Internal auditors play a crucial role in understanding and ensuring regulatory compliance. While some may view regulatory compliance as a lesser risk to address out of obligation, in fact, it’s a critical element of the risk and control environment for the organization and all stakeholders. Regulatory compliance refers to the adherence to laws, regulations, guidelines, and specifications from an authoritative body relevant to an organization's operations. Violations of regulatory compliance can lead to legal penalties, damaged reputations, and operational disruption. However, it's important to note that many regulations are designed to ensure controls are in place to mitigate common risks. This article provides internal auditors with a comprehensive understanding of regulatory compliance, the risks associated with non-compliance, and the approaches to auditing controls related to regulatory compliance.
Internal audit’s role in a robust compliance framework
Importance of regulatory compliance
Understanding the importance of regulatory compliance necessitates a deep dive into the risks that regulations are designed to mitigate. Most regulations are born out of a need to protect a specific group. For instance, the SOX Act was enacted to shield corporate stakeholders from fraudulent financial reporting following the collapse of several large public companies. In this instance, the regulation aimed to safeguard the company's shareholders, employees, and customers. By ensuring uniform compliance with the regulation, the act also fosters fair competition in the market, preventing any company from gaining an unfair advantage by sidestepping compliance and ensuring the protection of every group the regulation was intended to cover.
Regulators can assess fines and take legal action against organizations for non-compliance, serving as a stark reminder of the consequences of negligence. These consequences act as a motivator to push organizations to take the regulation seriously. The extent of the consequence often indicates how critical the regulator views the regulation. In the SOX example, non-compliance can lead to jail time for a corporation's CEO and CFO, underscoring the seriousness of regulatory compliance.
Key elements of regulatory compliance
Internal auditors can divide regulatory compliance into three key elements: laws and regulations, standards and guidelines, and policies and procedures.
Laws and regulations: When discussing regulatory compliance, we generally think about laws, but the scope also includes similar requirements from authoritative sources. Laws are formal legal requirements enacted by the government that everyone must follow, while regulations and rules are more detailed guidelines that supplement a law. For example, in the US, the Securities and Exchange Commission's (SEC) climate disclosure rule requires registrants to include climate-related risks in their annual reports and registration statements, which supports the Securities Act of 1933 (i.e., a law) requiring "complete and truthful disclosure" to stakeholders.
Standards and guidelines: Industry-specific standards and guidelines often complement legal regulations. Professional bodies or industry associations usually develop standards to interpret laws and regulations in a way that is specific to smaller audiences. As an example, public accountants follow Generally Accepted Accounting Principles (GAAP), which are a set of accounting standards that US companies and accountants must follow when preparing financial statements. Just like those of us in internal audit, we follow our profession's Global Internal Audit Standards. While individuals outside of accounting and audit professions may never interact with these standards, they are vital to the accounting practice.
Policies and procedures: Organizations then develop internal policies and procedures to ensure compliance with laws and regulations supporting applicable standards and guidelines. Policies are typically definitive statements on how an organization intends to act, while procedures are detailed process guides for people to follow. Internal controls are examples of processes designed to mitigate the risk of regulatory non-compliance.
Common examples of regulatory compliance
Regulatory compliance ensures organizations operate within the boundaries of governmental and industry-specific regulations. The regulations cover various issues, including financial practices, data protection, environmental standards, labor laws, and many others. Regulatory bodies establish these rules to protect consumers, ensure fair business practices, and maintain market integrity. Depending on an organization's location, size, and industry, internal auditors may need to audit compliance with different sets of regulations.
Globally, many governments are establishing privacy laws to protect individuals and organizations. For example, the General Data Protection Regulation (GDPR) sets stringent data protection standards for organizations handling personal data in Europe and for any organization handling information gathered from Europeans. Depending on your region and industry, other Consumer Data Privacy Laws will likely impact your audit plan.
As new risks emerge, governments enact laws in an effort to protect stakeholders. Recent examples include efforts to control AI, such as the EU Artificial Intelligence Act (AI Act). According to the European Council, the law is designed to "foster the development and uptake of safe and trustworthy AI systems across the EU's single market by both private and public actors. At the same time, it aims to ensure respect of fundamental rights of EU citizens and stimulate investment and innovation on artificial intelligence in Europe." Additional AI-related laws are likely to follow from other regions.
Some regulations are specific to certain industries. For example, financial institutions must comply with a host of banking regulations. These regulations are far-reaching and extend to other organizations and companies. Major retailers, for instance, will often offer credit cards to customers. The retailers will need to abide by a variety of banking regulations related to lending. Similarly, healthcare providers must adhere to the Health Insurance Portability and Accountability Act (HIPAA) to protect individual health records. The same requirements apply to any organization handling medical information, such as software companies that house those records. A data breach from that software could also represent a HIPAA violation.
Finally, as mentioned earlier, public companies in the US are required to follow the Sarbanes-Oxley Act (SOX). Similar regulations exist in other regions, such as UK SOX (UK), C-SOX (Canada), and J-SOX (Japan). SOX regulations have led to intense scrutiny over business processes and IT processes related to financial transactions and data flows that impact financial reporting.
Click below to view a demo of TeamMate+ Audit
Durée: 2 minutes, 54 secondes
Mitigating regulatory compliance risk
To mitigate regulatory risk, organizations must first identify the specific compliance risks they face. The evaluation involves understanding all applicable regulations based on the region and industry's laws, regulations, and standards. The organization's general counsel and legal team should be a primary source for starting the conversation about applicable regulations. The internal audit team should also conduct a comprehensive risk assessment to identify areas where the organization may be vulnerable to non-compliance.
Regulatory compliance programs
The organization should implement a robust compliance program to mitigate regulatory compliance risks. Key components of an effective compliance program include:
- Governance structure: Establishing a governance structure with clear roles and responsibilities for compliance. The structure could include appointing a Chief Compliance Officer (CCO), forming a compliance committee, and working with internal audit to establish a review process.
- Policies and procedures: Developing and documenting policies and procedures that align with regulatory requirements. The documents should be accessible to all employees and regularly updated.
- Training and awareness: Conduct regular training sessions to ensure employees understand compliance requirements and their role in maintaining compliance.
- Monitoring and reporting: Implementing systems to monitor compliance activities and report any issues. Monitoring includes regular internal and external audits and reporting mechanisms for employees to raise concerns.
- Third-party management: Ensuring third-party vendors and partners comply with relevant regulations. Third-party management may involve conducting due diligence, regular assessments, and including compliance clauses in contracts.
All elements of the program work together to ensure compliance with regulatory requirements.
Leveraging technology in regulatory compliance
Like other risks, regulatory compliance can leverage technology to significantly enhance an organization's compliance efforts. Some compliance management systems are designed to manage a specific regulation or aspect of compliance, while other software solutions manage and track compliance activities, required documentation, internal audit activities, and issue reporting. For example, a healthcare organization may rely on software to track the location from which employees access patient records to ensure no HIPAA violations occur by accessing personal information from outside the US. Data analytics can be used to identify trends, detect anomalies, and predict potential compliance issues. This type of software should send automated alerts to the IT Security team or even take action to shut the access down.
Regular review and improvement
Meeting regulatory compliance requirements is an ongoing process that requires continuous review and improvement. The compliance program should include a mechanism for staying current on new and changing regulations. The updates should then be sent to all internal parties within the compliance workflow, including internal audit. The regulatory compliance program would then be subjected to both internal and external audits to assess compliance status and identify areas for improvement. Whenever applicable, the entire organization should be aware of new and changing regulations through training and awareness activities to foster a culture of compliance.
Auditing controls related to regulatory compliance
Auditors must thoroughly understand the regulatory environment applicable to the organization. Knowing which laws, regulations, and standards apply to the organization's operations allows the internal audit team to assess and prioritize which reviews to include in the audit plan. The audit team can then familiarize themselves with the organization's internal policies and control procedures related to compliance.
Internal auditors will then conduct the audit in two phases: evaluating control design and testing control effectiveness. The first phase requires auditors to have a deep understanding of the regulation to decide if the controls the organization has implemented address the risk of non-compliance. At this point, auditors are also looking for any gaps in the control environment that would require the organization to add additional controls. For example, a public corporation may implement IT controls over their primary financial applications for SOX compliance, but they may not have considered support applications that have indirect access to affect financial data.
Any issues that arise during a regulatory compliance audit are extremely critical since non-compliance could lead to fines or potentially severe legal consequences. Once the audit is completed, the regulatory compliance audit results must be shared with the organization leaders so they can start remediating the exposure, but internal auditors should work closely with internal legal counsel to determine the distribution of the results, which could be confidential.
Regulatory compliance is more than an obligation
In conclusion, regulatory compliance is a cornerstone of a robust risk and control environment within any organization. The multifaceted nature of regulatory compliance — encompassing laws, standards, guidelines, and internal policies — necessitates a comprehensive and dynamic approach from internal auditors. Internal auditors play a pivotal role in identifying, assessing, and mitigating compliance risks, thereby safeguarding the organization from legal penalties, reputational damage, and operational disruptions.
Ultimately, regulatory compliance is not merely a legal obligation but a strategic imperative that supports organizational resilience and stakeholder confidence. Internal auditors, with their deep understanding of regulatory requirements and risk management expertise, are integral to this endeavor, ensuring that organizations operate within the bounds of the law while achieving their business objectives.