Spend a few days with 2,500 corporate auditors — which I did not long ago, at the Institute of Internal Auditors’ annual global conference — and you’ll hear lots of talk about risk. You’ll also hear talk about increasing workloads, tight budgets, and struggles to demonstrate value to the rest of the enterprise.
The idea is that audit teams remain lean, rely more on technology or on skills borrowed from other parts of the enterprise, and produce slimmer, more visually designed reports that address deeper, strategic risks.
So, really, corporate compliance officers would feel right at home.
To get ahead of those challenges to internal auditing, the profession has been moving toward a concept called “agile audit.” The idea is that audit teams remain lean, rely more on technology or on skills borrowed from other parts of the enterprise, and produce slimmer, more visually designed reports that address deeper, strategic risks.
It’s an intriguing idea, and one that makes sense in a complex, rapidly shifting business landscape. So compliance officers would do well to ponder: could we do something similar in our profession? Is there such thing as agile compliance?
Indeed there could be. We can start with three principles of agile auditing that are turnkey for the modern corporate compliance program.
1. Agile Compliance Risk Assessment
First, agile auditing puts more focus on a risk-based approach to auditing, and ties those risks to stakeholder needs. That is, internal audit functions will ask, “What are the most important objectives to all our stakeholders? And therefore, what are the biggest risks to achieving those objectives?” That is a crucial shift in risk assessment, and one that corporate ethics and compliance functions should embrace.
Traditionally, compliance functions have focused on aligning with regulatory compliance, period. That objective will never fade, but let’s be honest: some of the most serious corporate misconduct challenges today don’t involve regulatory infractions. Personal misconduct, or the public’s perceptions of a company’s ethical reputation, for example, can have enormous consequences for a company’s ability to create value — which is the highest priority for the most important of stakeholders, the company’s board.
It’s a more dynamic, expansive conversation, that clarifies the connections between good corporate conduct and business objectives.
A more agile approach to compliance risk assessment will involve the CCO talking with senior management and the board, to ask: What are the organization’s most important goals? What types of poor corporate conduct would harm those goals?
It’s a more dynamic, expansive conversation, that clarifies the connections between good corporate conduct and business objectives. That’s what organizations with mature corporate ethics and compliance programs do, and it’s what all organizations should try to do.
2. Prioritized & Focused Action, Not Perfection
Second, agile auditing focuses more on generating capabilities to address risk, rather than on staffing the perfect audit department. Savvy audit executives know that building the perfect audit department is impossible: they don’t have the budget and couldn’t lure the best talent even if they did. Achieving effectiveness in practice is the more urgent priority.
Instead, agile audit functions spend more time developing capabilities to address whatever risks emerge from the agile risk assessment. That means much more attention to technology, and to building alliances with other parts of the enterprise that do have the talent needed to solve a problem.
Again, compliance functions should love this idea. You’re in the same predicament with budget and staffing challenges. Best-in-class corporate compliance programs will make smart investments in technology that generate and analyze data, while nurturing ties with business functions. This can help you implement practical remediation steps based on your conclusions from that analyzed data.
Best-in-class corporate compliance programs will make smart investments in technology that generate and analyze data, while nurturing ties with business functions.
One example of this concept is a more interactive code of conduct. Configured correctly, that will give the compliance officer more data about what issues are top of mind for employees. Then you can think about what policies need updating, or which subjects need more training.
Likewise, if you automate third-party due diligence and risk management, you generate more data about which parts of due diligence are most troublesome for employees or third parties. Then you can work with business unit leaders in a data-driven way to resolve those workflow choke points.
3. Assurance Through Visualization, Not Just Documentation
Third, agile auditing tries to simplify reporting in favor of providing assurance, rather than documentation. I chose this point deliberately, because any time we talk about less documentation, compliance officers can get uneasy. After all, documentation is the stuff we give to regulators in the event of an investigation. Why would a compliance department want less of it?
Agile auditing isn’t about providing less proof that your risk management program is effective; it’s about providing assurance in better ways: visual reports, driven by data, designed for impact and absorption. Stakeholders could still knock themselves out drilling into underlying data if they want. For example, a Justice Department investigator could still pore over training records, due diligence certifications, or internal control tests. When showing if and how something is being addressed, however, this type of reporting provides a summary that easily communicates: “Yes, this risk is being addressed. Here’s how, and here’s what we need to do next.”
If you’re using technology shrewdly (principle two) to address the most important risks (principle one), then stakeholders will have more faith in the assurance of that “top page” of the report. You’ll convey more information, more succinctly; and that information will derive from systems that produce data more accurately.
Those are the principles that deliver more assurance, rather than more documentation. And that, ultimately, is what mature compliance functions need to be able to do.