Management, the board and the senior officers need assurance and assessment that several types of risk—operational, compliance, financial, reputational, IT security, fraud and strategic—are identified, monitored and managed at the company by the first line of defence. A framework identifies who is accountable and which risks fall within the territory of the other lines of defence, such as internal audit or the compliance officers.
A generic corporate governance framework, or a specific GRC element or subject, is the first step towards assurance, management and the handling of multiple compliance concerns. The resulting standards can then be used by internal audit, risk managers, IT security or any other related GRC function to establish:
- Whether everything is functioning normally.
- How to address issues and areas that are not functioning normally.
- Work effectively with the primary focus on fulfilling corporate organisational
Three lines of defence
After addressing the above issues, the framework can include additional dimensions. These dimensions turn the governance framework into an internal control framework by adding one or more of the following, depending on the organisation's weaknesses: risk assessment, the control environment, monitoring of the control activities, and communication.
The compliance framework then contains the components of corporate risk and control, including the well-known three lines of defence structure: the CEO in the second line, above compliance, legal, HR and the rest; the board in the third line, above internal audit.
The results and performance of the framework can then provide the structure and basis for valuable horizontal conversations about governance, risk and compliance with other parts of the organisation. Likewise, questions and the need for decisions can flow vertically between middle management, executives and the board of directors.
If compliance disclosures are complicated, try reporting non-compliance
In multiple surveys, between 70 and 75% of respondents said that the chief compliance officer reports compliance violations to the board and top management, reports on the status of various compliance issues as they are resolved, and reports on emerging compliance risks. However, reporting on regulatory fines and penalties, reporting on compliance performance metrics and conducting an annual enterprise-wide compliance risk assessment fall in the low 60% range. These issues and concerns must then be included in the framework.
Compliance activities are not easy, and most compliance officers find it challenging to report and disclose issues and concerns to top management. The framework must also address the role of audit executives on routine compliance matters and what must be brought to the attention of the audit committee, which primarily reviews the annual enterprise risk assessment and the organisation's most significant risks.
Relation between compliance officers and the audit team
Therefore the framework must identify and elaborate on the difference between compliance and audit responsibilities. Compliance officers supervise and monitor the risks in motion, including ethics training, internal investigations and the evaluation of emerging risks. The internal audit role and responsibilities, by contrast, must be planned systematically and carried out at set intervals.
The above arrangement provides the platform for compliance officers and internal audit to discuss and compare the top risks regularly. Internal audit can also help compliance officers determine how well a compliance programme works. Both can then report their findings to senior leaders with one voice and give a unified opinion on risk assurance.