It can be embarrassing—not to mention costly—for a company to find out from a regulatory agency or external auditing firm that it has a regulatory compliance problem. Not only can the company incur penalties in the present, but it will likely need to work much harder in the future to fix the compliance breach than if the issue had been discovered earlier.
That’s why companies perform periodic internal audits on their compliance risk management programs. This doesn’t just help companies catch and fix compliance deficiencies before they’re pointed out by external groups. It also helps them assess current compliance policies and brainstorm how they could be improved to increase efficiency, reduce risk, and so on.
To help companies avoid gaps in security and penalties associated with non-compliance, this article will cover how a company can conduct an internal audit on its regulatory compliance operations.
We’ll start with a basic overview of what an internal audit is, and why it’s done.
An internal audit is a risk management practice in which specialized employees are hired by a business to evaluate the effectiveness of its internal controls. These include controls on the company’s accounting procedures, as well as the company’s corporate governance system (i.e. chain of command).
The main purpose of an internal audit is to check that a company’s risk management policies and procedures are both up to standard and working as intended. That includes the timely collection of data for any sort of reporting—including financial—required from the company by regulatory agencies and/or the law.
There are two main benefits to this. The first is that it helps to ensure the company is complying with any applicable legal and regulatory obligations. The second is that it helps management improve the company’s operational efficiency by identifying and correcting problems internally before they must be pointed out by external auditors.
The main differences between internal and external audits are who they are performed for, and thus which standards they typically follow. Internal audits are done by a company for the benefit of its management. Thus, they are typically informal and result in freer input from employees.
External audits, meanwhile, are done by independent professionals or businesses for the sake of outside organizations and stakeholders. So they tend to be much more formal and follow a narrower scope, adhering to standards set by regulators as opposed to companies themselves.
- Internal Audit: Performed by specialized employees inside a company to help management improve risk management and operational efficiency.
- External Audit: Performed by independent individuals or firms on companies to satisfy reporting requirements, allow company stakeholders to make informed investment decisions, or for other purposes external to the company itself.
There are certain other differences as well. For example, in an internal audit, the company can usually pick which employees it wants on the auditing team. This can be helpful if the company wants to audit specific teams or departments, and needs employees on the auditing team who deeply understand the related roles and responsibilities.
In contrast, a company can often choose which external auditing firm to work with but rarely has much control over which employees the firm assigns to audit that company.
Another difference is that, since external audits are performed according to regulatory standards, they sometimes require team members to have specific roles or licenses (such as a certified professional accountant for financial audits). Internal audits, on the other hand, are less formal and usually don’t have these requirements.
Internal audits often follow a framework known as the “5 Cs”. This outlines sets of information that a thorough audit report should contain, in order for it to give the necessary direction that management is looking for.
We’ll explain what each “C” stands for, as well as how it relates specifically to an audit for a compliance and risk management program.
1. Criteria
Criteria refers to why the audit was necessary. It should address who asked for the audit to be performed, as well as their justification for doing so. For example, they may have identified a specific issue (or group of issues) that must be investigated. Or the company may have a mandatory external audit coming up, and they are looking to identify and fix potential problems ahead of time.
In terms of compliance, a business may notice an increase in suspicious customer activities in certain areas, or accounting numbers that just don’t seem to add up. Or a previous external audit may have identified some other area of concern that the company was urged to look into. Companies also often perform periodic audits, even when there are no specific issues that need addressing, to catch potential problems before they become non-compliance risks.
2. Condition
Condition refers to how each identified issue relates to any of the company’s objectives or standards. This could be related to following outlined procedures, hitting certain targets, completing required tasks, and so on. It also includes assessments on whether each issue in fact deviates enough from an associated goal or rule to pose a problem.
Some compliance requirements are fairly cut and dried. Others are left for companies to decide how to accomplish, as long as no rules are broken. Still, companies should have clear compliance processes that outline not only what is to be done, but also why it must be done (i.e. what rule or law the action is meant to comply with). This makes it much more straightforward to evaluate whether compliance obligations are being met or not.
3. Cause
If an issue is judged to indeed be problematic because it’s not adhering to a company benchmark or policy, the next question the business needs to ask is why this deficiency happened. That includes who was involved in the processes, what was (or wasn’t) done, and how the error or lapse could have been avoided.
Again, a company should have an unambiguous risk management and compliance policy so it’s simple to tell what exactly went wrong. Sometimes it’s a matter of employees not being properly trained: they forgot to follow protocol or didn’t know how to handle a specific situation.
In rare cases, it may even be an employee intentionally ignoring procedures for personal gain. In other situations, there may be an issue with the policy itself not being clear or effective enough.
4. Consequence
It’s also important for an audit to consider the nature of the problem each issue is causing. A problem may affect only a small part of the company, or it could affect multiple teams, departments, or other facets. Sometimes a problem will only have repercussions inside the company, while other times it can open the company up to external threats.
Regulatory non-compliance can have a variety of consequences for a business. Some of the most obvious ones are penalties from regulatory agencies, including fines, stricter supervision, license suspension, and even jail time for certain employees.
But non-compliance can also open a business up to other threats. These include internal fraud or data leaks; external data breaches and other cyberattacks; service disruptions; civil or criminal legal liability; and losing customer trust.
5. Corrective Action
Finally, an audit should offer ways to fix any identified problems. Solutions should be laid out in clear, practical steps that managers and other employees can take. Each one should also include a follow-up monitoring or review plan to determine if the corrective action is having the intended effect.
For regulatory compliance, correction can involve a number of different remedies. One might be researching new or updated regulations, and revising the company’s current policies to meet them. Another might be bringing in more Regtech tools to automate compliance tasks while limiting the risk of human error. Another may be implementing periodic refresher training and/or modifying new employee training programs to cover more thoroughly the regulations that previously weren’t being followed.
A company may have management work more closely with front-line employees for a time, in order to provide guidance on closely following policies that were revised or weren’t tightly adhered to. Certain employees may be subjected to stricter supervision, or to other disciplinary measures, if it’s believed that they were deliberately and maliciously ignoring compliance protocols.
An internal audit of a company’s compliance and risk management programs consists of a number of general steps. Here’s a quick outline of what needs to be done.
1. Establish the criteria for the audit
The first question to ask when preparing an internal audit is: why is this necessary?
For example, the company may have a mandatory external audit coming up and wants to proactively address compliance issues before a third party points them out. Or an employee may have reported a deficiency or oddity that’s worth looking into. Or another stakeholder may have requested the audit for some other reason.
Knowing why the audit was requested can help define its scope, down to the specific functions and activities that require review. This will help planning and conducting it go much more smoothly.
2. Plan and develop an audit program
Once a company has pinned down why it wants to conduct an internal audit, it next has to determine what (in particular) it wants to audit. Is there a specific department that needs to be looked at, or does the entire compliance team need to be reviewed? Which internal controls are involved? Which policies, laws, or regulations will the audit evaluate? What is the audit’s objective—improved efficiency, reduced risk, tighter compliance, or a combination of those?
This is also when an auditing team should design any fieldwork tests it wants to conduct during the audit, as these may require approval or input from management.
3. Determine how frequently audits need to be conducted
Things change over time, both within a company itself and in the external regulatory environment. So a company should schedule regular internal audits for its compliance program.
This helps it keep on top of potential compliance issues before they become problems that get pointed out by third-party compliance and risk management auditors. It’s also important for a company to periodically review (and, if necessary, modify) its auditing programs’ procedures to account for how regulations may have changed since the previous audit.
4. Teach departments about audit requirements
Usually, departments should be notified well in advance of an upcoming audit. They should also be informed of what information and documentation will be required for the audit. This helps them be prepared for the date the audit is actually conducted.
The main exception to this is if the audit’s purpose is to investigate deliberate illegal or unethical conduct by an employee or employees. Then, obviously, it’s more prudent not to provide advance notice of an audit, in order to avoid giving a potential offender an opportunity to cover up their wrongdoing.
5. Perform field work and interview team members
The audit itself consists of two main components. The first is interviewing employees in the teams being audited. Auditors should have employees explain what they do and why they do it that way, and then compare their descriptions to the company’s official policies on file. This allows for gauging employee competence and determining if (and what) refresher or additional training is needed.
The second part tests internal controls and business procedures to see if their outcomes meet company goals or expectations. For example, at a financial institution, auditors may want to set up a mock phishing scam or money laundering scheme to see if procedures are adequate—and if employees know how to follow them—in order to properly resolve the situation.
6. Record results and report findings
The auditing team should record both employee testimony and trial results, making note of where they deviate from official policy or company expectations. These should then be synthesized into a summary report for senior management to review. The idea is for managers to be made aware of non-compliance risks so they can develop strategies for remedying them.
7. Implement recommended corrective actions
The report should also include suggestions for fixing any compliance problems it identifies. Based on these recommendations, senior management should develop specific and practical action plans to improve areas of the company where compliance is insufficient.
8. Audit the audit
Finally, internal auditors should also note how easy it was for them to conduct the audit, and any obstacles they ran into. This can inform management of how thorough and objective the auditing team’s findings and recommendations are. Problems here may indicate that certain teams or departments need to be better prepared for audits or to conduct themselves differently.
These are facets that will likely be addressed by third-party risk management and compliance auditors. They will be trying to evaluate how much independence an internal auditing team has from the rest of the company’s operations.
Make Use of Unit21’s Tools to Plug Holes in Your Compliance Risk Management Program
As we mentioned, Regtech solutions can often provide convenient fixes to any gaps an auditing team identifies in a company’s regulatory compliance regime. For example, Unit21’s Transaction Monitoring tool allows for broad activity data analysis to more accurately identify threats. And our Case Management system allows for in-depth visual data analysis and automated report filing so suspicious activity investigations are completed promptly.
To learn more about these products, contact us for a demo today.