1. Should the internal audit function audit the compliance function?
Yes. Just like any other business unit or function, and no matter how much activity it undertakes, the compliance function should be subject to internal audit. As noted in the first article, the maturity of each head office/oversight/policy-setting function is an important matter and I believe that this is something that internal audit should always have a view on, including the maturity of the compliance function.
The role of the internal auditor here will be to audit the positioning and performance of the compliance function. While performing an effectiveness review of a head office/policy-setting function presents challenges for the capability and experience of many internal audit functions, the review's approach should focus on the principles of:
- organisational design;
- the role of the function;
- the standards to which it operates (methods, processes and tools); and
- the skills of its people and its resources.
These are the same matters that apply when the internal audit function is itself reviewed.
Some issues for boards and audit committees to consider are to:
- take care to strike the right balance so that, as we shall see in the next section, internal audit does not collaborate so closely with the compliance function that its independence is put in jeopardy when it comes to auditing that function. This is particularly the case where the compliance function is recognised to be immature; and
- ensure internal audit has the necessary expertise to audit the compliance function, not just the activity in the business.
2. Can the board get combined assurance from the separate internal audit and compliance functions?
Yes. Internal audit can, in some situations, coordinate with policy-setting/compliance functions to provide assurance by combining audit activity with compliance activity. This involves combining the planning and fieldwork stages of their work and then issuing one report, owned by internal audit, to management. However, a coordinated approach requires maintaining clearly separable accountabilities for the two functions, and internal audit needs to be clear on the rationale it has adopted to determine whether or not it should collaborate with a given policy function.
A coordinated approach has a number of benefits. It can:
- often be welcomed by the business units, where previously there may have been comments about being over-‘audited’ or having multiple ‘audit’ visits to audit the same area;
- lead to a more efficient use of the organisation’s resources; and
- leverage the deeper functional expertise of the policy function, where these skills do not reside in the internal audit function and would otherwise have had to be bought in.
This approach could work well where there are many different policy functions in an organisation, and where those functions have limited resources of their own to conduct monitoring activities.
However, there are some matters that boards and audit committees need to consider before regularly using this approach, such as:
- the need to preserve the independence of the internal audit function which, at some point, will audit the function with which it has collaborated. Independence is often achieved through clear statements of accountability, and on occasion by seeking an external assessment of that compliance function if the collaboration is considered too close;
- it should not be a long-term solution to compensate for a lack of expertise in internal audit; and
- internal audit should, as part of the coordinated process, obtain sufficient evidence including undertaking detailed testing to form its own opinion. The normal risks of self-review should be carefully managed, perhaps using peer review.
3. Should the roles of the internal audit and compliance functions be combined?
Some organisations have recognised that when a growing number of policy functions all undertake monitoring activity, the business can be subject to multiple and uncoordinated visits. In addition, due to the similarity in activity and skills required and the challenge to reduce costs, organisations have sought to combine much of this activity into a single function by merging their compliance and internal audit functions. Such developments have raised the question of maintaining the independence of the internal auditor and whether or not a traditional three lines of defence (3LD) model would be more robust.
I strongly believe that where organisations have sought to have a single reporting line to the board in respect of internal audit and compliance, the overall function should seek to maintain a clear distinction and separation of the functionality of the two activities.
In a number of cases the role of head of internal audit is combined with functional responsibility for other areas of the business. Alternatively, although it might not be seen as good practice, the chief risk officer has been appointed to manage the internal audit function. In either situation internal audit should remain a discrete activity.
It is important to have checks and balances in place overseen by the audit committee to preserve independence and be satisfied that the reporting structure is the most appropriate. A key consideration for the audit committee and the board is that the voice of the head of internal audit is still heard at audit committee and board level, particularly if they report to an intermediary.
Some final thoughts
Although in recent years the concept of the 3LD model has become more popular and has been adopted by many organisations, it is important for directors and senior management to be satisfied that:
- the roles and accountabilities of all ‘separable business units and functions’ are clear;
- they know who provides ‘accountability’, ‘oversight’, ‘assurance’ and ‘independent assurance’; and
- they have a view on whether it is the most appropriate allocation.
Audit committees should be aware of the different scenarios that might exist and understand which model has been adopted by their organisation. A key to success is having a common language of control within the organisation, which lessens the risk of confusion or misplaced assurance and increases the clarity of functional accountabilities. There should also be clarity on the objectivity of the audited or assured information from line management, central functions, other policy owners and internal audit. What some people call ‘audit’ or ‘assurance’ can be misinterpreted depending on its source. There is assurance from the management but only independent assurance from internal audit.
Internal audit should audit the compliance function on a regular basis. It is acceptable for the separate functions of internal audit and compliance to collaborate more closely on some assignments so that knowledgeable resources are used efficiently, albeit this must be done in a disciplined way and in a way that can be described explicitly to the audit committee. Where organisations have sought to have a single reporting line to the board in respect of internal audit and compliance, they must seek to maintain a clear separation of the respective activities of the two functions to ensure the independence of internal audit.
Finally, whatever model an organisation adopts, be it the 3LD model or an alternative, and/or whatever types of assurance it receives, ultimately it is for the board and the audit committee to understand what they are relying upon. As with business risks, there is not necessarily a right or wrong answer, just informed choices.
Mark Stock is a Partner in PwC and was previously Group Audit Director at Vodafone plc
Non-Executive Directors Group, September 2012