[authors: Pamela S. Hrubey, Maddie N. Cook, and Stefany L. Samp*]
In many organizations, the second and third lines of defense struggle to work as a team—either unintentionally or under the false notion that independence standards require complete separation. In these situations, compliance and internal audit can be like a doubles tennis team trying to return shots without communicating before or during the game. This would be a disaster on the tennis court, with players going for the same shots or missing others completely. The same is true in business. Without close collaboration, risks and opportunities either will be overmanaged or will slip through the cracks between the lines of defense. It is possible, however, for companies to shore up communication and coordination between compliance and internal audit, so they play as an effective doubles team.
If an organization is less mature or in initial high-growth stages and going public, it might not yet have dedicated compliance and internal audit teams, or it might have the dreaded “department of one.” In these situations, sharing knowledge between limited resources is even more crucial. They also can advocate for each other as they ask for the necessary resources.
Build regular touchpoints between teams. Chief compliance officers (CCOs) and chief audit executives (CAEs) gain value from having regular touchpoints as leaders. CCOs have regular contact with teams through training, issues raised, and partnering with the business to integrate compliance into daily processes. CCOs can share themes they see with CAEs to help inform scheduled internal audits or drive a focused internal audit in an area of concern. CCOs and CAEs often have teams or employees that they want to keep a closer eye on because of complaints, investigations, expense audits, and so on. Discussing those “problem children” can give both compliance and internal audit teams information they need to dig deeper or include specific activities in ongoing monitoring or sample selections. Remember that both teams can maintain their independence while collaborating.
Deputize each other’s teams to support your mission. Compliance should deputize internal audit to advocate for key compliance priorities such as data privacy, anticorruption, and environmental, social, and governance (ESG) issues. Internal audit has many contact points with the business where it might observe risks or opportunities in compliance areas it is not specifically auditing. Empower internal audit to bring those potential issues to the compliance team’s attention so issues can be investigated and compliance programs can be updated as needed.
Internal audits should deputize compliance to identify potential issues that might affect audits. When the compliance team feels empowered to share issues, internal audits can design and perform more risk-based audits.
By deputizing each team to keep its eyes and ears open for the other, each team gains support without any additional cost to the business and can more quickly and thoroughly address risks.
Collaborate on risk assessments. Both compliance and internal audit might be conducted enterprise-wide and/or targeted risk assessments during the year. It benefits both teams to coordinate timing and avoid duplicating work. Whenever possible, stakeholders going through risk-assessment interviews or surveys appreciate having a coordinated discussion instead of several. Risks can be inadvertently miscommunicated when stakeholders hear the same question worded differently, or they can get confused about who is responsible for doing what and in which situation. When assessments still are done separately, they are most successful when the compliance and internal audit teams share results. Having results from all completed assessments provides better inputs for internal audit plan preparation and compliance program management strategies.
Share risk rankings. Management will be able to digest results of risk assessments and audits more easily if, no matter who prepares them, the results are presented in one voice. Regardless of whether it’s an enterprise risk assessment, a compliance assessment, or an internal audit, ideally, risk rankings used for likelihood, significance, and velocity will be the same for all reports—especially when those reports are presented to the most senior stakeholders, including boards of directors. Finance and other teams should not be forgotten, as they might use risk rankings for fraud or Sarbanes-Oxley Act assessments. Using shared risk rankings keeps individual subject-matter experts from assuming their area of expertise is the highest risk, lets the actual highest risks rise to management review, and helps the company prioritize corrective action plans.
Aligning on rankings can be challenging, but companies with a wide range of compliance and internal audit teams have successfully done so. For first assessments, compliance and internal audit often can work together to develop simple tables that outline criteria and a shared heat map format. For more mature teams and large, global organizations, the legal team might need to help develop a more detailed framework, including examples of scenarios and how they would be ranked using the shared rankings.
Collaborate on data analytics. In general, compliance and internal audit teams have made strides in the past several years toward implementing ongoing monitoring programs using data analytics. In some companies, these analytics have been developed but are overlapping or missing risks because of assumptions that another team is reviewing a particular risk. In some cases, both teams are spending inordinate amounts of time reviewing false positives—including on the same transactions—because both compliance and internal audit built similar analytics. Sharing analytics programs and discussing false positives can improve both teams’ time spent.
Hold joint training sessions. Compliance and internal audit face constantly changing regulations and increasing scopes of work. When evolving topics affect both teams, consider joint training. For example, both teams might be scrambling to get up to speed on ESG reporting requirements and what they mean for the company’s systems and processes in the near term. Bringing in specialists to train both teams together allows each team to understand the impact on all lines of defense.
For the win
Playing doubles in tennis means the entire court is covered even though each player takes fewer steps. This concept transfers to risk assessment because sharing risk assessment results allows both compliance and internal audit to provide strong support for the company overall without duplicating their efforts, which makes everyone involved winners.
Collaboration between internal audit and compliance can take place while retaining necessary independence.
Deputize the other team. Covering the entire surface of the court (or company) is easier when teams collaborate to watch for emerging or existing risks.
Compliance and internal audit should present risk assessment results to management in one voice, using the same risk rankings to make reporting comparable.
Collaboration gets easier with practice. Practice collaborating by establishing regular touchpoints between compliance and internal audit.
Internal audit and compliance teams should work together to learn about changes inside and outside of the organization. Share knowledge and improve skills collaboratively.
* Pamela S. Hrubey, DrPH, CCEP, CIPP/US, FIP; Maddie N. Cook, CPA; and Stefany L. Samp, CCEP, CPA is in consulting at Crowe LLP.