It’s common for people to use the terms compliance and audit interchangeably, but there’s actually a significant difference between the two.
Compliance is about meeting legal and regulatory obligations. There are things that every organisation must do to make sure they comply with laws, rules and regulations at a Federal, State and local level. From lodging tax returns to preparing financial reports, these are legally mandated compliance activities that are done periodically. If an organisation doesn’t meet its compliance obligations, it may face significant penalties like fines or even lawsuits and reputational damage.
Corporate compliance also often incorporates an organisation’s own internal codes of conduct. These may outline how people are expected to behave and what things the organisation needs to operate efficiently and effectively.
Many organisations have their own compliance functions. Their role is to enable the business to meet its compliance needs. They aren’t there to tell people what they can’t do, but rather help them meet their objectives and obligations.
To do this, the compliance function must not only look at what the organisation currently does but also be involved in more strategic aspects of the business to make sure that it continues to meet its compliance obligations. Compliance is not something that an organisation can set and forget. It’s an ongoing process that should always be open to improvement and may need to change whenever laws and regulations require.
Compliance often works at each level of the business, from senior management through to the shop floor. While significant elements of its role are strategic, compliance also needs to be hands-on when it comes to finding solutions to issues. Without a detailed knowledge of the business, compliance functions can’t help the organisation identify how best to meet its obligations.
An audit involves being independent. Audits are impartial and intended to look at what the organisation has done and make sure that it’s in line with what it said it did. In effect, an audit function monitors and evaluates how effectively and efficiently the business has met its own internal control policies, processes and procedures. It ensures that the policies, processes and procedures of the business are being followed correctly and identifies opportunities for the business to manage its risks. Essentially, the audit function gives the business assurance that its intentions are being followed through.
Many organisations have an internal audit function that is responsible for identifying risks within the business. These risks could be control issues or policies that have not been implemented effectively, for example. The internal audit function searches for control deficiencies and makes recommendations to address these.
The internal audit function is not to be confused with the role of external auditors. Companies are generally required to have their financial accounts and annual report audited by external auditors. This is a very specific role prescribed by legislation, whereas an internal audit function generally has a much wider responsibility that is driven by the organisational objectives and requirements.
A key part of audit’s role is looking back at what the organisation has done and identifying where this may need to change in the future. While there are aspects of strategy to the audit function, it’s far more focused on monitoring the here and now.
Like compliance, audit is a continuing process but one that is often planned or periodic. The audit function will work with management to identify what areas of the business are in most need of review or where controls are at risk. This can cover anything from financial controls to supply chain, inventory management, IT systems or even the organisational culture. Some of these areas are relatively easy to identify, while others like organisational culture, for example, are much more challenging to monitor and assess.
While audit functions by their very nature must get into the detail of a business, they’re most often accountable at the highest level. Audit reports are generally submitted to the board and senior management.
While compliance and audit are like two sides of the same coin, they play very different roles. While audit may monitor what the organisation is doing and find deficiencies in a company’s policies, processes and procedures, it may not identify whether the organisation has actually complied with its legal obligations. Compliance, however, will look at a policy, process and procedure through the lens of regulatory compliance. Does it meet legal obligations? Are laws being followed? Can the organisation meet its regulatory obligations?
That said, an audit may, and often does, incorporate aspects of compliance. While auditing an organisation, areas where compliance obligations have not been met may be identified as these represent significant risks to the business. Have tax returns been lodged? Are the financial reports completed? Has the company made all the disclosures it’s required to under law?
Compliance is often involved in strategic discussions about where the business is going and what it needs to achieve its objectives in a compliant way, while audit takes those objectives and looks back to see if they were achieved in the way they were meant to be.
Every organisation needs aspects of both audit and compliance. They each play an essential role in the corporate governance of a company and must work together to make sure the organisation is operating effectively.
If you need advice on how to ensure you’re meeting all your company compliance obligations, get in touch with CCASA.