Internal auditors and chief compliance officers appear to have differing opinions about the internal audit department’s ability to assess risk and compliance functions.

That’s according to the findings of a recent poll conducted by the Open Compliance and Ethics Group, which surveyed more than 500 enterprises in the public, private, government, and non-profit sectors. In the poll, roughly 63 percent of internal auditors say they are capable of assessing an organization’s risk and compliance functions—but less than 40 percent of everyone else agreed.

“Everyone else” in the poll is a mix of various governance, risk, and compliance executives, OCEG President Carole Switzer says. The majority of that sub-group were compliance and risk officers—roughly 39 percent and 18 percent, respectively—and the remainder included legal (10 percent), finance (8 percent), IT (11 percent), and human resources (2.5 percent).

Given that many companies are still in the “very early stages” of developing GRC functions, the split opinion about internal audit’s expertise is “not surprising,” says Charles Pavlounis, chief audit executive of hospitality services provider Wyndham Worldwide. Internal audit departments at smaller organizations, for example, typically are less mature than those at large, global organizations, which tend to have a wider variety of skill sets, he says.

At Ventura Foods, for instance, “we don’t have a large enough compliance group or audit group to have them separated,” explains Jason Mefford, vice president of business process assurance for the Brea, Calif.-based food manufacturer. Therefore, Mefford says, he assumes much of the chief compliance officer role “to help set up some of the governance and compliance functions that weren’t in place beforehand, so we can actually audit them.” He is also in charge of performing all internal audit and investigation activities of the company.

Traditionally, many audit departments have been staffed primarily with internal auditors who are very good at auditing processes and assessing financial reporting controls, experts say. That has contributed to the general sense “that internal auditors know much more about Sarbanes-Oxley 404 and financial controls than they do about anything else,” says Jay Cohen, chief compliance officer of Assurant. (Although, Cohen adds, he disagrees with that view.)

In some instances, the internal auditor genuinely might not have the necessary qualifications, Mefford admits. “One of the hardest things for internal audit is having to understand the job and the complexity of whatever the area is that you’re auditing,” he says.

The majority of non-internal auditors in OCEG’s poll seemed to agree. Roughly 52 percent said internal audit is “somewhat capable” of assessing risk and compliance functions, but stressed that a “wide disparity in knowledge” exists.

The internal audit role “relies on a significant level of judgment to be able to leverage experiences, understand the fundamental concepts of what makes a good system or program, and then to be able to make an objective assessment against that,” Pavlounis says. That further involves looking out for best practices and benchmarks, spending the time doing the research, and simply networking, both internally and externally, to understand what works and what doesn’t, he says.

Pavlounis adds that, in general, the chief audit executive should be charged with staffing an internal audit department with auditors who are well positioned to perform assessments, and execute them properly. Wyndham Worldwide, for example, embraces an enterprise risk management approach and looks for auditors with analytical skills that go beyond just financial risk to assessment of operational, strategic, and compliance risk, he says.

IA and ERM

The OCEG survey also asked whether (and how much) the internal audit department is involved in planning and designing risk-management and compliance systems. Roughly 42 percent of auditors in the poll answered “yes,” compared to less than 30 percent of non-auditors.

Internal auditors and compliance professionals alike agree that the internal audit function works most effectively when collaborating with the risk and compliance teams (assuming they exist at the company). “There really has to be a coordinated effort between these groups,” Mefford says.

Because internal audit sometimes gets left out of the discussions, “some people don’t see or understand the perspective that they can bring,” Mefford adds. If each department acts independently, “obviously, that is going to lead to more misunderstandings and conflicted interests,” he says.

At Assurant, Cohen says, “Our internal audit team is part of the overall risk management program. They have been tasked by the audit committee with contributing their expertise and, where needed, their audit skills and resources to our risk-management efforts.”

In addition, several of Assurant’s internal auditors have experience at audits of non-financial controls, such as business operations like claims processing and customer service, Cohen adds. “From my vantage point, they know what they are doing and do it well.”

CAN IA AUDIT COMPLIANCE?

The following table, drawn from two charts in the OCEG poll, shows respondents’ answers to the question: Is the internal audit profession capable of evaluating the effectiveness of an organization’s risk-management and compliance systems? Internal auditor responses total 323; non-internal auditor responses total 236.

Response                                                   Internal Auditors   Non-Internal Auditors
Yes                                                        63.16%              35.59%
Yes, but Only Risk Management                              1.24%               1.27%
Yes, but Only Compliance                                   4.95%               7.20%
Some, but There Is a Wide Disparity in Knowledge Needed    29.41%              53.81%
Not at All                                                 1.24%               2.12%

Source: OCEG Poll: Does Internal Audit Help? (Feb. 22, 2010).

The poll also showed discrepancies in how much internal audit helps to plan and design an integrated approach to GRC. The plurality of internal auditors (roughly 40 percent) said “yes,” while the plurality of non-auditors (roughly 38 percent) said, “no.”

Pavlounis contends that subtle differences in how individuals define GRC, and the subjectivity of evaluating one effective GRC program against another, will always exist. Just like enterprise risk management programs, integrated governance, risk, and compliance programs must be tailored to each organization’s culture and capabilities, he says.

“It’s got to be more than just a standard process or cutting-edge software. It has to be part of the corporate culture and tone-at-the-top, and should be integrated into the every day life of an organization,” Pavlounis says. “You just can’t force feed an out-of-the-box program into an organization.”

Lastly, the survey asked whether internal auditors test and provide assurance about GRC systems. In both cases, the plurality answered yes: 35 percent of auditors, 28 percent of non-auditors.

“You have to be able to assess the readiness, the awareness, and the culture of an organization to make it work,” stresses Pavlounis. It’s easy to develop policies and facilitate training seminars on the corporation’s strategy, he says, “but the difficult part is the ongoing risk assessment needed to ensure that the company is focusing on the right risks and dedicating the right resources against the riskiest ones.”

When companies want to confirm that their risk management effort is focusing on the right compliance risks, “you probably need to look to experienced compliance professionals or attorneys, internal or external, for advice,” says a deputy general counsel and chief compliance officer who asked to remain anonymous.