Adding Value to Compliance Audits – part 1

I have often been critical of compliance audits, but I recently realized that it is not the ‘compliance audit’ that bothers me, but the way it is done.  This led me to write the following thoughts.

It is difficult to argue that compliance audits are not an important internal audit product.  Done properly, they can protect a company from fines, penalties and even criminal charges.  For example, non-compliance with anti-money laundering legislation has recently had serious consequences.  A financial institution was fined $1.93B for failure to conduct basic money laundering due diligence in its operations in Mexico.  But it doesn’t stop there: the institution is also being sued by the families of people murdered by Mexican drug cartels.  Non-compliance with environmental regulation has had significant monetary and non-monetary impacts on companies.  The Environmental Protection Agency’s enforcement actions include administrative, civil and criminal penalties.  And the SEC has civil and criminal penalties for insider trading and other non-compliant activities.  Despite the seriousness of non-compliance, compliance audits are often not seen to be of value by many managers, possibly because these audits often look something like this:

  • Objective: Verify compliance with “A”
  • Criterion: You are supposed to do “A”
  • Condition: The audit found you were not doing “A”
  • Recommendation: Do “A”

And some auditors wonder why the client does not see any value in a compliance audit – particularly if they already knew that they were not complying with the requirements to do “A”.  These audits fail to identify the cause, and the impact, of the non-compliance.  Auditors need to do more – not only to ensure that compliance audits are providing real assurance to senior management – but also to be seen to be adding value.

There are two basic things you can do to add value to compliance audits: do the right audit; and do it right.  Doing the right audit means examining why there is a compliance requirement in the first place.  Typically it is for legal, regulatory or operational reasons.  But behind the simple compliance requirement “you must do A” there is a risk that was deemed serious enough for management or regulatory/legal authorities to put a compliance requirement in place.  Now you are auditing compliance with that requirement – perhaps because there is a mandatory requirement to verify compliance on a regular basis.  However, risk shifts quickly in an economy where “speed of change” is a critical success factor of business, and it morphs rapidly in a world where globalization and automation result in shifts in the strategic and operational initiatives of global enterprises.  Yesterday’s risks and compliance requirements are not always the same as those of today.  Changing risks and compliance requirements can affect not only the need for the compliance controls but also their adequacy.

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. The overarching context of the model acknowledges the broader role of organizational governance and governing bodies.  The model encourages auditors to expand their role to include risk and compliance.   In addition, it is not enough that the various risk and control functions exist — each must have a well-defined role and their efforts should be coordinated to avoid duplication and gaps in controls.  As a result, it is not uncommon to find teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors, fraud investigators, and other risk and control professionals working in concert to help their organizations manage risk.

Senior management and governing bodies collectively have responsibility and accountability for setting the organization’s objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing those objectives (the first line of defense).  The second line includes the risk management, compliance, financial control and IT functions that oversee risk.  While the compliance function monitors various specific risks, such as non-compliance with applicable laws and regulations, internal audit provides the independent assessment of risk – the third line of defense.

If you are a manufacturing plant, there are probably numerous environmental regulations that you must comply with; and if you are a publicly traded company you will have SOX and other financial and legal rules and regulations.  Virtually every company will have a set of policies and procedures that must be followed to protect it from lawsuits, prosecution, reputational and other risks.  These are the areas where compliance requirements will be established and where audit will perform compliance audits.

Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls (GRC), including the manner in which the first and second lines of defense achieve risk management and control objectives.  The scope of this assurance covers a broad range of objectives, including compliance with laws, regulations, policies, procedures, and contracts (IIA Position Paper: Three Lines of Defense in Effective Risk Management and Control, June 2013).  But it should not be “compliance simply for compliance’s sake”.  Audit should be mindful of the overarching business objective and the controls that are put in place to help mitigate risk to the achievement of that objective – even when examining controls with compliance requirements.

Deconstructing the top level strategy into key goals/objectives will help you to identify the enterprise-level risks that threaten the achievement of those goals; the process-level control objectives that mitigate those enterprise risks; the process-level risks; and the controls that mitigate the process level risks.  The compliance activities will likely be closely related to these process-level risks and controls and these are the risks and controls that should be assessed.

The risk tolerance around an activity subject to compliance requirements may be closer to zero than for other activities of the organization.  However, transforming a compliance audit into a value-added activity still starts with the determination of the audit objective.  This sets out in clear terms what the audit seeks to accomplish and drives the scope, criteria, work plan and final results.  If the audit objective is simply to verify compliance with “A”, then you will fall into the trap of concluding “You are not doing A” and recommending “Do A”.  However, if the audit considers the compliance-related business objective and the associated risk, and has an objective such as “to verify the need for, existence of and adequacy of compliance with ‘A’”, it will be better positioned to address the governance, risk management and compliance issues as well as to add value.

Given this type of audit objective, one of the first steps would be to perform a risk assessment to determine whether the original risks and compliance requirements still exist.  They may have been eliminated by a change in operations (e.g. we are no longer making that product, or we are no longer using that manufacturing process).  The risk may have been transferred to someone else (we subcontracted out the operation).  Business process re-engineering, changes in location and retooling are just a few of many possible reasons why the original risk, and the associated need for compliance, may have been eliminated, transferred or lessened.  In these cases, the value-add might be the elimination of the requirement to comply:  no risk – no compliance requirement.

****** more next week *******

Year 30 + P-card fraud

I didn’t realize how quickly I would get to 30 years when posting one blog per week for each year (30 weeks).  Even drawing some of the posts out to two weeks didn’t add much.  So now I am posting additional analysis performed over the years.  Another thing I didn’t take into account was that I would continue to perform analysis – even after I retired.  So I will likely have enough to continue to post – maybe not every week since I am trying to slow down a bit.

I have often said that I never performed the same audit twice.  This is not entirely true.  I certainly have performed Accounts Payable and Payroll audits more than once, but for different organizations.  I have also done a variety of audits around contracting and construction or major capital projects.  But I have never implemented the same audit program twice.  There were always new risks, additional concerns, and different analysis to be done.  This has made every audit a unique challenge.

The audit that comes closest to being repetitive is p-cards.  I first mentioned this in my Year 2000 post, which described a standard set of analyses I performed to find misuse, abuse and fraud in p-card charges.  It started because I was tasked to assist the USA IG with some complicated analysis looking at totals by cardholder within any 5 day period.  The audit of p-cards continued with my own company, and the standard analysis scripts I developed have been used over and over again in various organizations.

Perhaps not coincidentally, I was asked to develop an analysis program for p-cards again a couple of weeks ago.  Many of the tests were the same as I had performed numerous times: the usual risks such as split transactions to avoid financial limits, duplicates to detect merchant fraud, personal expenditures charged to corporate p-cards, etc.  But this time the organization actually had a list of prohibited Merchant Category Codes (MCC) that could be verified by individual cardholder.  This particular test was made more difficult because the list of prohibited MCCs was formatted like “4511, 3351-3499, 7512, 3500-3999, 7011, 4814-4815, 5541-5542, 7523-7524, 4112, 4817-4821”. While I did develop a script that expanded “3351-3499” into “3351, 3352, 3353, … 3499” using nested loops, I thought there might be an easier way, so I posted the question on the ACL Peer Community (aka User Forum).  One of the regulars, Thomas Larson, posted a much easier script that used BETWEEN() when there was a range such as “3351-3499”, and FIND() when it was a single MCC. However, this is not the point of my story.  My point is – once again I found misuse, abuse and possibly fraud (still needs to be reviewed and verified) in p-card transactions.
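The two tests described above (the prohibited-MCC check against a list that mixes single codes with ranges, and the 5-day split-transaction test from the earlier IG work), as an added Python example that is not the author's ACL script: the MCC list is the one quoted in the post, the transactions are constructed sample rows, and the $1,000 single-purchase limit is an assumed value.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
# The prohibited-MCC list exactly as the post quotes it: single codes mixed with ranges.
PROHIBITED_MCC = "4511, 3351-3499, 7512, 3500-3999, 7011, 4814-4815, 5541-5542, 7523-7524, 4112, 4817-4821"

def parse_mcc_ranges(spec):
    """Turn '4511, 3351-3499, ...' into (low, high) pairs; a single code becomes (code, code)."""
    ranges = []
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(\d{4})(?:\s*-\s*(\d{4}))?\s*", item)
        if not m:
            raise ValueError(f"unrecognised MCC entry: {item!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        ranges.append((low, high))
    return ranges

def is_prohibited(mcc, ranges):
    return any(low <= mcc <= high for low, high in ranges)  # BETWEEN() or exact match

def prohibited_transactions(transactions, spec=PROHIBITED_MCC):
    """Rows whose MCC is on the prohibited list; review these by cardholder."""
    ranges = parse_mcc_ranges(spec)
    return [t for t in transactions if is_prohibited(t[2], ranges)]

def split_transactions(transactions, limit, window_days=5):
    """Cardholders whose charges inside any window_days period total more than the limit."""
    by_holder = defaultdict(list)
    for holder, day, _, amount in transactions:
        by_holder[holder].append((day, amount))
    flagged = {}
    for holder, rows in by_holder.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            window = [a for d, a in rows[i:] if d < start + timedelta(days=window_days)]
            if len(window) >= 2 and sum(window) > limit:  # at least two charges = a split
                flagged[holder] = round(sum(window), 2)
                break
    return flagged

# Constructed sample transactions: (cardholder, date, mcc, amount). Not real data.
SAMPLE = [
    ("C001", date(2016, 3, 1), 5111, 420.00),   # three office-supply charges in four days
    ("C001", date(2016, 3, 2), 5111, 480.00),   # that together exceed an assumed $1,000 limit
    ("C001", date(2016, 3, 4), 5111, 450.00),
    ("C002", date(2016, 3, 3), 3600, 812.50),   # 3600 sits inside the 3500-3999 range
    ("C002", date(2016, 3, 10), 5411, 35.20),
    ("C003", date(2016, 3, 5), 7011, 150.00),   # 7011 is a single listed code
]
```

Running `prohibited_transactions(SAMPLE)` returns the C002 and C003 rows, and `split_transactions(SAMPLE, 1000)` flags C001 with a 5-day total of 1350.00.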

P-cards were introduced because they are cheaper than invoices, and have additional controls both at the bank and at the organization level.  Why then do I consistently find issues with p-card transactions?  The single most contributory cause is inadequate management review of p-card transactions.  Employees who have been assigned a p-card are often asked to sign an official-looking form that says that they understand the rules around p-card use (basically, only to be used for business purposes that comply with policy).  As a second level of control, the employee’s manager (or a p-card manager) is tasked with reviewing their employees’ use of the p-card.  For some managers this can mean reviewing the p-card usage of 50-100 employees, which amounts to thousands of transactions.  Since many are small dollar, managers can be less than diligent, providing employees with the opportunity they need to commit fraud.

However, sometimes it is a higher level manager who commits the fraud.  For example, we had one such fraud in the city where I work.  A finance director at a charity organization charged personal expenses to her corporate credit card, including $78K in home furnishings and new appliances, $69K in groceries, and $50K for gas and car repairs.  She covered the expenses for 8 years with transfers ranging from $663.03 to $40,500.00 from various accounts.  A simple review of transactions by MCC would have identified this fraud in the first few months.

Back in 2000, the Office of the Inspector General in the US did a government-wide audit and identified the following control weaknesses, which – based on audits I have been involved in – are also applicable in non-government companies.  These include:

  • Inadequate review of purchases by approving officials
  • Unmanageable span of control
  • Excessive number of cardholders
  • Exceeding authorized purchase limits
  • Lack of/inadequate documentation
  • Inappropriate purchase methods
  • Unrecorded accountable property
  • Lack of security over purchase card
  • Inadequate training for cardholders and approvers
  • Inappropriate financial coding
  • Inadequate reconciliation

I have seen numerous cases where:

  • The approving official’s review is the most essential element of the p-card control system.  The approver should ensure purchases are appropriate and charges are accurate.  At the same time, the span of control can be quite large (thousands of cardholders), making it difficult to perform an adequate review.
  • Cardholders have developed unique ways to get around purchase limits, including one I know of who had a consultant working for them write a letter to the credit card company asking for the limit to be raised – and it was.
  • People confuse having a credit card with “authority to purchase” and are able to bypass purchasing controls.
  • Items that are purchased are often not recorded in any corporate system – this includes computers and other expensive and attractive items.
  • Cards are lost, stolen or misplaced and often not reported.
  • Financial coding is often “general office supplies” even though many different items can be purchased, and it is difficult to reconcile transactions.


Lessons Learned: the implementation of an improved system of controls (p-card versus accounts payable invoices) can still have serious weaknesses and must be assessed.  Also, when you are relying on managers to perform (manual) reviews of thousands of transactions, the likelihood of this being a good control is small.

In addition, control weaknesses in one company, or in one portion of a company, likely exist elsewhere.  When performing a fraud risk assessment, be sure to look at what is happening in your own company and in others.  Fraud schemes are often repeated whenever and wherever similar control weaknesses exist.

Lastly, despite close to 30 years of using ACL, I can and do ask for help.  Some of the users on the Peer Community have analytical skills that put mine to shame; and they offer them freely to those of us who ask for help.