There has been plenty written about the relationship between internal audit and compliance—from analyzing functional differences to advocating integration between the two. This continued discussion is mainly because the two functions have a host of similarities as well as some important differences in the array of their responsibilities.
To be honest, though, close cousins don’t always get along. We have seen numerous cases where internal audit either completely leaves compliance out of the picture or simply steps over the line between internal audit and compliance without even being aware that it is doing so. Conversely, there are just as many examples of compliance freezing internal audit out or not seeking assistance in accomplishing its goals. Such disconnects between the two functions mean missed opportunities to create more value for the organization.
The purpose here is not to look at ways to better quantify the value that each function creates, but to look for ways they can work together to leverage the qualities that they each bring to the table, thus multiplying their effectiveness. Here are the 10 things that internal audit needs to keep in mind when working with compliance that, when accomplished, can increase the value that both functions bring to the organization:
1) Help compliance become control-savvy
Compliance professionals typically come from legal backgrounds, so many of them don’t always have a strong understanding of internal controls. Segregation of responsibilities, for example, may make less sense to compliance employees. For instance, why is it important to keep procurement units from participating in vendor evaluation processes? Why might an independent confirmation of service receipts help uncover potential bribery scams? These anti-corruption and bribery measures often don’t get the attention from compliance that they need. Teaming up with internal audit can give compliance professionals the know-how to address these controls in detail and, together, build a solid line of defense against irregularities that could lead to compliance failures.
2) Back up compliance when it needs to say ‘no’
Saying “no” to a senior sales director—to not engage a high-profile distributor with integrity issues, for example—takes a lot of guts. Saying “no” not only takes guts but also requires strong support from others in the organization. Compliance individuals face such challenges on a daily basis. Not surprisingly, they are often labelled as being negative, hindering progress, or “doing things by the book.” That’s primarily because some rules are not well supported with justifications, or because some view them as unnecessary, either because they don’t understand the reasoning for the rule or can’t see its value.
To convince the business units, it takes additional work to articulate how rules translate into gains and losses. In this case—the distributor with a bad reputation—not saying “no” could result in a loss of customers for the company associated with the disreputable distributor. Even more compelling would be to demonstrate the potential revenue losses that could occur if the company engages the questionable distributor. Internal audit is trained to analyze monetary impacts in order to make audit recommendations resonate. Therefore, by allying with compliance, internal audit can help compliance ease the tension with business units and make compliance’s job more fruitful.
3) Consider the big impact of small failures
Internal audit looks at risk largely from the point of view of material impact. What would be the monetary impact on revenue, for example, if a control failed? What would be the cost justification for implementing a control to detect payment fraud?
By contrast, the idea of materiality may not be relevant to addressing some compliance issues. A single incident of violating U.S. trade embargoes, for instance, may lead to severe fines and sanctions. One case of bribery, even if the dollar amounts are small, can result in major fines from the Securities and Exchange Commission or the U.S. Department of Justice. Corrupt behavior committed by senior management, regardless of the illicit amount, could represent a cultural issue of integrity. For that reason, internal audit needs to adjust its view when working with compliance so that it can analyze compliance risks in a relevant way.
4) Cooperate, but maintain clear lines between compliance and internal audit
When internal audit works together with compliance, it is easy to blur the lines between the two functions’ job responsibilities. Not only can unclear lines of responsibility confuse others, but they also create inefficiency. Despite efforts by some organizations to lump both functions into one, they are fundamentally different. Compliance is a management function. Period. And as such, compliance is a client of internal audit. In contrast, internal audit is independent of management functions and oversees management activities. Yes, internal audit and compliance serve as counterparts to each other, but they play separate and distinct roles, and those roles should be well defined. In practice, internal audit should never treat compliance as part of the audit team, or vice versa.
5) Engage compliance for better policies and procedures
Among the most common recommendations in audit reports is to improve policies and procedures. The existing policies are often not specific or comprehensive enough to guide business activities. Compliance is the perfect team to call on to take action. With their legal expertise, compliance professionals are good at drafting policies, and they are often the lead policy makers in an organization. However, policies without procedures to back them up will be seen as “paper tiger policies.” Bad procedures equally harm operational efficiency and create conflicts. Developing good procedures requires in-depth insight into processes and controls, which can be a weak spot for compliance. Therefore, compliance alone can’t fix the problems. A partnership between internal audit and compliance is the right approach, with compliance reshaping the policies and internal audit helping with the procedures. In addition, this partnership reaffirms the bond between the two functions.
6) Emphasize deterrence over detection in compliance controls
Managing compliance risks is all about taking pre-emptive measures or adopting controls to prevent the occurrence of undesirable events. Pre-approval of travel and entertainment expenses, for example, is a good control to deter potential Foreign Corrupt Practices Act (FCPA) violations. Examining sales margins before potential deals with channel sales partners may stop a bribery scam. Conducting third-party screening may weed out a supplier with a bad reputation before it’s too late. Internal audit should keep in mind that it is not enough for compliance to act as a referee over these critical controls; compliance should exercise these controls itself.
7) Assure compliance training is adaptive and effective
Compliance training is one of the key elements of any good compliance program. Training the right people at the right time in the right way is critical. Compliance is responsible for those training programs and should be held accountable for doing a good job of developing them. When evaluating the training, however, internal audit can help focus those programs and provide assurance that they are effective. For instance, the training may be insufficiently adaptive and focused: compliance has not customized the training content to the audience’s job scope, or has not tailored the training for a dispersed workforce in high-risk markets. Employees or managers who have direct contact with government officials or deal with state-owned entities should be prioritized for more intensive training programs. The form of training also needs to be adjusted to fit the risk profile of the audience.
8) View compliance risk through the lens of behaviors and actions
When compliance professionals talk about risk, they usually focus on regulatory risk. Keeping track of what regulators are saying is how they typically start their day. Gauging regulatory risks largely involves predicting which corporate behaviors could lead to potential compliance lapses and how to prevent such behaviors. Risk acceptance is generally not an option from compliance’s point of view.
In contrast, internal audit must view risk from a much broader scope that includes operational and financial risks, as well as other types of risk. It might involve a risk strategy that includes risk acceptance and mitigation efforts based on the organization’s risk appetite. Indeed, internal audit assesses risks by analyzing factors such as magnitude and likelihood of occurrence, rather than merely behaviors. Therefore, when working with compliance on a compliance risk assessment, internal audit should keep in mind that the assessment will be focused on behaviors or activities rather than on financial impacts.
9) Aid compliance in evaluating and communicating its value proposition
Here’s a reality check. The only time that compliance generally gets attention is when a company receives a large penalty for violating a regulation. This contingency-driven approach has been quietly accepted in a profit-driven environment, even though it is shortsighted. Still, very few companies would take the time to analyze how much they would have to pay for an FCPA violation for every dollar of profit made. Nor is there an infinite amount of resources to spend on compliance. With its unique position, internal audit is an ideal ally, lending its voice to help compliance advocate best practices in corporate compliance programs and evaluate its value proposition.
10) Internal audit and compliance should cooperate on investigations
Compliance is typically the first function notified when there are whistleblower complaints—indeed it is often responsible for maintaining the whistleblower hotline—but it may be the last party considered for conducting investigations into those complaints. There are various reasons for this: budget constraints or a lack of resources, for instance. But largely, compliance professionals are not hired to focus on investigations. Compliance investigations are complex, involve a unique set of skills, and can be easily derailed if not handled correctly. However, compliance is a valuable resource for mitigating legal issues that are encountered in the course of investigations. Here, again, teaming up with compliance enables the investigation team, including internal audit, to get to the bottom of the case with limited legal exposure.
Internal audit and compliance share an important set of common objectives. Working together in the above ways is critical for them to achieve these common goals. They must meet often, clarify their responsibilities, communicate well, and be willing to each take a supporting role when necessary. While it can be difficult to quantify the value that each function brings to the organization, when internal audit and compliance are working together the increase in that value is difficult to deny.
Sean Chen, CFE, CIA, CPA, has been a risk management and internal audit practitioner for more than 20 years and is currently based in Shanghai, China.