Lessons from compliance and the intersection of enterprise risk management and internal audit

At the Society of Corporate Compliance and Ethics’ (SCCE) annual Higher Education Compliance Conference in June 2021, a diverse set of college and university compliance professionals shared their perspectives on a variety of compliance topics. Baker Tilly facilitated a panel discussion with compliance leaders from two private universities to share their perspectives and lessons learned on compliance and the intersection with enterprise risk management (ERM) and internal audit.

The discussion panel focused on three primary objectives:

• Understanding key interdependencies between compliance, ERM and internal audit
• Exploring how collaboration leads to an enhanced culture of compliance and ethical behavior
• Sharing experiences and lessons learned from leveraging relationships between compliance and other institutional partners

The panel focused on three overall themes:

Theme 1: How do the elements of an effective compliance program align with or differ from ERM?

Institutions often leverage the framework set forth in the Federal Sentencing Guidelines to develop a customized compliance program that can support both ethics and compliance. Effective compliance programs typically include the following elements:

• Preventing and detecting criminal conduct
• Having leadership oversight of the compliance program
• Rejecting individuals with a history of misconduct from leadership positions
• Providing effective training on compliance programs
• Monitoring the mechanism(s) used for reporting
• Using positive reinforcement/punishment for misconduct
• Initiating investigations in a timely manner
• Implementing periodic modifications to the compliance program

While compliance programs are often driven by external regulation, ERM is geared towards helping institutions identify and mitigate risks that may impede attaining strategic goals and objectives. Additionally, ERM is rooted in creating a risk-aware culture that takes a consistent approach to risk management, often through enhanced and informed decision-making with a goal of achieving efficiency and optimization.