Deena King (deenaking@uttyler.edu) is the author of Compliance in One Page and the forthcoming Strategic Compliance, and is a Chief Compliance Officer at The University of Texas at Tyler in Tyler, Texas, USA. Marisa Zuskar (mzuskar@hcg.com) is a Senior Director at Chicago-based Huron Consulting Group.
We recently read two columns on internal controls, one by Joe Murphy and the other by SCCE & HCCA CEO Gerry Zack, in the November 2021 issue of CEP Magazine. These pieces resonated with us, because we, the authors, are passionate about the positive impact of internal controls in strengthening compliance programs and have spoken together on this issue at a couple SCCE events.[1]
In his column, Murphy shared some concerns about the use of internal controls in compliance programs and raised several valid examples of how internal controls, when not “approached thoughtfully” can be detrimental to an organization’s environment.[2] He added that they can sometimes “appear oppressive” and lead employees to willfully work around compliance controls meant to protect the organization (which can make many compliance professionals nervous). In the second column we read, Zack stated, “Internal controls over compliance are the foundation of any compliance program,” conceding that internal controls should be carefully reviewed to ensure they are reasonably designed and effective.[3]
We, the authors, have our own biases related to this topic, which can be summed up in the following statement: Laws/regulations + internal controls = effective compliance.[4]
In our view, what makes the compliance profession so unique is the yin-yang-like collaboration that must occur between regulatory experts and internal controls specialists. Regulatory experts are focused on all the legal requirements and laws affecting an entity while internal controls specialists have expertise in operationalizing these laws via compliance programs within other business functions.
We hope that Murphy agrees with the following idea—that the objective of compliance programs is to achieve operational alignment with the requirements that come from a large body of laws and regulations.
As compliance leaders, the body of laws we care about are going to be dictated by our industry—healthcare, finance, energy, utilities, higher education, etc. Understanding the laws and regulations relevant to our industries, therefore, is necessary to the design and implementation of an effective compliance program and its elements, including policy, organizational design, procedure, communication, and training.