3 Steps to Apply Agile Auditing Principles to Ethics & Compliance

Matt_Kelly.png

Spend a few days with 2,500 corporate auditors — which I did not long ago, at the Institute of Internal Auditors’ annual global conference — and you’ll hear lots of talk about risk. You’ll also hear talk about increasing workloads, tight budgets, and struggles to demonstrate value to the rest of the enterprise.

The idea is that audit teams remain lean, rely more on technology or on skills borrowed from other parts of the enterprise, and produce slimmer, more visually designed reports that address deeper, strategic risks. 

So, really, corporate compliance officers would feel right at home.

To get ahead of those challenges to internal auditing, the profession has been moving toward a concept called “agile audit.” The idea is that audit teams remain lean, rely more on technology or on skills borrowed from other parts of the enterprise, and produce slimmer, more visually designed reports that address deeper, strategic risks. 

It’s an intriguing idea, and one that makes sense in a complex, rapidly shifting business landscape. So compliance officers would do well to ponder: could we do something similar in our profession? Is there such thing as agile compliance? 

Indeed there could be. We can start with three principles of agile auditing that are turnkey for the modern corporate compliance program. 

Watch: Connected Roles of Audit, Risk, Legal, and Compliance

1. Agile Compliance Risk Assessment 

First, agile auditing puts more focus on a risk-based approach to auditing, and ties those risks to stakeholder needs. That is, internal audit functions will ask, “What are the most important objectives to all our stakeholders? And therefore, what are the biggest risks to achieving those objectives?” That is a crucial shift in risk assessment, and one that corporate ethics and compliance functions should embrace. 

Traditionally, compliance functions have focused on aligning with regulatory compliance, period. That objective will never fade, but let’s be honest: some of the most serious corporate misconduct challenges today don’t involve regulatory infractions. Personal misconduct, or the public’s perceptions of a company’s ethical reputation, for example, can have enormous consequences for a company’s ability to create value — which is the highest priority for the most important of stakeholders, the company’s board. 

It’s a more dynamic, expansive conversation, that clarifies the connections between good corporate conduct and business objectives.

A more agile approach to compliance risk assessment will involve the CCO talking with senior management and the board, to ask: What are the organization’s most important goals? What types of poor corporate conduct would harm those goals? 

It’s a more dynamic, expansive conversation, that clarifies the connections between good corporate conduct and business objectives. That’s what organizations with mature corporate ethics and compliance programs do, and it’s what all organizations should try to do. 

Read More: New Investments in Internal Audit Can Benefit Compliance by Association

2. Prioritized & Focused Action, Not Perfection

Second, agile auditing focuses more on generating capabilities to address risk, rather than on staffing the perfect audit department. Savvy audit executives know that building the perfect audit department is impossible: they don’t have the budget and couldn’t lure the best talent even if they did. Achieving effectiveness in practice is the more urgent priority.

Instead, agile audit functions spend more time developing capabilities to address whatever risks emerge from the agile risk assessment. That means much more attention to technology, and to building alliances with other parts of the enterprise that do have the talent needed to solve a problem.

Again, compliance functions should love this idea. You’re in the same predicament with budget and staffing challenges. Best-in-class corporate compliance programs will make smart investments in technology that generate and analyze data, while nurturing ties with business functions. This can help you implement practical remediation steps based on your conclusions from that analyzed data.

Best-in-class corporate compliance programs will make smart investments in technology that generate and analyze data, while nurturing ties with business functions.

One example of this concept is a more interactive code of conduct. Configured correctly, that will give the compliance officer more data about what issues are top of mind for employees. Then you can think about what policies need updating, or which subjects need more training.

Likewise, if you automate third-party due diligence and risk management, you generate more data about which parts of due diligence are most troublesome for employees or third parties. Then you can work with business unit leaders in a data-driven way to resolve those workflow choke points. 

3. Assurance Through Visualization, Not Just Documentation 

Third, agile auditing tries to simplify reporting in favor of providing assurance, rather than documentation. I chose this point deliberately, because any time we talk about less documentation, compliance officers can get uneasy. After all, documentation is the stuff we give to regulators in the event of an investigation. Why would a compliance department want less of it? 

GRC Insights: Get Compliance KPIs to Measure Program Performance

Agile auditing isn’t about providing less proof that your risk management program is effective; it’s about providing assurance in better ways: visual reports, driven by data, designed for impact and absorption. Stakeholders could still knock themselves out drilling into underlying data if they want. For example, a Justice Department investigator could still pore over training records, due diligence certifications, or internal control tests. When showing if and how something is being addressed, however, this type of reporting provides a summary that easily communicates: “Yes, this risk is being addressed. Here’s how, and here’s what we need to do next.” 

If you’re using technology shrewdly (principle two) to address the most important risks (principle one), then stakeholders will have more faith in the assurance of that “top page” of the report. You’ll convey more information, more succinctly; and that information will derive from systems that produce data more accurately. 

Those are the principles that deliver more assurance, rather than more documentation. And that, ultimately, is what mature compliance functions need to be able to do. 


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

Individuals Are Ethical – Groups not So Much

What the High Rate of CEO Turnover Teaches Executives About Ethics

The latest PwC CEO Success study found that more CEOs were dismissed in the last calendar year for ethical lapses than for financial performance or conflicts with the board. Explore this research and find out what the high rate of CEO turnover can teach all executives, especially the large majority of ethical leaders.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

The Bright Future of Ethics & Compliance Careers in the 2020s

The long arcs of demographics, technology and business shifts point toward a future where the skills of compliance, audit, and risk management professionals will continue to be very valuable. Let’s consider three implications of a next-generation workforce that is more dependent on technology, interdependence and transparency than ever before. 

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments