Risk Assessment: A Natural Partnership for Internal Auditors and CCOs
We all know our favorite things and people who fit together well – milk and cookies, peanut butter and jelly, chips and salsa, Tracy and Hepburn, Martin and Lewis, Abbott and Costello, and many other great combinations.
In the corporate compliance world, chief compliance officers (CCOs) and internal auditors are natural allies. They often report to the same board committee, share a common perspective on corporate operations, and both aim to identify and prevent misconduct.
They often coordinate with each other to monitor and audit corporate operations with a slightly different perspective – financial controls for the auditor and overall ethics and compliance program requirements for the CCO.
In this process, there is one area in which CCOs and Internal Auditors should coordinate and build a strong working relationship: risk assessments. I am often surprised when I learn that a CCO and an Internal Auditor do not work together on this issue. While they may use the information collected for different purposes, there is a significant economy in running a single risk assessment process whose results serve both the CCO and the Internal Auditor.
The Internal Auditor uses the risk assessment information for a very specific purpose: developing the audit plan for the upcoming year or years. The risk assessment data helps an Internal Auditor not only identify where in the company to conduct audits, but also determine the type and focus of each audit.
For example, if the risk assessment identifies extravagant gifts, meals and entertainment as a high risk in China, the Internal Auditor may focus the audit of the China operations on such expenditures and the internal controls surrounding them. If instead the risk assessment identifies tendering procedures in the Middle East as a high-risk activity, the Internal Auditor may focus the audit there on those activities and their surrounding controls.
The CCO uses a risk assessment not only to identify and prioritize risks for the design and implementation of compliance controls, but also to direct compliance audits of specific company operations, selected by location, product line or other risk factors associated with the individual operation.
A CCO can also use risk assessment information to decide on training activities for the next few years, and to consider new or enhanced controls to mitigate the relevant risks.
A CCO and an Internal Auditor need to coordinate a joint plan for auditing company operations that covers both compliance and financial issues. This is a critical joint activity: it requires CCOs and Internal Auditors to rank risks, allocate resources to different types and levels of audits, and design a plan that relies on both audit and compliance staff to carry out the projected audits.
Internal auditors frequently rely on survey information to develop their risk assessments. CCOs should piggyback on this same procedure and build in the questions and data they need to assess risks for compliance purposes. Working together, they should conduct this assessment each year, coordinate the results and analysis, and use the risk assessment information as the foundation for their respective and joint activities.
Internal auditors often voice the same complaints as CCOs about a lack of resources and staff. A shared risk assessment is one area where both can reduce their costs and make coordination with each other easier.