Internal Auditors: Here are Five Ways to Properly Manage Your Rising Compliance Costs
Compliance is a cost of doing business. But how well organisations manage compliance risks and related compliance costs is an increasingly competitive differentiator - affecting revenues, margins, reputation and customer experience.
In this article, the second in our Cost of Non-Compliance series, Kainos’ Nick Stone, a former auditor of over 20 years, looks at five ways internal audit teams can better control the ever-increasing costs of their compliance efforts.
In my recent article “Struggling to articulate the cost of non-compliance? An auditor’s view on how to champion regulatory technologies”, I examined why the cost of non-compliance exceeds the cost of compliance.
Within that blog, I looked at the top categories of compliance spend which were noted as:
- Information systems and compliance technology
- Incident response
- Audit (external and internal)
- Public relations & communications
- Program management and training
Which of these spend categories represent preventive risk strategies – and which are reactive?
Preventive risk management strategies attempt to anticipate and avoid risks through effective internal controls. Reactive risk management practices respond to risk after a risk event occurs or is detected. In my opinion, organizations should emphasize preventive risk management strategies to control compliance costs.
Let’s return to our list of top compliance spend. Technology tops the list. If implemented well, can be a preventive control. Interestingly, the next three biggest spend categories are all responses to risk, reactive in nature. The next preventive strategy doesn’t surface until you bump into training further down the line.
A wise man once said that “an ounce of prevention is worth a pound of cure.” So, on that note, here are five tips that honor that importance of preventive risk management and may help you to manage your costs of regulatory compliance.

1. Develop a risk-aware culture
A risk-aware culture is the most valuable asset a company can have to achieve and maintain effective compliance. Effective organizations make risk management a part of how they conduct business and reward performance. Compliance, after all, is simply a byproduct of effective risk management. To develop a risk-aware culture, the Board and executive leadership have to make it a priority by formalizing risk management accountability, defining a structured risk management function and implementing an enterprise risk management (ERM) program. If done well, ERM becomes how you conduct business, not an incremental cost. COSO ERM 2017, ISO 31000 and RIMS are great places to start your ERM journey.
2. Conduct a risk assessment
Compliance risk is one of several different types in common risk taxonomies (operational, financial reporting and fraud being the other broad types). The process starts with clarifying the business environment and the prevailing regulatory requirements, laws/statutes, standards and interpretive guidance affecting your business. This is often the job of multiple functions including Legal, HR, Finance, and Compliance. Effective risk assessment processes define a framework that surfaces requirements across business functions and allows the organization to develop a shared view of risk using multiple criteria. These include perceived control maturity, financial impact, operational importance and resource/expertise risk. Business risks evolve as regulations change, so using a recurring risk assessment helps you keep a pulse on the key compliance risks affecting your organization.
3. Make sure you have the right people
Effectively managing risk requires a mix of skilled individuals who can cover the risks to which an organization is exposed. According to a recent survey, compliance leaders ranked challenges finding people with the right subject matter expertise as their top concern. Organizations need processes that bring together experts in their field to agree on a shared view of risk, whether this is hiring the experience, building the experience internally or buying the experience from third parties. A pragmatic combination of all options is advised. Consider incorporating People & Expertise risk into a periodic resource assessment to ensure you have the right team with the right compliance skillsets to respond to the changing regulatory landscape.

4. Invest in controls and training
Most risk management frameworks culminate in defining risk responses and measuring the effectiveness of those responses. And in many cases, a risk response takes the form of an internal control. Internal controls operate best when defined in a formal system that maps out risks, controls, processes and accountability. Controls must clearly define what needs to happen, why it’s important, who is responsible, and how to evidence effective control operation. Sounds simple, but many organizations just do not invest the effort to formalize internal control expectations. This is a common short-sighted behavior that can be corrected through increased audit frequency or after costly non-compliance incidents (fine, fees, penalties, consent orders, breaches). Once defined, systems of internal control require maintenance, refinement and training to ensure they remain effective and relevant.
5. Evaluate compliance technology options
Recent surveys suggest that over 30% of businesses use technology to support regulatory compliance efforts. Examples of compliance technology include tools that support regulatory reporting, risk management (GRC, control automation), identify management (KYC, AML, anti-fraud), compliance rules (changes to regulations, laws), and transaction monitoring (continuous audit, monitoring and risk detection). Once risk and controls are clearly identified and codified, technology can, and should, be used to help organizations scale compliance efforts. Where possible, technology should be deployed to enable preventive controls to preempt desired compliance outcomes. Continuous monitoring technology can then be positioned to highlight exceptions to rules sets defined to highlight potential non-compliance. Control automation and continuous monitoring technologies have multiple benefits including a) improved control design, operation and coverage, b) lower risk of non-compliance , c) increased operational resource capacity, and d) lower audit fees. In fact, some studies show that automating a percentage of your key internal controls correlates into a similar percentage decrease in audit fees (up to 25%).
Technology is an effective way to level-up your compliance efforts and help your organization scale to the ever-changing risk landscape. We recommend using compliance technology to automate internal controls, including a healthy emphasis on preventive controls, that help avoid downstream costs of non-compliance.
But we’ve put technology last in our list of tips to properly manage compliance costs because effectively deploying compliance technology requires a solid risk management foundation. Tone at the top, risk assessments, compliance expertise and mature internal controls all are needed to form the bedrock of good risk management.
Why not try our ROI calculator to help you start a realistic conversation about the business case for Workday compliance technology?
Find out how much you could save, or avoid, per year by investing in Workday control automation.