The Compliance Audit Phenomenon: It Is All About Being Risk-centric
September 09, 2013
As I have commented often in this blog, one of the remarkable attributes of our profession has been our ability to adapt our coverage to address the emerging risks facing our organizations. Whether it was Y2K risks in the late 1990s, Sarbanes-Oxley compliance in the mid-2000s, or cost reduction and containment at the outset of the global financial crisis, we have repeatedly refocused coverage to address the most critical risks facing our organizations.
When The IIA established The Audit Executive Center (Center) in 2009, it began to closely monitor key trends in the profession and communicate them via semi-annual reports to chief audit executives. One trend that has been monitored since the beginning has been the focus of internal auditing. Early Center surveys of the profession validated that internal auditing was swiftly reorienting to address operational risks. For example, in 2010 almost 70 percent of respondents indicated they were increasing coverage of operational risks as compared to the prior year.
So, what is the emerging risk that is capturing internal auditing's attention in 2013? There's plenty of evidence to indicate that compliance risks are surging from the pack of competing priorities. Following several consecutive years in which respondents to the Center's surveys have projected dramatic increases in compliance coverage, in 2013 more internal audit resources are dedicated to compliance risks than Sarbanes-Oxley coverage, IT auditing, or assurance over the effectiveness of risk management. In fact, it is estimated that almost one-sixth of U.S. internal audit resources will be dedicated to compliance audit coverage this year. The outlook for next year includes even more focus on compliance.
I am often asked why compliance auditing has become such a prominent component of audit plans in recent years. My theory is that the shift in focus is a direct result of the highly legislative and regulatory environment in which we find ourselves. New U.S. laws, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act, the JOBS Act, and the Affordable Care Act, are spawning volumes of regulations, which are in turn creating new compliance requirements. New compliance requirements are generating associated risks, which is where internal auditing comes in. And add to all that the enduring compliance requirements, such as those associated with the U.S. Foreign Corrupt Practices Act, environmental protection regulations, and data privacy and security, and it is a wonder that compliance isn't consuming an even larger portion of the pie.
The IIA has become much more vocal in advocating to legislators, regulators, and others the need to consider the inevitable consequences of compliance requirements embedded in new legislation and regulations. We believe that the shift to compliance auditing is draining internal audit resources away from more strategic risks facing organizations. However, until the steady stream of new regulatory requirements abates, we are likely to see even more internal audit resources dedicated to compliance risks. That is a predictable consequence of our commitment to follow the risks.
I welcome your thoughts on this important topic, as well as any insights on how this trend is impacting your internal audit function.