Everyone Wants Compliance… Until It Conflicts with the Business

Almost every organisation says the same thing: 

“Compliance is important.” “We take AML/CFT seriously.” “We want to manage our risks.” 

Investments are made in policies, monitoring tools, awareness training, and periodic audits. On paper, things often look solid: processes exist, controls are in place, and reports are neatly discussed in governance meetings. Yet in practice, we continue to see the same problems resurface. Large files in which money laundering risks go undetected for years, transactions that were never critically reviewed, or organisations caught entirely off guard when a regulator concludes that their controls fall seriously short. 

That rarely happens because no one knew what the rules were. Far more often, the problem has a different root cause: the tension between Internal Audit and the business. 

That tension is usually not openly visible. No one explicitly says that risks are unimportant or that compliance gets in the way. But as soon as audit findings touch on commercial objectives, client relationships, capacity, or revenue, the dynamic often shifts quickly. Findings get nuanced, priorities change, and discussions suddenly revolve less around risk and more around feasibility, timing, or “the reality of the business.” 

And that is precisely where a vulnerability arises that many organisations underestimate. 

When Internal Audit and the business end up on opposing sides, risks do not disappear. They simply become less visible. This dynamic is not limited to internal audit departments. It also surfaces regularly in external internal audit engagements, where independence can come under pressure the moment conclusions become commercially or organisationally uncomfortable. 

In this article, we explore that tension. We look at why it is so persistent, and how organisations can prevent audit from becoming a process in which everyone participates but no one truly listens. 

 

The Core of the Problem: Audit and Business Often Speak a Different Language 

On paper, Internal Audit and the business share the same objective: a commercially sound, safe, and sustainable organisation. In practice, however, the two functions are often evaluated against entirely different interests. 

Internal Audit is expected to make risks visible, critically assess processes, and independently evaluate whether controls are genuinely effective. The business, by contrast, is primarily driven by growth, client satisfaction, speed, and commercial results. As long as those interests remain balanced, audit and the business complement each other well. The problem arises when risk management directly conflicts with commercial reality. 

An audit finding rarely represents just a theoretical risk. In practice, it often means additional work, stricter controls, delays in onboarding, difficult client conversations, or higher operational costs. And that is precisely why resistance emerges. 

That resistance is not always conscious. In fact, many business managers are genuinely convinced they take risks seriously. At the same time, they feel pressure to keep processes workable, meet targets, and stay ahead of competitors. This gradually creates a situation in which risks are not actively ignored, but are systematically downplayed or relativised. 

This tends to manifest in three recurring tensions. 

 

Three Areas of Tension Between Internal Audit and the Business 

The Gap Between Theory and Practice

One of the biggest frustrations from the business side is the feeling that audit does not sufficiently understand how processes work in practice. Auditors examine files, procedures, and regulations, while commercial teams deal daily with client pressure, deadlines, revenue targets, and operational constraints. As a result, audit findings are regularly experienced as theoretical or difficult to implement. 

That frustration is sometimes understandable. An audit recommendation may be entirely logical on paper but lead to longer onboarding trajectories, more escalations, or additional workload for operational teams. The risk, however, arises when feasibility is consistently placed above risk management. 

When that happens, organisations begin to make concessions, whether consciously or not. Findings are “reprioritised,” deadlines are pushed back, or shortcomings are framed with arguments such as “we’ll lose clients if we do this” or “this is operationally not feasible.” In the short term, that may feel pragmatic. In the longer term, it creates precisely the conditions in which risks can grow without anyone truly intervening. 

Audit as Police Officer Rather Than Partner

A second area of tension emerges when audit is primarily seen as a function that comes to point out mistakes. Many organisations claim that audit is a “business partner,” but in practice employees still frequently experience it as a controller, police officer, or box-ticking machine. 

That perception tends to develop when audits are heavily focused on deviations, shortcomings, and reporting, without sufficient attention to the underlying causes of behaviour or process issues. As a result, employees feel assessed rather than supported. 

The consequences often show up subtly in behaviour. Doubts are raised less readily, escalations are withheld, and risks are resolved internally rather than formally reported. Not because employees are deliberately hiding risks, but because people naturally become more defensive in an environment where mistakes appear to carry primarily negative consequences. 

Within AML/CFT, this is a serious problem. Many major incidents do not arise because signals were entirely absent, but because employees no longer felt safe raising concerns or gradually came to see irregularities as normal. When audit is exclusively associated with control and accountability, the very openness needed to surface risks in time begins to disappear. 

Overconfidence and the Belief That “It’s Fine Here”

The third area of tension may be the most insidious: organisational overconfidence. Many organisations that later face serious AML/CFT deficiencies were convinced for years that their controls were essentially in good order. 

That perception is most common in organisations that have never received a significant fine, have relied on the same processes for years, or place their trust in existing monitoring tools and experienced staff. Over time, a conviction forms that the organisation understands its risks and that serious incidents are something that happens to others. 

That is precisely where the danger lies. 

Risks typically develop gradually. Temporary workarounds become permanent, alerts become routine, exceptions become normal, and systems slowly become outdated. Because incidents do not occur, it feels as though the controls must be effective. That feeling persists until a regulator, enforcement agency, or internal investigation reveals that certain signals were missed for years. 

In hindsight, it often turns out that the signals were there all along. Audit findings had been flagged earlier, employees had raised concerns, or systems had been underperforming for some time. Yet no one felt sufficient urgency to look at the situation critically. 

And that is precisely why overconfidence is so dangerous within AML/CFT. It causes organisations not to actively ignore risks, but simply to take them less and less seriously. 

 

External Internal Audit: Independence Remains Complex 

Some organisations use external parties for their internal audit function. In those cases, these tensions often become even more complex. An external party must operate independently, while simultaneously remaining dependent on the client for budget, contract renewals, and the commercial relationship. 

This does not mean that external auditors consciously report more leniently, but it does create a tension that is difficult to fully ignore in practice. Particularly where organisations are sensitive to critical conclusions, pressure can emerge to soften formulations, reprioritise findings, or direct audits toward “safer” topics. 

It is also not uncommon for organisations to seek auditors that better align with their expectations or culture. That need not be problematic in itself, but it can lead to situations where independence gradually shifts from critical assessment to relationship management. 

That is precisely why effective external internal audit requires more than technical expertise. It also requires the willingness to keep naming uncomfortable conclusions, even when those conclusions are commercially or organisationally sensitive. 

 

How to Prevent Audit and Business from Remaining at Odds 

The solution does not lie in less audit or softer findings. The problem does not disappear by framing risks more gently. Organisations become stronger when audit and the business understand each other better without losing sight of their respective roles. 

That starts with auditors who have a genuine feel for the practical realities of the business. An audit that fails to account for operational context quickly loses credibility, however strong the substantive findings may be. At the same time, the business must accept that risk management is sometimes uncomfortable, time-consuming, or commercially inconvenient. 

It also helps when audit conversations focus less on blame and more on underlying causes. The question “what went wrong?” is valuable, but asking “why does this behaviour occur?” and “what incentives drive these choices?” often yields far more actionable insights. 

Finally, effective collaboration requires a culture in which employees feel safe raising doubts. The most vulnerable organisations are usually not those where mistakes are made, but those where no one feels able to name them. 

 

Conclusion: The Real Struggle Is Not Between Audit and Business 

Ultimately, the real struggle is not between Internal Audit and the business. It is between short-term and long-term thinking, between commercial pressure and risk awareness, and between comfort and confrontation. 

That is precisely why audit plays a difficult but important role. Not as a police officer or a box-ticking machine, but as a function that makes visible where organisations are becoming vulnerable. That matters most at the moments when commercial interests, time pressure, or organisational sensitivities are at their greatest. 

Because ultimately, the largest problems rarely arise because organisations lack rules. They arise when organisations gradually convince themselves that the risks will probably turn out to be manageable after all. 

And that is precisely where good audit needs to cut through. 

 

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress, and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com