For a few years now, a new species has been making a nuisance of itself within companies... call us the compliance departments or, in smaller companies, the lone crusaders that are compliance officers. We started to emerge in the wake of various scandals, which we don't have to list here (any longer). Unfortunately, we have been in an unintentional conflict ever since. Loved by almost no one, we are nevertheless pleased when we receive support from our colleagues, and we still only want what is best for the company and the protection of its interests. Jenny Schmigale, in her position as Group Compliance Officer at Scandlines Germany GmbH, explains why compliance does not want to be an enemy at all.
Compliance wants to ensure adherence to laws and regulations within the company. Based on an analysis of compliance risks, relevant risk-minimizing measures such as guidelines and processes are derived and deployed within the company via appropriate communication and training. Furthermore, regular reviews are conducted to check whether these guidelines and instructions are being adhered to and whether the members of the company are conducting themselves in a legally compliant manner. This also includes the investigation of incidents which, for example, are reported to the Compliance Department via a whistleblower system. Together, all these elements form the "Compliance Management System".
Of course, we cannot carry out all these activities on our own with regard to all the legal or regulatory requirements that apply within an organization. We can only "animate" the system and rely on everyone else to take part. Because neither the function nor the job description has been around for that long, compliance structures within companies still differ very widely.
Unfortunately, there are many functions in companies that were not happy about the arrival of the compliance departments, including functions that should actually be our friends, such as risk management or internal auditing. Instead of rejoicing over colleagues with the same objectives and proactively passing on methods they have already developed, there is an ongoing struggle and wrangling over power.
Let us take a look at the position of the once much-valued auditors today. As recently described in a blog article published here, about 11% of them don't like it at all that another department should suddenly come up with the idea of carrying out audits, when this is after all something that should remain reserved exclusively for them. In addition, a further 30% at least subliminally admit to having doubts as to whether the second line is truly independent.
In terms of compliance and audits, this leads to two conflicting situations: There are the regular audits that we, Compliance Management, carry out to ensure adherence to our rules, processes and controls. In addition, if there is an indication of a violation of these very rules, processes and controls, it may be necessary to conduct investigations within the company. Such information can be received, for example, through the whistleblower system established by the company.
Of course, depending on their mandate, auditors may well be entitled to check everything in the company. This means that they can also check adherence to the compliance rules, processes and controls. They can even check whether these elements themselves are appropriate and effective from their standpoint. The extent to which the audit department carries out compliance investigations in the company depends on many things, and in particular on its mandate. This type of investigation can thus be carried out by the compliance department itself, by the audit department, or by external experts. Ideally, the compliance department has the mandate and can decide who will provide it with support, depending on the case in hand and the specialist knowledge required. Many companies have not clearly defined responsibilities in this area, which leads to frustration for all involved. It would also be conceivable, for example, to have a purely preventive compliance department that hands over all responsibility for audits and investigations. Under certain circumstances, employees may then be even more willing to address grievances. There could be many possible solutions...
The bad thing about this wrangling is that both functions lose acceptance within the company as a result. Other departments simply do not understand the problem. After all, both functions are part of the "control and monitoring functions" and "get on people's nerves" on a regular basis, asking the same or similar questions and, to top it all off, sometimes checking the same facts again and again – perhaps only a couple of weeks apart. We need to work together better on this, at the very least to coordinate the audit plans and use the same terminology. Often we also need to obtain the same information (e.g. on the status of certain projects in the company). Why can't we exchange this information or make joint appointments with the departments so that they don't have to explain everything to us twice or three times over?
Compliance Management is confronted with the accusation that, as a second line of defense function, it lacks independence. For one, it is simply not true that Compliance Management lacks a certain independence from the first line of defense. And secondly, it does not claim at all to want to remain above scrutiny in the audits performed by the audit department – on the contrary, the independent and objective view this provides as to how the rules themselves are designed is very welcome. In this respect, there should be more rather than less control of these specific processes and controls, if indeed any such controls exist at all. It is undoubtedly a matter of concern to those in compliance that the internal audit department does not audit their area more regularly, since it is one that often requires regular monitoring. It is only by means of such audits that Compliance Management itself can continuously adapt and improve its Compliance Management System.
In addition, both Compliance and Internal Audit have recently found themselves confronted with new requirements and this is something they could help each other with. As it is for internal auditing, digitization is also an important topic for compliance. Topics like Continuous Audit are relevant issues for both sides – so why not work on them together? Does Internal Audit really want to have to act upon every "indication"/report that comes through the system?
Ultimately, there is one more thing that may be worth noting: Compliance management is an area that requires a very diverse skillset, from understanding legal texts and the like, to skills in risk management and training, to auditing and investigative skills, to name but a few. Small compliance departments in particular, or what are frequently "one-man/woman" shows, will rarely be able to cover all these areas themselves. It is, however, in our interest to establish a functioning Compliance Management System that covers all important elements. If other functions in the company already cover, or would be able to cover, certain tasks in a certain form or with certain methods, then in principle nobody should have anything against it. It would just be nice if we could talk things over briefly beforehand and coordinate our approach. Ultimately, as people who work in Compliance, we are colleagues who are very good at mediating and taking on board other people's points of view.
So, dear colleagues from the audit department, why don't we just sit down around the table together? We could simply discuss who has the better competence and/or methodology to conduct investigations and audits in our particular individual cases, or how we can help each other more effectively. Alternatively, we could work on a common terminology or methodology, or at least coordinate our audit plans so that the operational departments do not feel overrun by both of us exercising our "control and monitoring functions" at the same time. Ultimately, we both want to achieve the same thing: to provide our management with the assurance that the risks in a defined area of responsibility are "under control".
References:
IIA Position Paper: "The Three Lines of Defense in Effective Risk Management and Control", January 2013, https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf (accessed 10.02.2019)
DIIR – Deutsches Institut für Interne Revision e. V., drafted by the Working Group "Interne Revision in der Versicherungswirtschaft" [Internal Audit in the Insurance Industry]: "Zusammenarbeit der Internen Revision mit Risikocontrolling und Compliance" [Cooperation between Internal Audit and Risk Management and Compliance], DIIR-Schriftenreihe 43, Berlin: Erich Schmidt Verlag GmbH & Co. KG, 2010.
Deloitte, "The Future of Compliance": https://www2.deloitte.com/de/de/pages/audit/articles/future-of-compliance.html