Corporate Compliance Insights
Adhering to Compliance Mandates: Why the Big Four May Not Be the Safest Bet

Compliance Audits Call for a Different Approach

by Leigh Vickery
June 5, 2020
in Compliance, Featured

Compliance audits and financial audits are different animals calling for different skill sets. Level 2 Legal’s Leigh Vickery explains why your organization might not want to choose a Big Four firm.

Compliance is a top concern in the business world and an area of increasing concern for corporate board members, executives and legal departments. While privacy is certainly not the only compliance issue facing enterprises today, intense media coverage of the EU’s General Data Protection Regulation (GDPR), which became enforceable two years ago, and the California Consumer Privacy Act (CCPA), which became law this year, has created a new sense of urgency. Concerns around privacy violations on Zoom and other videoconferencing platforms during COVID-19 and massive data breaches at major brands have only heightened the anxiety.

As more states make plans to update their own privacy regulations, compliance officers and internal stakeholders are rightfully concerned about the potential legal, financial and reputational risks of mismanaging data containing personal information. Many recognize this may not be a problem they can solve on their own and are wisely seeking outside expertise. Meanwhile, the Big Four accounting firms are offering enterprise legal services to corporate law departments and, in effect, have become direct competitors to alternative legal service providers (ALSPs) and law firms. In their view, the surging demand for compliance audits looks to be another promising new opportunity in the legal services domain, both in the U.S. and abroad.

Whether it is a good idea for organizations whose core expertise is in financial audits to cross over into privacy or other compliance audits will vary by country, but it is a question that should give us pause. While it’s certainly true that some legal services – the most prominent example of which is probably e-discovery – now lend themselves to outsourcing to a broad range of service and technology providers, including the world’s largest accounting firms, we should recognize from the start that a compliance audit in today’s increasingly complex and dynamic regulatory environment is not a commodity – not even close. It is also something quite distinct from a financial audit – the service the Big Four are known for.

How Compliance Audits Are Different

The term “compliance” applies to a broad range of diverse corporate behaviors and practices in areas like finance, IT, data security, antitrust, privacy, human resources, marketing and much more. We should also note that compliance frameworks vary considerably across industries. Credit card and payments companies must be especially concerned with PCI compliance, government agencies with FISMA, health care organizations with HIPAA, investment firms with FINRA and so on.

Compliance challenges are not all the same. The skill sets required to perform an effective audit that provides the client with strategic guidance and practical, lasting remedies differ widely from project to project. Even more to the point, each individual organization has a unique configuration of technologies and internal workflows, as well as a unique organizational structure and workplace culture – not to mention its own budget constraints and tolerance for risk – so compliance challenges and solutions necessarily look very different from one organization to the next.

A financial audit is an objective and independent analysis intended to ensure an organization’s financial statements present a “true and fair” picture of its financial performance and position at a specific point in time. A compliance audit is typically much broader and less well-defined. A compliance team must be able to look at and interpret the data and be ready to take on any challenge that involves translating data into something meaningful. But the team must also be able to integrate data and technological expertise with a high level of legal expertise. That’s because compliance audits often lead to internal investigations, which may in turn lead to full-blown legal matters.

When a compliance auditor finds an issue that has legal implications, the client may need to act quickly and decisively to mitigate risk and limit potential damage. There can be a significant cost for not getting it right the first time. If an audit is going to serve both the immediate and long-term interests of the client, it makes sense for the compliance auditor to assume the role of a strategic partner that understands legal processes and technologies, has a firm grasp of the legal issues that may arise from a detected problem and can quickly devise and adapt legal workflows that enable an organization to respond to compliance requests appropriately.

How the Compliance Challenge Is Comparable to e-Discovery

The Big Four aspire to be full-service and highly scalable “integrators” of legal advice, legal processes and technology and legal staffing to fill demand for niche or project-oriented skills. In theory, they can round up resources at a scale that no other organizations can match, including state-of-the-art technologies. They envision a process of accumulating interdisciplinary talent, advanced tools and process expertise to streamline the legal supply chain. But it’s not at all clear that the inherent complexities, unpredictability and client-specific nuances of compliance challenges are a good fit with the linear logic of a supply chain approach.

There are also conflict-of-interest landmines that must be navigated. Financial accounting firms are obliged to put the public interest first when they perform an audit or attestation, and they are not allowed to ignore or conceal information that may reflect negatively on a client. Organizations that offer legal services, on the other hand, are obligated to attend primarily to their client’s interest. Maintaining the integrity of these two distinct functions across thousands of client relationships on a global scale is likely to be a persistent challenge for the world’s largest accounting firms.

Furthermore, it remains to be seen whether the comparatively high cost of compliance audits by large accounting firms is sustainable in a highly competitive marketplace.

The comparison to e-discovery is instructive. Compliance practice is nowhere near the stage of maturity that e-discovery has reached after decades of intensive technology development, process improvements, best practices guidance from industry associations and landmark legal decisions governing the use of electronically stored information as evidence. We do not have a one-size-fits-all template – something comparable to the electronic discovery reference model (EDRM), for example – that can guide organizations through a sequential, step-by-step, best-practices approach to solving compliance problems. There is not yet a standard playbook for compliance, in part because it is a nascent discipline that we’re only beginning to get a handle on, in part because of the rapid emergence of complex regulatory structures like GDPR and CCPA and also because compliance projects are simply much more diverse and require a broader range of skill sets than e-discovery projects.

It’s clear that a combination of mature technology and managed review teams can be an efficient and often cost-effective way for specialized vendors to take over non-core tasks from law departments. And, in some cases, it may make sense for the legal function to outsource this kind of work on a project-by-project basis to a provider their company already relies on and trusts for financial audits, just as they might turn over routine, labor-intensive contract review to a qualified services provider that has successfully managed such projects before.

But it makes little sense to regard compliance as another service that can be fulfilled by deploying junior-level associates and ad hoc teams of IT and legal professionals who may never have worked together before and may have little, if any, experience in actual litigation or in compliance projects. This is likely to be the case at very large professional services organizations, where compliance is a new offering conceived as an ancillary service to complement core functions like accounting, auditing, consulting and corporate finance.

There Is No Universal Compliance Playbook – Yet

Until we have a compliance playbook, or a series of playbooks corresponding to different industries and different regulatory frameworks, a Big Four firm actually may not be the safest or most strategic choice for compliance audits. What we need instead are legal services organizations for which compliance guidance is a core function. Such organizations do not claim to have a template for compliance; instead, they begin by taking the time to ask lots of questions of lots of stakeholders and data custodians across multiple business units. They know they must work hard to understand how each client is unique – how its data is structured, how its employees interact with that data, its information governance plan, the details of its technology infrastructure, the industries it operates in and the culture of the company – before proposing solutions. There must be deep data and technology expertise, real legal practice area expertise, seasoned and compliance-specific project management expertise and exceptional collaboration across a team that, ideally, has years of experience working together on diverse projects.

As we emerge from the COVID-19 crisis, we can expect heightened regulatory scrutiny and subsequent litigation around privacy and liability as governments test the limits of practices like required social distancing, location-based epidemiological tracking and conflicts between the imperatives of disclosure for public health purposes on one hand and protection of individual privacy on the other. The compliance landscape presented by such scenarios is likely to make the challenges of GDPR look like a walk in the park. There is no playbook. Who will you trust to guide you through it?

Tags: COVID-19, Data Breach, e-Discovery

About the author: Leigh Vickery

Leigh Vickery is the Chief Strategy & Innovation Officer for Level 2 Legal Solutions – a leading legal services company – and serves as the head of Level 2 Legal’s Charitable Giving Initiative. Leigh is also the CEO and Founder of Queso Mama, a multimillion-dollar cheese company. A graduate of Baylor University in English and psychology, Leigh continued her English studies in graduate school at Rice University and is also a graduate of Seth Godin's altMBA program, earning the class’s highest honor for most outstanding body of work, the Frances Perkins Award.

© 2025 Corporate Compliance Insights