How Can Internal Audit and Compliance Co-Exist and Coordinate?

Similarities Between Internal vs. Compliance Audits

In many organizations, the Compliance Office and Internal Audit occupy similar space, leading to tension, rivalry, and competition for resources. This raises the concern as to whether they can co-exist peacefully. Matters are further complicated because they share many common characteristics in their work.

Both independently and objectively analyze, review, and evaluate existing procedures and activities to report on conditions and recommend improvements. Compliance Offices focus on operations to ensure that all activities are carried out in accordance with the prevailing regulatory requirements, that appropriate policies and procedures are in place and being followed, and that potential violations of the Code of Conduct, policies, rules, and regulations are addressed.

Similarly, Internal Auditors are generally called upon to examine and evaluate the adequacy and effectiveness of internal controls in meeting established applicable laws, rules, and policies, providing assurance that processes are operating efficiently and economically. How these functions operate varies considerably among organizations, depending on a number of factors, such as the organization’s size and complexity or its defined roles. Frequently, these roles overlap, especially with regards to ongoing auditing of high risk areas to ensure program compliance.

Differences Between Internal vs. Compliance Audits

With all their similarities, there are significant differences as well. Compliance is primarily concerned with regulatory risk and therefore the scope of operations. In comparison, Internal Audit is concerned with all risks to the organization and employs a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes; and furnish analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.

Unlike Compliance Officers that come from a variety of educational backgrounds, Internal Auditing is a profession that is supported by a focused educational discipline, following established standards of the Institute of Internal Audit. The Internal Auditor’s function varies between both financial and non-financial arenas. They are trained to develop an annual audit plan based on enterprise-wide risk assessments that address such areas as financial risk, information technology, operations, and compliance with applicable rules, regulations, and laws.

Blurring Lines Between Internal and Compliance Audits

The growth of the Compliance Office function in health care organizations has further blurred the lines between it and Internal Audit. Whereas in larger organizations there may be a full staff of Internal Auditors performing a wide range of activities that overlap with the compliance officer’s functions, many mid-size organizations will have very limited resources available for internal auditing. In smaller organizations, it is not uncommon to find the Internal Audit function being subsumed under the Compliance Office.

Steve Forman, CPA, a nationally recognized Compliance Program expert who served over ten years as the Vice President for Audit and Compliance for one of the nation’s largest hospital systems, clearly understands and has addressed the often complex interplay and competing roles of internal auditors and compliance officers. He has written extensively on the subject and notes that in his experience, harnessing the two functions will result in more effective results for the Compliance Program and strengthen both offices in the eyes of management and the Board. He states: “It is unfortunate whenever these two critical functions fail to coordinate their efforts and work together, using their respective expertise. I found that coordinating efforts increased significantly the effectiveness of our Compliance Program.” Forman suggests that “the key is developing a better understanding the mission and capabilities of each function in supporting the Compliance Program.” He suggests that the starting point should be developing a protocol document (policy/procedure) that defines each office’s role and how they would work together.