The State of Compliance and the Role of Internal Audit

PwC has published a paper on the state of compliance that I recommend for internal auditors and others interested in compliance programs. There is also a Compliance Week article on the paper.

While it is generally interesting, I personally was not very surprised by its findings. Instead, it reminded me of a discussion I had much earlier this year with Catherine Finamore Henry. Catherine is active as a practitioner and consultant in the areas of ethics and compliance, as well as a CIA. She was concerned, as she wrote in a piece for my Governance Perspectives column in Internal Auditor, about companies that were combining internal audit and compliance. (The link is restricted to IIA members; non-members can get a copy here).

Let’s discuss two related questions:

  1. Should the head of internal audit (CAE) add the responsibility as chief compliance officer (CCO)? What about adding chief ethics officer?
  2. Should the CAE report to the CCO?

On the first question, I find this interesting and somewhat challenging: I always strive to look beyond my little box for ways I can help the organization, so saying “no” when asked to do more is not easy. A number of my CAE friends, here in the Silicon Valley, have answered the question “yes”. But I am not sure I would. I did say “yes” while I was at Tosco (some years ago) and added the title of CCO to the title of CAE. It wasn’t the same because although I was listed on filings as the CCO, my charter made it clear that mine was an assurance role with some level of coordination. Management remained responsible for (a) understanding their compliance requirements, (b) designing the related processes, (c) remaining in compliance, and (d) all related reporting. My friends have taken on responsibility for ensuring the company’s policies and processes are adequate, which is further than I went or would be prepared to go today.

I do see value in the CAE caring about and understanding compliance.

I understand that the CAE could outsource compliance audits. 

I can also see that there might be some level of efficiency.

But, the “buts” outnumber and outweigh (IMHO) the benefits:

  • A specialist can do the job better most of the time.
  • Outsourcing compliance audits means outsourcing a very large portion of the job.
  • The risk to actual — and perceived — independence and objectivity is too high.

So, I would be reluctant to take it on.

If I were asked to add CCO to my CAE job, I would first have a frank discussion with executive management. Why do they want to do this? Are there better options? Do they understand the risks? What can be done to address the risks? Is this temporary, while they find a specialist, or longer term? If they continue to press me to do it, I would discuss the question with the audit committee. The committee should hear all the arguments directly from management, unfiltered by me. If they wanted me to do it, I would (to the extent possible) make sure they not only understand the risks but give me the resources I would need to insulate the two functions and agree to review and reconsider after a year.

Would I feel the same about taking on the role of Ethics Officer (which I also have done in the past)? I think this is easier, especially if responsibility for an ethical organization remains with the board and executive management and the Ethics Officer acts as facilitator and chair of a senior management-level ethics committee. But, there would have to be open discussions with management and the audit committee, and a charter that clearly sets out the responsibilities in a way that minimizes any threat to independence and objectivity.

Should the CAE report to the CCO? Absolutely not!

  • The CAE will frequently have to report issues that make the CCO “look bad” and this can unnecessarily create tension and the potential for inappropriate influence on internal audit.
  • The CCO is not, generally, senior enough in the organization. The IIA recommends reporting to the CEO, and I can accept reporting to the CFO or the General Counsel (assuming a prominent General Counsel with the ear of the board).

What do you think? Do you think the CAE should add CCO responsibilities? Do you think the CAE should report to the CCO?

Have you seen a combination that worked well? Please share.

Posted on Aug 8, 2011 by Norman Marks


  1. I think it depends on the legislation. In some developed countries you will find the requirement to have an audit function which should report directly to the board of directors (mainly shareholders' representatives). In this situation you definitely can’t combine the audit function with any other. In the situation where there is no such requirement I think it’s up to top managers to decide both a reporting line and compatibility (for example internal audit, risk management and compliance - three in one : ).

    • Not only does the idea of the CAE reporting to the CCO sound ridiculous, but the CCO position itself seems ridiculous and redundant.
    • The PWC survey says the only thing the CCO 'owns' is ethics, that's people's behavior. HR can well deal with ethics. What's left to the CCO? Going around the legal department asking whether this or that practice is in compliance with regulations? Responsible managers can easily skip the CCO in communications to legal.
    • Can the CAE assume CCO functions? Why not, most of them the CAE has already had, i.e. compliance audits, whistleblowing. At the same time the CAE can easily escape a management role by only 'recommending' that functional departments develop compliance policies and procedures. So the CAE needn't be too reluctant to assume the CCO role, to avoid looking arrogant and lazy.
  1.  Sorry for bold letters, they look awful, I didn't want it.

  1. Agree with Yury. Also, if we are talking about compliance, the question of legislation knowledge arises. Either there is something wrong with the legislation and it’s too complicated to understand, or maybe we should think about the necessity for management to receive at least a beginning-level knowledge of applying legislation in addition to their main qualification. If the CAE can and should understand and know the legislation rules, why is it not applicable to operational management?

  1. I am probably too old school, but as CAE I would resist any activity outside internal auditing which implied assuming management responsibility.

    It seems so easy, because of the versatility of internal auditors, for more and more duties to be seen fit to be added to them.

    I would prefer to keep to the consulting and assurance roles mandated for internal auditors.
