The Current State of Compliance and Internal Audit Partnership
Compliance officers and internal auditors are natural partners and allies in the compliance governance landscape. As the compliance profession and influence grew, compliance officers often leaned on internal auditors for help in assessing risks, uncovering financial misconduct, and assessing compliance functions and controls. Recently, however, I have noticed some changes in their relationship, suggesting that they both are maturing and gaining independence from each other.
Since Sarbanes-Oxley, internal auditors have gained in the corporate ladder, and rightfully so. Internal audit was given en greater responsibilities for ensuring accurate financial reporting. Congress mandated a greater responsibility and sought to improve internal and external audit functions.
Corporate boards gave internal auditors increased power and access to more resources. If the internal auditor requested staff and resources, the audit committee would be hard pressed to deny such a request.
In contrast, chief compliance officers have never enjoyed the same level of authority, access to resources and overall influence at the board level as the internal auditor. Since the CCO and the internal auditor usually report to the same audit committee, CCOs and internal auditors helped each out, formed alliances and developed synergies, especially in areas where auditing and compliance functions overlapped. This usually worked out to both parties’ benefit.
Two recent trends, however, have transformed this close and natural partnership.
First, CCOs are becoming more influential on their own, meaning that they have matured professionally and gathered their own constituencies, created their own relationships, and promoted their own connections with senior management and the board.
Second, internal auditors are busier than they ever have been with more projects, day-to-day responsibilities, and focus on financial reporting systems and overall system management. Internal auditors do not have the time nor the resources to conduct compliance audits or focus on specialized compliance auditing, particularly in the area of measuring compliance with controls.
Given these trends, CCOs have begun to develop their own auditing or compliance review protocols and functions. CCOs recognize that conducting their own independent audits of compliance functions can quickly improve monitoring and assessment capabilities and improve the accuracy and speed of compliance program improvements.
My generalization is just that – a general observation. Of course, there are still situations where compliance and internal audit continue to work closely with each other.
The separation of CCOs and internal audit, however, is not a negative trend but reflects the positive growth in compliance. Internal audit has extraordinary responsibilities being placed on it, especially as companies seek to reduce reliance on outside consultants and auditing firms.
On substance and in practice, internal audit and compliance will always operate with a close respect for each other and coordinated perspective on corporate financial and compliance controls. Even as they mature, they will remember the old days of close affiliation while maintaining a close eye and support for the respective functions dedicated to improving overall corporate governance. Compliance and audit will continue to learn from each other and maintain a mutual admiration for their roles.