Compliance audit and internal auditors
Internal audit should most definitely be involved with a company’s compliance audit efforts since “compliance with applicable laws and regulations” is an integral part of COSO’s definition of internal control.
However, it is important to remember that compliance efforts are management’s responsibility. The role of internal audit is to verify that management meets that responsibility through the risk assessment and audit process. Ultimately, management must own the responsibility around compliance in the applicable locations and areas.
The IIA Standards, which follow the COSO model, acknowledge that regulatory compliance risk is part of internal audit’s role. Compliance with applicable laws and regulations is an integral part of the definition of internal control.
Internal audit’s involvement in a company’s compliance efforts is directly supported by Standard 2100 – Nature of Work, which says the internal audit activity must evaluate and contribute to the improvement of governance, risk management and control processes.
Standard 2120.A1 further notes that internal audit must evaluate risk exposures relating to the organization’s governance, operations and information systems regarding the reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations and contracts.
Internal auditors’ standards provide that internal auditors be significantly involved in an organisation’s compliance audit efforts.