In order to understand an internal compliance audit, it is helpful to first define what internal audits are and then look at how the compliance aspect fits into that picture. Whether the entity is for-profit, non-profit, publicly held or privately owned, all require an internal review of operations on a regular and consistent basis. Sometimes, such reviews are legally required while others are considered best practices for healthy corporate functioning and growth.
There are basically four types of internal audits:
- Financial
- Operating
- Compliance
- Information
Internal compliance audits in the complex world of today are mandatory roles in a healthy business model. They serve to not only strengthen relationships with employees and customers but they also create a culture of compliance. The focus of compliance audits is usually quite narrow and clearly defined before an audit begins but this can still be a source of concern for employees.
Compliance audits not only rely on documentation but also on visual inspections and interviews with employees who actually perform the work being audited. This can lead to internal tensions and misunderstandings if not handled correctly. Often, employing a third party to handle this aspect of the business is a wise move.
Third parties do not have any preconceived notions about employees or their performance, thus providing a level of objectivity that might otherwise be missing from the process. Internal compliance is a necessary aspect of a sound business, so bringing in a third party earlier than later to conduct routine internal compliance audits is always preferable to considering this after a problem has been discovered.
These audits vary by the type of industry, location of the company or entity and regulatory requirements. Some examples include:
- Contractual – Designed to ensure that the company is complying with any contractual requirements that may be included to meet customer specifications.
- Governmental – Entities that receive government grants or other funds have various contractual obligations.
- Industrial standards – Health agencies must comply with HIPPA regulations. Food handlers and sellers have various health regulations that need constant compliance oversight.
- Risk management – Safety in the workplace requires constant monitoring and compliance audits are most often seminal to this oversight. The Occupational Safety and Health Administration (OSHA) has numerous regulations that must be complied with in order that some types of workplaces remain operational.
Fraud and theft are the most common crimes revealed by compliance audits. However, many companies do not support the prosecution of these employees/perpetrators for fear of bad publicity. Sometimes, these offenders are pursued in civil litigation. In rare cases, non-compliance with OSHA regulations which result in severe injury or death to an employee can translate to negligent homicide in criminal court.
There are no regulations or legislation that address compliance audits specifically. However, as has been mentioned, these audits are often combined with other types and as such fall within broader legislative interests. The Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley) of 2002 and signed by President Bush, deals with publicly held companies and internal auditing.
This Act greatly expanded the internal auditing functions, required top management to sign off on all financial audits and increased the responsibilities of Boards of Directors. While this Act deals with financial audits, it speaks to the importance of self-policing. Following the collapse of corporate giants such as Enron and Worldcom, investor confidence was shaken and Sarbanes-Oxley was enacted in an attempt to restore it.
This is important for private companies because if they are going to be purchased by a public company, the private company must be in compliance with this Act for several quarters prior to the purchase. In New York, the State Governmental Accountability Audit and Internal Control Act, Chapter 814, of 1987 requires that all state agencies develop systems of internal controls.
Violations revealed by internal compliance audits that may violate the law would most often fall within civil statutes. Those usually carry fines and possible court levied injunctions against businesses.
An audit plan is the first step in the procedure. This plan lays out the scope of the audit and identifies areas of risk or potential problems. Implementation of the audit requires an investigative approach. Limiting the number of people two are interviewed assures that confidentiality is maintained as much as possible and the audit is completed quickly to avoid interference with day to day operations.
An audit report is then prepared and provided to management. Compliance audit reports are often a matrix which provides management with insight as to what the current condition is and timelines for future inspections once improvements or changes are instituted. Compliance audit reports are dynamic documents unlike other types of audit reports which may be done yearly or biannually.
Most often audits combine elements from each of these types. An internal audit is a systematic analysis of the process by which an entity operates. These types of inspections allow for internal fraud or theft of funds or assets to be identified early and dealt with as soon as possible. They often focus on:
- Cash manipulation
- Revenue misstatements
- Income manipulation
- Understatement of payables
- Inventory or other asset thefts
Compliance, in this sense, is essentially about conforming to laws or regulations. Thus, the mission of an internal compliance audit is to identify gaps between regulations and procedures. They focus on the task, the employees conducting the task, the product produced or service rendered by the task, etc. in order that any problems or risks are uncovered and dealt with before they might be recognized by a third party like the media.
They also point up problems that legally must be reported to regulators. Internal compliance audits can focus on a company’s compliance with laws, regulations or contractual agreements with clients and customers. They can also review the conduct of employees to see that the internal rules and standards are being honored.