Making compliance and internal audit a winning doubles team

Pam S. Hrubey

Pam S. Hrubey

Pam S. Hrubey (pam.hrubey@crowe.com) is a principal in consulting at Crowe.
Maddie N. Cook

Maddie N. Cook

Maddie N. Cook (maddie.cook@crowe.com) is in consulting at Crowe.
Stefany L. Samp

Stefany L. Samp

Stefany L. Samp (stefany.samp@crowe.com) is in consulting at Crowe.

By Pamela S. Hrubey, DrPH, CCEP, CIPP/US, FIP; Maddie N. Cook, CPA; and Stefany L. Samp, CCEP, CPA

In many organizations, the second and third lines of defense struggle to work as a team—either unintentionally or under the false notion that independence standards require complete separation. In these situations, compliance and internal audit can be like a doubles tennis team trying to return shots without communicating before or during the game. This would be a disaster on the tennis court, with players going for the same shots or missing others completely. The same is true in business. Without close collaboration, risks and opportunities either will be overmanaged or will slip through the cracks between the lines of defense. It is possible, however, for companies to shore up communication and coordination between compliance and internal audit, so they play as an effective doubles team.

If an organization is less mature or in initial high-growth stages and going public, it might not yet have dedicated compliance and internal audit teams, or it might have the dreaded “department of one.” In these situations, sharing knowledge between limited resources is even more crucial. They also can advocate for each other as they ask for the necessary resources.

Collaboration tips

Build regular touchpoints between teams. Chief compliance officers (CCOs) and chief audit executives (CAEs) gain value from having regular touchpoints as leaders. CCOs have regular contact with teams through training, issues raised, and partnering with the business to integrate compliance into daily processes. CCOs can share themes they see with CAEs to help inform scheduled internal audits or drive a focused internal audit in an area of concern. CCOs and CAEs often have teams or employees that they want to keep a closer eye on because of complaints, investigations, expense audits, and so on. Discussing those “problem children” can give both compliance and internal audit teams information they need to dig deeper or include specific activities in ongoing monitoring or sample selections. Remember that both teams can maintain their independence while collaborating.

Deputize each other’s teams to support your mission. Compliance should deputize internal audit to advocate for key compliance priorities such as data privacy, anticorruption, and environmental, social, and governance (ESG) issues. Internal audit has many contact points with the business where it might observe risks or opportunities in compliance areas it is not specifically auditing. Empower internal audit to bring those potential issues to the compliance team’s attention so issues can be investigated and compliance programs can be updated as needed.

Internal audits should deputize compliance to identify potential issues that might affect audits. When the compliance team feels empowered to share issues, internal audits can design and perform more risk-based audits.

By deputizing each team to keep its eyes and ears open for the other, each team gains support without any additional cost to the business and can more quickly and thoroughly address risks.

Collaborate on risk assessments. Both compliance and internal audit might be conducted enterprise-wide and/or targeted risk assessments during the year. It benefits both teams to coordinate timing and avoid duplicating work. Whenever possible, stakeholders going through risk-assessment interviews or surveys appreciate having a coordinated discussion instead of several. Risks can be inadvertently miscommunicated when stakeholders hear the same question worded differently, or they can get confused about who is responsible for doing what and in which situation. When assessments still are done separately, they are most successful when the compliance and internal audit teams share results. Having results from all completed assessments provides better inputs for internal audit plan preparation and compliance program management strategies.

Share risk rankings. Management will be able to digest results of risk assessments and audits more easily if, no matter who prepares them, the results are presented in one voice. Regardless of whether it’s an enterprise risk assessment, a compliance assessment, or an internal audit, ideally, risk rankings used for likelihood, significance, and velocity will be the same for all reports—especially when those reports are presented to the most senior stakeholders, including boards of directors. Finance and other teams should not be forgotten, as they might use risk rankings for fraud or Sarbanes-Oxley Act assessments. Using shared risk rankings keeps individual subject-matter experts from assuming their area of expertise is the highest risk, lets the actual highest risks rise to management review, and helps the company prioritize corrective action plans.

Aligning on rankings can be challenging, but companies with a wide range of compliance and internal audit teams have successfully done so. For first assessments, compliance and internal audit often can work together to develop simple tables that outline criteria and a shared heat map format. For more mature teams and large, global organizations, the legal team might need to help develop a more detailed framework, including examples of scenarios and how they would be ranked using the shared rankings.

Collaborate on data analytics. In general, compliance and internal audit teams have made strides in the past several years toward implementing ongoing monitoring programs using data analytics. In some companies, these analytics have been developed but are overlapping or missing risks because of assumptions that another team is reviewing a particular risk. In some cases, both teams are spending inordinate amounts of time reviewing false positives—including on the same transactions—because both compliance and internal audit built similar analytics. Sharing analytics programs and discussing false positives can improve both teams’ time spent.

Hold joint training sessions. Compliance and internal audit face constantly changing regulations and increasing scopes of work. When evolving topics affect both teams, consider joint training. For example, both teams might be scrambling to get up to speed on ESG reporting requirements and what they mean for the company’s systems and processes in the near term. Bringing in specialists to train both teams together allows each team to understand the impact on all lines of defense.

This document is only available to members. Please log in or become a member.
Become a Member Login

What to read next...

“Big Data,” big regulations, and big ethics


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings