Fines don't happen until they get caught. How long can a company go and how much can they make before they get caught? What happens to the executives? They just move on pointing to their old success numbers.
I run internal audits for a large org as part of a strike team when my company is acquiring smaller orgs. External auditors are a joke and it's incredibly easy to slip things by them. The only reason we catch stuff is because we assume full ownership as part of our takeover process and actually build and deploy product to find issues.
But your company wouldn't even have a line item to look for those problems if regulations didn't require it. It's not a fool-proof solution but it's at least a foot in the door for improvement
I run internal audits for a large org as part of a strike team when my company is acquiring smaller orgs. External auditors are a joke and it's incredibly easy to slip things by them. The only reason we catch stuff is because we assume full ownership as part of our takeover process and actually build and deploy product to find issues.