Internal audit

The audit has been present since time immemorial. There are different types (according to its objective), but in a generic way, an audit is defined as the objective and independent verification of the adequacy and effectiveness of internal control measures. In other words, audits verify that what is being done is what should be done. This is done by auditing or reviewing numbers.

After the financial scandals that led several companies to bankruptcy (e.g., Enron, WorldCom), most internal audit areas began to use the business risk methodology to perform audits. They were forced to know the company’s processes in order to identify risks and the controls that minimize them. Therefore, its scope became global, covering the whole company. But as we know, “watchdog” areas are not very welcome in companies, and after the impact those financial scandals have had, not only in the company itself but in the country’s economy, people knew they needed reinforcement. Therefore…

Compliance

Compliance arose as a result of all those financial scandals that had a worldwide effect. It arose as an additional control measure to minimize the risks a company is exposed to, specifically, a new powerful risk: reputational—that is to say, the risk that the company’s image will be affected.

Due to financial scandals, regulators decided that in order to protect consumers, market integrity, and stability, the companies that must have a compliance officer were those listed on the stock market exchange and those in the financial sector.

Nowadays, the compliance officer has been included as a key control in anti-money laundering regulation as a powerful control to minimize the risk of money laundering.

The objective of compliance is to ensure adherence to laws, regulations, and commitments made both with third parties (contracts, agreements) and internally (code of conduct and ethics, policies, and procedures). This led to responsibility for three main risks: reputational, regulatory, and legal.

Up until now, it was assumed that those working in the internal audit area needed to be qualified accountants, and those working for compliance needed to be lawyers. Many companies keep these as their requirements for hiring staff for these positions, but the truth is that a compliance officer needs to be much more than a lawyer.

Why? The answer is that to assess reputational risk, a compliance officer must start by knowing the company’s processes and use the business risk methodology to understand which processes, products, or services make the company vulnerable to risk and which could affect its image.

An element of compliance is making sure that everyone complies with regulations (regulatory risk) and with contracts and agreements (legal risk). In order to protect the company’s image, a compliance officer must be involved in processes and in new products the company wants to launch (before they do), in any kind of suit, and of course, they must know in advance how to protect the company from being used for money laundering.

What companies have learned is that hiring lawyers as compliance officers isn't enough. The compliance officer profile has evolved into a mix of the following skills:

• An auditor: to review every detail analytically and ask why this is happening.

• A policeman: to obtain the information needed and to preserve or restore order.

• An investigator: to be able to corroborate all the information.

• A psychologist: to understand the behavior of others and persuade others.

• A marketer: to promote compliance and the benefits of its work.

• A lawyer: to be able to exercise the right of the “must be.”

• A politician: to exercise the art of diplomacy.