Many in-house lawyers and chief compliance officers over the past 10 years have found themselves, at one time or another, struggling to find common ground with their colleagues in internal audit. Developments such as the passage of the Sarbanes-Oxley Act, the 2008 Department of Justice memorandum on bringing criminal charges against corporations, known as the “Filip Memo,” and the release of the DOJ and Securities and Exchange Commission's guidance regarding the Foreign Corrupt Practices Act have triggered an expansion of the internal audit and legal and compliance functions. Unfortunately, this has created confusion as to those functions' respective roles, and, in some cases, led to nonproductive turf wars.

The audit and compliance functions have similar goals, namely, managing risks and ensuring adherence to company policies and procedures and legal and regulatory requirements. However, while internal audit's role is to objectively test a company's internal controls and examine its processes, the legal and compliance function is more qualitative, focusing on risk assessments, program design, training and the actual implementation of policies and procedures. The aim of the two functions is similar, but their approaches differ, which can occasionally cause compliance and internal audit to clash. By harnessing the objective analytic skill of internal auditors and combining it with the legal and compliance team perspectives, a corporation can more effectively manage its risks.

Evolution of Internal Audit and Legal and Compliance

A decade of corporate crime and the passage of Sarbanes-Oxley fundamentally increased the importance and stature of a company's internal auditors, as well as its chief compliance officer and general counsel. Although Sarbanes-Oxley does not specifically address the duties of internal auditors, its enhanced reporting requirements and the increased risk of penalties associated with noncompliance with the law have led to a larger role for internal auditors and, more importantly, a direct line of communication with the audit committee. Additionally, the accounting fraud cases of the 2000s involving WorldCom and Enron demonstrated the importance of strong internal accounting controls. These developments changed the scope and visibility of the internal audit function. At WorldCom, the internal auditors were reported to have been auditing coffee packets and filters with an eye toward employee theft. In contrast, today, most internal audit functions are key players in managing a company's risks.

Recent developments have also resulted in higher stakes and increased responsibility for legal and compliance officers. As with the passage of Sarbanes-Oxley, a changing regulatory environment has rapidly changed the roles and responsibilities of general counsel and chief compliance officers. Since 2004, the DOJ has issued guidance on corporate prosecutions, and the DOJ and SEC collectively issued the FCPA resource guide with a section dedicated to the hallmarks of an effective compliance program. These changes are capped off by the DOJ's decision not to pursue Morgan Stanley on FCPA charges based on the company's effective ethics and compliance program. In the wake of the Morgan Stanley case, what general counsel, or for that matter audit committee, wants to oversee the less-than-effective compliance program that leads to corporate charges or wrongdoing?

Potential Conflict Between Auditors and In-House Counsel

While the renewed focus on internal compliance by both in-house auditors and lawyers has, in some ways, been extremely beneficial to improving corporate risk management, a byproduct of the expanded scope of these functions is that they can come into conflict, with potentially disastrous results. Traditionally, the internal auditors, chief compliance officers and in-house counsel come into contact when the internal auditors uncover a potential legal or regulatory issue while conducting a routine audit. This could range from a violation of company compliance policies regarding travel or nonretaliation, to a failure of internal accounting controls, to a potential FCPA violation. The general counsel is then charged with investigating the issue and recommending remediation steps to management and the board of directors.