The Compliance Officer (“CO”) and Internal Auditor (“IA”) have much in common in their missions. Both work to ensure organizational compliance with all applicable laws, regulations, standards, policies and procedures, and the Code of Conduct, and both address high-risk areas. Their work is to be done in an independent and objective manner. Both should have unrestricted access to the company’s records, documents, property, and personnel, and the authority to discuss initiatives, policies, and procedures regarding risk assessment, internal controls, and compliance. However, these similarities can sometimes cause confusion and tension. The growth of the CO function over the last few years has, in many organizations, blurred the line between it and IA and increased competition between the two for resources and for management’s attention. In resolving these issues, many organizations consider (a) eliminating or outsourcing the IA function; (b) merging the two functions; or (c) forging better cooperation and coordination of effort.
Compliance Officer Function
The DHHS Office of Inspector General (OIG), in its compliance guidance, states that the CO’s primary responsibilities should include assisting in establishing methods to improve efficiency and quality of service and to reduce vulnerability to fraud, abuse and waste, through ongoing compliance monitoring by program managers and ongoing audits of the effectiveness of those efforts.
Internal Auditor Function
The IA function varies with a number of factors, including the size and complexity of the organization. It employs a systematic, consistent, standards-based, disciplined approach to its work, and brings expertise and understanding to the systems of internal controls that protect against the impact of non-compliance. The Institute of Internal Auditors (“IIA”) establishes standards for the function that are broad in scope, in that they can be applied to both financial and non-financial arenas. The larger the organization, the more likely it is to have a robust IA function; conversely, the smaller the entity, the less visible the function will be, and in very small organizations it may disappear entirely.
Elimination or Outsourcing of the IA Function
There is no option to eliminate the CO function; the same cannot be said of IA. Many smaller organizations are deciding to either eliminate or outsource IA. The IA function, unlike the external auditor, does not render financial opinions, and its work is primarily focused on non-financial operational audits. For that reason, many organizations look to either eliminate or outsource it.
Merging of Functions
There are problems, not necessarily insurmountable, with merging the two functions. First, there is a general attitude (often misplaced) that auditors are only interested in finding problems, and they are therefore viewed as a threat to both management and employees. This attitude arises in part from the IA’s focus on documents, operations, and controls rather than on people. Overcoming this stereotype can be a real challenge for the IA. By contrast, the CO is supposed to be neutral toward both management and the work force. A major expectation for the CO is to serve as a communication bridge from employees to management, so the CO must build trust with both. The OIG views an open line of communication between the compliance officer and staff as critical to the successful implementation of a compliance program and to reducing the potential for fraud, abuse and waste; accordingly, the CO function manages the hotline and other channels of communication. So there is the problem of who gets merged into whom: the tone and direction of the merged function will in large part be dictated by which function is on top.
CO and IA Cooperation and Coordination of Effort
Economies of scale may be best achieved by having the CO and IA functions cooperate, coordinate and complement each other in identifying and addressing compliance high-risk areas. Appropriate ongoing auditing of high-risk areas is a large part of the mission of both functions, and includes determining whether managers are meeting their obligations for ongoing monitoring of compliance with applicable rules, regulations, and laws. It is necessary to verify that monitoring is being done properly and to validate that the controls are effective in achieving the desired outcomes. This involves ongoing auditing that needs to be independent of program operations; it is left to the organization to decide how this is to be done, and by whom. Both the CO and IA can participate in this effort, as can other program managers, external auditors, and consultants, or any combination thereof. IA can also support the compliance function in a consulting capacity by sharing its understanding of why internal controls are necessary and how they are supposed to work, and can provide valuable advice to help operating managers strengthen their own internal compliance controls and verify that those controls are working as intended.
If the CO and IA are to coexist, it is advisable for them to develop a coordinated annual audit plan based on an enterprise-wide risk assessment that addresses such areas as compliance with applicable rules, regulations and laws.
Richard P. Kusserow served as the DHHS Inspector General for over eleven years. He is the author of nine books related to compliance and is the founder and CEO of Strategic Management, a firm providing specialized compliance advisory services to over 2,500 clients. The firm’s services include providing Interim/Designated Compliance and Internal Audit Officers. For more information, contact him at email@example.com.
Copyright © 2013 Strategic Management Services, LLC. Published with permission.