- Introduction
The overall governance structure of an organisation practising good corporate governance includes at least an internal audit function, a risk management function and a compliance function. In our opinion, the starting point for setting a corporate governance culture in an organisation is an overall Enterprise Risk Management (ERM) framework. Such a framework facilitates the determination of the risk appetite and risk tolerance of the organisation. Where ERM is practised, the compliance risk framework should be a sub-framework of the ERM framework. One of the key elements of the relationship between ERM and internal audit is that the ERM process assists with focusing both internal and external audits’ efforts on high-risk areas. This article focuses on internal audit and not external audit.
The size of an organisation, and the industry within which it operates, influence the need for a compliance function as well as an internal audit function. Different industries have different needs for the compliance and internal audit functions. Current indications are that all industries are becoming increasingly regulated. For instance, banks, insurers and retailers have different requirements and legislation to comply with, with compliance requirements in retailers lagging those in the banking and insurance industries. In banks and insurers, the monitoring of compliance with specific legislative requirements, in all areas of the organisation, is done by the compliance teams. In organisations where compliance is still in its fledgling state, monitoring is often delegated to internal audit. International best practice is that monitoring should be performed by the compliance function and not by internal audit. One of the reasons is that compliance is better positioned to monitor on a continuous basis, whereas internal audit will only be able to monitor compliance on an annual or bi-annual basis. In some instances there are either legislative1 or industry requirements that prescribe that internal audit must be functionally separate from compliance. It is therefore imperative that a compliance function operates effectively and is properly co-ordinated with an equally effective internal audit function.
The purpose of this article is to define the different roles and responsibilities of internal audit and compliance within an ERM framework in South Africa.
- Compliance Mandate
Depending on the industry within which a company operates, a compliance mandate is either a legislative requirement or a corporate governance imperative2. For instance, in the financial services industry in South Africa, the following regulatory requirements govern the compliance function:
- Section 17 of the Financial Advisory and Intermediary Services Act3 requires that a financial services provider appoint a Compliance Officer to monitor compliance with the Act.
- Rule 15.5 of the Policyholder Protection Rules in terms of the Long Term Insurance Act4 requires that insurers and intermediaries provide for monitoring systems to measure compliance with these Rules.
- Section 43 of the Financial Intelligence Centre Act5 requires that an accountable institution appoint a person with the responsibility to ensure compliance by the employees and the accountable institution with their obligations in terms of the Act.
- Regulation 47 of the Banks Act6 requires that the Compliance Officer:
  - establish a line of communication to line management, in order to monitor compliance with regulatory requirements, and
  - require members of line management to monitor compliance with regulatory requirements as part of their normal operational duties.
It is one thing to have a legislative framework forcing an institution to have a compliance function, but it is another matter to ensure board and management buy-in and co-operation between the various governance functions. There are two broad approaches here: either a top-down approach, with the board and senior management buying into the compliance and internal audit processes and putting their weight and support behind these functions, or a bottom-up approach7, where staff and junior management buy-in is obtained prior to approaching the board and senior management for support. It is advisable to use a combination of both these approaches to ensure support for these governance functions at all levels of the organisation. This is achieved through active lobbying and road-shows to the staff and junior management, as well as board and senior management approval of a compliance risk management framework.
- Compliance Framework
A compliance framework is essentially a compliance strategy for the organisation. After obtaining the buy-in of the organisation, it is important to ensure that the compliance framework is documented and formally approved by the board or relevant committees. Based on King II and current Companies Act8 requirements, it is advisable to table the framework at a Compliance Risk Committee (or equivalent), thereafter at the Risk Committee and the Audit Committee, and finally at the Board of Directors for final approval.
It will not be sufficient simply to table the framework at a Compliance Risk Committee, because that does not ensure buy-in and commitment at the highest levels of the organisation.
Once this framework is adopted and implemented, it needs to be reviewed annually, because of the changing South African legal landscape.
The US Securities and Exchange Commission has already made it a statutory requirement for Registered Investment Advisory firms to have a compliance process, which includes the appointment of a Chief Compliance Officer, a comprehensive compliance manual and an aggressive testing policy to ensure that all compliance-related systems are working effectively.9
The Chief Compliance Officer should be central to the Compliance Framework. Even in a decentralised model, the head of compliance should be able to take the lead, give guidance and input into the appointment, performance reviews and monetary rewards of all the compliance officers. The head of compliance should at least be able to set minimum qualification and experience levels applicable to compliance officers.
- Compliance manual and guidelines
If a compliance framework is the compliance strategy document for the compliance function, then it follows that there should be an operational plan to support this. This operational plan is in the form of a compliance manual and guidelines.
A documented compliance manual should include best practice guidelines and template examples, so that new compliance officers can walk into an organisation, follow the guide and know exactly what to do on a day-to-day basis.
This needs to be a user-friendly, plain language document that covers at least the following:
- Risk identification process
- Compliance risk management plan development and implementation
- Monitoring plan and methods of monitoring
- Reporting on non-compliance, i.e. forums and templates and reporting lines
- Escalation of non-compliance issues
- Special projects
This document should be easily accessible and be updated at least annually to ensure it stays aligned with international best practice.
- Traditional Compliance Model
The traditional compliance process10 starts with the identification of compliance risk in the business, developing and implementing a compliance risk management plan, monitoring the implementation of the plan and reporting thereon.
The monitoring process should be as comprehensive as possible. This process should make use of various methods, depending on the business needs and the inherent risk of that process. Monitoring tools could be sign-off reviews, adequacy reviews, mystery shopping or re-performance.
The traditional compliance model was updated in 2007 and now also makes reference to training.11
Training should include staff and compliance officers. Compliance officers should be trained on how to be a compliance officer and also on the legislation itself. Training should be ongoing to ensure that staff are familiar with the latest regulatory requirements, and for compliance officers to ensure that they are familiar with the latest compliance trends. The training could take various forms. It could be face-to-face training, accredited by the various sectoral training authorities12, or simply workshops with awareness training. It could be web-enabled or a manual process. For training programmes to be successful, it is important to make them compulsory, with incentives and penalties built into the process. For instance, to ensure that compliance officers stay abreast of regulatory changes, it could be made compulsory to attend a bi-monthly update workshop. Attendance (or non-attendance) is then one of the factors in the performance management process.
- Foundation Approach to Compliance
The authors of this article have identified that there is one area missing in the traditional compliance model. A successful compliance function is built on relationships. These relationships are in the form of senior management, board and staff buy-in, relationships with industry bodies, the regulators and other governance functions such as internal audit.
The function of the head of compliance should be to oversee this end-to-end process and address compliance issues at a strategic level. This function should include the authority to oversee the activities of the various business units within the organisation from a compliance perspective.
At the different levels in an organisation, compliance officers should be appointed to provide guidance to the business unit for which they are responsible in terms of the legislation with which they need to comply. The compliance officers should also make sure monitoring takes place and that their areas are adequately staffed to undertake guidance and monitoring activities.
Monthly compliance risk committee meetings need to be in place as part of the ERM framework and to provide a platform for compliance officers of the different business units to discuss and advise business of the compliance risks facing the business unit, updates on action taken and current status. These risks should be logged on the risk register and monitored as part of ERM.
- Victimisation and job security
The compliance function should be independent, which boils down to issues such as reporting lines and overviews done at various levels in the organisation, and whether or not spot checks are done.
The compliance officer should have the authority to inform his business unit head that a non-compliance issue needs to be reported as soon as it is discovered, because an independent process will pick up the issue in the due course of business. It is better to report and address non-compliance without undue delay, rather than wait for it to be detected and then have to answer uncomfortable questions on the matter. This aspect links back to the customer relationship between the compliance officer and management. The better this relationship is, the easier it is to address non-compliance matters speedily.
The compliance function should be structured in such a manner that whistle-blowing is effective. There should be job-security for the compliance officers to move both vertically and horizontally in the organisation without fear of victimisation and the risk of being exposed as a whistle-blower.
Compliance officers mostly report to line management or to the CFO. If the compliance officer reports to line management, it should preferably be to the head of the business unit, to ensure that the compliance officer is perceived as senior by the business, which will assist in creating the right compliance environment. Independence may be compromised if the compliance officer reports to a line manager. If the compliance officer reports to the CFO, independence is assured; however, business might not engage with the compliance officer and involve him in the business. To ensure total independence, the compliance officer should also report to the audit or risk committee.13
There is a perception amongst compliance officers that it is better not to report non-compliance, but rather to assist management in rectifying the non-compliance prior to it being detected by someone other than the compliance officer. The reason for this behaviour is that management may victimise compliance officers and hold back on salary increases and promotions. This is not conducive to a well-functioning, reliable compliance function.14
- Relationship with Internal Audit
According to Newton15, internal audit should focus on financial risks in the enterprise-wide risk management framework and it may focus on both financial and operational audits. Compliance should assess the regulatory risks highlighted in the enterprise-wide risk management framework and then document factors that aggravate the risk (such as business volumes), then set policy and monitor implementation thereof. In our view, this thinking could be outdated because the internal audit function should also focus on corporate governance in its testing. One aspect of corporate governance is to establish whether the compliance function is functioning efficiently and effectively. Internal audit should focus on all high-risk areas in its testing, including compliance, and should not be restricted.
The recommended practical relationship between internal audit and compliance can be described as follows:
- Internal audit should be performing periodic audits on the compliance function and adherence to the compliance framework, an end-to-end compliance process, and applicable legislation.
- Internal audit provides feedback in an audit report of non-compliance with specific legislation, action plans and target dates to correct this.
- The results of these audits are communicated to management, the risk committee and the audit committee.
- Where a non-compliance issue is of significant concern, this is escalated to the appropriate board committee.
- Actions to resolve identified audit issues should be reported at the risk committee as part of the ERM framework, until the issue is resolved.
Internal audit cannot perform compliance monitoring. It is only positioned to provide assurance on the compliance process for a specified period. Compliance monitoring can only be effective if the implementation thereof is continuous. In an ideal world, internal audit should review the compliance function annually and provide an opinion on whether or not the compliance function is functioning properly.
- Compliance audits
- Compliance process and compliance officers
There are different tiers of audits:
- Tier 1 – pure compliance, i.e. does the compliance function have a mandate, framework and documented processes.
- Tier 2 – looks at specific legislation and expresses an opinion as to whether the compliance monitoring and subsequent reporting is accurate.
- Tier 3 – addresses operational compliance to ensure that the compliance function works closely with the operational side of the business.
In terms of section 404 of the Sarbanes-Oxley Act16, it is necessary to include an internal control report in the annual financial statements. It does not specify whether this is in the form of risk, internal audit or compliance monitoring reports.17
- Auditing compliance itself
It is important to audit the compliance function to ensure that it is functioning effectively. If the compliance process is shown to be efficient, then it could sway the regulator to reduce fines that are incurred when non-compliance does occur.18
- Compliance monitoring versus internal audit
As discussed above, compliance monitoring is a continuous process, which ensures that business is conducted in compliance with the applicable regulatory requirements. Internal audit’s role is to ensure that the compliance process itself is functioning effectively.
In some industries, compliance officers are forced to have a 12-month monitoring cycle. This is in line with international best practice for auditors, who audit high-risk areas every 12 months. It might be necessary to monitor specific processes more regularly than annually. There may be a business need to ensure continuous compliance, due to significant compliance events or regulatory changes.19
- Company processes and procedures as they relate to compliance
The Compliance Institute of South Africa advocates that compliance should be auditing business processes and procedures. Internal audit is already auditing these processes and procedures, therefore it should not be necessary for compliance to duplicate the efforts of internal audit. These tests should only be performed by compliance in so far as continuous monitoring is necessary and an annual review is not adequate. An example would be suspicious transaction monitoring in an anti-money laundering control environment.20
- Legislation
Once an end-to-end compliance process has been implemented, the process starts afresh. In the South African context legislative changes occur regularly and it is important to keep the compliance officers updated and the content of the compliance process relevant.
The compliance team has a choice to outsource this function or to do it itself at a central point. Very often the budget of the compliance department determines which choice is exercised.
The role of internal audit would be to audit whether these processes are functioning effectively.
- Conclusion
Legislation governing different industries dictates the size and role of the compliance function within an organisation. Both the compliance and internal audit functions fit within the larger risk management framework in an organisation. The relationship between compliance and internal auditing depends on the maturity of the functions in the organisation. Where the size of the organisation is sufficient, monitoring is performed by a compliance function. Best practice is for internal audit to perform a yearly review of the compliance function’s activities, and to provide assurance to the board and audit committee on the effective operation thereof.
References:
1 Financial Advisory and Intermediary Services Act 37 of 2002
2 King, M.E. (2002) King Report on Corporate Governance for South Africa Institute of Directors: 73-81.
3 Financial Advisory and Intermediary Services Act 37 of 2002
4 Long Term Insurance Act 52 of 1998
5 Financial Intelligence Centre Act 38 of 2001
6 Banks Act 94 of 1990
7 Jameson, S.E. (2006). The CAE’s many hats. Internal Auditor, August: 35-37.
8 Companies Act 61 of 1973
9 Kelvin, J.B. (2006) Chief Compliance Officers of the RIA Firms Must Test Compliance Systems. Journal of Financial Service Professionals, March: 37
10 Various Authors (2007) Generally Accepted Compliance Practice: Generally Accepted Compliance Framework The Compliance Institute of South Africa: 28-32
11 Various Authors (2007) Generally Accepted Compliance Practice: Generally Accepted Compliance Framework The Compliance Institute of South Africa: 28-32
12 Skills Development Act 97 of 1998
13 Anonymous (2006) Audit: Internal audit needs to “tip the balance” back from Sarbanes Oxley compliance The Corporate Board January/February: 28
14 Standard Bank case
15 Newton, A. (2002) The Handbook of Compliance: Making Ethics Work in Financial Services Mind Into Matter: 79
16 Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745)
17 Perrin, S. (Undated) Compliance – Here we go again. Insight, no page number.
18 Schwartz, E. (2006) Hotlines for Compliance InfoWorld: Reality Check June: 8
19 Kelvin, J.B. (2006) Chief Compliance Officers of the RIA Firms Must Test Compliance Systems. Journal of Financial Service Professionals, March: 37
20 Financial Intelligence Centre Act 38 of 2001
Janet Terblanché LLM, is an Admitted Attorney and Notary and the head of Compliance at the Momentum Group Ltd. Reinette van der Merwe CA(SA), Mcom, is the head of Strategy and Innovation at Absa Private Bank. Celeste Schlebusch BProc LLB, is head of Corporate Governance Audit at the FirstRand Group Internal Audit.