Corporate Compliance Insights
Internal Audit: Are You Partnering with Compliance?

by Jim DeLoach
January 16, 2014
in GRC Vendor News

We often hear of the concept of partnering with regard to internal audit. For example, does it make sense for internal audit to partner with compliance? If so, what does this partnering entail?

The Future Auditor

To provide a context for exploring the partnering of internal audit with compliance, we would like to introduce our concept of the future auditor. Vested with a high level of objectivity with regard to the organization’s operating units, business processes and shared functions, as well as a direct reporting line to the board of directors, the future auditor:

  • Establishes relevance by understanding the organization’s business objectives and strategy and identifying the risks that threaten their successful realization;
  • Is authorized to evaluate the design effectiveness and operating effectiveness of the organization’s overall governance, risk management and internal control processes that address its critical risks, and creates value by making recommendations to the Board of Directors and executive management to strengthen those processes;
  • Articulates the value a risk-based audit plan can contribute to the organization and keeps the Board and executive management informed regarding open matters; and
  • Possesses escalation authority and exercises that authority to bring important matters to the attention of the board and executive management for evaluation.

With these distinct responsibilities and independent positioning, the future auditor is recognized throughout the organization as a positive change agent and provides a vital line of defense to executive management and the Board regarding the adequacy and effectiveness of activities that matter most to the success of the organization. (Note that some chief audit executives actively embrace the future auditor vision, particularly in financial services.)

The State of Compliance

With our definition of the future auditor as context, does it make sense for internal audit to partner with compliance? For many companies, complex compliance accountabilities have evolved in an ad hoc manner over many years. Internal and external pressures have resulted in changes being implemented at such a pace that new policies, procedures and controls are added onto the existing management structure with little or no rationalization of how they interact within the existing compliance framework and business processes across the organization.

As these new policies, procedures and controls have evolved, several elements of compliance management have emerged that are common to many companies: fragmented control environments, unnecessary and often redundant infrastructures, lack of automation, redundant requests of process and risk owners, reduced organizational transparency, inefficient communications and high audit costs, among other things. Herein lie opportunities for a partnership between the future auditor and compliance management.

We’re observing numerous challenges for companies in different industries that create similar opportunities for improvements in compliance and for the future auditor to serve as a positive change agent in securing those opportunities. These challenges include:

  • Proliferation of operating silos, which drive myriad risk and control activities feeding a high-cost internal control structure and overlapping resource demands in large organizations (such as multiple self-assessment programs).
  • Gaps and overlaps in ownership of control responsibilities, which drive missing and duplicative internal controls and assurance activities.
  • Fragmented/diffused reporting of risk and control data, which leads to a lack of transparency and uninformed decision making about the control structure.
  • Lack of aligned stakeholder expectations, because new policies, procedures and controls may be perceived by process owners as putting a drag on operational efficiency, resulting in failure to embed the new activities in the day-to-day business processes.

In what position does this state of affairs leave the Board of Directors and executive management? Accepting the above challenges as mere status quo comes with a cost, as it ultimately contributes to an ineffective and inefficient control structure. The lack of transparency in a distributed compliance function in which everyone is responsible for compliance makes it difficult to fully understand the end-to-end compliance infrastructure, including where it has been overbuilt, where redundant investments have been made, where controls may be ineffective or nonexistent, and where large compliance risk exposures exist that are neither identified nor understood. Most important, compliance lacks a seat at the decision-making table, resulting in failure to give adequate recognition of compliance considerations when making business decisions, as well as reduced emphasis on compliance in favor of achieving short-term business objectives.

Only when a fiasco occurs (e.g., regulatory penalties and fines for non-compliance, a major controls breakdown or some other debacle that tarnishes the organization’s reputation in a manner that is visible to the public) do the board and management begin to realize that a proactive approach to reducing reputational risk might be worth considering. Until a crisis happens, most organizations are in the same position of hoping and praying that “what happened to other companies isn’t going to happen to us” – even though they know full well that, if the unexpected happens, the organization will be thrown immediately into crisis management mode and damage control will become the order of the day. Ultimately, every organization is tested; no organization is immune. Therefore, it may be wise to view the specter of the unexpected happening as inevitable.

This state of affairs frames the problem that the future auditor can help compliance to solve. Because of the ad hoc evolution of compliance, there have been few, if any, top-down efforts to assess periodically whether the resulting infrastructure makes sense from an organizational design standpoint and whether it is sufficiently transparent and manageable. As a result, many large organizations have substantive untapped opportunities for improving the cost effectiveness of their compliance functions.

Four Pathways to Consider: A Blueprint for Partnering

Following are four pathways for streamlining compliance:

  • Refine the compliance operating model – Strive for lean central functions and empowered operating units, with central functions focusing mainly on global initiatives, policy and strategy development, oversight and consolidated reporting. Push down compliance accountability to the front lines. Stay within the boundaries of established regulatory requirements for oversight, business accountability and independence. Delineate the activities of independent compliance functions and internal audit.
  • Adopt basic internal control governance principles – Adopt an operating philosophy of multiple “lines of defense” to push responsibility for compliance and related internal controls down to the lowest level possible unless it is economically unfeasible to do so:
    • First line of defense: The heads of business who are primarily responsible for managing compliance risks in their respective businesses push down responsibility and accountability to the process and risk owners within the businesses.
    • Next line of defense: Risk management and compliance management functions that are independent from the business units coordinate, oversee and challenge compliance responses, act as advisors and have the power to escalate or veto high-risk activity in the first line.
    • Final line of defense: Internal audit provides an independent assessment of the design and effectiveness of internal controls of the first- and second-line activities.

Senior management, under the Board’s oversight, sets and reinforces the “everyone is responsible” tone by positioning each of the above lines of defense to function “first-time-right” with respect to its respective responsibilities. The above lines of defense reinforce this tone of the organization. In addition, executive management acts on compliance matters on a timely basis when these matters are escalated to it and involves the Board in a timely manner when necessary. The above lines-of-defense model (a) provides independent compliance functions with the necessary veto and/or escalation authority to serve as a viable line of defense versus serving as mere champions, facilitators or reporters and (b) positions internal audit as a positive change agent to strengthen and improve compliance. This mutuality of interests provides the basis for partnering between compliance and internal audit.

  • Undertake an enterprise-wide approach to assessing compliance risks – Establish a consistent top-down, risk-based, organization-wide view of all compliance risks, providing a complete coverage of risks at all levels in the firm. Incorporate these risk assessments and related risk information into risk mitigation decision-making processes and share with independent compliance functions and internal audit.
  • Focus on increasing compliance cost effectiveness – Establish overall efficiency of compliance and related control objectives with the purpose of rationalizing a more efficient controls design and driving a more focused internal control structure. Perform risk assessments and controls testing once and reuse the results rather than engaging in redundant efforts across compliance, internal audit and other stakeholders. Adopt cost-efficient systems and infrastructure across all risk and control functions, with a bias toward leveraging existing systems rather than planning new systems.

With one or more of the above pathways in mind, define “quick win” scenarios and initiatives for which management could realistically expect quantitative and qualitative benefits to materialize within six to 12 months. A more streamlined, end-to-end view of compliance management will result in improved coordination across the organization with regard to control requirements setting, alignment of management and control activities, streamlining and integration of reporting around compliance and other risks, reduced complexity and redundancy and increased efficiency and effectiveness of entity-level compliance oversight processes.

In Closing

We have suggested the vision of the “future auditor.” Chief audit executives embracing this vision can help the organization ensure that it is implementing a holistic, top-down and proactive approach to managing compliance. A fragmented control environment, unnecessary infrastructure, excessive manual controls, redundant requests of process owners, high audit costs and other symptoms of a reactive compliance infrastructure should drive an organization to re-examine its approach to managing compliance. Undertaking a quality focus on managing compliance with the same fervor with which management often approaches the improvement of core operating processes, the future auditor and independent compliance managers can both significantly reduce costs in specific areas and better manage compliance risks.

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.