Tracy and Hepburn: CCOs and Internal Auditors
If you enjoy Spencer Tracy and Kate Hepburn movies like I do, you know the value of a great partnership. Tracy and Hepburn movies are classics, and their chemistry was powerful (on the screen and off). Like their relationship, the Chief Compliance Officer and the Internal Auditor can be a powerful force in corporate governance.
There are so many areas where a CCO and IA should work together because of common interests and goals.
First, they share a very common perspective – to monitor the company’s operations and ensure that internal controls are followed. Ever since Sarbanes-Oxley, the IA has been at the forefront of corporate governance. This status has raised the importance of the IA function in corporate governance. Compliance, like the IA, has a rising profile, and an important direct connection to the Board.
Second, on a day-to-day basis, the CCO and IA share important functions.
For example, a CCO’s program is built on the company’s risk assessment and tailored to the risk profile. Similarly, an IA conducts a risk assessment to determine where to conduct audits. CCOs and the IA often coordinate in this area because they are looking for the same information.
CCOs and IAs are always interested in testing internal controls. A weakness in financial controls can create serious risks of legal violations. Violators look for weaknesses in internal controls to secure access to money to fund bribery or fraud or other schemes. CCOs and IAs understand the importance of segregation of duties, strict financial authorizations, and other controls needed to ensure proper access to and use of company assets.
Third, CCOs and IAs are committed to implementing monitoring strategies. CCOs and IAs are looking across the organization for important indicators of possible financial and compliance irregularities. They have the same vision and need for real-time information – a deficiency in one area (e.g., compliance) is likely to indicate a similar deficiency in the other (e.g., financial controls), and vice versa.
CCOs and IAs know that it is important to adopt proactive strategies to review company operations. CCOs and IAs are employing proactive compliance and financial audits of high-risk operations. They know it is important to identify problems before a serious issue arises.
Fourth, CCOs and IAs have to conduct audits – some proactive and others reactive. CCOs have to audit the company’s compliance program. IAs have to audit the company’s financial operations and controls. There are real and significant benefits to cooperation and coordination of these two functions.
Fifth, CCOs and IAs have to identify weaknesses in a company’s compliance program and financial controls. The IA is often the first to discover financial problems indicating possible bribery. IAs work in the trenches and usually are the first to confront potential wrongdoers about financial irregularities.
CCOs and IAs should watch each other’s backs – they have direct dealings with the Audit Committee, are usually understaffed and need additional resources, and can support each other.
One cannot succeed without the other. An effective compliance program depends on a vigorous internal audit function. Conversely, a company’s internal audit program will not work or result in any serious changes unless there is an effective compliance program.