When is a Compliance Officer Not a Compliance Officer?

By Roy Snell

A compliance officer checks the work of others for ethical and regulatory compliance.  It is very similar to the role of an auditor.  Auditors check the accuracy of financial statements.  Auditors do not complete financial statements.  If an auditor completed financial statements, the audit profession would say that person was not an auditor.  Auditors are expected to be independent.  You cannot be independent if you are checking the work you perform.  An individual that performs work that must be occasionally checked for compliance with the rule of law… cannot be called a compliance officer.

The whole purpose of creating the compliance profession was to have an independent person check the work of others.  There have been a few instances in which a compliance officer has been accused of wrongdoing by the enforcement community for submitting false or inaccurate documents to the government.  Technically speaking, the individual submitting these documents to the government is not a compliance officer.  The person completing the documents works in operations. They should have a different title and that person’s work should occasionally be checked for compliance with the rule of law by a compliance officer.

The compliance profession is relatively new and not always well understood.  Some companies are using the term compliance officer for jobs that do not fit the fundamental definition of a compliance officer.   On occasion, a compliance officer is asked by their organization to manage some area of operations.  Some compliance officers are asked to perform legal work.  In these instances, the compliance officer should explain the need for independence to their organization and that taking over operations of any kind or performing legal work is not appropriate.

This is also one of the many reasons why compliance should be separate from legal.  You cannot perform legal work and then check the legal work you perform for compliance with the rule of law.  There is no independence.  Similarly, the compliance officer should not have their annual review done by anyone whose work they must check.  That would be as illogical as having the CFO audit their own work or perform the annual review of the people that audit them.



  1. I think compliance officers differ from auditors, in that compliance officers establish what should be in the compliance program. So there is a background in legal since lawyers (presumably) understand what should be in a compliance program. Auditing of the compliance program is just one part of it. Executing the compliance program may be part of the compliance officer’s job, and so this becomes the operational responsibility of the compliance officer. In that case, it may be appropriate to have someone else check the work of the compliance officer.

  2. I agree Ted. A compliance department, much like any other department, should have periodic review and suggestions for improvement.

  3. The mission statements of Compliance and Audit are very similar, and you do not need a legal background to develop and implement an effective compliance program. Compliance is more about implementing policies and procedures that comply with laws and regulations. To be effective, Compliance needs to understand operations on the ground floor. Be able to work across many silos on committees and understand how to effectively monitor, audit, and investigate, which is why auditors and nurses make terrific compliance professionals and leaders. While Compliance is not truly independent, their roles and mission are much like Audit’s.

  4. Agree with personnel issue. I was an attorney in a healthcare compliance hospital position. When I reviewed issues we focused on process improvement. I created our sentinel event policy which encouraged open communication. If it looked like litigation we would consult outside counsel. We never hid anything and I am proud of my work and affiliation with a well run hospital. I sleep well at night knowing I have high ethical values and expect the same of others, we did a lot of good by erasing fear and using mistakes to improve delivery of care. Healthcare Compliance Officers are not new in hospitals. They may have had other titles. Certification is a more recent development. Perhaps your discussion to have overseers is more of a financial issue. Layers should not be the answer. If someone will commit fraud then it is a bad apple that will be revealed. I can only speak to my own work and I like to think the majority of other HCCO work the same.

  5. Unfortunately, many compliance professionals fail to make the independence arguments you suggest when saddled with inappropriate job duties for our profession. Depending on company size and internal political dynamics, advocating for this level of independence is often easier said than done. It’s crucial that executive leadership be educated by the CO about risks to compliance program effectiveness caused by insufficient independence which can be used against the company by regulators should an actual or perceptual problem occur.

    To the comments below, IA should audit aspects of compliance “operations” (how we conduct compliance activities) like any other critical organizational function. As to a CO needing a legal background, some large companies have privately stated they will not hire a CO with a J.D., others require it, while many seem neutral. I believe the most valuable qualifications for compliance professionals in general seem to be a strong combination of leadership, operations, and/or project management experience, along with solid soft skills for relationship building and a willingness to learn and advocate compliance trade fundamentals from resources like HCCA and CEB.


  6. I enjoyed the post. I’d like to start a dialogue on something Joel mentioned below in passing. “Depending on company size” is something important to me in my current role, but I think important for the compliance profession to tackle as well.

    Certainly, a publicly-traded, global organization, with 10’s of thousands of employees should have a compliance officer, who is independent of the GC, independent of Internal Audit, and HR, and Operations, and Finance, and Accounting, and Business Development, and reports/communicates directly to the board. On the other end of the spectrum, a domestic, private sole-member LLC consulting firm with less than a dozen employees could not afford or be reasonably expected to have a completely independent compliance professional who did no other work. The sentencing guidelines even allude to the scale of the company as an important (but vaguely described) factor in evaluating mitigation for compliance programs.

    As a profession, rather than simply starting with behemoth organizations and trying to create an autonomous independent role defined by what it doesn’t do, should we also be starting at the bottom, and asking:

    (a) when it’s a 2 to 15 (or 20 or 25) person company, do the primary compliance responsibilities fall on the supervisor, recognizing that he or she has other more substantial (time-wise) responsibilities?
    (b) when it’s large enough (based on some criteria the profession should be able to articulate) to hire its first person with the word compliance in their title, can we recognize that person’s role will not be limited to compliance work?
    (c) and when a company hires its first in-house counsel, do we want to be recommending that that person *can’t* fill a compliance role too?

    To me, while I like the goal of complete independence, in small to medium sized privately held regional companies, I sometimes find that ‘the perfect’ becomes the enemy of ‘the good.’ As a profession, I think we would be better to promote both the good and the perfect, and be better at defining the context for each.

    I was a compliance professional for 6 years, getting my PE, the best ethical credential I could find, before I went to law school as the next evolution in a compliance career. Since graduating from law school, I’ve been hired as an attorney, and I’ve been hired as a compliance professional, and I’ve been hired as both. It’s hard for employers, especially small employers, to understand our profession if we can’t define it for their context in a workable way.

    • Hi John,

      I found the below linked PDF by HCCA sometime back to be helpful in analyzing how independent compliance officers should be based on a risk scoring methodology. It’s not perfect, an interesting idea that may help.


      I strongly believe it’s inadvisable for in-house counsel to also be the compliance officer (CO) based on years of guidance and past enforcement by regulators. For highly regulated industries, doing so would almost certainly be used by a prosecutor/regulator during any enforcement action and weaken a legal defense strategy. That fact alone is compelling enough to ask why any in-house counsel would willingly allow such a risk to the company (their client) by accepting a joint counsel/compliance officer appointment.

      I’ve also always wondered if a CO with a JD should retire their state bar membership. Are there any ethical duties as an active member of a state bar that conflict with the ethical duties of being a Compliance Officer when the JD is not in a counsel role?

      Feel free to LinkedIn me if you ever want to discuss further! Can exchange contact info.


      Joel Gray

  7. I do agree with everyone that smaller organizations need to give the compliance role to someone who may also have other responsibilities. We need to work our way out of that conflict of interest as soon as the organization can devote one full time person to compliance. What concerns me more is that organizations that are large enough to separate compliance from operations are not separating compliance from other responsibilities. Good discussion my friends.

  8. Great post. Certainly I am having the same problem in my company; no one in the management is ready to understand what compliance is.

  9. At my last job, I supported and approved high risk payments to Healthcare Organizations and Providers. I also was assigned to complete quarterly audits of all payments released. This was an SOA and internal control requirement. So while not a Compliance Officer, it seems to me that this approach was in violation of either SOA or the internal control.

    Thoughts anyone?

  10. Robert, my comments are really focused on how the compliance profession defines their role, much like any other profession has done. We really are talking about guidance, not a rule of law. I am not speaking from a legal perspective or representing any prescribed audit standards/controls. I would suggest you contact experts in the field or an attorney.

    • Thanks. Can anyone comment on the CCEP exam and what type of questions I will encounter?

  11. I am viewed as the police officer. Any law, rule, regulation or policy I am responsible for. When an employee does not follow, and something goes wrong I am brought in for all discussions and I am at fault whether I know about the incident or not. I must not be providing the right education.

  12. I am a compliance officer in a very large public hospital and work separately from IA and the general counsel.

    The roles have different focus. I have spent time in IA and also been to law school so I have seen all sides of the street and the divisions focus are completely different if done correctly, even though they are all risk based.

    Our hospital is adamant that the compliance person be skilled at compliance and not be what you sometimes see elsewhere, such as an RN. I have RNs do clinical documentation reviews, but they could not pull apart a physician agreement if their life depended on it, nor understand the complexity of vendor relations. Even though it is still a part, compliance has moved beyond billing, charging and coding, which is why RNs were so common in the past as compliance staff. Yet you still see some hospitals wanting their CO to be an RN. It is better that the CO has an RN on their staff. The CO is a multifaceted leader across operations, legal, clinical, financial, etc and has to be able to piece it all together.

    And if having been to law school, our hospital does not want the CO be a licensed atty. It can come back to bite you.

    We preferably would want an MJD in Health Law (like Loyola has now) as opposed to a general JD.

    Our GC represents the hospital in legal matters. Even our GC says compliance and legal and IA do not belong together.

    In fact the OIG is very straightforward now that the CO does not even report to legal. With that said, why should they be combined? IA generally sits in finance and again the OIG is adamant that the CO not report to the CFO. Another hint.

    It has taken time but many healthcare providers are dividing them. While we all deal with risk, we deal with it differently.

    I interact with both divisions regularly for different reasons but our jobs are completely different.

  13. My problem is a separate one. I am independent and report to the CEO just like the OIG says I should…, etc. The problem is that it is all to meet the “paper requirements” for a compliance program. I am not invited to staff meetings. I am instead told that the Chief Legal Officer will inform me of when something needs to go to compliance. The CEO, my boss, has seen me all of 1 hour in the last 8 months and my requests for meetings are placed at low priority through his administrative assistant. My office is nowhere near the C suite. All of the CEO’s direct reports meet together, team build together and I am not invited to the table, no matter how many times I have asked. My annual budget (minus salary and hotline license) is $1000 (yes one thousand dollars or about $3 dollars a day) and I am in a 700 bed hospital and am it for compliance.

  14. I quite agree that, you cannot be independent if you are checking the work you perform. This further illuminates my thought on, Compliance officers functioning as a level check for statutory returns to their Regulators. The Risk here is that, a breach can occur out of an oversight, which may be revealed by a later review or checks by the same Compliance officer. It behooves on the Compliance officer to report all breaches, even now, he is a party to a breach.

    The Compliance role is often perceived to be such that must “ensure” Compliance hence, you will find Compliance officer getting more involved in Operational functions in a bid to guarantee Compliance. This act will eventually rubbish the essence of having the Compliance leadership as the linchpin which holds all other elements together, in the Compliance program. To say Compliance is a business enabler at this instance, is contradictory ridden.
