The Current State of the Compliance and Internal Audit Partnership


By Michael Volkov
Principal, The Volkov Law Group

Compliance officers and internal auditors are natural partners and allies in the compliance governance landscape.  As the compliance profession and influence grew, compliance officers often leaned on internal auditors for help in assessing risks, uncovering financial misconduct, and assessing compliance functions and controls.  Recently, however, I have noticed some changes in their relationship, suggesting that they both are maturing and gaining independence from each other.

Since Sarbanes-Oxley, internal auditors have gained in the corporate ladder, and rightfully so.  Internal audit was given an greater responsibilities for ensuring accurate financial reporting.  Congress mandated a greater responsibility and sought to improve internal and external audit functions.  Corporate boards gave internal auditors increased power and access to more resources.  If the internal auditor requested staff and resources, the audit committee would be hard-pressed to deny such a request.

In contrast, chief compliance officers have never enjoyed the same level of authority, access to resources and overall influence at the board level as the internal auditor.  Since the CCO and the internal auditor usually report to the same audit committee, CCOs and internal auditors helped each out, formed alliances and developed synergies, especially in areas where auditing and compliance functions overlapped.  This usually worked out to both parties’ benefit.

Two recent trends, however, have transformed this close and natural partnership.  First, CCOs are becoming more influential on their own, meaning that they have matured professionally and gathered their own constituencies, created their own relationships, and promoted their own connections with senior management and the board.

Second, internal auditors are busier than they ever have been with more projects, day-to-day responsibilities, and focus on financial reporting systems and overall system management.  Internal auditors do not have the time nor the resources to conduct compliance audits or focus on specialized compliance auditing, particularly in the area of measuring compliance with controls.

Given these trends, CCOs have begun to develop their own auditing or compliance review protocols and functions.  CCOs recognize that conducting their own independent audits of compliance functions can quickly improve monitoring and assessment capabilities and improve the accuracy and speed of compliance program improvements.

My generalization is just that – a general observation.  Of course, there are still situations where compliance and internal audit continue to work closely with each other.  The separation of CCOs and internal audit, however, is not a negative trend but reflects the positive growth in compliance.  Internal audit has extraordinary responsibilities being placed on it, especially as companies seek to reduce reliance on outside consultants and auditing firms.

On substance and in practice, internal audit and compliance will always operate with close respect for each other and coordinated perspective on corporate financial and compliance controls.  Even as they mature, they will remember the old days of close affiliation while maintaining a close eye and support for the respective functions dedicated to improving overall corporate governance.  Compliance and audit will continue to learn from each other and maintain a mutual admiration for their roles.


  1. I found this article very timely as my compliance department is trying to develop its own audit and monitoring protocols and risk assessment tools. It would be great to know if tools used by compliance departments are different from those used by internal audit. Can you share any resources? Thanks!

  2. In my prior days of working as inhouse compliance officer, I did develop my own risk assessments and audits, etc, but partnered with internal audit on some larger projects or those where they had more expertise. A great example of partnering was an audit of physician contracts. I reviewed the actual agreements and supporting documentation, internal audit reviewed the actual payments. That was a very big audit but with the collaboration it was feasible.

Comments are closed.