The Importance of the Internal Audit and Compliance Partnership
In the wake of the International Institute of Auditors' recent proclamation of a revised and controversial Three Lines of Defense Model, I thought it would be helpful to underscore the importance of the Internal Audit and Compliance functions to effective internal controls, including ethics and compliance programs.
In most companies, Internal Audit and Compliance work together effectively to leverage each other's resources and overall efficiency. Internal Audit conducts an annual risk assessment to identify and risk-rank financial activities and to develop a multi-year audit plan for review by the Audit Committee. This risk assessment is helpful for Compliance purposes as well. It is a valuable source of risk information that Compliance can incorporate into its regular risk review and updating procedures.
Aside from this basic function, Internal Audit conducts relevant site visits and audits, sometimes with Compliance staff who might conduct a compliance review at the same time. Even when Compliance does not attend a site visit and audit, Internal Audit often coordinates with Compliance to conduct specific inquiries and audit reviews of specific controls such as gifts, meals and entertainment expenses, and third-party onboarding compliance.
Most Internal Audit and Compliance staff coordinate their activities, priorities and other projects. An empowered Internal Audit function naturally elevates the importance of Compliance responsibilities. In some situations, I have observed that Internal Audit and Compliance leaders may jointly present issues to the Audit Committee or the full Board of Directors.
Compliance has to reach out to Internal Audit, find issues of mutual importance, and leverage each other's resources to identify win-win situations. There are many opportunities to work together, and maintaining robust communication is imperative for an effective compliance program.
Compliance should seek Internal Audit's ideas and assistance for focusing compliance audits on high-risk activities and in high-risk countries. A robust high-risk audit program is vital for global companies that operate in high-risk markets. Many companies have designed high-risk auditing programs to mitigate risks, identify weaknesses in controls, and apply lessons learned to their existing accounting and compliance controls.
From a theoretical standpoint, Internal Audit is responsible for the design, monitoring and operation of a company's accounting controls. Compliance and Internal Audit overlap in mutual interests in a variety of subject areas:
- financial authorization and approval thresholds;
- onboarding and contract-invoice-payment processes for vendors, suppliers, consultants and other third parties;
- contract pricing, discounts, rebates and marketing support programs;
- gifts, meals and entertainment;
- charitable donations;
- tender processes and bidding procedures;
- sponsorships; and
- local content and set-aside policies and procedures.
The above list is not exhaustive but confirms the extensive mutual interests between Internal Audit and Compliance in financial controls. If such controls are circumvented, corporate risks of fraud, bribery, kickbacks, vendor fraud and related crimes increase exponentially.
As stewards of these important functions, Internal Audit and Compliance need to work together. A company that does not encourage or ensure such a partnership is likely to suffer real and significant control weaknesses.