The efficiency and effectiveness of a compliance management program can be elevated by aligning it with other assurance groups in the organization, such as Internal Audit, Internal Controls and IT Assurance, and adopting their practices.
Too often, Compliance groups have grown organically out of the legal services department to manage compliance requirements and do not get the attention they deserve. This has led to a growth in Compliance departments' ad‑hoc practices: taking on any first‑line duties proposed by management, and a mix of capabilities drawn from compliance officers, analysts and accounting generalists. The result is siloed compliance requirements and an unfocused approach to compliance that puts the entire compliance management program at risk. Compliance groups should have a formally structured Compliance Management System (CMS) that aligns with the regulatory environment, culture and maturity of the organization and uses a risk‑based approach to compliance.
Compliance should be clearly defined by requirements and communicated to the organization, so that the boundaries of the in‑scope requirements are set. It is important to remember that compliance is testing against rules, regulations, laws, statutes, or some other clearly defined and appropriate in‑scope compliance requirement. This means that any finding is technically a violation of law, statute or company compliance policy and could lead to penalties or sanctions by regulators, or to internal actions such as employment suspension or termination.
Since Internal Audit departments deploy a structured and risk‑based approach to providing assurance, guided by formal internal audit standards, there is an opportunity to align these functions and deploy a collaborative or combined assurance relationship that will benefit the Compliance group in developing a sound CMS. For example, Internal Audit is expert in leveraging frameworks for assurance testing (fraud risk management, confidential reporting, etc.): identifying and assessing risks; documenting and testing the effectiveness of controls; root cause analysis; communicating findings; and validating remediation with control owners. Internal Audit is also becoming a leader in deploying data analytics, continuous auditing and other technologies to increase the efficiency and effectiveness of providing assurance, which would immensely benefit Compliance groups' use of data for assessing compliance. A measured approach to achieving this alignment could be through secondments of internal auditors to Compliance, combining efforts in compliance testing programs, or directly hiring compliance officers with Internal Audit designations and experience.
Regulators expect companies to effectively demonstrate that they have a fully functioning CMS. Executing a compliance program with Excel spreadsheets, manual processes, ad‑hoc practices and under‑skilled Compliance Officers may attract scrutiny from regulators and put the organization at reputational risk with clients, customers or other stakeholders in the event of a compliance failure.
There is a great opportunity for Compliance groups to leverage Internal Audit capabilities and practices in developing, executing and sustaining their own compliance management programs.
How Can I Help?
Over my career as a Chief Audit Executive and internal audit practitioner, I've collaborated directly with Compliance groups on developing processes and practices for compliance management programs, including applying frameworks for managing fraud risk assessments; compliance operations; implementing and monitoring confidential reporting programs (whistleblowing); regulatory requirements monitoring, etc., and advised on in‑scope practices.
B. Comm., CPA, CIA, CRMA