This week I am engaging in a week-long series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I am joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a supply chain optimization company, as its CCO. Today I want to demonstrate how the Internal Audit (IA) function can be used to more fully operationalize compliance.
The Department of Justice (DOJ) clearly views IA as an important mechanism for operationalizing compliance. In its Evaluation of Corporate Compliance Programs (Evaluation), Prong 9, it asks the following questions: “Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”
According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are: to maintain its independence; to audit awareness of and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow-up on recommendations made in IA reports, including those relating to compliance and ethics risks, and to track and report on management follow-up; to assist and collaborate on internal investigations, including providing audit expertise in dealing with internal controls and financial data; and to assist in both the design and the auditing of internal controls, with follow-up as required. Clearly this is a function which is, and should be, integrated into compliance.
Berland noted that IA is doing compliance “all the time” as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, or what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether employees are aware of the standards of business conduct; whether they are aware of the anti-corruption policies; what controls are in place; and whether those controls are effective as implemented locally.
It should be apparent that there are numerous benefits to compliance having closer and more robust integration with IA. Some of the more obvious ones include topics I have previously explored this week, such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issues, broad awareness of compliance risks as they relate to process or audit issues, and an overall strengthening of the IA network throughout the company. Another benefit is the leveraging of joint vendor resources available to both functions, such as professional development, forensic accounting and other professional consultants, and having ethics and compliance insights available when making recommendations derived from internal audits.
One area in which IA brings insight that is critical to compliance, but not well understood by compliance practitioners, particularly those with a legal background, is internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4, asks the following: “Gatekeepers – Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”
When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. Doing so allows compliance to impart the need to determine how the internal controls, their design and their effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA, so that the audit plan is as strong as possible given the time and resources available to pursue the audit.
From the compliance perspective, IA is “really kind of the watchdog or monitoring facility for the entire company”. This dovetails explicitly with the ‘gatekeeper’ function. Additionally, depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist in operationalizing compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, or what steps are being taken to comply with various legal or compliance requirements. Berland noted, “I have certainly seen numerous opportunities, or numerous instances, where internal audit, in doing a country audit in a country in Europe, would make some of the following inquiries: ‘Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies? And what controls are in place, and are those effective in the implementation locally?’” Depending on the answers to these audit inquiries, compliance, or better yet, compliance in conjunction with audit and HR, could develop a remediation plan.
With such integration both groups benefit. IA can perform stronger investigations around enterprise risks and internal controls issues, through a broader awareness of compliance risks that might arise in connection with audit issues or audit processes. Such integration can work to strengthen IA’s network throughout the company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants, and provide additional compliance insights when making recommendations following internal audits.
For its part, the compliance function can leverage IA resources and professionals for audit techniques and analysis of internal controls. Equally, such integration extends the corporate compliance function’s influence through the company’s IA network, using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits, so compliance is more fully able to participate in recommendations and follow-up.
Tomorrow I will conclude this week-long series with a look at the operationalization of compliance through the corporate Controller’s Office.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017