Compliance and Financial Audits – Distinctions With Substance
Chief compliance officers and internal auditors are natural friends and allies. In the corporate governance world, they share many common interests.
The natural partnership between compliance and audit reflects their substantive overlap of responsibilities. Internal auditors are guardians of a company’s internal controls, and ever since Sarbanes-Oxley, they have even greater responsibility for the accuracy of a company’s financial reporting system.
A compliance program is a part of, or a subset of, a company’s internal controls. Hence, the substantive overlap. Compliance policies and procedures establish internal policies and procedures governing compliance-related functions.
For example, a company’s gifts, meals and entertainment policy sets out basic procedures that must be followed for spending money on gifts, meals and entertainment. In most cases, companies have adopted a threshold above which an individual must secure pre-approval. If the procedures are properly followed, an individual will obtain pre-approval for a meal that exceeds the threshold.
After spending the money using a company credit card, the individual may seek reimbursement for the expenditure. The company’s financial controls will reflect the requirements that need to be satisfied for reimbursement, including pre-approval of certain expenditures, before authorizing repayment of the funds.
The company’s compliance controls and financial controls interact with each other to reinforce an overall compliance program and relevant financial controls.
My purpose in outlining this distinction is to show the closeness with which compliance and internal audit operate. In time, compliance and internal audit may work even more closely to leverage cost-effective strategies.
Internal auditors often travel to company locations to conduct financial audits. When internal auditors conduct these audits, compliance officers often ask them to examine compliance issues or ask specific compliance-related questions. While I am not a big proponent of this strategy, there are ways to gain benefits from having internal audit staff focus partially on compliance issues.
My concern with respect to asking internal audit to conduct compliance inquiries is that it dilutes compliance officers’ responsibilities, compliance officers’ presence in the field and compliance officers’ ability to exercise their responsibilities under the watchful eye of global managers and employees. Compliance officers need to spend time outside of headquarters and in the field. Compliance officers also need to conduct compliance audits. To the extent these can be coordinated with internal audit, a joint audit maximizes the benefits of an audit.
If, on the other hand, having internal audit supplement its audit with compliance questions is not done at the expense of, or as an alternative to, a compliance audit, then collecting information that would not otherwise be available is perfectly proper. Compliance audits are valuable as a separate matter and should neither depend on nor resemble a financial audit.
Compliance and audit functions have a lot in common. But a compliance program extends beyond its financial controls to include a company’s culture, training, communications, internal investigations and other components that are not directly tied to financial controls. As a result, compliance has to exercise its responsibilities to maximize its impact and its overall objectives. Internal auditors, while helpful in many respects, need to focus on their objectives, offer to support the compliance functions, and do so where it makes sense.
If the compliance profession wants to continue its robust growth in influence and status in the corporate governance world, compliance officers have to step up and assume responsibility for compliance programs, and when resources are needed, compliance officers cannot sit idly by and complain to themselves. They need to communicate clearly their needs and the important functions that they carry out.
Michael,
I think that a modern internal audit department has another important role to play in the area of Compliance. Modern Internal Audit is an independent verification that ANY business process is operating as designed and is effective in controlling the risk that it was designed to cover. Financial audits are only a part of the IA remit.
What IA should do is to review the Compliance Department and its procedures/operation and provide an independent opinion to the Board (via the Audit Committee) whether Compliance is well organised, has installed the right (and complete!) controls and that they are operating as designed.
I know to some this may sound like being the policeman of the policemen, but it is an important assessment that allows the Board to form itself an opinion on the effectiveness of the Compliance organisation. As we all know, those close to an operation often have difficulty seeing its own weaknesses: IA can provide an important additional check in that respect. Some companies do this as well as inviting an Ethics NGO to make an outsider’s assessment.