The Compliance Audit Phenomenon: It Is All About Being Risk-centric


As I have commented often in this blog, one of the remarkable attributes of our profession has been our ability to adapt our coverage to address the emerging risks facing our organizations. Whether it was Y2K risks in the late 1990s, Sarbanes-Oxley compliance in the mid-2000s, or cost reduction and containment at the outset of the global financial crisis, we have repeatedly refocused coverage to address the most critical risks facing our organizations.

When The IIA established The Audit Executive Center (Center) in 2009, it began to closely monitor key trends in the profession and communicate them via semi-annual reports to chief audit executives. One trend that has been monitored since the beginning has been the focus of internal auditing. Early Center surveys of the profession validated that internal auditing was swiftly reorienting to address operational risks. For example, in 2010 almost 70 percent of respondents indicated they were increasing coverage of operational risks as compared to the prior year.

So, what is the emerging risk that is capturing internal auditing's attention in 2013? There's plenty of evidence to indicate that compliance risks are surging from the pack of competing priorities. Following several consecutive years in which respondents to the Center's surveys have projected dramatic increases in compliance coverage, in 2013 more internal audit resources are dedicated to compliance risks than Sarbanes-Oxley coverage, IT auditing, or assurance over the effectiveness of risk management. In fact, it is estimated that almost one-sixth of U.S. internal audit resources will be dedicated to compliance audit coverage this year. The outlook for next year includes even more focus on compliance.

I am often asked why compliance auditing has become such a prominent component of audit plans in recent years. My theory is that the shift in focus is a direct result of the highly legislative and regulatory environment in which we find ourselves. New U.S. laws, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Jobs Act, and the Affordable Care Act, are spawning volumes of regulations, which are in turn creating new compliance requirements. New compliance requirements are generating associated risks, which is where internal auditing comes in. And add to all that the enduring compliance requirements, such as those associated with the U.S. Foreign Corrupt Practices Act, environmental protection regulations, and data privacy and security, and it is a wonder that compliance isn't consuming an even larger portion of the pie.

The IIA has become much more vocal in advocating to legislators, regulators, and others the need to consider the inevitable consequences of compliance requirements embedded in new legislation and regulations. We believe that the shift to compliance auditing is draining internal audit resources away from more strategic risks facing organizations. However, until the steady stream of new regulatory requirements abates, we are likely to see even more internal audit resources dedicated to compliance risks. That is a predictable consequence of our commitment to follow the risks.

I welcome your thoughts on this important topic, as well as any insights on how this trend is impacting your internal audit function.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


