Compliance Office and Internal Audit Roles and Responsibilities
Key Points:
- Continuing areas of confusion and concern
- Two halves of the same coin with similar but differing roles
- Both perform work independently and free of bias
As healthcare compliance standards have evolved over the years in response to the ever-changing regulatory and enforcement landscape, the role and influence of the Compliance Office have expanded. This expansion has had a major impact on organizations with Internal Auditors, often resulting in internal conflicts and competition between the functions. Some organizations have found ways for these functions to coordinate effectively with one another, often leading to a merging of the two operations. Regardless of how the functions co-exist in an organization, it is essential to find ways to work together and align efforts. While there are similarities, common characteristics, and overlapping responsibilities, there are also distinct differences between the two. Therefore, it is important to begin by defining these respective functions.
Compliance Officers are responsible for the development, implementation, and ongoing management of a compliance program, consistent with the seven standard elements of an effective compliance program. This requires keeping current with the constantly changing legal, regulatory, and business environment. Their responsibilities include promoting a compliance culture by facilitating compliance training; investigating instances of noncompliance with policies and procedures; ensuring all program operations are addressing their compliance high-risk areas; providing assurance that mechanisms are put into place to resolve compliance risks; and communicating the status of the program directly to the CEO and the Board.
Internal Auditors assist their organization by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. They monitor and evaluate the internal control structure and environment for adequacy, efficiency, and effectiveness. Assurance services are performed through financial, operational, and information technology audits, along with other specialized projects and tasks. They must be able to provide independent and objective assurance to management regarding the reliability and integrity of financial and operational functions, ensuring that risks are being managed to an acceptable level, particularly those risks that management has elected to address through internal controls, including compliance risks. To ensure independent and unbiased work, the Institute of Internal Auditors calls for direct reporting to the Audit Committee of the Board.
Internal Audit and the Compliance Office need to be close allies in guarding against regulatory breaches, regulatory and legal violations, poor governance, and overall failure to comply with established rules and standards. Proper coordination of work between these two functions is essential to avoid wasteful pitfalls. Because the two functions have similar roles, the potential for duplication and conflicting approaches to issue areas is always present. If unchecked, the results can include gaps, duplicated efforts, fragmented controls, and weakened overall management of risk. Without defined boundaries, accountability becomes difficult. The following are suggested ways to address these issues:
- The two functions should meet to work out their relative roles, responsibilities, methods of operation, and reporting obligations. Results should be memorialized in a protocol policy document.
- Have executive leadership and the board understand and agree to the results of the protocol.
- Ensure job descriptions of duties and responsibilities are consistent with the protocol policy.