Question: Should our internal audit focus on compliance or strategic risks?
Answer: “It depends,” answers Susan Ulrey, an internal audit and compliance practice leader for two CPA consulting firms who has conducted more than 100 risk assessments.
“I think that [an] internal audit should focus on compliance,” Ulrey says. “Compliance is a very, very critical part of what we do. We are highly regulated. We have privacy and security issues that we need to be responsible for.”
You can’t get away from compliance — but to add value to your organization, you really need to look at those strategic imperatives, Ulrey notes. You really need to do both; it’s not an either/or situation.
Understand that being compliance-focused is not a negative thing at all, but you still must strike the right balance within your organization of compliance and strategic risk, Ulrey points out.