If I had a pound for every time I was asked this question I would have… well, probably about £60 at a rough guess! But that is not the point.
The point is that it is a question that not only should you be able to answer, but one that should also be considered as part of an organisation's strategic and structural planning.
The first thing to be clear about is that they are fundamentally just titles. Whilst titles should help people understand what individual functions do, it does not really matter who does what, providing all required activities are undertaken and the functions work cooperatively.
Therefore what follows is a little guidance and some suggestions; you should put in place structures that suit your organisation: its size, its structure and its products, services and delivery channels.
Firstly, it is critically important that an Internal Audit function is fully independent if it is to carry out its assurance role effectively.
However, I have long argued that whilst Compliance must have the appropriate level of independence, there also has to be a strong element of cooperation, and indeed even a degree of integration, with the business if it is going to provide its advisory and educational roles effectively. And this is where the two functions diverge.
Internal Audit’s objective is fundamentally assurance: looking at the past and present to provide assurance that all activities are being carried out in accordance with the written policy and procedure.
Compliance’s objective is fundamentally operational: looking at the present and towards the future to ensure that all activities are carried out in compliance with the prevailing regulatory requirements, because the appropriate policies and procedures are in place and being adhered to.
So of course there is overlap, and the two functions must work cooperatively. Compliance monitoring is auditing by another name, and if Audit make recommendations to change policy and procedure on the back of their monitoring, and then follow up to ensure that this has been done, then of course they are also carrying out an operational role.
But it is the Compliance Function that is more likely to be involved operationally, owing to its horizon scanning, project input and management, and education remits.
To put this another way, one simple definition I often use is that Audit generally ask the question “are we doing what we said we would do?” whilst Compliance ask “does what we have said we would do ensure compliance (providing we actually do it), how is this going to, or likely to, change, and who needs to know about it?”
And finally, there are two important operational considerations that must be taken into account. The Compliance Function is concerned with regulatory risk only, and the scope of its operations is therefore more restricted than that of the Internal Audit Function, which is concerned with all risks to the organisation.
And of course Compliance must itself be audited, to make sure that we are doing what we have said we will do.
So do try not to annoy them!
If you're interested in an ICA qualification in governance, risk and compliance, more information can be found on our ICA certificates and diplomas page. Alternatively, please call +44(0)121 362 7506 and we’ll happily talk you through your study options.