Can internal audit and compliance professionals collaborate more effectively for the benefit of their organization? Why shouldn't they? Audit and compliance, working together, are uniquely positioned to help the board and management understand the value of an integrated approach to governance activities: one that uses resources wisely, prevents undesirable outcomes, and seizes opportunities to achieve business objectives.
So when I wrote a few years ago on the concept of integrated governance, risk management, and compliance (GRC), and on how governance provides the overarching framework for management activities that audit, risk management, and compliance support, I have to admit to being taken aback by some of the heated reaction to GRC.
As many of you are well aware, GRC is the umbrella term that emphasizes governance, risk, and compliance activities being integrated and aligned in order to avoid conflicts, wasteful overlaps, and gaps. While interpreted differently in different organizations, GRC typically encompasses activities involving corporate governance (the overall management approach through which the board and senior executives direct and control the entire organization), enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.
Along with other commentators, I was merely pointing to opportunities to improve performance and effectiveness across these closely related areas and activities. Yet merely raising a discussion of GRC seemed anathema to cherished professional principles (and turf) and, in the view of some critics, constitutes a consulting-industry sham. Still others mistakenly believe that GRC calls for its own structure, adding another layer of complexity, including the designation of a Chief GRC Officer to herd all these functions together.
At first, I thought this antagonism was confined to auditors who perhaps were not familiar with compliance programs and activities; some even suggested the "C" should refer to control rather than compliance. However, there are compliance professionals who similarly view GRC as the "Growing Revenue Channel" and worry about being marginalized as merely one of the many company risks needing to be managed. Commentators from compliance have opined that compliance risks are so operationally unique that the concept of GRC can only distract compliance from solving problems and divert necessary resources, time, and attention.
Yes, when you group dissimilar things together into broader categories there is always the danger that the common principles become so abstract that they have little to offer in the way of practical guidance for solving real problems. But I don't believe anyone is claiming that governance, risk, and compliance are all best handled by the same department, the same competencies, or the same software product. Nor do I believe that internal audit or compliance and ethics necessarily get lost in such an approach, at least no more so than they currently do. Those serving as chief audit executives (CAEs) or chief ethics and compliance officers (CECOs) still need to make their case for access, funds, and resources. If we believe that the internal audit function and compliance programs are essential elements of the company's management of risk and truly add value, I am not sure why we would assume these areas would receive less support and attention; if nothing else, there is strength in numbers.
The internal audit and compliance functions need to be guided by overarching principles and executed through repeatable processes; they need to take into account governance issues and be a part of the organization's governance structure; and compliance risks certainly can be analyzed using common risk-assessment, control, and mitigation frameworks. What each area needs is a clear understanding of its role in the organization and, ultimately, of how to work together. Depending on each company's unique risk profile, history, and culture, that specific role may vary. The GRC approach, among other things, allows us to "think big" about compliance and audit and how each can maximize its effectiveness.
According to the Institute of Internal Auditors, internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The scope of internal audit is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, the deterrence and investigation of fraud, the safeguarding of assets, and compliance with laws and regulations.
Regulatory compliance describes the goal of ensuring that personnel are aware of and take steps to comply with relevant laws and regulations. Due to the increasing number of regulations and the need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and use of resources.
Here are some ways the functions work separately and remain distinct:
The compliance department primarily monitors regulatory risk and performs only limited auditing of its own; generally, compliance relies on internal audit to identify and conduct regulatory audits.
Compliance makes recommendations for the audit plan.
Compliance risks are just one category of risk that internal audit monitors to evaluate the effectiveness of the organization's risk management processes.
Compliance is a management function that itself needs to be audited, typically by internal audit.
Increasingly, the lines between regulatory compliance and internal audit duties have become blurred. A primary focus of both functions, as it relates to corporate governance, is assisting the audit committee and board of directors to perform their responsibilities effectively and meet their oversight obligations. This includes reporting on potential misconduct, identifying critical internal control problems, informing privately on the capabilities of key managers, and coordinating carefully to ensure the committee and full board receive effective information. Here are the commonalities:
Both require a high degree of objectivity, independence, and integrity. Although compliance is a management function, it requires a high level of clout and independence in order to meet its responsibility of preventing misconduct. Under the Federal Sentencing Guidelines, compliance is viewed as a check and balance to the legal function, which serves to protect the organization. Similarly, under COSO the audit function is recommended to be separate from finance to enable unrestricted evaluation of management activities.
Both the CAE and CECO need a reporting line to a level within the organization that allows them to fulfill their responsibilities; increasingly this is viewed as reporting functionally to the board or audit committee.
Both heavily focus on risk management and fraud and abuse prevention.
Both address building and maintaining an ethical organizational culture.
It seems to me that the debates on GRC and the roles of audit and compliance reflect misperceptions more than any real dispute. Again, GRC is about collaboration and getting functions to work together. Organizations need efficient risk and compliance processes, ideally with a single approach and system for people to learn. That applies to policies, assessments, controls, audits, and other areas.
Concerns that compliance risk needs to be handled separately from other risks are legitimate, but they can be addressed. For example, an enterprise risk management function is not the owner of the risks it identifies; it models and assesses risk with the support of the business owner of that risk. In the same way, risk management, as a function separate from internal audit and compliance, can assess and understand compliance risk and show its relationship to other risks without managing the compliance risk itself.
Maybe it just means internal audit and compliance (and risk management) collaborating more so they better understand each other's respective disciplines? I still get blank stares from auditors and compliance professionals when I suggest that a strong “tone at the top” from COSO is really the same as an “organizational culture that encourages ethical conduct and commitment to compliance” as described in the Sentencing Guidelines. Or that an auditor reviewing integrity and ethical values for the control environment and the compliance department evaluating the ethical culture to determine the impact of the compliance and ethics program are largely redundant activities.
The roles of both internal audit and compliance have been expanding, particularly in the post-Enron era and with the ongoing onslaught of corporate misconduct. Both increasingly have an active role in risk identification, management, monitoring, and mitigation. In this context, close collaboration between audit and compliance activities makes perfect sense. Working together, audit and compliance can monitor and periodically report to management and the board of directors on how compliance and ethical risks are being identified and addressed.