A Plan for Regulatory Change. A top-down assessment model can help internal auditors keep tabs on regulations and ensure the organization is prepared for what lies ahead.

Author: Haig, Nancy

Noncompliance with laws and regulations carries potentially steep consequences for organizations. Fines, penalties, sanctions, debarment, and public relations nightmares are among the many impacts of compliance failure, not to mention the reputational damage and loss of business that may occur. Moreover, failure to identify and consider laws and regulations may result in missed business opportunities and lack of strategic alignment. In many ways, neglecting to address and manage regulatory change can lead to significant organizational harm.

In fact, The IIA's recent OnRisk 2020 research identified regulatory change as one of the most critical risks facing organizations this year. Other risks included cybersecurity, data protection, business continuity, talent management, and third parties. Depending on the industry, each of the risks identified in the report may have a regulatory component. For example, organizations that fail to protect personal data through a cybersecurity control framework can face significant penalties. The data may have been processed through an insufficiently vetted third party, or by unqualified employees whose inclusion in the organization resulted from inadequate talent management. If a data breach occurs, the organization must be able to respond within regulatory time frames and, depending on the significance of the breach, possess reliable crisis response and business continuity plans.

Internal auditors have a responsibility, under the International Standards for the Professional Practice of Internal Auditing, to help ensure their organizations are addressing and managing regulatory risk effectively. According to Standard 2120: Risk Management, internal audit "must evaluate the effectiveness and contribute to the improvement of risk management processes." More specifically, according to The IIA's interpretation for this standard, "The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding ... compliance with laws, regulations, policies, procedures, and contracts." Practitioners may benefit from an assessment tool aimed at achieving that objective.

Using a top-down framework based on compliance guidance from the U.S. Federal Sentencing Guidelines, internal auditors can assess whether the organization is addressing and managing regulatory change effectively. Governments of other countries have emulated that guidance when outlining the steps needed to ensure compliance with major laws and regulations. The framework can guide auditors, step by step, through a structured review of what regulators expect in the management of regulatory risk.

Identification of Laws and Regulations

The group responsible for identifying regulatory change can vary from one organization to the next. Depending on the size, regulatory complexity, and maturity of the organization, internal auditors may be able to perform a top-down assessment of how well the enterprise risk management program, or risk management function, identifies and manages changes in regulatory risk. Moving down a level, if these functions do not exist or are ineffective, auditors can assess the overall compliance program, if one exists. Otherwise, the legal department...