On the Frontlines: Should Compliance Report to Internal Audit?
Blogs Sabine Charles, DBA, CIA, CRMA, CGAP Dec 13, 2023
Internal auditing and compliance are inextricably linked. Yet the division of responsibilities between internal audit and compliance within corporate governance has been a source of contention, and whether the compliance unit belongs within the scope of internal auditing is frequently debated.
Merging the compliance function and internal audit function can offer benefits, such as knowledge-sharing and procedural streamlining — but also the disadvantages of limiting expertise and overburdening the audit function. Merging these functions can have a significant impact on enterprise risk management, adherence to regulatory obligations, and operational effectiveness optimization — and again, not all positive.
Proponents of merging compliance and internal audit argue that integrating auditing and compliance activities will result in fewer redundant efforts, increased productivity, and cost savings. Simplifying and standardizing processes could lower the likelihood of noncompliance events and strengthen overall organizational compliance with legal responsibilities.
Further, the integration of compliance issues into the overall risk assessment and risk management process could allow for a more comprehensive risk management strategy. One could imagine a more thorough and integrated approach to assessing risks and reducing their effects.
Another compelling reason to transfer compliance responsibilities to internal audit is the consolidation of specialized expertise. The audit team's expertise in risk assessment and control testing could be beneficial in meeting compliance obligations. A cross-functional team that collaborates closely may be able to more quickly detect and assess emerging dangers and adopt proactive strategies to mitigate and prevent their potentially negative outcomes.
Adding responsibilities to the internal audit team, even if compliance specialists are also added, can result in an overworked audit function. Auditors may feel compelled to prioritize compliance issues above other pertinent audit topics, potentially resulting in conflicts of interest. Their ability to make objective recommendations for improving operational performance and minimizing operating hazards may be limited because their judgment may be questioned. The complexity of regulatory requirements makes it more difficult to strike a balance between audits that are thorough and audits that ensure compliance. Organizations must assess how they are allocating resources and the potential ramifications of an overburdened audit department.
Merging the two functions could also weaken expertise in the organization. Compliance involves a thorough understanding of industry conventions, best practices, and evolving regulatory requirements. When compliance is included in the internal audit process, compliance experts may become overly focused on their traditional auditing tasks. The distinctive skills and contributions of compliance experts, polished through significant training and experience, risk being overshadowed within the broader internal audit framework. Broadening their experience may result in a dilution of compliance experts' skills. All of this can negatively impact the team’s ability to monitor actions relevant to regulatory and standards conformity, and the organization’s reputation and legal standing could even be jeopardized.
Striking the Right Balance
Compliance, risk management, and effective governance are all essential. Organizations must weigh the benefits of enhanced procedures and shared knowledge against the risks of overburdening the audit function and limiting specialization when deciding whether or not to merge specialized operations.
The choice may depend on the nature of the business, its risk tolerance, and its location. While some firms may find it beneficial to merge their compliance and auditing responsibilities, others may want to continue operating separately to avoid introducing new risks.