Myth #5 – I Can Outsource Our Compliance Program

[Image: National Outsourcing Assoc. Outsourcing Summit]

The final myth in our series is the myth that compliance programs can be outsourced.  While it is very true that a significant portion of compliance activities can, and in many instances should, be outsourced, the core leadership and direction of the program cannot.  The ultimate responsibility for compliance lies with executive management and, to a certain extent, the Board of Directors.  The quarterly certification related to internal controls over financial reporting required by Section 302 of the Sarbanes-Oxley law is one of many explicit reminders that responsibility for the effectiveness of the compliance program cannot be outsourced.  The recent trend of regulators like the SEC requiring that companies admit wrongdoing as well as pay fines (versus just paying fines in the past) is another indication that regulators, and indeed the public, are demanding more accountability.  The recent NHTSA maximum fine levied against General Motors, with likely criminal charges to follow, is an example of the same accountability being demanded for compliance requirements outside of financial reporting.

There are many sound business reasons to outsource, especially for small to mid-sized companies that are in a mature stage of development.  The level of expertise required to establish and maintain a strong compliance program may not be attainable in-house at such companies because those with such skills are difficult to recruit.  The real difference-making skills of a Chief Audit Executive (CAE) are likely to require about 20%-40% of the CAE's time (much higher percentages at larger companies), with the remainder devoted to productive, value-added activities that can likely be completed just as well by someone with less experience.  In these circumstances, it is likely better to use a third-party partner with extensive experience to establish, define and maintain the program.  The execution of the program can then be assigned to internal or external resources as is appropriate for the circumstance.  Acquiring expertise is the best reason to outsource.

Specific knowledge is another good reason to consider outsourcing certain compliance activities.  While company-specific knowledge is critical for some compliance activities, knowledge of local language, local customs and local laws is more critical for others.  Auditing vendor manufacturing facilities for compliance with laws and your Vendor Code of Conduct is one example.  Auditing a foreign location for compliance with anti-bribery statutes is another.  I personally completed well over 100 tax returns during my time in public accounting and am a CPA, but I would not feel confident planning and performing a detailed audit of the tax function, including proper presentation of tax effects in the financial statements, without seeking the assistance of outside experts.  I know dozens of excellent CAEs, but I could not name one that I think would confidently claim expertise in the area of tax and accounting for income taxes.

The timing/immediacy of an issue and/or the cost of travel, especially last-minute travel, is another good reason to consider outsourcing.  Investigations of theft or wrongdoing at remote locations (retail stores, sales offices) are excellent examples.  When I became aware of such an issue in my days as CAE, the urgency and location of the situation dictated our decision to use an internal versus an external loss prevention professional to perform the employee interviews.

What gives rise to this separation between compliance programs, the internal or outsourced functions that perform them, and the broader operations of the company?  Why do many executives view compliance programs as an encapsulated process that must be left to subject matter experts and is therefore a candidate for outsourcing?  One culprit is compliance/audit-specific tools that are complicated and expensive.  Most charge by "seat" or tranches of "seats", which discourages wide use and adoption.  These systems also require lengthy training sessions and/or staff with specialized knowledge, which both costs training dollars and further discourages widespread use.  I worked for a company that had implemented what is rated as the best Enterprise GRC software by the vaunted "Gartner Magic Quadrant".  They spent six figures implementing this system and were spending over $10,000 a year in maintenance, and NOBODY in the enterprise was using it, nor did they know how to use it.  I obtained a proposal the vendor had provided them for training on some minor functionality.  This proposal was for more than $20,000.

The recent emergence of "cloud" software in this space provides a major opportunity for a reset.  With easy-to-use software such as BestGRC that is charged by fixed subscription rather than by "seat", the opportunity now exists to embed compliance activities in the business by encouraging widespread execution of those activities within one database.  The cloud platform supports execution on PC/tablet/phone by internal or outsourced resources.  Accomplishing the company's objectives with an integrated compliance program is far easier and more structured than in the past because everyone can work within the same tool.

Cloud technologies better support outsourcing of the work to people with specialized skills.  My experience improving the outsource relationship with our licensing/royalty auditor by migrating his audit work to our audit software helped greatly to integrate this activity into the overall audit plan.  This was a powerful realization that led me to develop a platform for others to do the same.  The same applies to vendor factory compliance and to using third-party resources for account reconciliations or audit testing.  When you set standards (e.g., control procedures, audit tests) within your own GRC system with appropriate linkages to controls and risks, to a large extent it no longer matters who performs those activities (internal or external resources).  Essentially, you do not have to worry about an outsourced provider being "on the same page" when they are on your page.

A company cannot outsource the oversight and tracking of its compliance program.  The leaders must embrace this responsibility.  Only those in the E-suite fully know, and hopefully understand, the risks the company faces currently and those that will arise as a consequence of the planned future direction of the business.  Only appropriate leadership from the top will result in a robust compliance program that leads to achievement of business objectives in all facets, not just financial, and in the skill to effectively leverage compliance.

About the Author

Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog.  Find Glenn’s full profile at , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at