Top ten things that internal audit needs to understand
The compliance function is often confused as being an audit function, yet this couldn’t be further from reality. The two groups can be complementary, though – they just need to know how to get along with each other.
There have been plenty of publications about the relationship between internal audit and compliance functions – from analysing functional differences to advocating integrations between the two – because they have hosts of similarities as well as differences in the array of their functionalities. But in many cases internal audit either completely leaves the compliance team out or simply steps over the line of compliance without even being aware. It is this disconnection between the two functions that has meant missed opportunities to create more value.
The following are the top ten things that internal audit teams need to keep in mind when working with compliance people.
Compliance people are not control-savvy
Many compliance professionals come from a legal background; hence, few are trained on internal controls. The concepts of ‘check and balance’ and ‘segregation of responsibilities’ often don’t make much sense to compliance people. For instance, they may not understand why it is important to segregate procured units from participating in vendor evaluation processes, or why an independent confirmation of service receipts might help uncover potential bribery scams. These anti-corruption and bribery measures are regularly left untouched as the compliance people are not able to handle them alone. Teaming up with internal audit can provide the compliance people with the necessary know-how to address these controls specifically and to be able to build a solid line of defence against irregularities.
Just saying no may require an ally
Telling a senior sales director that they cannot, for example, engage a high-profile distributor with integrity issues takes a lot of guts. In fact, saying no not only takes guts, it also requires a strong backup. This is what compliance people are facing on a day-to-day basis. Not surprisingly, compliance people are often labelled as ‘negative’ or ‘doing things by the book’, primarily because rules are not necessarily well equipped with justifications. To convince the business units, it takes additional work to articulate gains and losses. In the case of a distributor with a bad reputation, not saying no could result in a loss of customers for the company associated with the disreputable distributor. Even more compelling would be to demonstrate the potential revenue losses that could occur by engaging the distributor in question. Internal audit is trained for analysing monetary impacts to resonate audit recommendations. Therefore, by allying with compliance, internal audit would help ease the tension with business units and make the compliance job fruitful.
Audit theories sometimes do not work for compliance people
Internal audit looks at risk largely from the point of view of material impact: What would the monetary impact on revenue strings be if a control failed? What would the cost justification be if a control were to be implemented to detect a payment fraud? Contrarily, a theory of materiality may not be relevant to addressing some of the compliance issues. For instance, one single incident of violating United States trade embargos may lead to severe fines and sanctions. Corruptive behaviours committed by senior management, regardless of the illicit amount, could represent a cultural issue of integrity. That being said, internal audit needs to adjust its view when working with compliance people to be able to properly analyse compliance risks in a relevant way.
Compliance is not an audit function
It is easy to blur each other’s job scope when internal audit works with compliance. Oftentimes, the two functions overlap or misrepresent each other’s job. Not only does this confuse others, it also creates inefficiency. Despite some organisations’ efforts to lump both functions into one, they are fundamentally different. Compliance is a management function, period. As such, compliance is an auditee of the internal audit. In contrast, internal audit is independent of management functions and oversees management activities. Internal audit and compliance serve as counterparts to each other. In practice, internal audit should never treat compliance as part of its team.
Compliance is a policymaker
Improving policies and procedures is a common post-audit recommendation. It means that the existing policies are not specific and/or not comprehensive enough to guide business activities. With their legal expertise, compliance people are good at drafting policies and are the policymakers in an organisation, so they are the perfect party to call to action here. However, policies without procedures to back them up will be considered as ‘paper tiger’ policies. Bad procedures equally harm operational efficiencies and create conflicts. Developing good procedures requires in-depth insights of processes and controls, which the compliance people are not necessarily good at; therefore, a partnership between internal audit and compliance would be the right approach, where compliance reshapes the policies and internal audit helps with the procedures. In addition, this partnership would reaffirm the bond between the two functions.
Deterrence outweighs detection
Managing compliance risks is all about taking pre-emptive measures or controls to prevent the occurrence of undesirables. A pre-approval of travel and entertainment expenses is a good control to deter potential FCPA violations. Pre-examining a sales margin for deals with channel sales partners may potentially stop a bribery scam. Conducting a third-party screening may disengage a supplier with a bad reputation before it’s too late. Internal audit should keep in mind that it won’t be good enough to have the compliance people become a referee regarding these critical controls; instead they should exercise these controls on their own.
Compliance training needs to be thoughtful
Compliance training is one of the key elements of compliance programmes. Compliance teams are responsible for creating effective training programmes and training the right people. When evaluating this training, internal audit should keep in mind the various issues or concerns typically associated with the programme. For instance, the training could be less adaptive and focused, meaning it does not customise the training content based on the audience’s job scope and a dispersed workforce with higher risk markets. The employees or management who have direct contact with government officials or deal with state-owned entities should be prioritised with more intensive programmes. Training also needs to be adjusted to fit the risk profile of the audience.
A regulatory risk is at stake
When compliance people talk about a risk, they will always mean a regulatory risk – keeping track of what regulators are saying is how compliance teams spend their days. To gauge a regulatory risk is largely predicting which corporate behaviours could lead to a potential breach and how to stop doing those things. Risk acceptance is generally not an option from compliance’s point of view. In contrast, internal audit views a risk from a much broader scope, which also includes operational and financial risks, and assesses risks based on analysing robust issues like magnitude and chances of occurrence rather than merely on behaviours. Therefore, when working with the compliance team on compliance risk assessments, internal audit should keep in mind the assessment will be focused on behaviours or activities rather than financial impacts.
Sadly, compliance is often ad hoc
The only time that compliance really gets attention is when a company is at risk of an investigation or prosecution. This contingent-based approach has been quietly acceptable in a profit-driven environment, even though it is deemed short-sighted. Very few companies would take time to do a cost analysis for how much they would end up paying for a FCPA violation for every single dollar made for profit. With its unique position, internal audit would be an ideal ally for compliance to leverage its voice to advocate the best practice of corporate compliance programmes and value preposition.
Compliance may fall short when conducting investigations
Compliance is the very first party to be reported for whistleblower complaints, but maybe the last party to be considered for conducting investigations. There are various reasons for this, including budget constraints or lack of resources, but largely, compliance people are not hired to focus exclusively on investigations. Compliance investigations are complex and involve a unique set of skills, and can be easily derailed if not handled subtly. However, compliance is a great source for internal audit to mitigate legal issues that are encountered in the course of investigations.
Value creation can be a dreaded topic in a corporate environment, particularly in discussions surrounding ‘cost centre’ functions such as compliance and internal audit, and the suggestion of having the compliance and internal audit teams work together to double the value further increases scepticism. But the ten points above demonstrate that the better the two teams work together, the more value can be created for the business.