Ed. Note-We welcome back Troy McAlister with another guest post. Troy brings 20 years of experience at both public and private companies, in public accounting and in a variety of industries.  Troy has experience in establishing and managing multiple corporate compliance and internal control programs including working directly with and resolving a DOJ appointed monitor.  Troy lives in the greater Houston area, has his MS and BBA from Texas A&M University and a CCEP certification. 

There is no standard approach when it comes to the scope, size and make-up of a company’s compliance department.  Ask ten different compliance officers their opinions and you will undoubtedly receive ten very different answer with the exception of one thing… attorneys.  The compliance profession is dominated by attorneys and compliance programs often default to hiring individuals from legal backgrounds.  This isn’t necessarily a flawed approach as legal expertise is absolutely critical to executing a compliance program.  However, this mindset presents a missed opportunity for compliance programs to establish multi-faceted, wide-reaching programs that are capable of continually evolving and feeding off of diverse skillsets.   Recent guidance, podcasts and webinars have extolled the need for compliance programs to expand their capabilities in the areas of communications, data analytics, systems and internal controls.  While there are a number of different backgrounds that can fill these needs, I am going to specifically focus on individuals with audit, internal controls and accounting backgrounds and why their skillsets embody the concept of “program” within compliance.

For the purposes of this discussion, we will generally refer to these individuals as accountants, however, I believe experience and strengths related to audit and internal controls to be more important to compliance programs than technical accounting expertise.  Now, before you start thinking “but I have internal audit…” it is important to recognize in most cases that internal audit does not report to compliance, has its own goals and objectives, and may not always be available to perform the tasks and objectives the compliance program needs when they need it.  Not to mention internal audit personnel may not be as well versed in the concepts of compliance as full-time compliance personnel.  Further, under the three lines of defense risk model, internal audit serves as a third line of defense and is thus more detective in nature while compliance is in the second line of defense and serves as both a preventive and detective function.

Now, let’s expand on how the accountant skillset fits within and can enhance the capabilities of a compliance department.

Understanding of Operations and Risk – Accountants (auditors more specifically) must obtain an in-depth understanding of their audit client including risks, systems, processes and personnel.  This is performed with every new client and at the start of every new engagement for repeat clients.  Interviews, site visits, reviews of financial results, variance analysis… these are all tools of the auditor who is looking for new, different, unusual or risky activities that would affect their audit approach.  This is a vital and key component of every compliance program to develop and in-depth understanding of operations and to identify new/changing risks that must be addressed by the compliance program.  The approach to do so closely mirrors those used with audit clients.

Program Design and Assessments – Accountants engaged in a financial statement audits must define, adjust and execute a defined program with each audit.  Similarly, accountants responsible for defining internal controls over financial reporting (i.e. Sarbanes-Oxley) must map those controls to the COSO framework.  These programs and frameworks are the basis for adequate procedures to form an opinion on whether financials statements are properly stated or internal controls are operating effectively. Compliance programs now have a number of frameworks to use as the basis of their program including the FCPA Resource Guide, the DOJ Evaluation of Compliance Programs and even COSO ERM frameworks.  Mapping elements of your compliance program to these frameworks gives weight to any assertion that the compliance program is designed and operating effectively.

Designing and Assessing Internal Controls – Accountants have been living in (or rather inundated by) the world of internal controls since the issuance of Sarbanes-Oxley in 2002.  An interesting study is to compare the Sarbanes-Oxley and compliance program life-cycles to realize just how similar the concepts are.  As such, you could find no better skillset to meet the continued focus by enforcement agencies on the identification, design and effectiveness of internal controls in a compliance program.

Use of Systems and Data Analytics – Accountants are used to the world of big data and making sense of endless lines of transactions and information.  Whether it is closing the books or use of computer aided audit techniques, accountants have been implementing systems and designing reports to present data in understandable and actionable formats since they started their career.  Having this skillset in-house allows a compliance department to identify where systems or data analytics are necessary and properly design and implement them quickly.

Continuous Monitoring and Auditing – Use of independent auditors (internal or external) is absolutely appropriate for certain activities.  However, there is no guidance that states all audits must be performed by groups outside of compliance.  As noted above, audit functions may not always be available if you haven’t coordinated with them far in advance or if their groups aren’t adequately staffed with individuals with proper compliance knowledge.  Having an accountant with audit experience in the compliance department allows for flexibility and spontaneity in audit approach.  Further, accountants could design additional monitoring procedures to be executed on a set or rotating schedule consisting of site visits, interviews, walk-throughs, questionnaires, data analytics or many other approaches.  The results of which could be instantaneously incorporated back into the compliance program’s design and approach and thus satisfy continuous improvement guidance by enforcement agencies.

I often focus on the word “program” in compliance program which embodies a continuous process of assessment, implementation, measurement, evaluation, and adaptation.  The make-up of your compliance department should include a skillset which allows your program to adapt and thrive.  The inclusion of individuals from diverse backgrounds such as accounting will play a key role in achieving that goal.

Key Takeaways:

• Updated guidance by the DOJ and SEC are pushing compliance programs further into the areas of data analytics, systems and internal controls.
• Compliance programs require a diverse skillset to meet these expectations and achieve maximum effectiveness.
• Individuals with accounting, audit and internal control backgrounds could play a significant role in helping your program adapt to changing requirements and evolving business practices.

[View source.]