Audit is not the function that fulfills obligations. It’s the function that verifies you are keeping your commitments associated with them.
What delivers on obligations is an Operational Compliance Program.
Here's a breakdown of the different functions:
Audit: An audit is an independent review process that verifies if an organization is following the rules and procedures it has set for itself. It's like a financial examiner looking at a company's books to make sure everything adds up. An audit can identify areas where controls are weak or where procedures aren't being followed. However, it seldom validates effectiveness with respect to achieving goals, performance targets, or compliance outcomes.
Operational Compliance Program: This is the program that actually ensures an organization meets its obligations. It's a set of policies, systems, processes, procedures, and training that helps an organization understand and follow the rules, conform to standard practices, achieve performance targets, and advance compliance outcomes. An effective compliance program will have things like a code of conduct, clear guidelines for different activities, and regular monitoring to identify and address any issues. It will also have continuous improvement processes to improve its effectiveness over time.
Imagine you promised a friend you'd help them move (your obligation). An audit would be like calling them afterwards to see if they actually moved (verification). But the real key to fulfilling your obligation is keeping your promise to show up on moving day and helping them lift boxes (compliance program).
That is the purpose of an operational compliance program. It is the proactive function that helps you meet your commitments, while an audit is the reactive assessment that verifies if you're doing what you said you would.
Compliance Effectiveness
The heart of an effective compliance program is integrity - closing the gap between what we promised and our actions. Integrity is a measure of compliance performance and a leading indicator of effectiveness:
Compliance Integrity = Number of Promises Kept / Number of Promises Made
If you want to know how well compliance is working, measure how well an organization keeps its promises and commitments.
However, the final word on whether or not obligations are satisfied will always be the authority that created the obligation. For external obligations this may be a regulatory agency, court judgments, or legislature. When it comes to internal or voluntary obligations this will be corporate or organizational governance.
Auditing of voluntary obligations can be, and often is, misunderstood. For example, if you adopt an ISO standard for quality, the certification you receive is based on a conformance audit against that standard. While the standard is voluntary, adopting it creates an obligation to maintain the practice or risk losing your certification.
What's important to realize is that certification audits do not validate whether you have met your internal obligations associated with goals, performance targets, or quality outcomes. These obligations are defined by the organization acting in the role of internal regulator, and it is these obligations that internal audit should be evaluating.
In many cases internal audit is only concerned with external or legal obligations. The interesting thing is that there are just as many internal obligations as there are external ones. Organizations may report on these but seldom have the programs to advance or make progress towards the promised outcomes. ESG and Sustainability obligations fit into this category, although others exist across every compliance domain.
What Does this Mean for Compliance?
Audit plays an important role in verifying organizational practices but is not the function that delivers on internal or external obligations.
The function that is responsible is an Operational Compliance Program which works with the business to make and keep promises with respect to satisfying obligations. While it doesn’t own the obligations it provides the expertise and capabilities to equip the business to always stay between the lines and ahead of risk.
Failure to deliver on obligations is not a failure of audit but rather a failure of your compliance program. An effective compliance program will always let you know in real-time if you are keeping your promises with respect to both internal and external obligations. This helps organizations make course corrections while there is still time to do something about it – something that audit cannot provide.