
  • Strengthen coordination with second-line functions
  • Invest in data analytics and technology-enabled auditing
  • Conduct rigorous root cause analysis
  • Enforce strict standards for closing audit issues
  • Escalate high-risk issues clearly and persistently

These are not new ideas. But they are not being executed consistently. That must change.

Final thought

Internal control failures are not inevitable. Many of the issues identified in this report were preventable. In several cases, they were identified years in advance.

The failure was not detection. It was execution. Internal audit has a critical role to play. When it focuses on the right risks, challenges management effectively, and drives accountability, it can prevent these outcomes.

Boards and regulators must support that role. They must demand it. I encourage every internal auditor, board member, and risk leader to read the full report. The findings are clear. The lessons are practical. The implications are significant. The profession should treat this as a moment of reflection. More importantly, it should treat it as a moment to act. The report is a wake-up call. The question is how we answer.

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at Optro. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
