Convergence of Audit and Compliance Functions
Humans have a tendency to make things more complicated than they really are. To capture the flavor of my sentiment, all you need to do is watch the beginning scenes of “History of the World, Part I” by Mel Brooks (Here) to see how simple life was in the early history of man.
Returning to the serious subject of compliance, there are some who argue that compliance is a lot simpler than professionals and commentators tend to describe. I am an advocate for simplicity as a way to ensure adoption of compliance strategies. Complexity can be a barrier to effective compliance strategies.
For years, companies have segregated audit and compliance functions. Do not get me wrong – audit and compliance serve complementary but different purposes. I understand that.
Sarbanes-Oxley’s reform of the internal audit function bolstered and transformed the role of the internal auditor and the audit function. As a consequence, internal auditors have been riding high for years in the corporate world.
Chief compliance officers are focusing on compliance audits as an important aspect of an effective compliance program. For years, CCOs have been struggling to get the pieces of an effective compliance program in place. In recognition of the progress they have made, CCOs are now turning to designing effective audit strategies. In the interim, CCOs have piggy-backed on internal audits to requested internal auditors to examine “compliance” issues when conducting audits.
The piggyback days of compliance and audit working together are about to mature. No longer will internal auditors carry the ball for a compliance program by asking a few questions, examining a set of compliance documents, or addressing a specific compliance issue (e.g. gifts and hospitality).
This brings me to my point – the convergence of compliance and internal auditing functions. This is an important trend that requires even closer coordination between the compliance and audit functions. It is a trend that should be welcomed and embraced by CCOs and Internal Auditors.
If you think about it, the convergence of these functions makes sense and is long overdue. Compliance is an important aspect of a company’s internal controls. An internal auditor is devoted to oversight and monitoring of a company’s internal controls. An effective compliance program requires periodic audits and assessments to ensure proper operation of the compliance program.
The question then becomes how should compliance and audit work together in this area. As always, the answer will depend on two factors – expertise and inter-personal relationships. A CCO has to work closely with the internal auditor. Building on this relationship, the CCO and internal auditor have to design and implement an effective strategy for conducting audits of a compliance program and the functions within the compliance program. This requires CCOs and auditors to think outside the box.
First, a CCO and an internal auditor have to consider the variety of audit tools available. Not all audits have to be conducted with resource-intensive site visits and two-week detailed examination of an office’s operations. There are other tools that can be applied and will generate important information, such as desk audits conducted by telephone, transaction testing of financial data samples, spot/issue checks, and other approaches. Of course, on site visits are important but should be carefully assigned based on risk and available resources.
Second, CCOs should build on the working relationship with an internal auditor to learn from internal audit how to conduct audits and apply these techniques to compliance issues. There is nothing magical about compliance audits and internal auditors are fully capable of conducting such audits but a partnership of compliance and audit personnel can be a major advantage for an overall compliance strategy. Compliance and audit working together is by definition a greater total than the sum of their respective parts. The synergies are significant and should be embraced by compliance and internal audit leaders.