IIA: Auditing for compliance

25 September 2013

The Compliance function plays a second line of defence role within corporate governance, but it also has a place in the first line of defence for its own activities with ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

As part of the overall risk assessment of an organisation internal audit should include compliance risk within their audit plan. 

To assist with an audit of compliance here are some top tips.

• Confirm that responsibility for oversight and stewardship of the corporate compliance programme has been allocated to a chief compliance officer/senior officer level that reports into the executive team.
• Ensure that there is an adequate internal staffing team and/or access to external resources with sufficient knowledge and experience of regulatory compliance.
• Confirm that there is support from executive management with clear and direct access to the board.
• Ensure that there is a corporate compliance committee in place.
• Obtain the most up-to-date compliance standards, policies and procedures to confirm existence, level of detail/clarity, review dates and ensure that they have been authorised by senior executives.
• Establish accessibility and communication of compliance standards, policies, and procedures to all employees and other company representatives such as consultants and sub-contractors.
• Ensure that training programmes are in place to ensure that employees and other company representatives are aware of their compliance responsibilities.
• Talk to employees and other company representatives to ensure that they are clear about their individual responsibilities.
• Understand the systems and processes in place for issuing updates and revisions of guidance to ensure it is well communicated.
• Identify and review monitoring and auditing systems are in place to detect intentional or unintentional regulatory non-compliance by employees and other company representatives.
• Confirm and review the maintenance and publication of a whistleblower phone line and e-mail account to enable confidential reporting of potential regulatory breaches without fear of reprisal.
• Confirm that enforcement of compliance standards, policies, and procedures is through appropriate, consistent disciplinary procedures.
• Ensure that where breaches have been identified all reasonable steps are taken to prevent future similar occurrences, including review of controls and making any appropriate changes to the compliance programme.

Press release

© IIA - The Institute of Internal Auditors