The Harvard Law School Forum on Corporate Governance and Financial Regulation recently posted an interesting piece titled "Compliance or Legal? The Board's Duty to Assure Compliance." I know it all sounds a little boring, but trust me on this one — there is interesting information here. Take some time to read through it before we dive in.
(One very quick, very important aside. I came across this article as a part of The IIA's SmartBrief — a weekly "snapshot" of news and issues internal auditors might care about. To receive the newsletter you must "opt in." I cannot urge you enough to opt in. No puffery here. Seldom does a week go by where I don't find at least one nugget I can use. If you aren't receiving it, you can opt in
If you have been paying attention to the discussions that are going on regarding internal audit's evolving role, you were probably gobsmacked by the similarities between those discussions and what is being said in this article. Take the opening sentence: "A series of developments threaten to blur the important distinction between the corporation's legal and compliance functions." Make a few changes and you are talking about the dilemma internal audit is facing. "A series of developments threaten to blur the important distinction between the organization's internal audit department and [insert your favorite assurance provider's name here]."
There it is in a nutshell, the crux of the battle currently being waged over the role of internal audit and others within the organization.
Wait, let's back up a second. Did you miss that there is a war going on? Let's take a quick look.
I have a good friend who is a CAE. In that role he is also in charge of risk management. We often talk about the potential conflict that exists with those dual roles. He is not alone. I have talked with other audit leaders who are being approached about audit taking on the role of risk. Not a bad fit. We are risk experts, we have the communication and relationship skills, and there should be a definite meshing of gears between audit and risk.
On the other hand, I have also heard from others who face the opposite issue; they are under pressure to have internal audit placed under the jurisdiction of the risk officer. "Wait a minute," you say, "That is a very bad idea: a serious problem, a conflict of interests, a subversion of our objectivity, an invasion on our independence." Our list of reasons why this shouldn't happen is quite long.
When the shoe is on the other foot the bunions become just a tad more obvious.
And it is not just the risk function. While not as common, I am hearing similar discussions around such functions as compliance, corporate security, finance, quality assurance, and, yes, even legal. In some cases the discussion is around audit taking on part of the role; in others it is about audit becoming a part of the other function.
Why are we suddenly seeing this land grab?
Governance has become an important topic at the executive and board level. (Definitely a good thing.) Assurance providers (compliance, legal, risk, et al.) realize the way to raise the esteem with which the board and executives hold them is to take on a greater piece of the governance pie. The pushing and shoving starts. Escalation ensues. And we find ourselves in the midst of a jurisdictional war.
And while internal audit would like to believe we are above the fray (we are independent, we are objective, we are internal audit, hear us roar), unless we recognize the existence of this war — unless we are willing to take up arms and join in the fray — we will find ourselves trivialized, the core values we provide handed off to the victors.
We think we are Switzerland. But there is no such thing as neutrality in this battle.
So, with that background, let's return to the article previously referenced. The contents provide a good indication of the type of arguments internal audit will encounter. Two examples:
- The author states that a forced separation of compliance from under legal would jeopardize the ability of the organization to preserve attorney-client privilege. Cold chills went up my spine as I read this. I still vividly recall similar debates from 20 years ago when the legal department argued they should have more direct control over internal audit in order to preserve attorney-client privilege. We won. But it is obvious that the ugly head of that particular argument continues to rise again and again.
- The article quotes compliance thought leaders as saying that the role of "guardian of corporate reputation" is exclusively reserved for the corporate compliance officer; that the compliance officer is the organizational "subject matter expert" for ethics and culture. The author of the article states that this is "contrary to long standing public discourse that frames the lawyer's role as a primary guardian of the organizational reputation." My first, knee-jerk reaction is that internal audit should be the guardian of reputation and the subject matter expert. But once I put my knee back where it belongs, I realize it is probably more true that the attempt to define any one department as guardian or expert is a fool's game. Everyone with any governance role should have the protection of reputation, ethics, and culture as their No. 1 responsibility.
There is much more in the article and many more thoughtful and reasoned arguments. And it would be quite easy to say "Let them duke it out. Their arguments are not important to us." However, that is exactly why we should be paying attention. The article contains the points that will be used in the battle — points to be used against us and points we can use in our defense.
We are in a war. And audit cannot sit back and say, "We have independence; we are safe and above the fray." No. They will have an eye on our "turf," also. And who's to say that some of their turf shouldn't be ours? I'm not saying we break out the bayonets and start going after some of the unwounded, but I am saying we have to recognize the existence of a battle and be willing to take a stand — be willing to say what it is we do, why it is important, and why we should have those responsibilities.
What are your thoughts? What is internal audit's role regarding the organization's approach to risk, governance, compliance, legal, etc.? If we are more involved, is there a conflict? If the lines blur, does it have a negative impact on the company? Is there really a war brewing? And what might this have to do with the future (if there is going to be a future) of internal audit?
I'd be interested in your perspectives.