Corporate Compliance vs. Internal Audit – A Turf Battle?

Corporate compliance has been in the spotlight much more in recent years. The enormous corporate failures of the early 2000s spawned the Sarbanes-Oxley Act of 2002. Regulations such as HIPAA and Dodd-Frank, together with stock exchange listing rules, have caused compliance departments to grow rapidly.

Internal Audit departments have become much more active, not just performing internal audits but assisting in compliance validation. Many corporate compliance leaders would rather monitor compliance through their own departments than through Internal Audit. On the other hand, Internal Auditors are trained compliance testers by their nature. So are we setting ourselves up for confrontation?

Two teams with common goals

The role of a corporate compliance program is to prevent, detect and deter issues of noncompliance. The program also communicates the company's commitment to compliance throughout the organization. Compliance has a serious impact on the company's reputation from the viewpoint of its customers, vendors and competitors.

What is Corporate Compliance?

Compliance involves the process of adhering to obligations derived from laws, regulations, industry and organizational standards, contractual commitments, corporate commitments, values, ethics and corporate policies. This charge is very broad and often complicated. A compliance program encourages employees to report potential problems. Once a problem is identified, immediate and appropriate action is taken. This immediate action reduces exposure to civil damages, penalties, sanctions and administrative remedies.

In contrast, the Internal Audit department provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The Chief Audit Executive should report directly to the Audit Committee. Traditionally, the Internal Audit department has invested a great deal of its time monitoring compliance with company policy. Because of its relative independence, Internal Audit performs assessments and makes recommendations but does not operationally make changes.

The Corporate Compliance department typically reports to the Compliance Committee. Compliance Committee functions include advising the Chief Compliance Officer, developing standards of conduct, policies and procedures, reviewing reports and recommendations from the compliance department and the Chief Compliance Officer, conducting annual reviews of the compliance program, and ongoing analysis of legal requirements in specific risk areas.

Corporate compliance evolved in the 1970s with the enactment of the Foreign Corrupt Practices Act. In the 1980s, regulations were issued regarding insider trading. The federal sentencing guidelines for organizations were published in 1991, a decade before the Sarbanes-Oxley Act of 2002. The concept of corporate compliance, at least at the time, was substantially a United States concept. In many countries, corporate compliance was a foreign concept. In particular, countries with less developed capital markets, low liquidity and a strong concentration of family-owned capital tended to have limited corporate compliance.

The federal sentencing guidelines for organizations, which became effective on November 1, 1991, defined what an effective corporate compliance program to prevent and detect violations of law should look like, and gave organizations that maintain one credit at sentencing. Recommendations included in these guidelines encourage the following:

  • Instilling a “culture” of ethics and compliance
  • Defining ethics and compliance standards
  • Spelling out compliance obligations
  • Allocating adequate resources to compliance
  • Clarifying employee screening practices
  • Training as an essential compliance element
  • Providing a means of anonymous reporting
  • Conducting ongoing risk assessments

The question at hand is the following:

Who is to perform the monitoring and auditing of corporate compliance: Internal Audit or Corporate Compliance?

Monitoring and auditing of corporate compliance procedures is essential for an effective compliance program. Compliance processes are designed to detect criminal conduct, which makes them foundationally different from the processes typically tested by an Internal Audit department. On the other hand, compliance audits themselves should be independent and objective, as Internal Audit is, for the most part. Where special knowledge is required, subject matter experts should be engaged. Not unlike an internal audit plan, a compliance audit and monitoring plan should leverage existing work where possible, be scalable to risks and resources, and use appropriate tools such as self-assessments, exit interviews, etc.

As a side note, the Chief Compliance Officer oftentimes reports, inappropriately, to legal counsel. To be effective, the Chief Compliance Officer should report, at a minimum with a dotted line, to the Board of Directors while coordinating with, but not reporting to, legal counsel.

The evolution of Corporate Compliance departments and their coordination with traditional Internal Audit departments continues to develop. There certainly is a place in the company for compliance testing specialized in corporate compliance, and there continues to be an ongoing need for Internal Audit testing. There is no perfect answer for which department should perform procedural compliance testing. Rather, the Compliance department and the Internal Audit department should work together to define and coordinate their respective charters, maximizing skill sets and adopting an appropriate structure where feasible. For a more in-depth look at the subject, you can download our eBook "Corporate Compliance vs IT Audit".


Sam H. Carr is the Managing Partner of Carrtegra, LLC. Sam has over 30 years of experience in accounting, auditing, financial management and consulting. Sam has focused much of his career on process improvement and redesign. Sam holds an MBA and is a CPA, CIA, CISA and a Certified Compliance and Ethics Professional (CCEP). Sam is a finance and operations executive with broad-based experience that includes 12 years as a CFO or Chief Accounting Officer in both public corporations and private entities, and fourteen years with an international public accounting firm. Sam orchestrated an Initial Public Offering of a consolidation of dental practices throughout the United States. In addition to his IPO experience, he has a strong track record of demonstrated skills in a wide range of business environments, including designing financing, mergers and acquisitions, and growth companies. Sam has been the Chief Executive of a management consulting firm for the most recent 10 years. Sam's focus has been substantially on quality of services and valued solutions, as well as client and employee retention.