Tag: internal audit

Categories
AI Today in 5

AI Today in 5: January 15, 2026, The AI for IA Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI for internal audit. (DataSnipper)
  2. The CISO’s guide to cyber AI. (Darktrace)
  3. Building the business case for legal-driven AI. (Harvey)
  4. The human-in-the-loop for financial crime risk assessments. (FinTechGlobal)
  5. Warren Buffett compares AI risk to the risk of nuclear war. (Yahoo!Finance)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Innovation in Compliance

Innovation in Compliance: Navigating Cybersecurity Compliance: From Physical Audits to AI Frameworks with Lori Crooks

Innovation is present in many areas, and compliance professionals must not only be prepared for it but also actively embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode,  host Tom Fox visits with Lori Crooks, a seasoned professional in the field of cybersecurity and audit assessments, to discuss the evolution of auditing practices from physical infrastructure to cloud and AI.

Lori shares insights from her extensive career, highlighting key federal compliance frameworks like NIST 800-53, FedRAMP, and NIST 800-171. Lori stresses the importance of proactive compliance strategies and scalable GRC programs. As AI integration accelerates, she also addresses the challenges of adapting compliance frameworks to keep pace with technological advancements and the need to foster collaboration within organizations to effectively meet regulatory requirements.

Key highlights:

  • Federal Auditing Frameworks
  • Proactive Compliance Strategies
  • Scalable GRC Programs
  • AI and Compliance Landscape
  • Future of Auditing in the Age of AI

Resources:

Lori Crooks on LinkedIn

Cadra

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Check out my latest book, Upping Your Game-How Compliance and Risk Management Move to 2023 and Beyond, available from Amazon.com.

Innovation in Compliance was recently honored as the number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
Everything Compliance

Everything Compliance: Episode 154, The Law Firms in Trouble Edition

Welcome to this edition of the award-winning Everything Compliance. In this episode, the quartet of Matt Kelly, Jonathan Marks, Karen Moore, and Karen Woody is hosted by Tom Fox, the Compliance Evangelist.

  1. Karen Moore reviews changes to the UK Modern Slavery Act. She shouts out to her nephew, who graduates from Georgetown Law School this week, and to the NFL superfan for allegedly causing Shedeur Sanders to drop to the 5th round before being drafted in the recent NFL Draft.
  2. Matt Kelly, the Matt Galeotti speech updates the DOJ Corporate Enforcement Policy for white-collar actions. He rants about the GOP’s attempt to ban states from regulating AI.
  3. Jonathan Marks considers the role of internal audit in tariff compliance and why tariffs should be considered a strategic risk. He rants about MLB caving to President Trump and allowing those who bet on baseball back into the fold.
  4. Karen Woody considers the impact, fallout, and congressional investigations of the law firm’s dealings with President Trump. She shouts out to the Washington & Lee Law School graduating class 2025.
  5. Tom Fox shouts out to the Disney TV series Andor.

The members of Everything Compliance are:

Tom Fox, the Voice of Compliance, is the host, producer, and sometimes panelist of Everything Compliance. He can be reached at tfox@tfoxlaw.com. The award-winning Everything Compliance is part of the Compliance Podcast Network.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Settlement of OCC Charges for Wells Fargo Internal Auditors

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly take a deep dive into the settlement of charges by the OCC with two former top audit executives at Wells Fargo for their oversight failures during the bank’s fake accounts scandal.

The Wells Fargo banking scandal is a cautionary tale of unchecked corporate misconduct and the critical role of auditor accountability. This scandal, which erupted due to Wells Fargo’s creation of fake accounts driven by unrealistic sales targets, exposed the bank’s dysfunctional corporate culture and raised questions about the efficacy of internal audits and the broader implications of regulatory actions. They discuss the scandal as emblematic of the broader issues stemming from repealing the Glass-Steagall Act, which blurs the lines between investment and consumer banking, fostering an environment where misconduct could thrive. Kelly points to the enormity of banks’ post-Glass-Steagall repeal as a breeding ground for potential misconduct and highlights the negligence of Wells Fargo’s leadership in failing to curb unethical practices. Both Fox and Kelly underscore the necessity for a comprehensive reevaluation of compliance and audit roles to prevent future scandals of this magnitude.

 

Key highlights:

  • Settlement of OCC Charges in Wells Fargo
  • Impact of Regulatory Actions on Auditors
  • Unethical Sales Goals Impacting Corporate Culture
  • Glass Steagall Act Repeal: Wells Fargo Impact

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – The Role of Internal Audit in Export Controls

Welcome to the award-winning FCPA Compliance Report, the longest-running compliance podcast. In this episode, Tom welcomes Jonathan Marks, who discusses the role of internal audit in export control compliance.

Jonathan starts by defining export controls and their significance: regulations governing the export, re-export, and transfer of goods, technology, and services across borders to protect national security and enforce foreign policy. As a Compliance Profession, you should recognize the severe impacts of operational disruptions, supply chain issues, and national security risks resulting from non-compliance, emphasizing the need for comprehensive compliance frameworks. Internal audit responsibilities are expanded, stressing the necessity of robust policies, clear responsibilities, consistent employee training, and thorough risk assessments.

Jonathan discusses practical internal audit strategies, including evaluating high-risk transactions, identifying compliance gaps, and regularly monitoring and testing compliance controls through transaction testing, data analytics, third-party due diligence, and incident response mechanisms. Jonathan underscores the importance of collaboration between internal audit, legal, compliance, and supply chain teams to ensure an integrated and proactive compliance approach, thereby mitigating risks and strengthening corporate governance.

Key highlights:

  • Understanding Export Controls and Compliance
  • Role of Internal Audit in Export Controls
  • Key Areas for Internal Audit Focus
  • Testing and Monitoring Controls

Resources:

Jonathan Marks on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Categories
Blog

The Critical Role of Internal Audit in Export Controls Compliance

Export control compliance is a high-stakes area that many companies overlook until it is too late. With regulatory frameworks such as the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the Office of Foreign Assets Control (OFAC) sanctions programs, businesses must be vigilant. Internal audits have a key role in ensuring compliance and mitigating the significant risks of violations, ranging from hefty fines and reputational damage to potential debarment from government contracts.

Understanding Export Controls Compliance

Export controls govern the export, re-export, and transfer of goods, technology, and services across borders. They aim to protect national security, enforce foreign policy objectives, and prevent sensitive materials from reaching unauthorized parties.

Key U.S. Export Control Regulations

Several major regulatory frameworks govern export controls in the U.S.:

  • Export Administration Regulations (EAR) – Overseen by the Bureau of Industry and Security (BIS), the EAR covers dual-use goods items with both civilian and military applications.
  • International Traffic in Arms Regulations (ITAR) – Managed by the State Department, ITAR regulates defense-related exports.
  • Office of Foreign Assets Control (OFAC) – OFAC administers sanctions programs that restrict trade with specific countries, entities, and individuals.

Violating these regulations can cause severe legal, financial, and reputational consequences, including multi-billion-dollar penalties and exclusion from government contracting.

The Risks of Noncompliance

Export control noncompliance carries significant risks:

  • Legal and Financial Risks – Companies can face substantial fines, criminal charges, and debarment from government contracts. For some organizations, debarment can be a financial death sentence.
  • Reputational Risk – Failing to comply can lead to reputational damage, including negative press, loss of customer trust, and shareholder worries.
  • Operational Disruptions – Supply chain disruptions and market access restrictions can cripple a business, especially in industries such as aerospace, defense, and technology.
  • National Security Risks – The inadvertent transfer of technology with military applications to unauthorized parties can have serious geopolitical ramifications.
  • Cybersecurity Threats – Controlled data can be exploited to compromise national security if exposed to foreign adversaries.

Internal Audit’s Role in Export Controls Compliance

Given these risks, internal audits must proactively ensure robust compliance frameworks are in place. This includes:

1. Evaluating Compliance Frameworks

A strong compliance framework begins with clearly defined policies and procedures that align with export control regulations. Internal audits should assess whether these guidelines are well-documented, communicated, and consistently enforced across the organization. A key component of compliance is designated ownership, and organizations must assign clear responsibilities for managing export controls and ensuring accountability at every level. Without clear ownership, compliance efforts can become fragmented and ineffective. Additionally, internal audits should evaluate the effectiveness of training programs designed for employees who handle controlled items and data. Training should be comprehensive, regularly updated, and tailored to different roles within the company. Employees must understand their responsibilities, potential red flags, and the legal implications of noncompliance. An ongoing training program strengthens the organization’s culture of compliance and minimizes the risk of accidental violations.

2. Conducting Risk Assessments and Monitoring

Internal audit plays a critical role in identifying and mitigating risks associated with export controls. Auditors should conduct risk assessments to pinpoint high-risk transactions, products, and business units susceptible to violations. These assessments help organizations allocate resources effectively and focus on areas of greatest concern. Compliance gaps can expose organizations to significant risks, making it essential for auditors to assess whether existing controls are sufficient or improvements are needed. In addition, internal audits should monitor red flags that may show potential compliance breaches. Common red flags include shipments to embargoed countries, unusual customer requests related to product specifications or destinations, and sudden changes in routing or documentation. Proactive monitoring allows organizations to detect and address potential violations before they escalate into larger compliance issues.

3. Auditing and Testing Export Controls

Regular audits and testing of export controls are necessary to ensure regulatory compliance. Transaction testing is a fundamental internal audit practice verifying whether export licensing and classification rules are correctly followed. This process helps identify inconsistencies or errors that could lead to compliance failures. Another essential tool is data analytics, which can uncover anomalies in export transactions. Analyzing patterns, trends, and deviations allows auditors to flag suspicious activity and investigate further. However, data analytics is only effective if the organization understands the key risk indicators and integrates them into monitoring systems. Third-party due diligence is crucial in assessing compliance risks within supplier and distributor relationships. Auditors should evaluate whether third-party partners adhere to export regulations and implement adequate controls to prevent illicit activities. Failure to conduct due diligence can expose companies to liability for the actions of their business partners.

4. Strengthening Incident Response and Investigations

A strong incident response mechanism is a cornerstone of an effective export controls compliance program. Internal audits should evaluate whether the company has robust reporting mechanisms encouraging employees to report potential violations. A well-structured reporting system, such as an anonymous hotline, can help organizations detect issues early and address them promptly. Investigations must be handled efficiently, with a structured approach for triaging allegations and determining their severity. Internal audits should assess whether the organization follows best practices in conducting investigations and whether findings are documented appropriately. Corrective actions are another critical component—compliance gaps identified during investigations must be addressed promptly to prevent recurrence. Internal audits should ensure that corrective actions are implemented effectively and lead to lasting improvements in compliance practices.

5. Collaborating with Legal, Compliance, and Supply Chain Teams

Export compliance is a cross-functional responsibility, requiring collaboration between internal audit, legal, compliance, and supply chain teams. Internal audit should work closely with these departments to develop an integrated approach to managing export risks. Strong partnerships improve transparency and facilitate open communication, essential for identifying and addressing compliance challenges. Legal and compliance teams provide expertise on regulatory requirements, while supply chain teams play a crucial role in tracking the movement of controlled goods. Internal audits should ensure that all stakeholders are aligned in their efforts and that compliance initiatives are well-coordinated. Internal audits can enhance monitoring mechanisms by ensuring that information-sharing processes are efficient and potential compliance risks are escalated appropriately. A collaborative approach strengthens the organization’s overall compliance posture and minimizes regulatory exposure.

Red Flags That Demand Further Scrutiny

Export control violations often result from either negligence or intentional circumvention of regulations. Key warning signs include last-minute changes to product specifications, especially if such modifications appear designed to bypass regulatory restrictions. Altered shipment destinations should also raise concerns, particularly those involving high-risk or embargoed countries. Requests to route shipments through third countries may signal attempts to evade sanctions, while unusual payment methods or routing through non-traditional banks can indicate illicit activities. These red flags necessitate heightened due diligence and should be promptly escalated for further investigation. A proactive compliance approach that integrates continuous monitoring, effective auditing, and cross-department collaboration is essential in mitigating these risks and ensuring adherence to export control regulations.

Export control compliance is not just a regulatory obligation but a fundamental aspect of risk management and corporate integrity. Organizations that prioritize compliance through robust frameworks, continuous risk assessments, and proactive internal audit functions can avoid costly penalties and reputational damage. By fostering collaboration across departments and maintaining vigilance against red flags, companies can strengthen their compliance posture and build trust with regulators, partners, and customers. A proactive and integrated approach to export control compliance ensures business continuity and long-term success in an increasingly complex global trade environment.

Categories
Everything Compliance

Everything Compliance: Episode 150, The Musk On Edition

Welcome to this edition of the award-winning Everything Compliance. In this episode, Matt Kelly, Jonathan Armstrong, Jonathan Marks, Karen Woody, and Karen Moore join the full gang to examine various issues for compliance professionals under the incoming administration.

  1. Jonathan Armstrong looks at the car crash coming for DeepSeek in the EU. He shouts out to Peter Mandelson, the new UK Ambassador to the United States.
  2. Karen Moore looks at the reframing of DEI. She shouts out about the film on September 5.
  3. Matt Kelly considers the Bondi Memo on changes in DOJ enforcement focus and mentions Alexei Navalny’s memoir.
  4. Karen Woody examines the new SEC Crypto Taskforce and mentions the award-winning play Hadestown.
  5. Jonathan Marks provides a tutorial on the role of internal audit on export controls. He also shouts out to his hometown team, the Philadelphia Eagles (now the Super Bowl-winning Philadelphia Eagles).
  6. Tom Fox shouts out to (conspiracy) Bill Simmons for opining that the Dallas Maverick’s trade of Luka Doncic was a ploy to force the state of Texas to allow gambling in this state.

The members of Everything Compliance are:

The host and producer, rantor (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, by clicking here.

Categories
Blog

Auditors and Compliance: Part 2 – Ten Key Takeaways for Compliance Professionals

The PCAOB’s recent information release, SPOTLIGHT Auditor Responsibilities for Detecting, Evaluating, and Making  Communications About Illegal Acts, is a critical guide for compliance professionals. The SPOTLIGHT sets out the role of auditors in assessing a company’s compliance with laws and regulations, particularly how auditors must identify, evaluate, and communicate potential illegal acts. However, for compliance officers, the SPOTLIGHT highlights areas where compliance and audit functions intersect and emphasizes collaboration’s importance to maintaining regulatory adherence and upholding financial integrity. Yesterday, we reviewed the roles and duties assigned to auditors. Today, we will dive into the 10 key takeaways for compliance professionals, outlining what they need to know to align their efforts with audit processes and effectively support their organization’s commitment to compliance.

  • Understand the Auditor’s Role in Identifying Illegal Acts

Auditors have a duty to detect and evaluate illegal acts that could materially impact a company’s financial statements. This includes assessing the potential effect of any illegal activity on the company’s financials and reporting these issues to management, the audit committee, and sometimes to the SEC. Compliance professionals need to understand this role to support auditors in fulfilling these obligations, especially by maintaining a strong compliance program that actively monitors regulatory adherence. Compliance should ensure that internal policies align with PCAOB standards and legal requirements, helping auditors conduct a thorough risk assessment as part of their evaluation.

  • Maintain Transparent and Open Communication Channels

Transparency and open communication are vital for a successful compliance-audit relationship. Auditors depend on information from management, the audit committee, and legal counsel to identify and evaluate potential violations. Compliance professionals should facilitate open communication with auditors and provide timely access to relevant information. This includes documentation from internal investigations, responses to auditor inquiries, and any corrective actions taken to address potential illegal acts. Proactively sharing information about compliance efforts demonstrates a commitment to ethical practices and supports auditors’ work to provide an accurate assessment of the company’s financial statements.

  • Foster a Strong Internal Reporting Culture

Auditors must inquire about complaints and tips, including those from whistleblower programs. For compliance professionals, this highlights the importance of fostering an internal reporting culture where employees feel safe raising concerns. A robust whistleblower program and other internal reporting mechanisms help identify potential illegal acts early, allowing the company to take action before issues escalate. Compliance teams should ensure employees know how to report concerns confidentially and clearly communicate that the company prohibits retaliation against whistleblowers. This can help create a steady pipeline of information that aids both compliance and audit functions in proactively addressing potential issues.

  • Document Document Document

Thorough documentation is crucial in every compliance arena, whether regulatory reporting, high-value transactions, or industry-specific regulations. (The Tom Fox Mantra Document Document Document.) Compliance professionals should maintain clear records of all compliance activities, internal investigations, and responses to auditor inquiries. By providing auditors with well-documented information, companies can help auditors assess whether any potential illegal acts are isolated incidents or indicative of broader compliance concerns. Such documentation facilitates the audit process and demonstrates to regulators a serious commitment to compliance.

  • Prioritize High-Risk Areas with Targeted Monitoring

Auditors focus on high-risk areas in their evaluations, such as transactions or activities with greater potential for legal violations. Compliance professionals should proactively monitor these high-risk areas to detect and mitigate issues before they escalate. For instance, compliance in industries with high regulatory scrutiny should ensure that the organization adheres to all industry-specific legal requirements. Regularly evaluating high-risk areas through targeted monitoring helps create a solid foundation for internal and external financial statement audits, reducing the chance of undetected illegal acts.

  • Be Prepared to Act on Auditor Findings Promptly

When auditors identify potential illegal acts, it is essential for compliance to respond swiftly and decisively. This involves conducting a thorough internal investigation and determining any required disclosures or corrective actions. From there, you should perform a Root Cause Analysis and then proactively address any concerns from auditors to help the organization maintain transparency and avoid further regulatory scrutiny. A prompt response strengthens the relationship between the compliance and audit functions and demonstrates to auditors and regulators a proactive approach to managing and mitigating compliance risks.

  • Strengthen Leadership’s Commitment to Compliance

The PCAOB emphasizes the importance of a “tone at the top” in its guidance, noting that auditors consider a company’s commitment to compliance when assessing potential illegal acts. Compliance teams should work with executive leadership to promote a strong culture of ethics and compliance, as this can significantly impact employee behavior and organizational practices. A commitment to compliance at the leadership level signals to employees that ethical conduct is a priority, supporting the organization’s overall compliance efforts. When leadership promotes compliance, employees are more likely to report concerns, and auditors can rely on the company’s internal controls and integrity.

  • Prepare for Potential Notification

If auditors discover a material illegal act and management fails to take appropriate action, the auditor may be required to notify the SEC or DOJ. For compliance professionals, this highlights the importance of swift and transparent responses to any findings of illegal activity. Working closely with auditors to address material findings and avoid potential SEC/DOJ notification is crucial. When the compliance function demonstrates a proactive approach to addressing auditor findings, it helps maintain the organization’s reputation, strengthens auditor relationships, and reduces the likelihood of regulatory intervention.

  • Regularly Review and Update Compliance Training

Auditors also assess a company’s internal compliance functions, including how well employees understand and adhere to compliance obligations. Regular compliance training ensures that employees are informed about identifying and reporting illegal acts, understand whistleblower protections, and know the resources available to them. Compliance professionals should review and update training programs frequently to address any changes in laws or regulations and any emerging risks specific to the company’s industry. Effective training reinforces employees’ commitment to ethical behavior and supports the company’s internal controls, bolstering the compliance-audit relationship.

  • Emphasize Materiality Assessments in Compliance Evaluations

When auditors evaluate the impact of illegal acts, they consider both quantitative and qualitative materiality. Compliance teams should adopt a similar approach when assessing potential violations. For instance, even a small illegal payment could be material if it raises ethical concerns or results in contingent liabilities. By considering potential violations’ financial and reputational implications, compliance teams can better assess the materiality of issues and take appropriate corrective action. This approach aligns with auditor standards and helps create a thorough and effective compliance environment.

Strengthening Compliance and Audit Collaboration

The PCAOB’s guidance reminds compliance professionals that a proactive approach to detecting, evaluating, and addressing potential illegal acts is essential. By understanding the auditor’s role and aligning compliance practices with PCAOB and SEC standards, compliance teams can effectively support auditors and contribute to a thorough evaluation of the organization’s adherence to laws and regulations.

A corporate compliance function plays a crucial role in creating a transparent, accountable organization where employees feel empowered to raise concerns and management responds promptly to address potential issues. Strong compliance-audit collaboration enables companies to build trust with regulators and stakeholders, demonstrating a commitment to ethical business practices. By implementing these takeaways and fostering a culture of compliance, companies can better navigate regulatory requirements and mitigate the risk of material misstatements or regulatory penalties, upholding the integrity of their financial statements and safeguarding their reputation in an increasingly scrutinized environment.

Categories
Blog

Auditors and Compliance: Part 1 – Auditors and Illegal Acts

Regarding compliance, one area that requires heightened attention is the role of auditors in detecting, evaluating, and communicating illegal acts. Recently, the PCAOB issued a document entitled SPOTLIGHT Auditor Responsibilities for Detecting, Evaluating, and Making  Communications About Illegal Acts. It outlines public auditors’ responsibilities when assessing a company’s compliance with laws and regulations. These responsibilities have far-reaching implications for corporate compliance professionals, as they directly influence how auditors evaluate and report on potential illegal acts that can impact financial statements and overall corporate integrity.

Over the next couple of blog posts, I will review this  SPOTLIGHT. In today’s blog post, we will unpack the auditor’s responsibilities for a compliance program, including the steps for identifying illegal acts, the evaluation process, and the requirements for reporting findings to management, audit committees, and possibly the SEC. Tomorrow, I will set out 10 key takeaways for the compliance professional regarding their role in interacting with auditors for compliance regimes.

Detecting Illegal Acts: A Critical Component of the Audit Process

Auditors must design and execute procedures that ensure reasonable assurance of detecting illegal acts that could materially affect a company’s financial statements. This duty is rooted in federal securities laws, specifically Section 10A of the Securities Exchange Act of 1934, which mandates that auditors remain vigilant to possible violations of laws and regulations during audits.

Detecting illegal acts is more than due diligence—it’s essential to safeguarding shareholder interests and preserving the integrity of financial markets. This underscores the importance of robust systems that actively monitor and report on regulatory adherence across business operations for compliance officers.

Auditors rely on multiple techniques and resources to identify potential illegal acts, such as:

  • Inquiries-They often begin by questioning management, the audit committee, and internal or external legal counsel.
  • Document Review-Auditors frequently review board minutes, regulatory correspondence, SEC filings, legal counsel letters, and other corporate documents that could reveal legal non-compliance.
  • Risk Assessments-Auditors must understand the company’s industry, regulatory environment, and external factors that could signal legal risks. This assessment helps them target high-risk areas where violations are more likely.

Auditors also investigate complaints and tips, including those from internal whistleblower programs. They may examine unusual transactions or related-party dealings that could indicate red flags. For compliance professionals, it’s crucial to maintain open channels for employees to report concerns without fear of retaliation and promptly address any issues flagged by auditors or internal investigations.

Evaluating Potential Illegal Acts: Procedures and Standards

Once an auditor becomes aware of a possible illegal act, they must determine whether it could materially impact the company’s financial statements. This evaluation requires auditors to understand the incident’s nature and context, often involving management and sometimes higher-level personnel who can provide insight into the situation.

The PCAOB standards and Section 10A mandate that auditors not only detect but also evaluate the likelihood that an illegal act has occurred. Here’s how they proceed:

  1. Gathering Evidence. Auditors may examine relevant documents—such as invoices, contracts, and payment records—to verify the facts surrounding the incident. They might also consult the auditing firm’s legal counsel or senior personnel for additional perspectives.
  2. Materiality Assessment. Materiality is a cornerstone of evaluating illegal acts. Auditors assess whether the potential violation is significant enough to warrant disclosure, focusing on quantitative and qualitative factors. For example, a small illegal payment may be deemed material if it could result in contingent liabilities or raise ethical concerns that affect the company’s reputation.
  3. Assessing Impact on Financial Statements. Auditors must evaluate how the illegal act impacts financial statement amounts, including the need for possible contingent liabilities, fines, or penalties. If senior management is implicated, this raises additional questions about the reliability of other information provided by the company.

This underscores the importance for compliance teams to maintain clear documentation and open communication channels with auditors. Keeping a well-documented trail of internal investigations, responses to auditor inquiries, and corrective actions can help ensure that potential illegal acts are evaluated accurately and comprehensively.

Communicating Illegal Acts: Auditor Obligations for Disclosure

Auditors have specific obligations to communicate illegal acts that come to their attention. The PCAOB and Section 10A set out requirements for notifying management, the audit committee, and, in some cases, the SEC. Here is what companies need to know:

  • Communication with Management and the Audit Committee. If an auditor identifies an illegal act, they must inform the appropriate management level and ensure that the audit committee is aware. This notification must occur as soon as possible before issuing the auditor’s report. The goal is to allow management and the audit committee to take corrective action and disclose any potential impacts to shareholders.
  • Reporting to the Board and the SEC. If the illegal act is deemed material and management fails to take timely and appropriate action, the auditor has a duty to report to the company’s board of directors. Under Section 10A, the auditor must notify the SEC if the board fails to remedy the situation within a specified timeframe. This step underscores the importance of accountability in corporate governance and compliance, as it introduces potential regulatory consequences for inaction.
  • Impact on Auditor Opinion. The auditor may issue a qualified or adverse opinion if the illegal act materially affects the financial statements and is not adequately disclosed or corrected. In cases where the auditor cannot obtain sufficient evidence to assess the impact of the illegal act, they may even disclaim an opinion. In extreme cases, the auditor may consider resigning from the engagement if the company does not take appropriate remedial actions.

This means that prompt and transparent responses to potential illegal acts are crucial for companies. Failing to address issues raised by auditors can lead to negative audit opinions, regulatory investigations, and significant reputational damage.

Strengthening Compliance Programs to Address Auditor Requirements

The PCAOB’s recent guidance emphasizes robust compliance programs’ role in facilitating audits and managing risks related to illegal acts. Compliance professionals should take the following steps to align their programs with PCAOB and SEC expectations:

  1. Develop Clear Policies and Reporting Mechanisms. Ensure that your compliance policies explicitly address legal requirements relevant to your industry and geographic region. Implement reporting mechanisms that allow employees to raise concerns anonymously, fostering a culture of transparency and accountability.
  2. Conduct Regular Risk Assessments. Just as auditors assess risk during their engagements, compliance teams should regularly evaluate areas prone to legal violations. High-risk areas like financial transactions, related-party dealings, and regulatory filings should be monitored closely.
  3. Provide Comprehensive Training. Equip employees with the knowledge to identify and report illegal acts. Include training on whistleblower protections and internal reporting mechanisms, ensuring all employees understand their role in upholding legal and ethical standards.
  4. Enhance Documentation and Transparency. Documenting compliance efforts is crucial, especially for areas that could attract auditor scrutiny. Keep detailed records of internal investigations, management’s responses to auditor inquiries, and any corrective actions to address potential violations.
  5. Establish a Strong Tone at the Top. Finally, fostering a culture of compliance begins with leadership. Management should demonstrate a clear commitment to legal and ethical standards, providing resources and support to compliance teams. When leadership prioritizes compliance, employees are more likely to report concerns, which can ultimately prevent illegal acts from going undetected.

The Path Forward

The PCAOB’s SPOTLIGHT is a valuable checkpoint for companies to evaluate their internal controls and compliance programs. Auditors play a vital role in identifying illegal acts, but the responsibility for maintaining legal compliance ultimately rests with the company. Companies can navigate this complex landscape and mitigate the risk of material misstatements or regulatory penalties by implementing a strong compliance program, fostering transparency, and responding promptly to auditor inquiries.

The bottom line? Even under the incoming second Trump Administration, a proactive approach to compliance is not simply best practice; it is an essential core of doing business ethically and in compliance. Compliance professionals should work closely with auditors, ensuring the company is prepared to detect, evaluate, and address any potential legal issues that could impact financial reporting. The goal is a collaborative effort where compliance and audit functions work together to uphold the integrity of the financial statements and the trust of stakeholders.

Join us tomorrow, where we will consider the 10 key takeaways for compliance professionals from SPOTLIGHT.

Categories
Blog

Leveraging Machine Learning with the Right Internal Audit Solution

Visitors face an ever-expanding landscape of challenges and opportunities in today’s world. Machine learning (ML) represents a transformative force, offering new ways to enhance audit quality, efficiency, and insight. But how can internal auditors effectively integrate this technology into their workflows? The key lies in choosing the right internal audit solution that seamlessly incorporates ML capabilities, ensuring auditors are equipped to tackle today’s complexities while preparing for tomorrow’s challenges.

Machine learning (ML) is a subset of artificial intelligence that focuses on developing systems that can learn from and make decisions based on data. In internal auditing, ML can automate repetitive tasks, identify patterns in large datasets, and even predict future trends. This not only speeds up the audit process but also enhances the accuracy and depth of audit insights.

Key Applications of Machine Learning in Internal Audits:

  • Risk Assessment: ML algorithms can analyze vast amounts of data to identify risk patterns and anomalies, helping auditors focus on areas with the highest risk.
  • Control Testing: Automated ML tools can test controls more frequently and thoroughly than manual processes, increasing the likelihood of detecting control failures.
  • Fraud Detection: ML can help predict and identify fraudulent activities based on historical audit data, thereby reducing potential losses.
  • Predictive Analytics: ML can forecast potential non-compliances or areas where controls might fail, allowing auditors to be proactive rather than reactive.

Selecting the right software solution is crucial when integrating ML into internal auditing. There are some critical factors to consider. The ML-powered audit solution must seamlessly integrate with IT infrastructure and data systems. This integration ensures auditors can leverage ML capabilities without disrupting existing workflows or data integrity. As organizations grow and data volumes increase, the ML solution should be able to scale accordingly. This includes handling more extensive datasets and adapting to new audits and compliance requirements.

ML can be complex, but the user interface of the audit solution should be different. A user-friendly interface that simplifies complex processes allows auditors to utilize ML features effectively without needing specialized training. Your chosen solution should offer advanced data analytics features, including data visualization tools, which help auditors make sense of the patterns and anomalies detected by ML algorithms. These tools are crucial for translating ML insights into actionable audit decisions. Any ML solution must comply with relevant data protection regulations, such as GDPR in the European Union or HIPAA in the United States. Additionally, the solution should have robust security measures to protect sensitive audit data from unauthorized access or breaches.

If there is one overlap between ML and traditional internal audit, it is that solutions for internal audit are not static, and ML is no different. ML continuously learns from new data and auditing experiences. This capability ensures that the system evolves and improves its accuracy and effectiveness. Finally, tech support is critical, especially when deploying complex technologies like ML. The right solution provider should offer comprehensive support and training, helping audit teams fully understand and leverage ML capabilities.

Successfully implementing an ML-powered audit solution involves more than just selecting the right software; you should have a planned strategy for an effective implementation. Some strategies for effective implementation include engaging relevant stakeholders early in the process, including IT, compliance, and executive teams, to ensure alignment and address any concerns. Test before implementation so that pilot tests of the ML solution can be conducted in specific audit areas before a full rollout. This helps identify any issues and refine the system for better performance. Training on any new system is critical, especially with an advanced ML solution. You should provide extensive training and support to audit staff to help them adapt to the latest tools and processes.  But as with any new rollout, it does not stop with implementation, as there should be continuous monitoring and continuous improvement as warranted.  Change management practices can facilitate a smoother transition and higher adoption rates.

As the complexity of business environments and regulations continues to grow, the role of internal audit becomes increasingly critical. Leveraging machine learning within audit solutions offers a path forward to keep pace with these changes and stay ahead of them. By choosing the right ML-powered internal audit solution and implementing it thoughtfully, audit departments can transform operations, delivering more value and stronger organizational compliance. The future of internal auditing is not just about adapting to changes—it’s about leading the charge with innovation and insight.