I’ve worked in the IT Audit, Risk and Compliance field for many years and even teach an IT Audit course. One of the things that I see people mix up the most is the difference between Internal Audit and Compliance in an organization. These are two different functions, and each team has different responsibilities.
In this post, I will break down the difference between Internal Audit and Compliance.
The 3 Lines Model (Formerly the 3 Lines of Defense)
Before we talk about the difference between internal audit and compliance, let’s look at the 3 Lines Model from the Institute of Internal Audit (IIA). This used to be referred to as the 3 Lines of Defense but was changed in 2020. The model update helped to change the way people viewed risk management as a defensive role based on the previous title.
According to the Institute of Internal Audit (IIA), the updated model helps “organizations better identify and structure interactions and responsibilities” among those the key players in the model. The updated model outlines the roles of the key players and in my opinion is less prescriptive about the department that need to be involves as previously spelled out in the prior model. I’m going to refer to both models in this post because I think the old model is better at providing examples while the new model tries to be more generic.
The 3 Lines Model from the Institute of Internal Audit shows the different areas responsible for risk management in an organization. Each line is typically a separate function and has a unique role to play in risk management. The first and second lines used to be distinct in the old model but have now been combined under a ‘Management’ role. However, upon reading the description of hot to apply the model as provided by the IIA, the second line is still seen as the oversight function to the first line. That is one of the reasons I’m still using the old model for explanation purposes.
Let’s now review each line in the model.
First Line Role
The first line includes those responsible for managing risk on the front line, which are typically the process owners. The process owners are those that typically perform job functions that require some element of risk management. Their primary responsibility is to own and manage risks associated with day-to-day operational activities. Other roles assumed by the first line include design, operation, and implementation of controls. This means they can design, implement, and operate controls for their processes. As an example, the IT Security team can design password controls, configure the system to match the password controls and ensure that all system configurations stay in line with the controls.
Second Line Role
The second line includes the functions that provide expertise, support, and oversight to the first line. The risk management and compliance functions are typically part of this role and they help with the identification of emerging risks in daily operation of the business. The second line teams do this by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support risk and compliance management. The process owners usually don’t have a full understanding of frameworks, policies, and tools, so the risk management team provides guidance on how they can better manage risks within their operational processes.
So, for example the risk management team can provide guidance on the industry-leading password security policies. The risk management team also monitor the effectiveness of controls implemented by the process owners in alignment with the risk appetite of the organization.
Third Line Role
The third line is the Internal Audit team. This Internal audit team provides objective and independent assurance of the controls implemented in the organization. While their key responsibility is to assess whether the first- and second-line functions are operating effectively, they also report to the governing body of the organization. So, internal audit performs independent tests of the controls and typically reports back to the board and audit committee directly to avoid influence by management. In addition to that, internal audit also provides assurance to regulators (for example, federal regulators) and external auditors that the controls across the organization is effective in their design and operation.
So now that you see what the 3 lines model is, it will be easier to explain the difference between internal audit and compliance.
Responsibilities of the Audit Function
The internal audit team is responsible for independent testing to determine if audit objectives have been met. The audit function evaluates how effectively the organization has met their internal control requirements. This includes reviewing of policies and procedures as well as controls testing to conclude on effectiveness of controls. So, you can say that the audit function provides assurance around the organization meeting audit and control objectives.
The scope of internal audit can be broad to cover internal controls over financial reporting, fraud investigation, and compliance with other laws and regulations.
Responsibilities of the Compliance Function
The compliance function is responsible for monitoring whether the organization is complying with regulatory laws and standards and organizations policies. The main objective of the compliance function is to monitor and ensure that the organization is adhering to applicable laws, regulations, third-party contracts, and internal policies.
While the compliance team will also perform compliance reviews, the goal of those reviews is not based on audit objectives. You will find that most compliance reviews may not go as deep as the audit testing does.
The relationship between internal audit and compliance
The line between internal audit and compliance may seem blurred at times but they are quite distinct functions. Let me explain the difference between internal audit and compliance with an example.
An example of a compliance review might be checking if organization systems comply with company security policies. This might be done by having the system security teams complete security questionnaires. These questionnaires are typically designed for the teams to provide responses regarding the compliance of their systems and demonstrate at a high level how they achieve compliance.
An audit around the same process would include a full examination of the system to determine if security parameters are set according to company policy. The goal of the audit is to independently determine if the systems are secured because they should not just based on what the security teams say. So, in this case, after the security teams answer questions around how they achieve compliance, the auditors confirm that compliance was actually achieved. One saying in audit is usually, trust but verify.
Hope this example helps to show the difference between internal audit and compliance roles.
From a career perspective, the great thing is that you can move between those functions pretty seamlessly, especially if you have an audit background. Once you have a good knowledge on how to perform IT Audits, you can work very comfortably in compliance roles. You can also make the move from compliance to audit quite easily after getting some additional knowledge on how to perform audit testing.
If you want courses that teaches about IT Audits using a practical, hands-on approach, then check out these courses that I offer on my course site.
- IT Audit Fundamentals: Introduction to IT Audit, Controls and Controls Testing: A foundational course that teaches the basics of IT Audits and Controls with 10 practical learning activities, quizzes, and assignments.
- IT Audit Fundamentals Comprehensive Program: A practical, comprehensive, hands-on training program that teaches you how to perform IT Audits like an experienced professional.
There you have it. The difference between audit and compliance? Did this post help you clarify the difference between those two functions? Which of the areas would you be interested in working in?
You can also check out these other related posts.