Is it possible to combine the roles of chief audit executive and head of corporate compliance, or other jobs, without sacrificing the independence that’s a cornerstone of the audit function? Opinions are divided. “For internal audit to provide an objective view, they have to be independent of the functions they’re auditing,” says Peter Brady, national leader, business risk consulting with RSM US LLP, a global audit, tax, and consulting firm.
Others say that while compliance helps establish policies and procedures, it doesn’t implement them. Instead, execution is the responsibility of the operating units. As a result, internal audit wouldn’t be auditing itself, even if it and compliance report to the same individual.
“The concept of where compliance lands within the organizational chart is a hot topic,” says Brian Christensen, executive vice president, global internal audit and financial advisory practice at consulting firm Protiviti. Historically, compliance and internal audit were separate functions. More recently, as organizations have established chief risk officer (CRO) roles, some have placed multiple areas related to risk under the CRO’s direction, including compliance and internal audit, says Christensen.
At the same time, “there comes a point where it’s a bridge too far, especially in highly regulated environments,” Christensen says.
Why Combine Roles?
Organizations that combine internal audit and compliance typically point to several drivers behind their decision. One is simply the fact that internal audit typically reviews and must remain abreast of many compliance activities anyway. “An internal audit function that’s not somehow discussing regulatory and compliance risk runs the risk of not being relevant,” Christensen says.
This is especially pronounced within many large financial services companies, where managers must work with myriad overseers, both internal, like corporate compliance, and external regulators. The groups may ask similar questions, but use different frameworks, Brady says. Having separate groups respond to multiple sets of similar questions not only introduces duplication, but it also increases the risk that some information “falls through the cracks,” he adds.
Scott McAdams is senior vice president and chief audit, compliance and risk officer with Blue Cross and Blue Shield (BCBS) of Kansas City. His six direct reports oversee about 100 employees in audit, compliance and privacy, government relations, information security, and several other functions.
McAdams is charged with establishing an internal control framework that’s aligned with the organization’s code of conduct, as well as the many regulations that govern health plans. These are under one umbrella to ensure the controls reflect all risks to which the organization is exposed. “If you’re doing it independently, you’re losing the value of an integrated response in your mitigating controls,” he says.
By taking an integrated risk management approach, BCBS of Kansas City is able to conduct a single, comprehensive risk assessment. “You want a full vision to all the risks of the company,” McAdams says. At the same time, each area has its own leader and maintains its own list of agenda items that it reports to the audit committee. The internal audit team also independently questions the risk assessment plan. “It’s about maintaining three lines of defense,” McAdams says.
Both internal audit and compliance often use the same frameworks, tools, and personnel resources. Combining them can be a way to more effectively leverage these resources. Darcy Morowitz is vice president, internal audit and chief compliance officer with Navistar International Corp., a manufacturer of commercial trucks, school buses, and other products. She oversees a couple dozen employees working in internal audit, enterprise risk management, compliance and several other functions.
Navistar combined internal audit and compliance several years ago to better leverage its resources. In addition, some thought leadership has suggested that having compliance report to legal could create a conflict of interest, because legal would be both the activity owner and the defender if an issue arose.
“Since the reorganization, we’ve made better use of resources,” Morowitz says. She and her team conduct more training on, for instance, the Foreign Corrupt Practices Act (FCPA) and anti-corruption initiatives. They work more with executives on developing the “tone at the top.” They also host a compliance week in which all employees across the company compete in games and competitions designed to further their knowledge of compliance, the code of conduct, and other topics. They’re also leveraging data analytics to a greater extent.
To maintain some independence, the organization incorporates a matrix reporting structure. The compliance employees who are located within operating areas—for instance, emission compliance within engineering—report up through those organizations. They also have dotted line reporting responsibilities to Morowitz’s group, and use a framework developed by her group that covers policies, training, and other functions.
As the examples of Morowitz and McAdams show, organizations that combine internal audit and compliance often put in place safeguards that help internal audit maintain its independence.
Jeff Pigott is vice president of compliance and internal audit at Lee Health in Florida.
While he oversees both functions, each has its own work plans and prepares its own report for the governance board.
The compliance group reports to the chief executive officer, with a dotted line relationship to the board of directors. Should the CEO take some action that the board should be aware of, Pigott can initiate a conversation to address it. At the same time, he and his employees also have access to the CEO. “We have the ability to move the needle, whether it’s on internal audit or compliance issues,” he says.
Like Morowitz, Pigott also plans to engage an independent third party to assess the organization’s compliance function. “It’s inherent in the nature of the beast to bring in independent auditors when you combine internal audit and compliance,” he says.
Mitigating the Risks of Combined Roles
Organizations that place internal audit and compliance within the same department should maintain a direct reporting relationship between internal audit and the board of directors, says Mark Ruppert, chief audit executive at Northern Arizona University. “That helps ensure the functional role of internal audit remains.”
“Clear, objective boundaries are critical,” says Eric Lustig, law professor and director of the Center for Business Law at New England Law School. For instance, when an internal auditor tests the compliance function, his or her career shouldn’t be affected by the results.
When an independent firm is engaged to audit the compliance function, it should report to the board or chief executive officer—whichever has responsibility for governance, says Rob Farling, national anti-money laundering and regulatory compliance leader, also with RSM.
If the firm instead reports to audit, its objectivity will be suspect. “You’ll still have the contract with audit, which oversees compliance,” Christensen says.
Some say these safeguards aren’t enough to justify combining internal audit and compliance. Brady notes that many aspects of a regulatory compliance role are executive in nature, such as implementing changes in policies and regulations. Keeping internal audit and compliance separate allows internal audit to “provide an overview from an objective standpoint,” he adds.
At many financial institutions, independence is required by regulation. For instance, the pillars of an effective compliance program within a financial institution, which were developed by the U.S. Financial Crimes Enforcement Network (FinCEN), include a section on independent testing of the organization’s compliance with the Bank Secrecy Act, anti-money laundering laws, and other regulations.
Achieving Effectiveness Without Combining Roles
While the risk of creating siloes around internal audit and compliance is real, it’s possible to keep each department independent, and yet working effectively together and providing a comprehensive view of risk. One way to guard against siloes is through better communication and reporting, Lustig says.
To leverage always-tight budgets, the departments also can share some resources, such as an issue-tracking platform or database, Brady says.
To be sure, maintaining strong relationships between any two departments takes commitment and energy. Yet more organizations are seeing the benefits of taking a holistic, collaborative approach to risk management, Farling says. For instance, a financial institution that’s entering a new market is likely to bring internal audit and compliance into its early discussions, along with legal, IT, and other areas. “With a more holistic approach and more open dialogue, you’re better able to identify risks ahead of time,” he says.