Comply or Explain (To The Judge)

The U.S. Department of Justice announced this month indictments against executives at Volkswagen, air-bag manufacturer Takata, and three global banks involved in foreign currency trading. This bold action, which reinforced earlier warnings from U.S. regulators that executives and board members will be held personally accountable for wrongdoing, likely sent shudders across corporate C-suites around the world.

Just last week, Samsung’s top executive was kept in a holding cell while a court deliberated whether to issue a warrant for his arrest. Ultimately no arrest warrant was issued for Lee Jae-yong, but he remains the subject of a special prosecutor’s investigation relating to a scandal that led to the impeachment of South Korean President Park Geun-hye. This highly public melodrama comes on the heels of the company’s disastrous rollout of its Galaxy Note ​7 model.

It has become exceedingly clear in recent years that compliance failures are no longer merely a risk for fines and penalties to companies. Instead, government officials are increasingly likely to haul offending executives in front of judicial authorities. Instead of the old expression “comply or explain,” for contemporary offenders, it is “comply or explain (to the judge).” 

Internal auditors are unlikely to be able to save offending executives in their organizations from the consequences of their own misdeeds. However, they do have an obligation to champion good governance and provide assurance on the effectiveness of compliance controls. Since the turn of the century, corporate compliance failures already have cost the companies involved billions of dollars in lost revenue and fines. The related reputational damage and loss of goodwill has been just as severe. Yet, astoundingly, these kinds of scandals continue to occur on a regular basis. This signals to me that the pressures of today’s dynamic and challenging business environment are not just exposing but exploiting weaknesses in governance.

This is the why I included advocating for good governance in my recent blog post, ​”5 Resolutions for Internal Auditors in 2017 to Prepare for the Future.”

I wrote: 

Ultimately, good governance practices are what make or break companies, and having an independent and objective evaluation of the effectiveness and efficiency of those practices is critical to success.

I believe every organizational failure includes a breakdown in governance somewhere along the line. Too many of the recent high-profile scandals had clear governance breakdowns that if recognized and addressed could have avoided the problem.

It is a fundamental function of internal audit to evaluate and improve the effectiveness of risk management, control, and governance processes for the organization – especially where statutory and regulatory compliance are concerned. This specific wording comes from the definition of internal auditing contained in the International Professional Practices Framework (IPPF).  What’s unwritten — yet should be understood — is that internal auditors must also be advocates for the critical business processes that foster effective compliance.

Here are several ways internal auditors can help strengthen governance and mitigate compliance risks:

• Assess compliance risks continuously. On the basis of continuous risk assessments, ensure the internal audit plan is regularly updated to reflect significant/emerging compliance risks.
• Clearly identify governance processes examined in every engagement. By identifying the specific governance processes in engagement reports, internal audit reminds management and the board of the value of varied governance processes, from those designed to deter fraud to those that protect against data breeches.
• Develop trust relationships with stakeholders. As trusted advisors, internal audit will be more likely to be invited to provide input on strategies and goals that may impact governance and ensure effective compliance.
• Keep your house in order. Every chief audit executive must ensure the effectiveness of compliance controls within the internal audit function itself. It’s hard to preach the value of compliance risk management and effective governance if you have governance and compliance failures of your own. Having a quality assurance and improvement program in place is a must.
• Don’t forget about culture. There is a symbiotic relationship between governance and culture. When one goes bad the other suffers. Most of the high-​profile compliance failures had a cultural component as a root cause. Educating stakeholders about this fundamental relationship is one of the most important ways to ensure effective compliance and good governance.

I’m certain there are other ways to keep effective compliance risk management and good governance top of mind within the internal audit function and the minds of our stakeholders. As technology and the globalization of trade continue to accelerate, we must not only learn to audit at the speed of risk, we must ensure the building blocks for mitigating risk — compliance controls and governance processes — are protected.

As always, I look forward to your comments.​