Latest Blogs from SBS and Company LLP

    Managing Compliance Risk

    Today the scope of compliance is much broader, and its impact on business far greater, than ever before. Despite greater regulation and the risk of noncompliance, some companies may not be taking their responsibility for identifying and managing compliance risk particularly seriously. Organisations should identify, prioritize, and assign accountability for managing existing or potential threats related to legal or policy noncompliance, or ethical misconduct, that could lead to fines or penalties, reputational damage, or the inability to operate in key markets.

    A survey conducted in 2014 by Compliance Week indicates that 40 percent of companies did not perform an annual compliance risk assessment. Further, a study conducted by the IIA indicates that 38 percent of chief audit executives (CAEs) did not use compliance or regulatory requirements as a resource when establishing the audit plan.

    The Three Lines of Defense 

    The Three Lines of Defense model advocates clearly defined responsibilities over three aspects of risk: risk ownership, risk monitoring, and risk assurance. Functions that own and manage risks are the first line. The various risk control and compliance functions that monitor risks are the second line. The role of internal audit, the third line of defense, is to provide assurance to stakeholders (the board of directors, the audit committee, executives) that compliance risk is being managed at acceptable levels. Finding that "acceptable level", the balance between the potential cost of a risk and the amount of resources spent to mitigate it, is of course part of the challenge.

    Role of Internal Audit 

    Internal audit should determine and prioritize risks to aid in developing the internal audit plan, helping to provide the board and the executive team with assurance related to risk management efforts and other compliance activities.

    Internal audit engages in two types of audit: one that determines whether there is appropriate compliance, and one that determines whether controls are in place to provide reasonable assurance that there is appropriate compliance. Internal audit should focus on the management of compliance risk rather than on an opinion on whether the company is compliant, because it is possible for the company to be in compliance one day and not the next. In addition, internal auditors are experts in processes and controls, not necessarily in all the nuances and complexities of laws and regulations. Internal audit's ability to perform its role can be helped or hindered by the structure in which it functions. The IIA recommends that internal audit report functionally to the board and administratively to the CEO, to help protect internal audit's independence.

    Financial statement and internal control risks, as well as some operational and compliance risks that are likely to materially impact the performance of the enterprise or financial statements

     The Responsibilities of the Board and Audit Committee 

    The board and the audit committee are key stakeholders in the compliance risk function. While organizations may operate differently, the responsibilities of the board should generally include the following:


    Obtain assurance that management is handling compliance risk. Ask to be alerted should there be any significant violations of laws and regulations.


    Ask questions of internal audit, management, and the compliance function about the company's capabilities. Are the right people and the right culture in place? Is there a guarantee that, if problems are identified by employees, they will be reported and action taken? Is there a reasonable level of assurance that the company is compliant with the applicable standards and regulations of its industry?

    Obtain training on compliance.


    The audit committee's compliance risk responsibilities may also vary from one organization to the next, but they should be clearly outlined in the committee's charter. The audit committee may also ask the internal audit department to audit the second line of defense, focusing on significant strategic risks.


    Further, the audit committee and the board should thoroughly review and approve internal audit's plan and ensure it is focused on both appropriate compliance and operational risks, particularly when industry standards may not reflect all the risks to the business.


    How to make an effective compliance risk assessment


    Collect inputs from a cross-functional team.

    Build on what has already been done.

    Establish clear ownership of specific risks and drive toward better transparency.

    Make the assessment actionable.

    Solicit external input when appropriate.

    Use plain language that speaks to a general business audience.

    Periodically repeat the risk assessment.


    The constantly changing regulatory environment increases the exposure of most organizations to compliance risk. This is particularly true for organizations that operate on a global scale. The complexity of the risk landscape and the penalties for noncompliance make it essential for organizations to conduct thorough assessments of their compliance risk exposure. A good ethics and compliance risk assessment includes both a comprehensive framework and a methodology for evaluating and prioritizing risk. With this information, organizations will be able to develop effective mitigation strategies and reduce the likelihood of a major noncompliance event or ethics failure, setting themselves apart in the marketplace from their competitors.
