The do-more-with-less movement may be inspiring a growing number of companies to merge corporate compliance and internal audit functions into a single reporting structure. Others are encouraging the functions to work more closely together.

Compliance and internal audit experts say they see an increasing number of companies creating closer ties between compliance staff and internal audit staff partly due to economic pressures. They are looking for ways to leverage resources and become more efficient, says Bill Watts, a principal with accounting firm Crowe Horwath.

They're also uniting the functions to establish more collaboration and a broader focus on identifying and mitigating risk. Companies want to take a more proactive approach to managing risk and are looking more broadly across the entire enterprise for where there may be unidentified or unmanaged risks, says Watts. Compliance and internal audit both play a role in that effort. They go out into various operational areas of the company, gather information and data, perform assessments, and make recommendations for change. “This is an emerging opportunity we see in risk management,” he says. “It's becoming a wake-up call to some organizations; maybe they ought to look more closely at what they're doing.”

Yet, most companies keep the compliance and audit functions separate, sometimes creating redundancies. “What they have not done in the past is share data or information,” says Watts. “So some companies see an opportunity to integrate that under one umbrella.”

Dime Community Bancshares recently formed a risk committee to better gauge risk on the macro level and look for overlaps and gaps in the company's risk assessment processes. “We don't want to have internal audit thinking they're responsible for certain things while compliance is doing it, and the other way around,” says Joe Perry, who chairs the bank's risk committee and is also a partner for accounting firm Marcum. “We want a coordinated effort with delineated responsibilities for who is doing what.”

Perry says a more integrated effort in compliance and internal audit leads to a better view of risk and a more efficient way to assess and manage it, especially for companies in highly regulated sectors such as financial services. “There are so many more regulations that you need more people to deal with all of them,” he says. “You need people who can adapt to the situation and do it in a more risk-weighted way to cut down on the amount of time you spend on compliance, yet with the same effectiveness. Efficiency is the outcome of our economic times—doing more with less.”

While there is plenty of integration of compliance and audit taking place among larger public companies, some have resisted the idea, says Laura Flippin, a partner with law firm DLA Piper. “I certainly see some companies moving toward convergence, but others are still keeping their functions separate,” she says.

Companies that have chosen to integrate the functions tend to see compliance and internal audit as two sides of the same coin. “They're both charged with identifying whether certain behaviors have taken place, monitoring on the back end, making changes going forward,” she says. “It makes sense to put them under one roof. Auditing means more than simply doing a string-of-numbers calculation and financial review, and compliance needs to understand the financial implications of the actions taken by the company.”

Of course, there are steps along the way to achieving more cooperation without opting for a wholesale merger of the two functions. In fact, KPMG partner Eric Holt says that it is still somewhat rare to see companies physically merging their compliance and internal audit functions. However, he does see a strong focus on integrating the activities of compliance and internal audit to eliminate existing silos and potential redundancies. “The goal of convergence is to transform operations that incorporate a more integrated and intelligent approach,” says Holt, who is KPMG's global leader of internal audit, risk, and compliance. “The goal is not to eliminate an entire function or force a function to assume new duties.”

A SUCCESSFUL MERGE

The following excerpt from Nichols, Cauley & Associates' Website BankAudit.net provides tips on how to merge the internal audit and compliance functions:

Clearly a new approach is called for that brings compliance, risk management and internal audit into a framework that enables management to measure, prioritize and manage them efficiently and effectively. The organization should employ a streamlined framework that integrates compliance and internal audit activities across lines of business and shared service functions which would eliminate redundancies and overlap efforts.

The three major keys in such an approach are:

Diagnosis: An evaluation of current business operations and the compliance implications is the first step. This step identifies compliance resources, internal audit resources, technologies and actively develops an initial baseline cost of compliance and internal audit. Existing risks, compliance resources, internal audit resources, control and technologies are split up and divided into groups to be catalogued.

Analysis: This step involves analyzing the effectiveness of the existing compliance and internal audit programs against existing risks and identifying any compliance gaps and potential needs for additional controls and elimination of duplicative services. This rationalization can save any organization up to 10-15% over a 6-12 month period according to research performed by a leading accounting firm.

Implementation: The last step involves implementing the new compliance and internal audit operating model that has been developed.

These three steps should generate greater compliance and internal audit effectiveness at a lower cost.

The new compliance and internal audit operating model should differ from the current model with the following differences:

The organization should now have an integrated compliance and internal audit function which facilitates a more consistent approach across the organization ensuring standards are consistently being met and any duplication and unnecessary activities are reduced, if not eliminated and therefore, costs are reduced.

Compliance management controls can now be assessed against a common enterprise-wide standard that replaced the individual standards in the old model.

With the more integrated and compliance efforts, the technology infrastructure can be more closely aligned with compliance and internal audit needs. The institution might be able to automate manual activities and eliminate duplicative applications, potentially further driving down its cost structure.

The new integrated operating model should help in integrating reporting relationships across risk areas, compliance management functions, and internal audit functions improving communications about any risk and compliance issues. A more integrated structure creates open dialogues and increases awareness of operational risk and compliance issues which fosters a stronger risk and compliance management culture.

The benefits generated from implementing a new more efficient risk and compliance model may yield a 10-20% reduction in cost within the first year after implementation. Beyond the monetary benefits, there are additional benefits.

An integrated approach to risk and compliance management better positions financial institutions to address future risks and anticipate the impact of changing conditions. The cost savings and improved risk management may provide a competitive advantage. As markets become more risky, it may provide the most important basis for competitive success.

Source: Nichols, Cauley & Associates' Website BankAudit.net.

For example, no companies are going so far as to have compliance assume responsibilities that have been performed by internal audit, says Holt. But they are looking to share resources, and technology is the key enabler of such sharing and integration, he adds. By integrating the resources of governance, risk, compliance, and even internal audit into a single system, companies can develop a consistent set of information on risks, issues, and mitigating actions, enabling timely and consistent analysis and reporting.

Integrated Systems

That's exactly what companies are looking to buy these days as they consider new systems, says Steve McGraw, president and CEO of technology firm Compliance 360. Currently, the firm is working with a few hundred companies that are looking to upgrade or replace existing systems, and not a single proposal is focused exclusively on internal audit or compliance. “Three years ago, we saw a lot of internal audit- or compliance-only deals,” he says. “That stopped dead in its tracks.”

Where there is resistance to such integration, Flippin said, it often arises because of legacy, institutional structures, and political alignments. “There are some boards and some executives who view audit and compliance as two separate areas,” she says.

Companies might also balk at the upfront costs associated with restructuring or retraining, says Crowe Horwath's Watts. “You have to spend money to make money,” he says. Companies need to invest in cross-training compliance and internal audit staff to achieve an integrated process. While that will yield an immediate effect on efficiency, he says, it will add cost on the front end.

Consultants who are selling the idea of merging or integrating the functions may not say so, but there are plenty of purists who are willing to assert that the two areas should remain separate. To retain its independence, internal audit in many organizations reports directly to the audit committee, creating a check on management that is important to regulators and Sarbanes-Oxley compliance. Concern abounds that internal audit should not be absorbed into compliance, which is a function of management. “This would effectively keep management from being audited,” one observer recently wrote on the Institute of Internal Auditors blog. “You need to fight for these audits to continue or you'll end up moving down the food chain into quality control.”