
Internal Audit Newswire - February 18, 2026


Discord faces backlash after age‑verification rollout and prior ID breach

Source: Ars Technica

What Happened

Discord announced a phased global rollout of AI-based age verification requiring video selfies or government IDs to access adult content. The move follows an October 2025 third-party breach that exposed roughly 70,000 government IDs submitted for age checks in certain markets.

User backlash and privacy concerns intensified because some prior verification was handled by external vendors. Discord says selfies remain on-device and IDs are checked off-device and deleted, but the combination of new sensitive data collection and a past vendor compromise invites heightened vendor-risk and data-governance scrutiny for affected organizations.

Internal Audit Implications

Internal audit teams should treat Discord's announcement and the prior third-party ID leak as a vendor-risk and privacy control test case.

Vendor oversight. Auditors must validate contractual SLAs, encryption and data-retention terms with any age-verification provider and review third-party security assessments and SOC reports.

Data governance. Assess whether collection, processing and deletion policies for biometric data meet regulatory and organizational privacy requirements and whether retention practices create undue exposure.

IT change and access controls. Examine how age-inference ML models operate (on-device vs. cloud), who can access logs or model outputs, and whether segregation of duties prevents misuse.

Incident response and notification. Evaluate timeliness of breach detection, cross-vendor incident coordination, and regulatory notifications.

Third-party concentration risk. Quantify downstream concentration where a single vendor breach can cascade to many clients.

Practical audit actions: update risk registers to capture biometric data collection as an emerging operational and IT risk; add targeted SOC-type testing and control walkthroughs for vendors; perform control testing over data deletion and key management; review privacy impact assessments and legal opinions for jurisdictions with strict biometric privacy law; and advise the board and risk committee on residual reputational and compliance risk. These steps align to ICFR and SOX readiness concerns where identity-data flows intersect with financial control systems (for example, user monetization and dispute processes) and ensure the organization's risk governance reflects the expanded attack surface.


Crypto firm Nexo returns to U.S. market after 2023 SEC action, partners with Bakkt

Source: Yahoo Finance (Reuters)

What Happened

Nexo announced its return to the U.S. market in partnership with Bakkt after exiting in 2022 and settling prior U.S. regulatory action with combined penalties of about $45 million.

The company said the U.S. offering will be delivered through licensed U.S. partners and will exclude the product that prompted the SEC's 2023 order. Nexo's relaunch highlights how crypto firms are restructuring to address securities law issues and to align product design and custody with U.S. licensing and compliance frameworks.

Internal Audit Implications

This development matters to internal auditors overseeing third-party fintech relationships, regulatory compliance, and financial reporting controls.

Vendor and partner due diligence. Confirm the regulatory licenses (money transmitter, BitLicense, SEC-registered adviser where applicable), governance frameworks, and historical compliance record of Bakkt and any other U.S. intermediaries.

Control design and contract terms. Validate that contractual arrangements segregate custody, reconcile transactions across platforms, and define responsibilities for financial reporting, custodial reconciliations and client asset protections.

Regulatory remediation tracking. Review Nexo's settlement terms and remediation plan to ensure any undertaking that affects U.S. customers (discontinued products, reserve or disclosure obligations) is tracked and tested to closure.

SOX/ICFR impact. Assess whether integration with third-party platforms creates new transaction flows that require control design or mapping into ICFR (e.g., revenue recognition, loan-collateral valuation, interest accruals, and fee calculations).

Compliance monitoring and reporting. Test monitoring of automated controls for transaction limits, AML/KYC escalation, and change-management for product redesigns intended to avoid securities classifications.

Practical actions: update the enterprise risk register and vendor risk scoring, perform walkthroughs of end-to-end flows involving the new partner ecosystem, and expand control testing to include reconciliation and exception handling between Nexo, Bakkt and any registered custodians. These steps support robust risk oversight and SOX readiness when regulated products are reintroduced through intermediaries.


Honeywell revises 2025 reported results after additional goodwill and asset impairments

Source: PR Newswire (Honeywell Form 10‑K / 8‑K)

What Happened

Honeywell filed its 2025 Form 10-K on February 17, 2026 and disclosed incremental impairment charges tied to businesses classified as held for sale.

The company recorded a $436 million goodwill impairment in its Industrial Automation segment and a $35 million impairment on assets held for sale (PSS and WWS), partially offset by a $61 million tax benefit. Reported full-year EPS from continuing operations was revised to $6.94. Management reaffirmed adjusted 2025 results and 2026 guidance while continuing to pursue divestiture plans.

Internal Audit Implications

Large non-cash impairments materially affect financial statement presentation and signal control and valuation risks that internal audit should assess urgently.

Valuation governance. Review the process and governance over impairment testing, including identification of triggering events, assumptions for discounted cash flows, discount rates, and terminal values; verify oversight by the valuation committee and appropriate involvement of finance, legal, and external valuation specialists.

ICFR and control design. Evaluate design and operating effectiveness of controls over goodwill and long-lived asset impairment testing, including controls over forecasting, model change management, data inputs, and approval hierarchies.

Disclosure controls. Test completeness and accuracy of disclosures regarding assets held for sale, impairment methodology, and sensitivity analyses to ensure compliance with GAAP and SEC requirements.

SOX implications. Map the impairment processes to ICFR and perform targeted SOX testing where impairment adjustments feed into financial close and earnings metrics.

Transaction readiness and carve-out risk. Given planned divestitures, audit vendor-managed carve-out accounting, separation-related estimates, and controls over transitional service arrangements.

Recommended audit procedures include re-performing impairment models, validating source data, reviewing subsequent events and board minutes for indicators, and assessing whether management's remediation plans strengthen control design. These steps will support robust risk governance and provide the audit committee with assurance on valuation governance and control remediation timelines.
