What to Do When Compliance Is Wrong
I recently met with a group of internal auditors who work for an organization with manufacturing facilities all over the world. Each facility is subject to strict safety regulations. Compliance with those regulations is a major part of the internal audit plan, as it should be.
Corporate offices had established similarly strict policies and standards designed to ensure compliance with the regulations. These facilities, however, produced a variety of products and were subject to different local laws and regulations. The corporate office nonetheless valued consistency, so every location was required to follow the same company standards.
At times, a manufacturing plant would believe that a corporate standard wasn't the right practice for their specific business, in their locality. Internal audit was expected to identify when a plant didn’t adhere to the corporate standards.
I believe internal audit should follow a different standard: the standard of promoting what is best for the business. This isn't to say that we should not identify deviations from corporate policy, but we should not immediately call it a “finding.” First we must find out why management has not followed the corporate guidance.
Maybe there’s a good reason. Maybe they have found a better way to ensure compliance with the laws and regulations that apply to their business. Maybe they believe the corporate policy doesn’t need to be followed because the laws and regulations are different in their area.
Their arguments might be persuasive — but we shouldn’t immediately agree with them either.
Internal Audit as Arbiter
This is a great opportunity for internal audit to add value.
Find out whether other facilities agree that the corporate policy is imperfect. Perhaps management of this facility has talked to them. If several facilities have the same issue with the corporate mandate, it strengthens the notion that it should be changed.
Internal audit should discuss the deviation and the underlying corporate policy with the owners of that policy. In fact, it might be useful to facilitate a discussion between corporate and the local management team (or teams, if several facilities believe change is needed).
Maybe there’s a great reason for the local teams to adhere to the corporate policy, one the local management teams are unaware of.
On the other hand, maybe the corporate policy should be revised.
We won’t know until we have heard from all sides, and ideally not until all sides have talked — and listened — to each other.
One of the problems these conversations may uncover is that the corporate staff are not listening. Maybe they don’t know the business as well as they think, and there are better ways to address the risk of non-compliance.
Maybe new systems and technologies enable a better way to assure compliance, and the corporate policy should be brought up to date.
Internal audit should be careful about second-guessing either local or corporate management on such issues. They are more likely than not to be more knowledgeable — about the laws and regulations and about the business — than audit is.
But where internal audit sees an opportunity to add value, where there are better practices than mandated by corporate policies, it is our responsibility to bring that to the attention of the people best able to make an informed and intelligent decision.
Don't Fall Prey to 'Blind Compliance'
I can recall a couple of situations where the corporate mandate was at least questionable.
In the first, a corporate standard required a separation of two functions (something that auditors love). But the unit my team was auditing was too small to have that separation. We determined that the underlying risk was adequately addressed by other means. I think there was after-the-fact monitoring by management. We worked with the corporate team to grant local management an exception.
In the second, the corporate procurement team had obtained an agreement with a global manufacturing company for the supply of critical components. It established prices for materials used in most of our manufacturing units around the world. However, the procurement team in Malaysia had negotiated a deal with the supplier’s local subsidiary that was far superior. Corporate wanted us to slam the local team for failing to use the global contract. Instead, we suggested that they consider renegotiating the global contract and we considered the local procurement contract a best practice that could be followed by other business units.
It is easy to audit for compliance without thinking about whether the policy or standard is the best practice for the organization, given the risk it is intended to address.
I call that “blind compliance.”
Auditors should think about what they see, listen to all sides when there is a deviation, and seize any opportunity to add value to the business. If we don’t understand why the policy is written the way it is, we should ask, listen and seek to obtain that understanding.
There have been times when my team has asked why the policy is the way it is and management has been surprised. They thought about it, with our help, and changed it.
Policies get out of date, and we have an opportunity to add value by bringing that to management’s attention. Does the policy meet the needs of the business? Let’s not encourage compliance with policies that don’t.
I welcome your thoughts.
About the Author
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.