Internal audit and compliance departments should be the closest of allies in the fight against regulatory breaches, poor governance and noncompliance. Traditionally viewed as an organization’s third line of defense, your internal audit and compliance teams play a central role in your risk management efforts.
But in practice, does this ‘three lines of defense’ model create a siloed structure that hinders your risk management efforts?
Does separating your senior managers responsible for finance and risk from your internal audit and compliance teams limit visibility into each department’s approach?
Does it reduce transparency – always a watchword when it comes to achieving a comprehensive picture of risk?
And more fundamentally, should audit and compliance teams work more closely together in order to minimize this siloed structure? Here we explore why partnership is key to an effective governance, risk and compliance strategy.
What’s the Relationship Between Compliance and Internal Audit?
In recent years – as the regulatory compliance burden has continued to grow, and scrutiny of firms that breach the rules intensifies – the compliance team’s role and influence within the business has grown. Along the way, the internal audit team often provided support in those areas where they have specialist expertise – identifying potential financial misconduct, for instance.
Recently, however, the pressure on internal audit teams has increased, as a result of ever-growing legislative demands. They may have found themselves with less capacity to support their compliance colleagues.
In tandem, regulatory obligations have required many Chief Compliance Officers (CCOs) to expand their own teams and remits. In many cases this has led to compliance teams developing their own controls and audit procedures, to enable them to monitor and measure the effectiveness of the organization’s governance and compliance processes.
It’s easy to see how the previous symbiosis enjoyed by the two teams may be reducing as their roles change and grow. The accountabilities of the compliance team, in particular, have grown and developed in a fairly arbitrary and reactive way – occasionally encroaching on the traditional remit of their audit colleagues.
The Challenges of Evolving Compliance and Internal Audit Roles
This changing relationship creates a number of challenges:
- The potential for duplication is increased, and even with the best intentions, there is an enhanced possibility of similar – even conflicting – approaches being developed by the two teams.
- Controls become fragmented, as operating silos develop. It becomes more difficult to keep track of activities undertaken to manage risk. As a result, gaps in your risk management approach are more likely.
- Accountability becomes murky. With no clear line of control or command, there’s not just a risk of duplication or omissions, but a lack of clarity around who is responsible for complying with every risk management obligation.
- Data and insight are suboptimal. The best, most robust corporate governance and compliance strategies are based firmly on accurate and comprehensive data. Without this foundation, decisions are made without the necessary insight. Strategies may focus on non-priority areas due to a lack of Management Information (MI) on which to base action plans.
- Compliance and internal audit teams suffer a lack of buy-in to their recommendations – as they do not have the data to clearly articulate or evidence the need for change.
How Compliance and Internal Audit Can Partner to Break Down Silos
The arguments for closer synergy between compliance and internal audit teams, therefore, seem compelling enough. So, what practical steps can they take to improve their partnership?
The good news is that there is a proven approach that can help. Integrated Risk Management (IRM) can break down these silos, giving audit and compliance the opportunity to streamline processes, centralize business assets, and ensure all departments work collaboratively.
A strategy that integrates governance, compliance and risk management can pay significant dividends in the efficiency of your compliance efforts.
Integrated Risk Management can do this.
What is Integrated Risk Management?
Gartner defines IRM as ‘a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.’
The keyword here is ‘integrated’; IRM delivers a holistic view of risk, deconstructing the operational silos that can be so counter-productive to a comprehensive picture of risk and risk-mitigating actions.
How Can IRM Improve the Relationship Between Internal Audit and Compliance?
In an earlier blog, we noted that IRM ‘looks at risk in the context of every part of an organization’ and ‘how those risks interplay and interact with each other.’
In doing so, it can remove the walls that separate internal audit from compliance (and other relevant teams). While audit has traditionally been well integrated with finance-related functions, this integration is less evident with other areas of the business.
IRM can change this by:
Centralizing and rationalizing policies and processes
Where procedures are created or even just managed in-team, they often take on a life of their own, diverging from any centralized model and being captured on a number of slightly differing systems and spreadsheets.
This can make internal audit and compliance reporting more difficult and time-consuming, and lead to a lack of confidence in the quality of the data gathered. By streamlining processes, systems and data capture, IRM can reduce the chances of errors and omissions, improve the richness and accuracy of data and save teams time in accessing the information they need.
Working collaboratively on internal auditing and compliance reporting can be challenging when documents have to be collated and shared manually. By storing all relevant information centrally, with easy access for all required colleagues, document sharing is facilitated and teams have no excuse for not participating in any assessment or audit process.
Improving efficiency by facilitating automation
Automated compliance solutions are recognized as one effective way to improve the efficiency and rigor of your compliance processes. A shift to increased automation is often an integral aspect of the move to IRM, providing the holistic oversight identified above as a key component of an effective audit/compliance partnership.
Automation can also help to mandate compliant approaches; improve collaboration; and evidence that your organization is taking the right steps towards governance, compliance and risk management.
Encourage Closer Partnership Between your Internal Audit and Compliance Teams
Diligent’s suite of governance and compliance solutions helps organizations of all sizes and sectors deliver on their compliance, governance and risk management obligations.
Get in touch with us to request a demo and find out how Diligent can help your organization develop a more holistic approach to compliance, risk and audit.