It is difficult to argue that compliance audits are not an important internal audit product. Noncompliance with, for example, anti-money laundering legislation can have serious consequences. In one recent example, Deutsche Bank was fined $425 million by the New York State Department of Financial Services and $204 million by the U.K. Financial Conduct Authority for failing to conduct basic money laundering due diligence.
Despite the seriousness of noncompliance, many managers do not see compliance audits as valuable, possibly because they often look like this:
- Objective: Verify compliance with “A.”
- Criterion: Client should do “A.”
- Condition: Client is not doing “A.”
- Recommendation: Do “A.”
Auditors need to ensure that compliance audits provide real assurance to senior management and add value.
Do the Right Thing
Internal auditors can add value to compliance audits by doing the right audit and doing it correctly. Doing the right audit means examining why there is a compliance requirement in the first place. Typically, it’s for legal, regulatory, operational, or ethical reasons. But behind “you must do ‘A,’” there is a serious enough risk for management or regulatory/legal authorities to put in a compliance requirement. However, risk shifts quickly, and speed of change is a critical success factor of business. Risk morphs rapidly in a world where globalization and automation affect strategic and operational initiatives of global enterprises. Changing risks can affect not only the need for compliance controls but also their adequacy. In addition, while the compliance function monitors noncompliance, internal audit provides the independent assessment over risk as the third line of defense.
Internal audit provides assurance on the effectiveness of governance, risk management, and compliance, including the way in which the first and second lines of defense achieve risk management and control objectives. This assurance covers a broad range of objectives, including compliance with laws, regulations, policies, procedures, and contracts. But it should not be compliance simply for compliance's sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of that objective — even when examining compliance-related controls.
Deconstructing the top-level strategy into key objectives will identify the enterprise-level risks that threaten achieving those goals, the process-level control objectives that mitigate enterprise risks, and process-level risks and controls. The compliance activities will likely be closely related to these process-level risks and controls, which should be assessed.
Start With the Objective
Virtually every company will have a set of policies and procedures that must be followed to protect it from lawsuits, prosecution, and reputational and other risks. These are the areas with compliance requirements and where audit performs compliance audits. For example, companies with manufacturing plants must comply with environmental regulations, and U.S. publicly traded companies have to comply with the U.S. Sarbanes-Oxley Act of 2002 and other financial and legal rules and regulations.
Transforming a compliance audit into a value-adding activity starts with the audit objective. This defines what the audit seeks to accomplish and drives the scope, criteria, work plan, and final results. If the objective is simply to verify compliance with “A,” then one will fall into the trap of concluding “You are not doing ‘A’” and recommending “Do ‘A.’” However, if the objective is “To verify the need for, existence of, and adequacy of compliance with ‘A,’” it will be better positioned to address governance and risk management issues and compliance.
With this type of audit objective, one of the first steps would be to determine whether the original risks and compliance requirements still exist. They may have been eliminated by a change in operations (e.g., the company is no longer making that product or no longer uses that manufacturing process), transferred to someone else (e.g., subcontracted out), or eliminated, transferred, or lessened by business process re-engineering, changes in location, or retooling. In these cases, the value added might be the elimination of the requirement. No risk = no compliance requirement.
With a good understanding of the current level and sources of risk, the next step is to look at the requirement for, and the adequacy and effectiveness of, the mitigating control. This requires an understanding of the cause and source of the risk and the operation of the control. Is the control still required? Does it address the root cause? Are there better ways to mitigate the risk? By answering these questions, the audit may identify unnecessary, ineffective, or better controls, which may reduce the cost of compliance while improving risk mitigation. The next step would be to verify that the control activities are being performed (i.e., compliance).
However, if one finds noncompliance, it is not sufficient to recommend “Do ‘A.’” Audit recommendations should address the root cause, including determining why management is not complying. Was management aware of the requirement? Is management capable of complying? Have compensating controls been implemented? Asking why (usually several times) is often sufficient to determine the cause of noncompliance.
Internal auditors also should determine the impact of noncompliance. Then instead of saying, “Do ‘A,’” audit can provide a rationale and make a recommendation that assists management in complying.
Next, the audit should be done right. This means maximizing use of resources and analytics. Data analytics includes the application of analysis techniques to understand business processes; identify and assess risks; test controls; assess efficiency and effectiveness; and prevent, detect, and investigate fraud. Data analytics techniques can assist organizations in focusing their risk responses in the areas in which there is a higher risk — including compliance risk.
Existing levels of risk can be assessed and trends identified to determine whether the risk is increasing or decreasing. For example, environmental compliance could examine spills (number and quantity), clean-up costs, and lawsuits (quantity and value); while production compliance could examine material, personnel, maintenance, and operational costs. By examining measures over several months or years, trends can be produced to assess the effectiveness of mitigation efforts and identify emerging risks.
The effectiveness of controls also can be tested with analytics. For example, environmental compliance can examine the control over the purchasing of hazardous materials — ensuring that the purchase quantities match requirements — thereby avoiding environmental compliance issues around disposal. Compliance with hiring practices could review staffing methods and staffing rates (by gender, race, etc.) to ensure procedures are being followed and address employment equity requirements before they become noncompliance issues.
Remove the Stigma
Sometimes compliance with a poor control can increase risk and dysfunctional behavior, and cultural issues can make enterprisewide compliance difficult for global companies and increase risk. Doing the right compliance audit — not simply “did we do ‘A?’” — and doing it effectively can result in significant value to the organization and remove the “gotcha” stigma of compliance audits. However, it requires auditors to re-examine the compliance-related risks and controls and to use analytics. By doing so, internal audit will add value and provide assurance to senior management about compliance-related risks.