The Compliance Audit Phenomenon: It Is All About Being Risk-centric

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


As I have commented often in this blog, one of the remarkable attributes of our profession has been our ability to adapt our coverage to address the emerging risks facing our organizations. Whether it was Y2K risks in the late 1990s, Sarbanes-Oxley compliance in the mid-2000s, or cost reduction and containment at the outset of the global financial crisis, we have repeatedly refocused coverage to address the most critical risks facing our organizations.

When The IIA established The Audit Executive Center (Center) in 2009, it began to closely monitor key trends in the profession and communicate them via semi-annual reports to chief audit executives. One trend that has been monitored since the beginning has been the focus of internal auditing. Early Center surveys of the profession validated that internal auditing was swiftly reorienting to address operational risks. For example, in 2010 almost 70 percent of respondents indicated they were increasing coverage of operational risks as compared to the prior year.

So, what is the emerging risk that is capturing internal auditing’s attention in 2013? There’s plenty of evidence to indicate that compliance risks are surging from the pack of competing priorities. Following several consecutive years in which respondents to the Center’s surveys have projected dramatic increases in compliance coverage, in 2013 more internal audit resources are dedicated to compliance risks than Sarbanes-Oxley coverage, IT auditing, or assurance over the effectiveness of risk management. In fact, it is estimated that almost one-sixth of U.S. internal audit resources will be dedicated to compliance audit coverage this year. The outlook for next year includes even more focus on compliance.

I am often asked why compliance auditing has become such a prominent component of audit plans in recent years. My theory is that the shift in focus is a direct result of the highly legislative and regulatory environment in which we find ourselves. New U.S. laws, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act, the JOBS Act, and the Affordable Care Act, are spawning volumes of regulations, which are in turn creating new compliance requirements. New compliance requirements are generating associated risks, which is where internal auditing comes in. Add to all that the enduring compliance requirements, such as those associated with the U.S. Foreign Corrupt Practices Act, environmental protection regulations, and data privacy and security, and it is a wonder that compliance isn’t consuming an even larger portion of the pie.

The IIA has become much more vocal in advocating to legislators, regulators, and others the need to consider the inevitable consequences of compliance requirements embedded in new legislation and regulations. We believe that the shift to compliance auditing is draining internal audit resources away from more strategic risks facing organizations. However, until the steady stream of new regulatory requirements abates, we are likely to see even more internal audit resources dedicated to compliance risks. That is a predictable consequence of our commitment to follow the risks.

I welcome your thoughts on this important topic, as well as any insights on how this trend is impacting your internal audit function.

Posted on Sep 9, 2013 by Richard Chambers


  1. Richard,

    From my experience at Siemens and elsewhere I would add some other factors that cause internal audit to increase their focus on compliance risks.  First, we are slowly rebutting the argument that special 'compliance audit groups' that do not sit in internal audit but in other, less professional and less independent organizations are covering these risks.  This is opening up the compliance arena for more internal audit activity and is a positive outcome. Second, in addition to more regulation, there is also more rigorous and globally coordinated enforcement in areas like FCPA, pharmaceutical and medical device production, and anti-money laundering, which is increasing compliance risk to organizations.

    I have always wondered not whether there are too many professional, operationally independent internal auditors engaged in compliance auditing, but whether there are too few.  I believe that if regulators and legislators understood better the difference between a properly constituted and credentialed internal audit and something that fails to meet the grade, they could become better advocates for the profession.

  2. Richard,

    I am finding that within UK financial services, the audit plan is becoming dictated, to an extent, by regulation.  For example, regulations require XYZ to be independently audited on an annual basis (and there are many examples of where they have put the frequency as "regularly", which isn't very helpful).

    Where regulation doesn't necessarily require an audit, the audit plan is still being manipulated by senior management (executive and non-executive) who want assurance that we are compliant.

    It is a shame because in my opinion there are other areas that may require Internal Audit's attention more urgently.  For example, if you are not compliant, you are likely to get fined.  If you suffer a disaster and do not have appropriate BCP in place, you are likely to be out of business.

    Just some thoughts.

  3. There is not a single organisational objective that is one-dimensional, which in other words does not have one or more strategic, governance, operations, compliance, fraud, ICT or reporting aspects or variables.

    In our engagements, we need to nurture this realisation by conducting engagements which consider the governance, risk management and control PROCESSES as they should be. If this is done, one would certainly not have a discrete engagement.

    Some of the consequences of this approach would be, for example, considering whether the risk management process is ongoing rather than periodic, and considering whether there aren't any additional aspects of the objective which need to be added to get a fuller understanding of threats and opportunities to the objective.

    It worries me when internal auditors are continually linked directly to risks and controls. "Creep" then moves the goalposts from the popular "internal auditors provide assurance on risks and controls" to "internal auditors identify risks and develop controls".

    Whether providing consulting or assurance services, we should be careful to communicate a proper understanding of the fundamental purpose (to help organisations to achieve their objectives), nature (consulting - [provision of advice/training], and assurance - [provision of independent assessments]) and scope (governance, risk management and control PROCESSES) of internal auditing.

  4. Richard, I would also like to express my concern with these latest changes in the internal audit environment. We are obviously witnesses of a major shift from control-obsessed to cost-cutting and increased regulation-driven business conditions. Internal audit resources are more focused on regulative compliance risk, and I'm afraid this is only a beginning. Authorities are producing an excessive volume of regulations which are almost impossible to analyze and implement. It's like achieving compliance is the key strategy goal now. Maybe we (internal auditors) should speak louder and spread our mission and goals, not only to our management board and committees but to regulators also. Because it's obvious they are keen to forget why we are here.
