Internal auditors often rely on the assurance provided by second line of defence compliance teams, yet comments and discussions among those attending the Compliance Audit and Assurance course suggest that many compliance teams lack basic tools that would make their work easier and more reliable. While those who attend the course gain valuable tools and reference materials, internal auditors could also offer more assistance to those in their own organisations – and could benefit from the results.
This course is part of the IIA Certificate in Internal Audit and Business Risk as well as being a popular stand-alone in-house training choice. It has been designed for compliance and assurance professionals working in the second line of defence. The course has been running for around six years, but the issues highlighted in the early workshops still dominate the group discussions.
Many of those in the second line of defence have been appointed to that role because they are subject matter experts. Their brief is to conduct assurance reviews, but many have no practical knowledge of how to do this. From an organisational point of view, this lack of experience and understanding in the second line is worrying, since the assurance they provide is likely to be relied on by internal and external stakeholders. If the methods used to gain that assurance are weak, what is its quality?
Most compliance teams are not large – indeed, sometimes only one person provides assurance. Some are set up with inadequate forethought, and many have a reporting line that gives them little power to influence management to make appropriate changes.
Only a few compliance teams conduct risk assessment as part of the annual planning process, so the idea of introducing a risk-based, periodic planning approach is a new concept for many attendees. Most are also unaware of the boundaries of their assurance universe. We can talk about the “compliance universe” in the same way we talk about the “audit universe”, although it is more compact because it is based only on the activity that they provide assurance on.
Another of our main discussion points is that of internal controls: what a control is, how you design one, the different types of control and the impact of control failure. The majority of people in compliance functions do not know how to identify and assess controls, yet this is fundamental to assessing whether risks are being managed or not.
Most compliance teams still follow a process-based approach to their assurance reviews. While internal auditors might assume that compliance assurance work is about testing controls, this is not necessarily the case. Most test compliance against legal requirements, regulations, policies and procedures, but do not test the controls within these. The controls are the points at which an error or irregularity can occur – by focusing on these, the compliance team can work more efficiently and effectively.
Other areas of concern that are frequently raised are the lack of a systematic use of working papers and sampling methods. This is why we include a set of templates in the course materials that can be completed as a case study. This range of working papers is new to many people: for example, an opening letter to advise stakeholders that the review is taking place, a risk and control matrix, test strategy and terms of reference. I know that lots of delegates go on to adapt these templates for their own use in their workplace.
Sample sizes for testing can range from just one to quite sophisticated statistical sampling levels. However, the number of people who tell me they do not have a sampling strategy or plan is surprising, given that one of the key components of quality evidence is the sufficiency of the sample size. Where the sample size is inadequate and does not allow for the risk maturity of the activity under review, stakeholders could, and often do, challenge it.
The people I meet from the second line on the compliance courses are all eager to learn about the methodologies they can incorporate into their working practices – it is a pleasure to work with them. It is disappointing that most do not have any interaction with internal audit, since we can add much value by being more involved in the education and development of those in the second line of defence.
Marian Silltow is the tutor for the Compliance Audit and Assurance module of the Certificate in Internal Audit and Business Risk.
For more information about the course visit charterediia.uk/training
This article was first published in November 2019.