The line between internal audit and compliance may seem blurred at times, but they are quite different functions. Let me explain the difference between internal audit and compliance with an example.
An example of a compliance review might be to check whether the organization’s systems comply with the company’s IT security policies. This can be done by having IT systems security teams complete security questionnaires. These questionnaires are typically designed for teams to provide feedback on their system compliance and demonstrate at a high level how they achieve compliance.
An audit around the same process would include a thorough examination of the system to determine whether IT security parameters are set according to company policy. The goal of audits is to independently determine whether systems are secure, not just based on what IT security teams say they are. So, in this case, after IT security teams answer questions about how they achieve compliance, internal auditors confirm that compliance was indeed achieved. There is a famous saying in internal audit: “trust but verify”.
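To make the questionnaire-versus-audit distinction concrete, here is an added example (not from the article) of the audit step in code: a policy baseline, the system team's self-attested questionnaire answers, and a parsed configuration dump are compared control by control, and any control where the attestation disagrees with the observed setting is flagged for follow-up. The policy controls, questionnaire answers and configuration text are all constructed sample data, and the `key = value` export format is a hypothetical one chosen for the example.

```python
"""Added example (not part of the article): independent verification of
self-attested IT security settings against a written policy baseline.

The compliance questionnaire records what a system team *says* about each
control; the audit step parses the system's actual configuration and checks
every control against the policy. Findings highlight where attestation and
observed state disagree. All inputs below are constructed sample data."""

import re
from dataclasses import dataclass

# Constructed policy baseline: control id -> (config key, operator, required value).
POLICY = {
    "PW-01": ("password_min_length", ">=", 14),
    "SESS-02": ("session_timeout_minutes", "<=", 15),
    "SSH-03": ("permit_root_login", "==", "no"),
    "LOG-04": ("audit_logging", "==", "enabled"),
}

# Constructed questionnaire: what the system team self-attested for each control.
QUESTIONNAIRE = {
    "PW-01": "compliant",
    "SESS-02": "compliant",
    "SSH-03": "compliant",
    "LOG-04": "non-compliant",
}

# Constructed configuration dump in a hypothetical "key = value" export format.
OBSERVED_CONFIG_TEXT = """
# hypothetical hardening settings exported from the system
password_min_length = 14
session_timeout_minutes = 30
permit_root_login = no
audit_logging = enabled
"""


@dataclass
class Finding:
    control: str
    attested: str
    observed_compliant: bool
    observed_value: object

    @property
    def attestation_mismatch(self) -> bool:
        # True when the questionnaire answer and the observed state disagree
        return (self.attested == "compliant") != self.observed_compliant


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; ignore comments and blanks; cast integers."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        config[key] = int(value) if value.isdigit() else value
    return config


def control_satisfied(value, op: str, required) -> bool:
    """Evaluate one control against the policy; a missing setting never passes."""
    if value is None:
        return False
    ops = {">=": lambda a, b: a >= b,
           "<=": lambda a, b: a <= b,
           "==": lambda a, b: a == b}
    return ops[op](value, required)


def audit(policy: dict, questionnaire: dict, config_text: str) -> list:
    """Check every policy control against the observed config; return findings."""
    config = parse_config(config_text)
    findings = []
    for control, (key, op, required) in policy.items():
        value = config.get(key)
        findings.append(Finding(
            control=control,
            attested=questionnaire.get(control, "not answered"),
            observed_compliant=control_satisfied(value, op, required),
            observed_value=value,
        ))
    return findings


def attestation_mismatches(findings: list) -> list:
    """Controls where the questionnaire answer disagrees with observed state."""
    return [f.control for f in findings if f.attestation_mismatch]


if __name__ == "__main__":
    results = audit(POLICY, QUESTIONNAIRE, OBSERVED_CONFIG_TEXT)
    for f in results:
        flag = "MISMATCH" if f.attestation_mismatch else "ok"
        print(f"{f.control}: attested={f.attested}, observed={f.observed_value}, "
              f"compliant={f.observed_compliant} [{flag}]")
    print("attestation mismatches:", attestation_mismatches(results))
```

With the sample data, `SESS-02` is attested compliant but the observed timeout of 30 minutes exceeds the 15-minute policy maximum, and `LOG-04` is attested non-compliant although logging is actually enabled; both are reported as mismatches. A missing setting is treated as a failure rather than a pass, so a control that the export does not cover is surfaced for review rather than silently accepted.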
Audits may uncover deficiencies in certain compliance controls. For example, an internal audit review of gifts, meals and hospitality expenses may uncover deficiencies in compliance with relevant controls. The Compliance Department and the Internal Auditor will share an interest in remediating these deficiencies and ensuring that such remediation is completed by a specified date.
Internal auditors can review third-party intermediaries who work with company offices and ensure that due diligence procedures are followed, a written contract is executed, and payments to third parties are properly authorized. Such reviews are important to ensure third-party risks are mitigated.
These are just examples where compliance departments and internal auditors have common interests. There are many other issues and topics where compliance departments and internal auditors have common interests and objectives.
An effective ethics and compliance program typically includes a strong relationship between the compliance department and key stakeholders, particularly internal auditors.