This is the second in my series on topics that are generally significant to the business, but are too often not addressed in the internal audit plan.

Today I am starting a series where I discuss risk and control issues of potential significance that are often overlooked by internal audit. These are issues that, for whatever reason, are not considered and therefore not included in the audit plan.

A May 18th article in Compliance Week by Rick Steinberg (former PwC partner who was the lead partner on the development of the COSO internal controls framework) doesn’t mince any words when it comes to practices at Washington Mutual (WaMu). He believes, and his points are cogent, that WaMu “created such a toxic environment for itself, one so bad that you have to wonder how anyone within the organization could survive, and whether any amount of help—oxygen, liquidity, or otherwise—could have saved the company.”

Watch and listen to this, then answer these questions:

I have been reviewing a 2009 document from the UK Treasury department: Risk Management assessment framework: a tool for departments. While it is designed for government agencies, I like a number of things about it.

Too many of my CAE-level (and other senior internal audit leaders) have shared with me stories of how they identified inappropriate activities, reported them to the audit committee, and found themselves out of a job within a year to 18 months.

ISACA has issued for comment an excellent draft on "Controls Monitoring and IT." Information on how to download it, and my comments on the document, are here.

Fraud is a major area of focus for some internal audit departments. They use data analytics for fraud prevention, and sometimes that is all they use data analytics for. When the potential for fraud is identified quickly put a team together to investigate.