The business world can be very strange place. There are rules and regulations every way you look, but not all of them apply to everyone. Once you figure out which rules and regulations apply, you then have to figure out how to follow them. Sometimes the biggest challenge is proving that you followed them!
Welcome to the complicated world of corporate compliance. Just like every other business function, Internal Audit has a role to play. If you need a quick refresher on the what, why, and how of a typical compliance audit project, take a look at our past post, Auditing Compliance 101.
The focus of this post will be the fine and sometimes fuzzy line between these two departments. Compliance is a big scary word that invokes fear. Often the auditor is seen as the beacon of hope; a line of defense against rule breaking, fines, and red tape. But sometimes, this admiration and esteem can go too far, leading to misconceptions about Internal Audit’s role. What is the difference between Internal Audit and compliance? How are these teams similar? When must they work together, and when should they stay in their own corners? Can one person be responsible for compliance and Internal Audit? Keep reading and find out!
Internal Audit and Compliance: What’s the Difference?
Internal Audit is, by the IIA’s definition, “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Your company should have a team of auditors who create and execute a risk-based audit plan every year. The Internal Audit activity should not have any transactional or reporting responsibilities. Additionally, the audit leader should report administratively to the CEO but functionally to the Audit Committee, promoting independence.
By contrast, the Compliance function typically reports to the COO, CFO, or Risk Management leader. A compliance officer (or team) will perform basic compliance quality control procedures, identify compliance lapses, and alert the appropriate leaders. For small organizations, this may be handled by a competent multi-tasker who has frontline or administrative duties, as well as a keen eye for compliance. This doesn’t pose a conflict because the independence standards Internal Auditors are familiar with don’t apply.
The compliance specialist, officer, or team is not independent of operations, and their focus is narrow in comparison to Internal Audit. While Internal Audit must consider every process, department, and control in their audit universe, compliance can focus on specific areas. As a general rule, compliance will look at fewer processes than Internal Audit does in a typical test, but their sample size will be much larger. In fact, many compliance tests will examine the entire population of transactions or events, testing a requirement for “pass/fail”. For example, compliance staff may test an entire month’s worth of new member accounts and look at the overdraft opt-in form, making sure it was completed and signed.
What are the Similarities?
Despite these clear distinctions, Internal Audit and compliance should be strategic partners. The same personality types are drawn to these professions, and it isn’t uncommon for strong work friendships to form across departments. Compliance team members and auditors are both rule followers, highly organized, and detail oriented.
Internal Audit and compliance will often coordinate projects, brainstorm solutions, and compare notes to make sure all is well. A regulatory exam is another time when auditors and compliance staff have important roles to play and must work together for the success of the organization.
Depending on whether or not your company has a compliance department, you may want to consider incorporating some of their testing into your audits, on a case-by-case basis. For example, you can make a habit of checking in with them to see if they have any concerns or insights when you start planning for an audit. This can help point you in the right direction and bring risks you may not have considered to the surface.
The Dangers that Lurk
For some auditors, getting your feet wet in compliance could be the start of a dangerous situation; people assuming you are the authority. When I was a CAE, I had employees, department leaders, and even Board and Audit Committee members ask me to speak to the company’s compliance with a law, rule, or regulation. Just like the perplexing topic of policies, we are sometimes asked to cross an important line and step into the role of compliance.
Outside of presenting formal audit findings, this simply isn’t appropriate. Practice being polite but firm, explaining that management and the Board are responsible for following all the rules and regulations; Internal Audit is the mirror to show them how well they are doing. This is a concept that is hard for many to grasp. If your company is not following the rules, there is only so much that even the best auditor can do to help. We can find exceptions left and right, but it is up to the leadership and Board to accept this feedback and implement changes.
Often, there are further complications between audit and compliance. Many of my colleagues, friends, and clients in the Audit industry are really good at compliance work! You may have worked in a compliance role, leading you to audit. It’s very possible you hold a certification in the compliance field. If a compliance question comes up in a meeting, in the Boardroom, or even at the water cooler, it may be really tempting to chime in and start sharing this hard-earned knowledge.
While you may be an expert, this isn’t your current role or responsibility. If you state that the company has complied with a rule or regulation, and that turns out to be incorrect, you have just undermined your credibility! If you answer on behalf of compliance during external audits, compliance engagements, or regulatory examinations, you are overstepping. You’re denying the appropriate staff the opportunity to make their case, and assuming responsibility that doesn’t belong to you!
Always beware of crossing the compliance line as an Internal Auditor.
When Internal Auditors are Responsible for Compliance
Every post like this needs an exception to the thesis! In theory, Internal Audit and compliance should be two completely separate departments. In the real world, this is not always possible. Some companies will have audit and compliance performed by the same team or individual. This is not ideal, but I’m a realist. Not every organization has the resources they need.
If you are an auditor who also has compliance responsibilities, I stand by the advice in this article about drawing boundaries and sticking to them. Know when you are speaking as an auditor, or as the compliance function. Do not audit your own work; outsource compliance audits or cross-train a talented multi-tasker from another department to help you out part-time. Make sure your Audit Committee understands that while you are responsible for compliance, their role is to oversee the audit function. If your Audit Committee becomes the compliance oversight committee, you need to encourage your members to focus their time and energy appropriately!
Auditor, Know Thyself!
As an auditor you may have a limited, working, or expert level of compliance knowledge. Wherever you are at is perfectly absolutely 100% okay!
When I first started out in an Internal Audit role, I was not very literate in compliance. I knew the name of our regulatory body and could name the major regulations that applied to us. That was about it. When I would be assigned a compliance project, I often had to start from the very beginning; I’d read the online guide, develop a basic plan, and learn first-hand in the field. After many years and countless compliance audits performed, I officially know enough to be dangerous. But it’s really neither here nor there; I believe that I provided value when I was a newbie, because I researched my subjects, asked questions, and tried to be as objective as possible, just like I do now.
Sometimes auditors get the impression that they have to be subject matter experts or know more about the topic at hand than their auditees do. I don’t agree with that at all. I also think it’s dangerous for auditors to not be honest about their own knowledge base, particularly in an area like compliance. The devil is in the details in this work. If something doesn’t make sense to you, it probably doesn’t make sense. So keep digging, don’t be afraid to say you don’t know something or you can’t follow what someone is telling you.
All of this is to say that if you are not yet fully versed in the compliance issues facing your company, I encourage you to accept yourself where you are. Having knowledge does make you a better auditor, but everyone has blind spots. If you’re in the learning phase, you can absolutely add value to any compliance audit. On the other hand, an auditor well-versed in a topic can still miss things. Regardless of how much you know about your audit subject, you can make inroads with good audit practices, professional skepticism, and intellectual curiosity.
Readers, I hope this post has given you a framework to think about compliance, and the role you play. Please leave a comment and tell others about the challenges you’ve faced or overcome. I also hope you’ll consider becoming a subscriber to The Audit Library, if you are not one already. We have an extensive and growing collection of compliance audit programs that can help!