In the most recent issue of The IIA Tone at the Top periodical, the topic of the ever increasing amount of time the board and audit committees spend on compliance oriented issues is examined. The authors noted “5 steps” the board and/or the audit committee can take to “tame the beast” which from my vantage point and experience these “steps” range from the very practical to “hmmm, not quite sure about that one”. Here is a link to the periodical:
https://na.theiia.org/periodicals/Public%20Documents/TaT_August_September_2014.pdf
Step 1 – Keep compliance in perspective is a bit odd to me because if the CAE and the board don’t understand what the top residual risks are at all times coupled with the top compliance risks are at all times something is terribly wrong from an overall governance perspective. Secondly, if the board and/or the audit committee spend too much time focusing on items that pose much less risk to the organization there is a fundamental problem that must be addressed quickly! And if the board and/or audit committee don’t understand how much time to spend on both topics either on their own or in a formal committee meeting, again, there is a fundamental issue that needs to be addressed.
Step 2 – Enlist other committees – makes sense given the velocity of risk, e.g. compliance and reputational risks given the current business environment particularly with the alarmingly high number of credit card related security breaches that seem to be in the news every week. In my opinion, the average board member and/or audit committee member does not understand some risks well enough such as cybersecurity which is a great example of how a board could or in most cases probably should enlist other committees to assist or a more effective approach may be for the board to enlist the assistance of a 3rd party to work with them on cybersecurity issues. See the attached report just issued by the IIARF on the board’s role on cybersecurity:
Step 3 – Appoint a Chief Compliance officer – in my opinion, this one fits in the huh? category. While I understand completely why highly regulated companies may want to employ such a resource such as in the FI and Healthcare industry and companies with significant global operations may want to do the same, the average company will say wait a minute, by leveraging the 3 Lines of Defense model, coupled with a strong internal audit function (the 3rd line of defense) can’t the organization properly manage compliance risks across the business enterprise? Absolutely!
Step 4 – Ensure a unified, coordinated approach – agree 100%. Yet I find some companies struggle with this when compliance and internal audit are completely segregated and where both functions are just not on the same page and are allowed by the board and senior management to carry on this dysfunctional behavior.
Step 5 – Ask the right questions – Agree 100% and I am sure more could be added!
When I answered the two polling questions of “How confident are you that your organization is effectively balancing compliance demands with other strategic risks?” and “Over the next 3 years, do you expect the level of resources needed by internal audit to address compliance demands to increase, decrease or remain the same?”, not surprisingly, the results for question 1 showed that 65.5% of the respondents answers ranged from moderately confident to slightly confident and the results for question 2 showed that 67.6% of the respondents noted that internal audit will have to increase headcount to better address compliance risks.