Internal Audit

Internal Audit of a ‘Second-line-of-defense’ Function

Deloitte has supported an international company in a highly regulated industry, with the Assessment of their ‘second line’ Compliance Program. The recommendations connected with the Assessment were used as input for changes in the organizational structure, responsibilities and to develop a Roadmap to embed a risk-based compliance framework within the organization.

During the project, Deloitte developed the ‘Nine Compliance Components’ Framework. We assessed:

  1. The overall maturity level of the current Compliance Program.
  2. Whether the compliance function focuses on the right compliance risks.
  3. If there are similarities or differences on how compliance is managed across different regions and countries.
  4. The integration of the compliance function with other Assurance functions in the first and second line (Legal, Risk Management, Internal Controls, Internal Audit).

We reviewed documentation (policies, procedures, examples), interviewed employees of the Ethics & Compliance department, as well as stakeholders from other governance functions and business management of different regions and countries in order to obtain comprehensive insight. This was supported through surveys and comparison of outcomes with industry good practices.

The recommendations arising from the assessment were used to develop a Roadmap towards greater maturity of the Compliance Program and integration thereof within the organization in order to ensure the high-risk compliance risks are adequately covered by the right function and without leaving gaps or creating duplications. In addition, the organizational structure, including reporting lines, were updated to embed a more efficient and effective organization whereby management has timely insights into the issues that matter.

The Compliance Components Framework

Contact us

Michiel van Hulsteijn


Morten Egelund


$(document.head).append(''); $(document.head).append('