Despite the initial concern about the new compliance requirements for legal services providers regulated by the SRA, it is pleasing to note the steps that firms are taking to meet their compliance obligations and to ensure that their compliance officers are equipped to deliver the responsibilities of their roles effectively as from 1 January 2013. However, it is increasingly evident that the role of internal audit as an integral part of their compliance arrangements is not fully recognised.

The purpose of internal audit in legal services firms is to provide independent and objective assurance to the ‘Managers’ (role as defined in the SRA Handbook) that their systems and controls for regulatory compliance are fit for purpose. Although there is no mandatory regulatory requirement for legal services firms to have an internal audit function, internal audit is recognised as an essential element in the governance arrangements of successful organisations irrespective of their size or industry sector.

The current focus by legal services firms on putting in place systems for compliance advice, compliance tracking and reporting is commendable. However, it seems that the role of internal audit is not getting sufficient attention. It appears that there is some misunderstanding between the functions of compliance monitoring and internal audit. As the role of COLP is likely to be filled by more senior management in many legal firms, e.g. managing partner or senior partner, the need to have clarity between the role of compliance monitoring and internal audit becomes more important in order to enhance objectivity and independence.

PwC’s ‘three lines of defence’ is a helpful model to assist firms to clarify the different but complementary responsibilities of compliance officers and internal audit. PwC’s recent whitepaper on information security (Fortifying your defenses – The role of internal audit in assuring data security and privacy) provides a useful summary of the critical role of internal audit in achieving desired compliance outcomes.

Some may dismiss the relevance of internal audit to legal services providers on the basis that the majority of existing providers are small firms with no desire or rationale to adopt a more ‘corporate structure’ in the future. Others may suggest that the risks facing their firms are not significant enough to justify the expenditure on internal audit.

However, I take a contrary view because outcomes-focused regulation requires all providers irrespective of size to deliver positive outcomes for their consumers. So rather than firms focusing only on implementing systems and controls to avoid negative outcomes, which is the traditional approach to compliance and risk management, legal services providers must take proactive steps to ensure that their systems and controls are delivering the right outcomes, as the new regulatory requirements are designed to encourage providers to ensure that positive outcomes are achieved.

I accept that there is no ‘one size fits all’ model of internal audit for legal services providers, but every firm should consider how best to cost-effectively obtain independent and objective assurance on its controls and systems. For some firms a dedicated in-house internal audit function will be appropriate, whilst for others an outsourced arrangement would be more appropriate. A hybrid approach of combining an in-house function and outsourced provision could prove effective for some firms. Whatever model is adopted, it is important that the internal audit function can demonstrate the following characteristics as recommended by the National Audit Office (Report – The effectiveness of internal audit in central government – June 2012).


An effective internal audit service should employ staff or external contractors, or both, who:

  • can provide objective assurance independent of management, report to and influence senior management, and is seen as capable by the rest of the organisation;
  • can influence organisational change by recommending management actions that improve proportionate and effective control and which are implemented in a timely manner; and
  • have the professional skills and competencies to undertake high-quality, rigorous internal audit and can commission and quality assure specialist support where necessary.

Source: National Audit Office


The recommendations of the National Audit Office are relevant because legal services providers, as custodians of client money, share a broadly similar duty to central government departments with regard to the appropriate utilisation of funds committed to their trust. That is why regularly ensuring that financial and operational controls are fit for purpose is critical.

Furthermore, the traditional classification of many legal services firms based on their small staff numbers and/or their turnover can sometimes be misleading in view of the substantial amounts of client money that some have to handle annually in order to serve the best interests of their clients. Therefore, it is reasonable to expect legal services providers irrespective of their size to have an appropriate internal audit function.

So how does a firm decide the appropriate internal audit structure, taking into account the culture and needs of the organisation? The choice for each firm would be heavily dependent on its priorities for internal audit, which would change over time as the approach to risk management develops. Some of the key drivers that may influence the chosen approach are outlined in the following table.

Internal audit table

A proactive approach to ensuring that the controls in legal services firms are fit for purpose through an effective internal audit function demonstrates a culture committed to providing a high level of assurance to its stakeholders. This is increasingly important for legal firms providing services to both individual and institutional consumers. Therefore, demonstrating that internal audit supports and reinforces a firm’s approach to risk management could be a critical success factor in becoming or remaining a partner with an institutional consumer that is committed to managing risk more effectively through its value chain. So ensuring that you control your controls may affect your long-term sustainability.