The Vital Role of Internal Audit to Compliance
A chief compliance officer can only succeed with the support of other important compliance partners. Another way to put it – in the words of Blanche Dubois from A Streetcar Named Desire, “I have always depended on the kindness of strangers.” This observation, while dramatic in license, applies to the place of the compliance officer in the corporate governance world.
A key partner for compliance is the internal auditor. A CCO has to meet often and work closely with the internal auditor. In many areas, the internal auditor and compliance share common objectives. Let’s examine just a few of their common interests:
Financial controls: The internal auditor is responsible for ensuring that the company’s financial and accounting controls are operating effectively. The CCO shares several common interests.
To the extent that a company is subject to fraud or theft of money, a CCO shares the same concern because of employee misconduct, possible use of such funds for bribery or other illegal purposes, and other illegal acts. Both fear that deficient financial controls can result in serious misconduct and enforcement actions.
A CCO also shares interest with the internal auditor over specific financial controls relating to engagement and payment of third-party intermediaries, travel, gift and hospitality expenses, political donations, charitable donations, and other compliance-related expenditures.
Risk assessments: An internal auditor usually conducts risk assessments to plan an audit schedule for company offices and operations. While the internal audit risk assessment does not match the issues examined in a compliance risk assessment, the internal audit risk assessment can include specific questions helpful to a compliance officer. Moreover, CCOs often find the internal audit risk assessment to provide important insights to inform the CCO’s own view of relative risks. In those companies where compliance programs are still being developed, an internal audit risk assessment can provide reliable indicators of risk and should be weighed by the CCO in focusing a compliance program.
Audits: The internal audit’s responsibility for conducting audits of specific offices and functions provides important opportunities for CCOs to coordinate compliance audits with the internal audit staff.
Internal audit staff conducts numerous audits each year. CCOs often coordinate with the internal auditor to inject compliance issues into these audits. In many cases, a compliance staff member may accompany the audit team and conduct his or her own compliance audit with the support and assistance of the internal audit staff.
The audits can uncover deficiencies in specific compliance controls. For example, an internal audit review of gifts, meals and hospitality expenses may uncover deficiencies in compliance with relevant controls. The CCO and the internal auditor will share an interest in remediation of these deficiencies and ensuring that such remediation is completed by a date certain.
Internal auditors can also review the third-party intermediaries that work with a company office and make sure that due diligence procedures were followed, a written contract was executed and that payments to the third party were properly authorized. Such reviews are important to ensure that third party risks are mitigated.
These are just examples of where CCOs and internal auditors share common interests. There are many other issues and topics where CCOs and internal auditors have common interests and objectives.
An effective ethics and compliance program usually includes a strong relationship between CCOs and key partners, especially internal auditors.