They have different remits, to be sure, but ethics and compliance and internal audit teams that work collaboratively and via open lines of communication are a company’s best chance to fight risk and promote good governance. Experts Ellen Hunt and Ursula Schmidt offer practical examples of what it means for these teams to work together to support their organizations and avoid the pageant of who reports what to the board.
Internal audit and ethics and compliance have a lot in common, but they are not the same. However, because their differences are complementary, it’s imperative that both areas work together to bring value to the organization. Internal audit is designed to provide assurance that internal controls are working as intended. Ethics and compliance provides the necessary framework to create a culture of compliance that prevents and detects misconduct.
Simply speaking, internal audit assesses risks, tests policies and procedures, identifies weaknesses and provides recommendations to improve controls and reduce risk. Ethics and compliance, on the other hand, designs policies and procedures for compliance with the law. Both seek to protect the organization from reputational harm, fines and penalties, as well as create efficiencies and identify opportunities for continuous improvement. Together, they create a robust system of checks and balances.
Side-by-side in fighting common misconceptions
Internal audit and ethics and compliance share another common characteristic: They relentlessly work to overcome the reputations that precede both roles. Be it policing, business prevention, fun spoiling or otherwise: Both often have a hard time convincing their organizations of their noble intention of making the organization a better place for everyone.
Having a common story to share — one that focuses on healthy governance, open communication and the mitigation of risks — mutually supports both roles as adding value. And it also holds true that leveraging a reputation of trust and expanding governance-enabling activities under one roof could be a smart move. Such a move could allow a board of directors to demonstrate its clear intent to push independent assurance and sound internal policies and controls to the next level.
Broader understanding of the cultural landscape
Many of us work in environments where there are volumes of policies and procedures but also an unwritten “way things get done around here.” That is, regardless of what the paper says, people often have a way of working that gets the job done as fast as possible. If there are unnecessary steps, they are eliminated, and some proverbial corners are cut.
To create a culture of compliance, the ethics and compliance team needs as many inputs as possible to know where the shortcuts might be. So does internal audit. For internal audit to perform its mandate, it needs information about how processes and procedures work as well as where the loopholes and weaknesses might be. None of these are openly displayed on the shelf; quite the contrary. When internal audit and ethics and compliance work together, they both gain a broader understanding of the cultural landscape, which makes each function better able to address risks.
Holistic view of risk
At the core of every audit plan is risk. At the core of every ethics and compliance program is risk. Rather than viewing risk from a siloed perspective of internal controls and misconduct, creating a risk universe for internal audit that includes misconduct information and a compliance risk assessment that includes significant audit findings gives both internal audit and ethics and compliance a more holistic view of risk. Developing ways to effectively mitigate and manage risk is what brings value to the organization.
As an example of such a cross-fertilizing mechanism, internal audit may come across instances of travel and entertainment issues that clearly point to insufficient awareness of antitrust risks and regulation. Ethics and compliance could pick this up in their training and awareness program about the company’s antitrust policies. Another example is anti-corruption and third-party due diligence. Audit reports that point to weak controls in this area could help compliance better tailor their guidance and training on anti-corruption and business partner due diligence.
Meeting fiduciary duty standards
Long gone are the days when the board of directors and officers can assert that they didn’t know about issues within their own company. Consumers and the public simply don’t buy the plea of deniability for the company’s own actions or lack thereof.
Under the evolving Caremark standard, the fiduciary duty of the board of directors for oversight of the ethics and compliance program extends to officers of the company. This duty entails an obligation of the oversight body to establish a reporting system to the board that is independent of management and focuses on the critical “bet the farm” risks to the company. For example, an ice cream company cannot have a board that never discusses food safety risks, an airplane manufacturer cannot have a board that never discusses safety concerns, and when concerns regarding sexual harassment and discrimination are raised within the company, they cannot be hidden from the board by the very officer responsible for investigating and resolving those concerns.
Both internal audit and ethics and compliance are positioned to have oversight of and provide this required reporting to the board as well as executive management to ensure that the board and officers have the information needed to exercise their fiduciary duties. A collaborative mindset displayed by both roles that extends to board reporting helps ensure that no board-critical topics fall through the net or are lost in the masses of information typically provided to a board.
Continuous improvement means it’s never one and done
Weaknesses in internal controls and misconduct are not like fine wine; they do not become better with time — in fact, they get worse. When internal audit and ethics and compliance work together and provide data with continuous monitoring and auditing that can prevent noncompliance, the organization will be able to course-correct faster.
The ability to detect and prevent misconduct is not only a key element that regulators expect; it can also become a significant factor in the company’s ability to voluntarily self-disclose and to fully cooperate, which can lower fines and penalties and in some cases can even help to avoid prosecution.
A collaborative and proactive approach can go a long way and result in cost savings as well as keeping reputation intact, all selling points that are hard to argue against. For example, say ethics and compliance gets feedback about lackluster engagement of one subsidiary in the company’s conflict-of-interest training; if they report this, it could put a specific conflict-of-interest risk on the radar of internal audit in time for its next audit of third-party supplier selection processes.
Safeguards for independence and objectivity
There is a valid argument that there cannot be complete independence and objectivity when individuals receive a paycheck and have their performance reviewed by the very people from whom they are supposed to be independent.
Nevertheless, there are — and there need to be! — structural safeguards and measures that can be put in place to foster independence and objectivity. In addition to the criteria set forth by the Institute of Internal Auditors and regulatory and other guidance regarding ethics and compliance programs, a clear understanding of what independence and objectivity mean for these roles and within the organization can provide the mandate and support needed for both internal audit and ethics and compliance to do the work that brings the most value to the organization.
This means more than an appropriate organizational setup, relevant reporting lines or clear charters for both roles. In a collaborative environment, it should go as far as clearly communicating the safeguards put in place. For example, where audit and compliance are headed by the same manager, the internal audit team could not run an audit on the controls in place for the compliance function and would have to rely on other resources for that specific task.
Clear communication would also entail demonstrating transparency about which information is shared between the two roles and which is not. Where does independence stop? What does confidentiality mean for each team? How are potential conflicts escalated and resolved? And last, but not least: How are management and the board supporting a collaborative approach that safeguards objectivity?
From metrics to impact
Information and data without context don’t lead to better business decisions, but when internal audit and ethics and compliance work together, both benefit by having a broader view of the organization and a deeper understanding of the context in which policies, procedures and processes work as intended or present risks to the organization.
With open lines of communication, as well as the sharing of diverse opinions, both internal audit and ethics and compliance can move from reporting metrics like how many audits have been performed or how many misconduct concerns have been raised to demonstrating impact, such as remediation that proactively and continuously strengthens internal controls and prevents misconduct. As an example, by leveraging internal audit’s knowledge and experience in a specific field of activities of the organization, an investigation managed by compliance might be more targeted and better focused. With more effective inputs, both can make a greater impact.