Sometimes an enforcement action cuts across numerous branches of governance failure, to offer lessons for all manner of risk assurance professionals. Such a thing happened last week, when Fiat Chrysler agreed to pay $9.5 million to settle charges that it wasn’t honest with investors about an investigation into auto-emissions cheating devices.
What we have, according to allegations laid out in a settlement with the Securities and Exchange Commission, is a poorly scoped internal audit that Fiat engineers performed in 2015 to see whether any of the company’s diesel engine vehicles used cheating software similar to what Volkswagen had been caught using. That audit found no problems, so Fiat management promptly told investors, “There are no defeat mechanisms or devices present in our vehicles.” The company included that same point in its annual report released in 2016.
You can guess the rest, I’m sure. Later that year the Environmental Protection Agency informed Fiat that several of its vehicles did include defeat-device software. A Justice Department inquiry ensued. In 2019 Fiat settled those charges, agreeing to a recall program to fix affected vehicles and to pay $325 million in civil penalties.
This enforcement action from the SEC is just a securities law epilogue to the case. Fiat neither admits nor denies the charges, but did agree to a cease-and-desist order plus the $9.5 million penalty.
Meanwhile, we in the risk assurance world have a few internal audit and corporate governance issues to chew over. Let’s get to it.
Internal Audits vs. Whitewashes
First is the internal audit that Fiat ordered in September 2015. This was only several weeks after the blockbuster news that Volkswagen had been using cheating devices for years. The EPA and California environmental regulators had also announced that they would be testing diesel vehicles from all major auto manufacturers for the same misconduct.
OK, so Fiat executives wanted to conduct an internal audit to get ahead of a regulatory threat. That’s nothing new, and not a bad idea.
The scope of that internal audit, however, was so narrowly tailored that one has to wonder whether Fiat executives deliberately planned to examine only those parts of the business that would show nothing amiss. As the SEC order describes things —
The internal audit was focused entirely on determining whether any of the software in the engines contained code or was calibrated to detect that the vehicle was undergoing emissions testing, similar to the defeat devices employed by VW. The internal audit was not a comprehensive review of [Fiat]’s emissions control systems to check for defeat devices generally or to ensure compliance with applicable U.S. emissions regulations.
There’s a world of difference between those two points. Fiat was only looking for evidence that it was engaging in the same method of evading emissions standards that VW had used. That’s not the same as an internal audit to assess whether you are evading emission standards in any way at all.
Nor did Fiat work too hard at getting evidence from third-party suppliers that had provided software for Fiat’s emissions-control systems. Yes, Fiat auditors did ask those suppliers about the risk of cheating devices; but those suppliers only provided “some assurances” that their software code had no issues, the SEC said — and put nothing in writing. Fiat’s audit team accepted that.
Fiat’s internal auditors presented their findings to Fiat’s board of directors in late 2015, and again to Fiat USA’s board in early 2016. The audit team only said that they had found no defeat devices akin to what Volkswagen had used. Even then, that conclusion was only stated in a PowerPoint presentation to the boards. The team had no other written findings or detailed audit report.
Those allegations leave plenty of questions about what the internal audit team was thinking, and why it scoped the audit so narrowly. Still, the most important question is this: Why would the boards accept such a narrowly scoped audit in the first place?
Selling Fiat to Investors
Another interesting point is that while Fiat’s internal audit team was performing its review of Fiat diesel vehicles, so were the EPA and the California Air Resources Board. By late November 2015 — two months after Fiat had begun its internal audit, but before the findings were presented to Fiat’s U.S. board — those regulators met with Fiat engineers and regulatory compliance teams to say that they had found suspicious results in the Fiat Ram 1500.
So at least some executives at Fiat knew they had an emissions problem on their hands before internal audit presented its report to senior U.S. executives. And still, that narrowly tailored report went to the Fiat U.S. board, declaring that nothing was amiss.
On Jan. 27, 2016, the CEO of Fiat held an earnings call and said the following:
“[Fiat] has undertaken a pretty thorough review and a thorough audit of its compliance teams. I think we feel comfortable in making the statement that there are no defeat mechanisms or devices present in our vehicles. And I think the cars perform in the same way on the road as they do in the lab under the same operating conditions.”
So was the issue that Fiat’s internal audit team was told to procure a whitewash? Or did the engineers and environmental compliance teams who knew Fiat had a problem not pass that fact along to internal audit and the brass?
Clear lines of communication, people. Whether those lines run up and down the chain of command, or across the enterprise from one function to another — keeping those lines working is a paramount priority.
Then came the disclosures in SEC filings. In February 2016, Fiat issued a press release with its earnings report that included this line: Fiat had “conducted a thorough internal review of the application of this technology in its vehicles and has confirmed that its diesel engine applications comply with applicable emissions regulations.”
Except, the internal audit hadn’t examined compliance with emissions regulations. The audit had only examined whether Fiat diesel vehicles included the same sort of cheating software that Volkswagen had used. That’s a narrower statement than “comply with applicable emissions regulations.”
Fiat went on to make the same statement in its Form 6-K earnings filing with the SEC later that month. But, as the SEC said:
The statements were misleading because they did not sufficiently disclose that the internal audit had a limited scope focused only on finding VW-style cycle-beating defeat devices, was not a comprehensive review of compliance with emissions regulations, and did not cover or address certain issues that EPA had been raising.
From the rest of the allegations in the SEC order, we still can’t quite tell how the breakdowns in communication and oversight happened here; nor how much was deliberate planning versus the usual Keystone Kops clumsiness that happens at large organizations.
The result: a $9.5 million lesson in the importance of scoping an audit thoughtfully, and of communicating the right information to the right people at all times.