I have often been critical of compliance audits, but I recently realized that it is not the ‘compliance audit’ that bothers me, but the way it is done. This led me to write the following thoughts.
It is difficult to argue that compliance audits are not an important internal audit product. Done properly, they can protect a company from fines, penalties and even criminal charges. For example, non-compliance with anti-money laundering legislation has recently had serious consequences. A financial institution was fined $1.93B for failure to conduct basic money laundering due diligence in its operations in Mexico. But it doesn't stop there: the institution is also being sued by the families of people murdered by Mexican drug cartels. Non-compliance with environmental regulation has had significant monetary and non-monetary impacts on companies; the Environmental Protection Agency's enforcement actions include administrative, civil and criminal penalties. And the SEC has civil and criminal penalties for insider trading and other non-compliant activities. Despite the seriousness of non-compliance, many managers do not see compliance audits as adding value, possibly because these audits often look something like this:
- Objective: verify compliance with "A"
- Criterion: you are supposed to do "A"
- Condition: the audit found you were not doing "A"
- Recommendation: do "A"
And some auditors wonder why the client does not see any value in a compliance audit, particularly if the client already knew that they were not complying with the requirement to do "A". These audits fail to identify the cause, and the impact, of the non-compliance. Auditors need to do more: not only to ensure that compliance audits are providing real assurance to senior management, but also to be seen to be adding value.
There are two basic things you can do to add value to compliance audits: do the right audit, and do it right. Doing the right audit means examining why there is a compliance requirement in the first place. Typically it exists for legal, regulatory or operational reasons. Behind the simple compliance rule "you must do A" there is a risk that was deemed serious enough for management or regulatory/legal authorities to impose a compliance requirement. Now you are auditing compliance with that requirement, perhaps because there is a mandatory requirement to verify compliance on a regular basis. However, risk shifts quickly in an economy where "speed of change" is a critical success factor of business, and it morphs rapidly in a world where globalization and automation result in shifts in the strategic and operational initiatives of global enterprises. Yesterday's risks and compliance requirements are not always the same as today's. Changing risks and compliance requirements can affect not only the need for the compliance controls but also their adequacy.
The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. The overarching context of the model acknowledges the broader role of organizational governance and governing bodies. The model encourages auditors to expand their role to include risk and compliance. In addition, it is not enough that the various risk and control functions exist — each must have a well-defined role and their efforts should be coordinated to avoid duplication and gaps in controls. As a result, it is not uncommon to find teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors, fraud investigators, and other risk and control professionals working in concert to help their organizations manage risk.
Senior management and governing bodies collectively have responsibility and accountability for setting the organization's objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing those objectives. Operational management, which owns and manages risks day to day, is the first line of defense. The second line includes the risk management, compliance, financial control and IT functions that oversee risk; the compliance function in particular monitors specific risks such as non-compliance with applicable laws and regulations. Internal audit provides the independent assessment of risk management and control, and is the third line of defense.
If you are a manufacturing plant, there are probably numerous environmental regulations that you must comply with; if you are a publicly traded company, you will have SOX and other financial and legal rules and regulations. Virtually every company will have a set of policies and procedures that must be followed to protect it from lawsuits, prosecution, reputational damage and other risks. These are the areas where compliance requirements will be established and where audit will perform compliance audits.
Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance covers a broad range of objectives, including compliance with laws, regulations, policies, procedures, and contracts (IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, June 2013). But it should not be "compliance simply for compliance's sake". Audit should be mindful of the overarching business objective and of the controls that are put in place to mitigate risk to the achievement of that objective, even when examining controls that carry compliance requirements.
Deconstructing the top-level strategy into key goals/objectives will help you to identify the enterprise-level risks that threaten the achievement of those goals; the process-level control objectives that mitigate those enterprise risks; the process-level risks; and the controls that mitigate the process-level risks. The compliance activities will usually map closely to these process-level risks and controls, and these are the risks and controls that should be assessed.
The risk tolerance around an activity subject to compliance requirements may be closer to zero than for other activities of the organization. However, transforming a compliance audit into a value-added activity still starts with the determination of the audit objective. This sets out in clear terms what the audit seeks to accomplish, and it drives the scope, criteria, work plan and final results. If the audit objective is simply to verify compliance with "A", then you will fall into the trap of concluding "You are not doing A" and recommending "Do A". If instead the audit considers the compliance-related business objective and its associated risk, and has an objective such as "to verify the need for, existence of, and adequacy of compliance with A", it will be better positioned to address the governance, risk management and compliance issues, and to add value.
Given this type of audit objective, one of the first steps would be to perform a risk assessment to determine whether the original risks and compliance requirements still exist. The risk may have been eliminated by a change in operations (we are no longer making that product; we are no longer using that manufacturing process). It may have been transferred to someone else (we subcontracted out the operation). Business process re-engineering, changes in location and retooling are just a few of the many other reasons why the original risk, and the associated need for compliance, may have been eliminated, transferred or lessened. In these cases the value-add might be the elimination of the requirement to comply, or, where the requirement is imposed externally and cannot simply be dropped, documented evidence that it no longer applies to the changed operation: no risk, no compliance requirement.
****** more next week *******