DISCUSSIONS > IIA GENERAL DISCUSSION AREA
Thread Title: Audit vs Compliance
Created On Wednesday April 01, 2009 4:38 PM


Dens


Posts: 4
Joined: Apr 2009

Wednesday April 01, 2009 4:38 PM


My company is having discussions about merging the Compliance Department with the Internal Audit Department. Please give specific reasons why this should not be done or whether this can be done. Thanks.




kyyee


Posts: 746
Joined: Oct 2002

Wednesday April 01, 2009 5:53 PM


I think you need to provide more details regarding what your IA and Compliance functions are mandated to do now, and in what industry. More importantly, you are in a better position to outline *your* thoughts for and against; it then might be better to ask for commentary on your thoughts compared to simply soliciting other people's thoughts that may or may not be appropriately framed.




tombee


Posts: 31
Joined: Mar 2009

Wednesday April 01, 2009 5:54 PM


I work for a DoD government agency. We used to have 30 auditors and some compliance people. The compliance people are not auditors; they are quality assurance persons, reviewers, or investigators, are not trained in audit and accounting, and have degrees other than accounting. The audit function merged with the compliance function. We now have only 4 auditors and 35 compliance people. Not much attention is paid to the audit team and resources for audit are scarce vs. the compliance unit. The compliance people act like they are auditors and the work they do is very similar to audit, especially performance or operations or quality type audits. I do not know what went on but evidently someone at some time thought that it would be better to have fewer auditors and more compliance personnel. Not a good thing for the audit function. Money is not the issue because most of the compliance people are paid more than the auditors.

-------------------------
CIA is more important




Dens


Posts: 4
Joined: Apr 2009

Thursday April 02, 2009 10:19 AM


Thanks for your response. Regarding the situation I raised, I don't think that the compliance function should merge with the Audit function as, in my opinion, compliance is a management function which too will have to be audited. I think the problem stems from the fact that Compliance is new to our organisation and the compliance dept somewhat copies how we do audits, so the Management is basically seeing it as an overlap. Since the whole Compliance is new to the organisation, I really don't know how different a compliance report should be from an audit report. In addition, I see compliance as the dept that works more closely with the different depts to ensure that they understand the policies and procedures set by the organisation, laws, regulations etc. There will be some overlap between the two but I think how it is reported is the problem. So, I really want to know if it's okay for the two to merge and if anybody has ever worked in such an environment, and get some feedback on it.




Crash


Posts: 1770
Joined: Jun 2004

Thursday April 02, 2009 11:42 AM


I started an Audit function at a pharmaceutical company that had a Compliance group. The first audit I did was of the Compliance group. Issue #1 was the fact that they called themselves an audit group. We got that straightened out quickly. Next came the reality of scope or coverage - audit assesses all organizational risk while compliance only validates certain components of the risk universe. It is this difference that sets Audit at a different spot than where Compliance rests. It is this difference that you must leverage for your existence.

My first reaction would be to never blend the two roles. I would utilize the Audit Committee to help management understand the difference in scope. Professional, polite, and fact based is the lighted path between these forces. However, if your management is headed down the dark path, then you must do what is necessary to stay employed. There are clear compliance risks that the organization is facing. It is a small leap to include these in your audit plan. Based on what you wrote, however, I'd be very concerned that they are trying to absorb audit into compliance. This would effectively keep management from being audited anywhere else (AP, Finance, Fraud, Contracts, Sales, etc). You need to fight for these audits to continue or you'll end up moving down the food chain into Quality Control.

-------------------------
Do the right things for the right reasons.




Dens


Posts: 4
Joined: Apr 2009

Thursday April 02, 2009 1:17 PM


Thanks very much for your response. I am going to do a paper on why they should not merge and highlight the specific reasons. As you suggested, I will seek the help of the Audit Committee. I however need some guidance on what a compliance report should look like or, in other words, what should be reported to make it somewhat different from an audit report. Thanks.




Crash


Posts: 1770
Joined: Jun 2004

Thursday April 02, 2009 2:51 PM


Compliance reports always go to the same people - Ops Management & Quality. Audit reports usually go to the executive with responsibility for the area under review. This could be anyone in the organization.

Compliance reports are usually very narrow in their assessment of an output, known process, or batch. They often attest that a documented process was followed (ISO Standard), the finished output matches expectations, and/or the steps needed to ensure a good product were followed as required. Audit reports go where the risks of that review take it in light of the expectations of the audit committee and senior management. We also submit opinions on controls based on testing, but these usually go further with recommendations for improvement and management's responses to these recommendations.

-------------------------
Do the right things for the right reasons.




Honeybadger


Posts: 76
Joined: Sep 2008

Friday April 03, 2009 9:56 AM


Dens

To add to Crash's views, your mandate is to "evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach."

What is this Compliance Department's mandate? Exactly - not what you think it is or should be.

I think the answer to your dilemma will jump out and stare you in the face when the mandate question has been answered.

Assessing and advising on the management of compliance issues would be an IA responsibility.

Ensuring and effecting compliance should definitely not be an IA responsibility.

The internal audit charter should be your ally in fighting for your independence and organisational status, both of which it would seem would be adversely affected by the proposed merger.

Whatever the case, my advice to IAs, always fight to have the compliance risk appetite to be as low as you can get according to your organisation's rating system.

-------------------------
Honeybadger




planoisdaudit


Posts: 1814
Joined: Oct 2006

Friday April 03, 2009 3:14 PM


Dens,

Also take a look at their review process.
What professional standards do they follow?
How are their compliance reviews documented?
What professional certifications do the individuals have?
Is the compliance department subject to an external quality assurance review?

Questions like these will quickly highlight differences between audit and compliance.

-------------------------
Dan
Integrity can be defined as your moral soundness. A test for integrity - Do your actions match your words?




Dens


Posts: 4
Joined: Apr 2009

Friday April 03, 2009 5:52 PM


Thanks to all who responded. I am clearer on how to handle the situation. Thanks again. However, I still do welcome any other suggestions, views etc.




roblarose


Posts: 53
Joined: Aug 2008

Monday April 06, 2009 6:56 PM


The two functions are not incompatible. Internal Audit is larger and encompasses Compliance. Compliance is more focused and is a part of Internal Audit. Internal Audit is composed of these elements: 1) financial audit 2) performance or operational audit and 3) compliance audit.




Flo


Posts: 33
Joined: Feb 2009

Tuesday April 07, 2009 7:40 PM


Compliance functions fall into either of two categories. One is to proactively determine and maintain all requirements to be complied with e.g. regulatory, technical accounting policy, etc. The other is to reactively determine that all applicable compliance requirements are complied with and prompt corrective actions taken - hence compliance audit in readiness for the true external compliance audit. For independence purposes and to keep compliance as a management function, I think management should delineate between the two functions. If compliance becomes a part of internal audit, and internal audit fails to determine new and amendments to existing compliance requirements, management would blame internal audit and the organization will be exposed.

Nevertheless, I have been a member of the Compliance Committee in my organization.

In this case, though, I am not sure which category of compliance it is. However, if the organization’s compliance function is a stable one where significant changes to compliance requirements rarely occur, I can see the merger of the compliance and internal audit departments.

The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org