Risk consultant Uday Gulvadi confides that in recent years, many of his company’s financial institution clients have been subject to highly detailed and thorough evaluations of controls by regulatory examiners, especially in anti-money laundering and U.S. Office of Foreign Assets Control sanctions compliance. Examiners are interpreting regulations more strictly and assessing the implementation of compliance policies, procedures, and internal controls against a higher and more rigorous standard of testing. In turn, compliance lapses are leading to higher penalties and sanctions from regulators. “The quality and effectiveness of internal audit as the third line of defense also has come under the scanner,” says Gulvadi, director, internal audit, risk, and compliance, at Telavance Inc., an Iselin, N.J.-based firm that provides risk and compliance advisory services to the global financial community. “All of this has led to internal audit facing increased pressure from the C-suite and compliance groups.”
That scenario may sound familiar to many internal auditors, because while financial institutions may be the most obvious example of the increasing complexity of regulatory compliance — thus the need to audit and report on the controls designed to ensure it — they’re not, by any means, the only ones. Auditing compliance risk is one of the daunting issues all companies face.
A recent survey by the Enterprise Risk Management Initiative at North Carolina State University and consulting firm Protiviti Inc., which queried more than 200 C-suite executives and board members across a variety of industries, found that regulatory compliance topped their list of concerns for 2013. That put compliance higher than economic conditions and national and international political environments. “Compliance risk assessments focus on risks the company causes others, not risks to the company,” says Roy Snell, CEO at the Minneapolis-based Society of Corporate Compliance & Ethics, a professional association for compliance professionals. Lost investments, intellectual property, and insurance risks are important, but “if the only thing risk management does is focus on risks to the company, the risk department itself becomes a risk area.”
A Changing Role
Internal auditors tasked with compliance projects will find that the job is vibrant, evolving, and relevant — and it requires a keen understanding of today’s regulatory climate. Moreover, under The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), internal audit is responsible for assessing the effectiveness of the overall compliance program. Standard 2120: Risk Management specifies that among other areas, internal audit must evaluate risk exposures related to “compliance with laws, regulations, policies, procedures, and contracts (2120.A1).”
The Regulatory Jumble
It might help to use a spreadsheet to log all the regulations an enterprise faces — and all businesses face regulations of some sort. Here are just a few.
Solvency. The European Union’s Solvency II Directive — which takes effect in January and codifies and harmonizes insurance regulations there — requires companies to have adequate capital holdings to reduce the risk of insolvency. According to a report by PricewaterhouseCoopers and the Centre for the Study of Financial Innovation, many non-E.U. countries want to see how the directive works in Europe before finalizing their own regulatory plans.
Corruption. More than 40 countries have ratified the Paris-based Organisation for Economic Co-operation and Development’s convention requiring countries to put legislation in place criminalizing the act of bribing foreign government officials. Some nations’ laws go even further, criminalizing commercial bribery, as well. Authorities have heightened enforcement of the U.S. Foreign Corrupt Practices Act and are beginning to do the same with the U.K. Bribery Act. A recent addition to the international anti-corruption regulatory environment is Brazil, which just enacted a major anti-corruption measure.
Health care. In the United States, regulations stemming from the Patient Protection and Affordable Care Act will dramatically affect businesses in every industry sector.
Financial reform. The Volcker Rule section of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act restricts U.S. banks from making certain types of speculative investments that don’t benefit customers.
Environment. U.S. energy companies are subject to multiple recent Environmental Protection Agency clean water rules.
Fraud. U.S. firms now face several recent regulations implementing the Fraud Enforcement and Recovery Act of 2009, 2008’s Red Flag Rules, and the Federal Acquisition Regulation 3.1003, the Mandatory Disclosure Rule.
Law enforcement. The USA Patriot Act intersects with the Bank Secrecy Act and anti-money laundering rules, creating a trifecta of legal prohibitions on what financial institutions can do, how they can do it, and to and with whom.
Regulatory compliance auditing is central to most operations’ ongoing viability, and it changes every time a legislature meets anywhere in the world, and each time a regulatory panel decides how to implement new laws or revamp the implementation of old laws (see “The Regulatory Jumble” at right). It also changes every time corporate directors meet to assess risks to — and from — the organization. “Internal audit’s role in assessing regulatory compliance controls has changed in line with the changing expectations from management and other stakeholders to enhance their risk focus,” Gulvadi notes.
Recently, Gulvadi advised an international financial institution’s internal audit group to recast its audit planning from a cyclical process where each area would be audited in a defined time cycle to more of a risk-based process. “Adopting a risk-based approach requires internal audit to have a broader business orientation to correctly assess the impact of regulatory risks,” he explains. Risks related to reputational damage, fines and penalties, and legal costs need to be considered in assessing the control environment and specific control procedures in place, which represents a “key change,” he says. Moreover, audit groups need to understand the business implications of technology supporting various compliance initiatives, including privacy laws and data security.
“Twenty years ago, the internal auditor who arrived new to the department would have faced very few regulatory compliance issues,” says Fred Telling, a member of the audit committee at both Oragenics and Eisai Inc. “Today, however, regulatory compliance issues are 30 percent to 40 percent of the issues internal auditors deal with in some instances.”
One big example of the kind of changes that take place in regulatory compliance auditing is the shift in focus that has occurred globally in response to the devastating economic downturn a few years ago. “The U.S. Sarbanes-Oxley Act of 2002, which was a key challenge five or six years ago, is no longer considered as challenging,” Gulvadi points out. Taking its place for some companies are the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act and the U.S. Foreign Account Tax Compliance Act. Many aspects of those regulations are still being formulated, so many organizations have started monitoring the developments closely and assessing the potential impact to their businesses. As well, internal audit departments are discussing with management, compliance departments, and legal counsel how regulations will influence their risk-based internal audit planning. “As a result of the economic crisis, the pendulum has swung toward more stringent regulatory compliance requirements,” Gulvadi says. “Internal audit’s role within this has evolved to be one of prime importance.”
Assessing Today’s Impact
Of course, it’s not generally changes to the laws in the background that bedevil internal auditors tasked with regulatory compliance auditing. “The entire inventory of laws that may impact the organization may not change that much from year to year,” explains Nancy Haig, director of internal audit and compliance at a global consulting firm based in New York. “Consider that the U.S. Foreign Corrupt Practices Act (FCPA) was passed in 1977, and that many of the laws related to employment rights and affirmative action were passed between 1960 and 1970.” Rather, it’s the regulations that put those laws into effect. “Those evolve in response to subsequent problems or issues that arise as data becomes available,” Telling says. “Standards and specificity continue to be refined.”
That’s compounded by the fact that an increasing number of U.S. state legislatures have chosen to be fairly active on the regulatory front, he adds. That means internal audit departments in the United States need to make sure they have systems in place for data collection and reporting that allow them to respond internationally and at the federal and state levels.
Dealing with change of that magnitude mandates a focus on the now, not an encyclopedic knowledge of what has transpired in the past. Telling suggests new internal auditors need a 20/80 balance in focus: The 20 percent represents an appreciation of the history, background, and culture that spawned the underlying law and its implementing regulations, and the other 80 percent should be on the present. “It’s important to have a good trunk of understanding,” he emphasizes. “Otherwise, you’ll miss shifts in public opinion and industry concerns.”
Gulvadi agrees. “In our internal audit engagements, we always start with a meeting of key members of the C-suite, typically the chief compliance officer and chief risk officer, to gain a comprehensive understanding of the compliance risks facing the institution,” he says. “That includes a current and historical perspective.” One way his firm gains a historical perspective is by looking at prior examination and audit reports to identify issues that might have been reported in the past — and how the organization has remedied them.
The regulations that often get the most attention from a risk perspective are those that may result in the most significant fines and penalties and in negative publicity for the organization, Haig notes. She points in particular to multi-billion-dollar settlements in the pharmaceutical industry for off-label promotion of prescription drugs, as well as huge settlements for FCPA violations. “Regulations that must be followed to ensure the health and safety of employees, patients, and other stakeholders also should be critical areas of focus,” she says. “As with other types of risk, internal audit may decide that less focus is needed in areas where management has implemented strong compliance controls. Particularly challenging are regulations that impact global operations and that involve compliance by third parties.”
Compliance Dos and Don’ts
There are some things internal audit should always do when it comes to regulatory compliance, and some things internal audit should always avoid. Here’s what the experts advise:
- “Understand the processes in place to ensure compliance,” Fred Telling urges. “Make sure they’re appropriate.”
- “Develop personal skills to detect problem areas,” Telling recommends. “Build relationships with people in the field you’re working in and make sure they give you credence.”
- “Internal audit should always include all types of risks in risk assessment and planning,” Nancy Haig advises. “If working in a regulated industry, chances are that regulatory compliance risks will trump others.”
- “Unless called upon to specifically assist in an ongoing investigation, internal audit should not be performing audit work in an area under investigation,” Haig says.
- “You never want to be part of the process,” Felix Vargas says. “Be part of the evaluation of its effectiveness and adequacy.”
- “Always ensure independence and objectivity from the business functions you audit,” Uday Gulvadi emphasizes. “Never cross the line into being responsible for compliance risk management and control monitoring.”
Staying on top of new and emerging regulations should be easy for internal auditors to do by scanning headlines. Read The Wall Street Journal, The New York Times, and the Financial Times, Haig recommends. In health care, she advises monitoring the U.S. Office of Inspector General for details on recent settlements and corporate integrity agreements. Of course, that would be easier if elected officials didn’t hide tiny tweaks inside gigantic and sometimes unrelated laws. “Hopefully, legal counsel as well as the company’s compliance and ethics department will review that information and pass it to internal audit,” Haig comments. Many webinars pick up on minute changes in regulations, and auditors also get updates by reading the Federal Register, industry- or government-related websites, and professional publications, as well as by attending industry conferences.
Teaming With Compliance
Perhaps the biggest operational challenge many practitioners will face related to compliance is that at many organizations, internal audit is tasked with assessing the thoroughness of a parallel department within the organization. The compliance and ethics department — when separate from internal audit, as it is in most large companies — is as concerned about autonomy and influence as the internal audit department, and it takes a deft hand to navigate the sometimes-vexing gaps and overlaps that can occur. Actually, Snell advises, “compliance and internal audit should coordinate their activities to ensure there are no gaps or overlaps in the organization’s audit efforts. When problems are found, collaboration can help ensure the problem is resolved and that controls are implemented to prevent the problem from resurfacing.”
Compliance and internal audit also can work together after problem resolution to provide follow-up education for the applicable departments, Snell says. “The compliance team must ensure that after the audit has been completed, the follow-up problem-correction, investigation, discipline, control implementation, and education are completed satisfactorily,” he adds. “Problem identification has a thousand fathers. Problem resolution and enforcement ... not so many.”
Assuming the two functions are separate, working together begins with a risk assessment, Haig asserts. “If there is a solid enterprise risk management (ERM) program at the organization, there will be one risk assessment that includes strategic and all other risks to achieving the organization’s objectives,” she explains. “Internal audit would be involved not only in assessing the overall ERM program, but also in determining that a sound process has been engaged to ensure that all potential regulatory compliance risks have been identified.” Working together, internal audit would determine that coverage by the compliance and ethics team is adequate to address the high-risk areas.
For example, at a former employer where Haig was vice president of internal audit, the vice president of compliance and ethics and Haig would meet each month to update the CEO and chief legal counsel on compliance and ethics issues and internal audit issues — discussions that often generated action items for each function and opportunities to collaborate. Internal audit also occasionally assisted in investigations that were initiated through the organization’s anonymous reporting mechanism or through direct reporting.
Keeping Them Separate
In some organizations, compliance may handle more monitoring of specific compliance controls, while internal audit may audit the entire program related to the specific regulation to ensure compliance. An example Haig points to is anti-bribery regulations. The compliance function may review requests for specific payments, while internal audit may evaluate compliance policies related to anti-bribery, training and training acknowledgments, third-party agreements, accounts payable procedures, and monitoring of procedures performed by the compliance department. Another area where compliance and internal audit often work together is specific investigations that may be generated by calls to the company’s anonymous reporting mechanism. “Because of its familiarity with systems and data analytics, internal audit may be a valuable internal resource,” she says.
Just remember, “good fences make good neighbors.” That means reporting must remain separate, says Felix Vargas, deputy group head, internal audit, at SCOR, a global reinsurance firm with operations in Amawalk, N.Y. “Internal audit should not report to a compliance officer.”
As Gulvadi explains it, “a clear definition of the roles of internal audit and compliance should be established and re-emphasized at the beginning of every audit engagement.” Compliance’s primary role is to establish the compliance framework, including the monitoring of control effectiveness. Internal audit’s role is to independently audit the compliance function and related risk mitigation measures, as well as the compliance policies and procedures. Gulvadi cautions that there can be confusion about who is responsible for monitoring controls, making it important for the departments to agree on the difference between control monitoring and internal audit’s control evaluations. “That can not only avoid overlaps,” he says, “but also prevent things from falling through the cracks where compliance does not perform its monitoring role, in the assumption that it is internal audit’s responsibility to do so.”
Asking the Hard Questions
Of course, keeping the lines of communication open between the two departments is key. Vargas’ internal audit department pairs periodic, formal meetings with ongoing informal communications with the compliance team to find out about their activities, challenges, and any new regulations that arise. Still, the risk of butting heads is fairly minimal. “Compliance is the easiest type of audit because it’s checklist-oriented,” he says. “It’s ‘You must do this;’ it’s not about best practices. If we weren’t there, it would be a regulator asking those same questions.”
Today, that regulator may be asking those questions in a sterner tone of voice than he or she might have used 10 years ago, and might be listing far harsher penalties if the answers are inadequate. That’s why companies are relying so much on internal audit to make sure that the business understands the regulatory climate and has controls in place that make sure the organization is in compliance. The good news is, it’s the kind of work internal audit departments do best.
Maximizing Audit’s Input
Here’s a list of quick tips for making internal audit’s input into regulatory compliance risk management as productive as possible.
- “It’s always easiest when you go to the authoritative source and say, ‘This is not a best practice, this is required,’” says Felix Vargas, deputy group head, internal audit, at SCOR. “This is not what was required 20 years ago, or what may be in the future, but what’s required today.”
- “Our internal audit recommendations have been most valued when they have been constructive and provide a business justification for implementing or enhancing compliance,” Uday Gulvadi, director, internal audit, risk, and compliance, at Telavance Inc., points out. “The best way to do that is to gain a broad and diverse perspective on the business operations and compliance risks through open discussions with senior management, compliance, and operations.”
- “Understand the nature, the environment, and the work of the group you’re responsible for auditing,” advises Fred Telling, an audit committee member at both Oragenics and Eisai Inc. “If you’re auditing the compliance function and you don’t understand, say, pharmaceutical samples, you compromise your capacity to be an effective auditor.”