Few compliance and audit executives believe that integrating those two functions is a wise idea, but good news for those of you forced by your CEO to march down that dubious path—you have some fresh guidance on how to make the trip with minimal missteps.
Last week the Institute of Internal Auditors published a slim piece of guidance, “Internal Audit and the Second Line of Defense.” You can read the 16-page document and digest its main points in 30 minutes or less, and it does its proper job of provoking some good questions you should ask yourself about consolidation, and of walking you through the main points you’ll need to hit if you want to do something like this well. The guidance is free to IIA members and only $25 for non-members, so anyone talking to your board about consolidation (of audit and compliance, audit and risk management, or audit and any other second-line defense function) should consider giving it a read.
As to the basic idea of putting internal audit in charge of compliance, or vice-versa—I don’t know that anyone recommends it per se; I certainly don’t. But the idea itself is not new. When compliance with the Sarbanes-Oxley Act first confronted Corporate America in the mid-2000s, and given the nature of the challenge (building and testing internal controls for financial reporting), internal audit was a logical choice to run that sort of project. Especially since, at the time, hardly any companies outside the financial sector had much of a compliance function anyway.
My thoughts are more about what’s driving this idea today. Yes, we’ve seen an increase in the number of chief compliance officers at Fortune 1000 companies who have no other job title or responsibility—but that’s more a function of companies separating compliance and legal into two fiefdoms than anything else. In the 2015 Compliance Trends survey done by Deloitte and Compliance Week, for example, 59 percent of respondents said the chief compliance officer job at their company was a stand-alone role, up from 37 percent in 2013. Meanwhile, respondents who said the CCO also holds the title of chief audit executive held firm at 13 percent across the same three-year period.
The anecdotal evidence I hear about businesses trying to consolidate compliance and internal audit generally boils down to cost savings: a CEO or board wants to save money somehow, and decides to boil the second and third lines of defense (compliance and internal audit, respectively) into one hulking office of governance or risk management or some name like that.
Again, I can see how boards or CEOs (who are not as familiar with risk management as compliance or audit professionals) might get this idea into their heads. Internal audit executives perform an annual enterprise risk assessment. Audit executives are expert at studying processes and testing controls to make sure processes work as intended. It’s not a big leap for a CEO to jump from those facts to the conclusion, “Sure the audit executive can oversee risk and regulatory compliance! I mean, compliance oversees process too, right?”
Sigh. In a broad sense that thought is correct, but anyone venturing to combine compliance and internal audit has a million details to resolve that the above line of thinking blissfully ignores.
First is the real risk that in a consolidated compliance-audit function, where a single senior executive helps to design compliance processes and checks that those processes work as intended, business managers in the first line of defense forget “who owns compliance”—they do. But in a system where someone else tells you how to do something, and then ensures that you’re doing it correctly…that setup feels suspiciously like a management function to me, when neither compliance nor audit are supposed to manage the business.
Second, to counteract that risk, the chief compliance-audit executive in charge of this function (What do we call this person, anyway? The CCAE? The CACO? I dunno) will need some mad people skills—and as the IIA itself has noted in past industry surveys, audit executives aren’t always known for their people skills. And not only will this arrangement require superb people skills downward to rank-and-file employees; you will need the same communication skills upward, as you work with the general counsel, CFO, CEO, and the board.
Indeed, I’d even warn a board considering this arrangement that you will need clear and close scrutiny of a chief audit-compliance executive—because if that person ever decided to commit misconduct himself, he would be in an excellent position to do tremendous damage without anyone else spotting it.
Still, with all that said, this arrangement can work. I’ve heard of examples where internal audit takes over operational risk and compliance as well, while work on the financial audit with the external auditor is run by the corporate controller or maybe outsourced to a group like Protiviti or another audit firm; that’s feasible. Calpine has run internal audit and compliance under one executive, the highly competent Kevin McMahon, for years. Boeing houses compliance and audit under one Office of Internal Governance, shifting from a compliance-focused executive in the early 2010s (Wanda Denson-Low) to a finance- and audit-focused executive today (Diana Sands).
Just read the IIA guidance for some thoughtful context—because if your CEO is pushing this idea just to save money, you’ll need it.