Compliance and Internal Audit have risen in prominence in the past few years, both representing critical control components of an organization’s structure. Effective programs emphasizing both functions can reduce the incidence of abuse. The Compliance function, if integrated into the culture of the business, empowers those responsible for compliance to fulfill their mission. Internal Audit has the unique opportunity of being independent and objective in its operations due to its reporting structure. The Internal Audit department reports directly to the Audit Committee of the Board of Directors.
However, Compliance and Audit serve two very different roles. The Compliance function is meant to reasonably ensure that the company is complying with all applicable laws, rules and regulations, as well as internal codes of conduct, policies and procedures. The Internal Audit function is designed to monitor and evaluate the company’s internal control environment as to its adequacy, efficiency and effectiveness. One of the components of the internal control environment is the Compliance function itself, which should be subject to independent audits, as are all other functions within the environment. The Basel Committee on Banking Supervision report specifically states that the compliance function and the audit function should be separate, to ensure that the activities of the compliance function are subject to independent review. In a statement by The Associate Director of the Office of Compliance Inspections and Examinations of the SEC, the SEC’s examiners expect that there is a clearly documented understanding as to how risk assessment and testing activities are divided between the two functions. In fact, the SEC has initiated an enhancement to its examination program that will permit more effective and efficient exams through the use of an organization’s internal audit work.
To ensure an effective coordination of activities between these two functions, it is essential that the two functions leverage a common language of risk and control. A common methodology for compliance and internal audit leads to an agreement about the definition of risk types and risk thresholds. Additionally, organizations should manage compliance and internal audit using a common technology solution. The use of different technology solutions puts the organization at risk of inconsistencies and inefficiencies, and ultimately higher costs. A standardized solution establishes a single version of the organization’s activities. Further, a strong connection point between internal audit and compliance must be established through these functions’ relationships with the Board. Both audit and compliance take direction directly from the Board and in simple terms, both functions serve the same master.
To learn about other internal audit and risk advisory services that Schneider Downs offers and to read similar articles, visit our services webpage.