Next I consider how the Internal Audit (IA) function can be used to facilitate more effective continuous improvement. According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, including to track and report on management follow up; assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; assist in both design and auditing of internal controls and follow up as required. Clearly this is function which is and should be integrated into compliance.
IA is doing compliance all the time as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.
It should be apparent there are numerous benefits to compliance having a closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issue, broad awareness of compliance risks as they relate to the process or audit issues, an overall strengthening of the IA network throughout the company. Another area is through the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, having ethics and compliance insights when recommending or making recommendations that are derived from internal audits.
One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers – Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”
When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.
From the compliance aspects, IA is really kind of the watchdog or monitoring facility for the entire company. This dovetails explicitly into this ‘gatekeeper’ function. Additionally, and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. I have certainly seen numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: "Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies; and What controls are in place and are those effective in the implementation locally?"” Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjunction with audit and HR could develop a remediation plan.
With such integration both groups benefit. IA can perform stronger investigations around to enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes. Such integration can work to strengthen IA's network throughout company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants and provide additional compliance insights when making recommendations following internal audits.
For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.