In my experience, people are inherently good and want to do the right thing. For most of our lives we don’t need to prove our goodness or innocence, and the rules that keep us on the right side of the law are taught to us early and often. Parents, grandparents, teachers, and Sunday school are the ways we learn the basics of right and wrong in our personal lives. The business world can be very different. The rules are not clear; it’s often a challenge just to figure out what rules and regulations apply to your company. It’s even harder to prove that you followed them! Welcome to the complicated world of corporate compliance. Just like every other business function, Internal Audit has a role to play.
Today, we continue our coverage of Internal Audit and compliance. If you need a quick refresher on the what, why, and how of a typical compliance audit project, take a look at our past post, Auditing Compliance 101.
Compliance is a big scary word that evokes fear. Often the auditor is seen as the beacon of hope: a line of defense against rule breaking, fines, and red tape. But sometimes this admiration and esteem can go too far, leading to misconceptions about Internal Audit’s role. What is the difference between Internal Audit and compliance? How are these teams similar? When must they work together, and when should they stay in their own corners? Can one person be responsible for compliance and Internal Audit? Keep reading and find out!
Internal Audit and Compliance: What’s the Difference?
Internal Audit is, by the IIA’s definition, “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Your Credit Union should have a team of auditors who create and execute a risk-based audit plan every year. For some smaller Credit Unions, this function is often performed by one auditor or even volunteer Supervisory Committee members. The Internal Audit activity should not have any transactional or reporting responsibilities. Additionally, the audit leader should report administratively to the CEO but functionally to the Supervisory Committee, promoting independence.
By contrast, the Compliance function typically reports to the COO, CFO, or Risk Management leader. A compliance officer (or team) will perform basic compliance quality control procedures, identify compliance lapses, and alert the appropriate leaders. For smaller Credit Unions, this may be handled by a competent multi-tasker who has frontline or administrative duties, as well as a keen eye for compliance. This doesn’t pose a conflict because the independence standards Internal Auditors are familiar with don’t apply.
The compliance specialist, officer, or team is not independent of operations, and their focus is narrow in comparison to Internal Audit. While Internal Audit must consider every process, department, and control at the Credit Union in their audit universe, compliance can focus on specific areas. As a general rule, compliance will look at fewer processes than Internal Audit does in a typical test, but their sample size will be much larger. In fact, many compliance tests will examine the entire population of transactions or events, testing a requirement for “pass/fail”. For example, compliance staff may test an entire month’s worth of new member accounts and look at the overdraft opt-in form, making sure it was completed and signed.
What are the Similarities?
Despite these clear distinctions, Internal Audit and compliance should be strategic partners at the Credit Union. The same personality types are drawn to these professions, and it isn’t uncommon for strong work friendships to form across departments. Compliance team members and auditors are rule followers, highly organized, and detail oriented.
Internal Audit and compliance will often coordinate projects, brainstorm solutions, and compare notes to make sure all is well. The NCUA Safety & Soundness exam is another time when auditors and compliance staff have important roles to play and must work together for the success of the organization.
If your Credit Union has a compliance department, you may want to consider incorporating some of their testing into your audits on a case-by-case basis. For example, you can make a habit of checking in with them when you start planning an audit to see if they have any concerns or insights. This can help point you in the right direction and bring risks you may not have considered to the surface.
The Dangers that Lurk
For some auditors, getting your feet wet in compliance could be the start of a dangerous situation: people assuming you are the authority. When I was a CAE, I had employees, department leaders, and even Board and Supervisory Committee members ask me to speak to the Credit Union’s compliance with a law, rule, or regulation. Just like the perplexing topic of policies, we are sometimes asked to cross an important line and step into the role of compliance.
Outside of presenting formal audit findings, this simply isn’t appropriate. Practice being polite but firm, explaining that management and the Board are responsible for following all the rules and regulations; Internal Audit is the mirror to show them how well they are doing. This is a concept that is hard for many to grasp. If your Credit Union is not following the rules, there is only so much that even the best auditor can do to help. We can find exceptions left and right, but it is up to the leadership and Board to accept this feedback and implement changes.
Often, there are further complications between audit and compliance. Many of my Credit Union colleagues, friends, and clients are really good at compliance work! You may have worked in a compliance role, leading you to audit. It’s possible you hold a certification in the compliance field, such as a CUCE. If a compliance question comes up in a meeting, in the Boardroom, or even at the water cooler, it may be really tempting to chime in and start sharing this hard-earned knowledge.
While you may be an expert, this isn’t your current role or responsibility. If you state that the Credit Union has complied with a rule or regulation, and that turns out to be incorrect, you have just undermined your credibility! If you answer on behalf of compliance during external audits, compliance engagements, or NCUA examinations, you are overstepping. You’re denying the appropriate staff the opportunity to make their case, and assuming responsibility that doesn’t belong to you!
Always be aware of when you are crossing the line as an Internal Auditor.
When Internal Auditors are Responsible for Compliance
Every post like this needs an exception to the thesis! In theory, Internal Audit and compliance should be two completely separate departments. In the real world, this is not always possible. Some Credit Unions will have audit and compliance performed by the same team or individual. This is not ideal, but I’m a realist. Not every Credit Union has the resources they need.
If you are an auditor who also has compliance responsibilities, I stand by the advice in this article about drawing boundaries and sticking to them. Know when you are speaking as an auditor, or as the compliance function. Do not audit your own work; outsource compliance audits or cross-train a talented multi-tasker from another department to help you out part-time. Make sure your Supervisory Committee understands that while you are responsible for compliance, their role is to oversee the audit function. If your Supervisory Committee becomes the compliance oversight committee, you need to encourage your members to focus their time and energy appropriately!
Auditor, Know Thyself!
As an auditor you may have a limited, working, or expert level of compliance knowledge. Wherever you are is perfectly, absolutely, 100% okay!
When I first started out in an Internal Audit role at a Credit Union, I was not very literate in compliance. I knew what the NCUA was and could name the major regulations we dealt with. That was about it. When I would be assigned a compliance project, I often had to start from the very beginning; I’d read the online guide, develop a basic plan, and learn first-hand in the field. After many years and countless compliance audits performed, I officially know enough to be dangerous. But it’s really neither here nor there; I believe that I provided value when I was a newbie, because I researched my subjects, asked questions, and tried to be as objective as possible, just like I do now.
Sometimes auditors get the impression that they have to be subject matter experts or know more about the topic at hand than their auditees do. I don’t agree with that at all. I also think it’s dangerous for auditors to not be honest about their own knowledge base, particularly in an area like compliance. The devil is in the details in this work. If something doesn’t make sense to you, it probably doesn’t make sense. So keep digging, and don’t be afraid to say you don’t know something or you can’t follow what someone is telling you.
All of this is to say that if you are not yet fully versed in the compliance issues facing your Credit Union, I encourage you to accept yourself where you are. Having knowledge does make you a better auditor, but everyone has blind spots. If you’re in the learning phase, you can absolutely add value to any compliance audit. On the other hand, an auditor well-versed in a topic can still miss things. Regardless of how much you know about your audit subject, you can make inroads with good audit practices, professional skepticism, and intellectual curiosity.
Readers, I hope this post has given you a framework to think about compliance, and the role you play. Please leave a comment and tell others about the challenges you’ve faced or overcome. I also hope you’ll consider becoming a subscriber to The Audit Library, if you are not one already. We have an extensive and growing collection of Credit Union compliance audit programs that can help!