The role of internal audit is expanding as it guides the enterprise beyond traditional attitudes about financial risk management, risk mitigation, and monitoring and toward evaluating a broader spectrum of compliance activities. Today’s auditor must have a full understanding of the risks the company faces and how they relate to each other, and needs to rely on well-constructed and well-executed risk management, control, and governance processes in order to provide assurance that controls are designed appropriately and operating as designed.
At the same time, the role of compliance is expanding as it goes beyond the traditional roles of building an ethical workplace culture, identifying and managing regulatory and legal obligations, and implementing and monitoring policies, controls, and training. Today’s compliance officer, beyond being devoted to the business and shareholder requirement of building and maintaining an ethical organizational culture, must have an active role in risk identification, management, monitoring, and mitigation.
Audit and compliance—working together—are uniquely positioned to help the board and management understand the importance of an integrated approach to compliance that enables wise resource use, prevents undesirable outcomes, and grasps advantages while achieving business objectives.
As risks like the UK Bribery Act and various import/export trade regulations change the regulatory landscape, Audit and Compliance can together assess risk and ensure that compliance processes and controls are operating as designed and are effective in mitigating the most significant compliance risks.
The close collaboration between audit and compliance activities simply makes sense. Internal auditors have the skill set, interest, and focus to be able to look at things in a measurable way. They have a broad understanding of many facets of the company. Additionally, internal audit departments already have budgets and resources available to assess the effectiveness and efficiency of the compliance process. If audit is involved in the front-end design of the compliance capabilities, the organization will be assured that compliance systems are created to enable back-end reviews, which ultimately improve efficiency.
Audit’s existing relationship with the audit committee can be leveraged to enhance the compliance reporting process; without a consistent and measurable compliance function, audit will have trouble assessing this process and providing assurance to the board that it is operating effectively.
At the same time, compliance understands how multiple regulations impact different business units differently and can help identify places where controls can address multiple requirements and/or obligations. The entire compliance process needs to be audit-ready, with policies in place to deal with inquiries, subpoenas, formal audits, external reviews, and investigations. Working together, audit and compliance can monitor and periodically report to the CEO and board of directors on how compliance and ethics risks are being identified and addressed.
As the board and executive management bring assurance to all stakeholders of the strategic and organizational effectiveness of the enterprise and continue plans to both preserve and create value, an effective standard approach to providing assurance related to compliance and ethical risk is critical.
