We often hear of the concept of partnering with regard to internal audit. For example, does it make sense for internal audit to partner with compliance? If so, what does this partnering entail?
The Future Auditor
To provide a context for exploring the partnering of internal audit with compliance, we would like to introduce our concept of the future auditor. Vested with a high level of objectivity with regard to the organization’s operating units, business processes and shared functions, as well as a direct reporting line to the board of directors, the future auditor:
- Establishes relevance by understanding the organization’s business objectives and strategy and identifying the risks that threaten their successful realization;
- Is authorized to evaluate the design effectiveness and operating effectiveness of the organization’s overall governance, risk management and internal control processes that address its critical risks, and creates value by making recommendations to the Board of Directors and executive management to strengthen those processes;
- Articulates the value a risk-based audit plan can contribute to the organization and keeps the Board and executive management informed regarding open matters; and
- Possesses escalation authority and exercises that authority to bring important matters to the attention of the board and executive management for evaluation.
With these distinct responsibilities and independent positioning, the future auditor is recognized throughout the organization as a positive change agent and provides a vital line of defense to executive management and the Board regarding the adequacy and effectiveness of activities that matter most to the success of the organization. (Note that some chief audit executives actively embrace the future auditor vision, particularly in financial services.)
The State of Compliance
With our definition of the future auditor as context, does it make sense for internal audit to partner with compliance? For many companies, complex compliance accountabilities have evolved in an ad hoc manner over many years. Internal and external pressures have resulted in changes being implemented at such a pace that new policies, procedures and controls are added onto the existing management structure with little or no rationalization of how they interact within the existing compliance framework and business processes across the organization.
As these new policies, procedures and controls have evolved, several elements of compliance management have emerged that are common to many companies: fragmented control environments, unnecessary and often redundant infrastructures, lack of automation, redundant requests of process and risk owners, reduced organizational transparency, inefficient communications and high audit costs, among other things. Herein lie opportunities for a partnership between the future auditor and compliance management.
We’re observing numerous challenges for companies in different industries that create similar opportunities for improvements in compliance and for the future auditor to serve as a positive change agent in securing those opportunities. These challenges include:
- Proliferation of operating silos, which drive myriad risk and control activities feeding a high-cost internal control structure and overlapping resource demands in large organizations (such as multiple self-assessment programs).
- Gaps and overlaps in ownership of control responsibilities, which drive missing and duplicative internal controls and assurance activities.
- Fragmented/diffused reporting of risk and control data, which leads to a lack of transparency and uninformed decision making about the control structure.
- Lack of aligned stakeholder expectations, because new policies, procedures and controls may be perceived by process owners as putting a drag on operational efficiency, resulting in failure to embed the new activities in the day-to-day business processes.
In what position does this state of affairs leave the Board of Directors and executive management? Accepting the above challenges as mere status quo comes with a cost, as it ultimately contributes to an ineffective and inefficient control structure. The lack of transparency in a distributed compliance function in which everyone is responsible for compliance makes it difficult to fully understand the end-to-end compliance infrastructure, including where it has been overbuilt, where redundant investments have been made, where controls may be ineffective or nonexistent, and where large compliance risk exposures exist that are neither identified nor understood. Most important, compliance lacks a seat at the decision-making table, resulting in failure to give adequate recognition of compliance considerations when making business decisions, as well as reduced emphasis on compliance in favor of achieving short-term business objectives.
Only when a fiasco occurs (e.g., regulatory penalties and fines for non-compliance, a major controls breakdown or some other debacle that tarnishes the organization’s reputation in a manner that is visible to the public) do the board and management begin to realize that a proactive approach to reducing reputational risk might be worth considering. Until a crisis happens, most organizations are in the same position of hoping and praying that “what happened to other companies isn’t going to happen to us” – even though they know full well that, if the unexpected happens, the organization will be thrown immediately into crisis management mode and damage control will become the order of the day. Ultimately, every organization is tested; no organization is immune. Therefore, it may be wise to view the specter of the unexpected happening as inevitable.
This state of affairs frames the problem that the future auditor can help compliance to solve. Because of the ad hoc evolution of compliance, there have been few, if any, top-down efforts to assess periodically whether the resulting infrastructure makes sense from an organizational design standpoint and whether it is sufficiently transparent and manageable. As a result, many large organizations have substantive untapped opportunities for improving the cost effectiveness of their compliance functions.
Four Pathways to Consider: A Blueprint for Partnering
Following are four pathways for streamlining compliance:
- Refine the compliance operating model – Strive for lean central functions and empowered operating units, with central functions focusing mainly on global initiatives, policy and strategy development, oversight and consolidated reporting. Push down compliance accountability to the front lines. Stay within the boundaries of established regulatory requirements for oversight, business accountability and independence. Delineate the activities of independent compliance functions and internal audit.
- Adopt basic internal control governance principles – Adopt an operating philosophy of multiple “lines of defense” to push responsibility for compliance and related internal controls down to the lowest level possible unless it is economically unfeasible to do so:
  - First line of defense: The heads of business who are primarily responsible for managing compliance risks in their respective businesses push down responsibility and accountability to the process and risk owners within the businesses.
  - Next line of defense: Risk management and compliance management functions that are independent from the business units coordinate, oversee and challenge compliance responses, act as advisors and have the power to escalate or veto high-risk activity in the first line.
  - Final line of defense: Internal audit provides an independent assessment of the design and effectiveness of internal controls of the first- and second-line activities.
Senior management, under the Board’s oversight, sets and reinforces the “everyone is responsible” tone by positioning each of the above lines of defense to function “first-time-right” with respect to its respective responsibilities. The above lines of defense reinforce this tone of the organization. In addition, executive management acts on compliance matters on a timely basis when these matters are escalated to it and involves the Board in a timely manner when necessary. The above lines-of-defense model (a) provides independent compliance functions with the necessary veto and/or escalation authority to serve as a viable line of defense versus serving as mere champions, facilitators or reporters and (b) positions internal audit as a positive change agent to strengthen and improve compliance. This mutuality of interests provides the basis for partnering between compliance and internal audit.
- Undertake an enterprise-wide approach to assessing compliance risks – Establish a consistent top-down, risk-based, organization-wide view of all compliance risks, providing a complete coverage of risks at all levels in the firm. Incorporate these risk assessments and related risk information into risk mitigation decision-making processes and share with independent compliance functions and internal audit.
- Focus on increasing compliance cost effectiveness – Establish overall efficiency of compliance and related control objectives with the purpose of rationalizing a more efficient controls design and driving a more focused internal control structure. Perform risk assessments and controls testing once and reuse the results rather than engaging in redundant efforts across compliance, internal audit and other stakeholders. Adopt cost-efficient systems and infrastructure across all risk and control functions, with a bias toward leveraging existing systems rather than planning new systems.
With one or more of the above pathways in mind, define “quick win” scenarios and initiatives for which management could realistically expect quantitative and qualitative benefits to materialize within six to 12 months. A more streamlined, end-to-end view of compliance management will result in improved coordination across the organization with regard to control requirements setting, alignment of management and control activities, streamlining and integration of reporting around compliance and other risks, reduced complexity and redundancy and increased efficiency and effectiveness of entity-level compliance oversight processes.
We have suggested the vision of the “future auditor.” Chief audit executives embracing this vision can help the organization ensure that it is implementing a holistic, top-down and proactive approach to managing compliance. A fragmented control environment, unnecessary infrastructure, excessive manual controls, redundant requests of process owners, high audit costs and other symptoms of a reactive compliance infrastructure should drive an organization to re-examine its approach to managing compliance. Undertaking a quality focus on managing compliance with the same fervor with which management often approaches the improvement of core operating processes, the future auditor and independent compliance managers can both significantly reduce costs in specific areas and better manage compliance risks.