Virtually every organization is subject to compliance requirements. Compliance audits provide validation of organizations’ adherence to the applicable standards, rules, and regulations. They also help identify deficiencies that could result in a noncompliance violation.
While compliance audits are fine-tuned for various regulations, the broad strokes apply to most organizations. This article not only offers an understanding of what a compliance audit is and is not, but also reviews the compliance audit landscape in terms of types and processes. Summary references are made to specific regulations and include links to other articles that provide more in-depth information.
What is a compliance audit?
A compliance audit is an evaluation of an organization’s adherence to applicable laws, rules, regulations, and standards.
Considered a type of guardrail to protect organizations from missteps, a compliance audit promotes accountability, good governance, and transparency.
It also proactively identifies weaknesses and deficiencies as well as assures propriety or uncovers impropriety.
Compliance audits follow guidelines dictated by the type of audit that detail the approach and processes to follow. They also establish the criteria required for compliance to be achieved and the expectations for reporting.
A formal compliance audit is often preceded by an internal audit that follows these guidelines. The objective is to identify and remediate gaps and ensure a favorable outcome.
Audit reports document an organization’s strengths and deficiencies according to compliance requirements. It covers everything from security policies and user access controls to risk management plans and human resources activities. A compliance audit report documents all aspects of an auditor’s findings and usually follows an established framework designed for each type of audit.
Compliance audits are performed by an independent or third-party auditor. They provide experience with the audit process as well as expertise related to the audit criteria. An auditor who conducts a compliance audit must provide a personal and professional guarantee of the accuracy of their findings and report.
When considering compliance audits, an important distinction is that these are not monitoring tools. Although they are commonly conflated, a compliance audit offers a snapshot view. In contrast, monitoring systems provide an ongoing evaluation that identifies issues as they crop up and ensures that controls continue to meet changing requirements.
Compliance audits for governments
The Lima Declaration (signed during the IX INCOSAI in 1977 and held in Lima, Peru) is considered the gold standard for government auditing. The Lima Declaration details the fundamental components of audits and what is needed to deliver independent, objective compliance audit reports.
The United Nations General Assembly refers to the principles established in the Lima Declaration as “Promoting the efficiency, accountability, effectiveness, and transparency of public administration by strengthening supreme audit Institutions.”
Objectives of a compliance audit
Different compliance audits have varied objectives, but those that are common to all include:
- Assess the effectiveness of an organization’s internal controls
- Avoid fines and other penalties that come with noncompliance
- Detail an organization’s degree of compliance against audit criteria
- Gauge how well an organization adheres to rules, regulations, and standards
- Highlight gaps discovered through the audit process and call out corrective action to achieve compliance
Internal audits vs compliance audits
Internal audit | Compliance audit |
-Conducted by employees or contractors working on behalf of the organization -Larger organizations sometimes have dedicated teams to oversee and execute -Auditors are not responsible for monitoring internal or external compliance -Audit teams sometimes hire outside experts to facilitate planning and validate results -Conducted to assess overall risks to compliance and determine where rules are not being followed -Occur throughout a fiscal year -Measure performance against stated goals in addition to assessing noncompliance risks -Used to verify that issues found in a compliance audit are remediated or otherwise addressed | -Focus on ensuring adherence to codes, standards, and regulations set forth by organizations, standards bodies, and governments -Require in-depth knowledge of applicable laws and regulations as well as internal governance -Formal audits conducted by independent third parties -Follow a specific format determined by the applicable rules (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or the Gramm-Leach-Bliley Act (GLBA)) -Reports provide assessments of how an organization is complying with applicable rules, regulations, and standards -Often mandatory, as dictated by the specific rules of a standard or regulation -Failure to complete and pass the audit can result in penalties (e.g., financial or legal) |
It is worth noting the commonalities between an internal audit and a compliance audit, which include:
- No matter the type of audit, the auditor and audit team must not be directly involved in the area being audited.
- Both internal audits and compliance audits identify deficiencies and provide recommended actions to remediate them.
Types of compliance audits
The following are examples of standards, rules, guidelines, and laws that necessitate internal and compliance audits.
CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act
A federal law implemented by the Federal Trade Commission (FTC) that sets rules for commercial email. It defines requirements for the content of messages and recipients’ rights to opt out of future email messages.
Centers for Medicare and Medicaid Services (CMS) (formerly the Health Care Financing Administration)
Part of the Department of Health and Human Services (HHS), the CMS oversees Medicare and Medicaid funding and enforces regulations with compliance audits that confirm funds are used and tracked correctly.
Environmental Protection Agency (EPA)
The EPA works with state, tribal, and other federal authorities to ensure compliance with environmental laws, such as the Clean Water Act (CWA), Clean Air Act (CAA), and Toxic Substances Act (TSCA). Compliance audits that help enforce this include inspections and testing.
Financial Industry Regulatory Authority
Although FINRA is not a government organization, it works closely with the Securities and Exchange Commission (SEC) to enforce a number of rules, including those related to anti-money laundering (AML) and cybersecurity governance. FINRA is authorized to conduct annual compliance audits that review areas such as licenses, advertisements, and day-to-day operations.
Federal Information Security Modernization Act (FISMA)
FISMA compliance is required for any federal agency, state government agency, or contracted affiliate that interacts with federal systems. It assesses compliance with security standards that protect sensitive information.
General Data Protection Regulation (GDPR)
A GDPR compliance audit assesses organizations’ compliance with the rules set forth in the law to regulate and protect individuals’ data and privacy, including how personal data is collected, stored, accessed, and processed.
Healthcare Insurance Portability and Accountability Act (HIPAA)
Healthcare organizations must undergo HIPPA compliance audits to confirm that protected health information (PHI), including electronic records, physical documents, and procedures, is sufficiently secured against unauthorized access or use.
Human Resources (HR)
Human resources compliance audits are performed for internal benchmarking and external rules and regulations. Areas considered in a human resources compliance audit include adherence to federal, state, and local employment laws and regulations in a variety of areas, such as non-exempt workers, inadequate personnel files, and compensation.
Internal Resource Service
The IRS conducts compliance audits to ensure that corporate and nonprofit entities follow the rules and pay the appropriate taxes when they are due.
Occupational Health and Safety Act (OSHA)
OSHA compliance audits assess whether organizations meet required health and safety standards to protect all workers (e.g., those in offices and manufacturing facilities and on construction sites).
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS compliance is enforced by an industry standards body rather than a governmental agency; the PCI Council is comprised of industry leaders (i.e., American Express, Discover, JCB International, MasterCard, and Visa).
State and Local Tax (SALT)
State and local auditors conduct SALT audits to confirm that businesses and individuals have paid the correct amount of state and local taxes, such as income tax and sales tax.
Sarbanes-Oxley Act (SOX)
A SOX compliance audit focuses on financial records and operational controls and holds executives accountable for representations made in their organizations’ financial statements.
Social compliance
A social compliance audit assesses an organization’s overall operations and codes of conduct and its performance related to social responsibility.
Sustainability compliance
A sustainability compliance audit reviews an organization’s efforts to implement practices and procedures to support sustainable operations.
Compliance audit processes
All types of compliance audits rely on clear documentation, communication, and quality control.
Regardless of the type of audit required, some basic processes apply and auditors need to be independent and have full access to all relevant materials.
Variables are based on the type of compliance audit, including the areas covered, departments involved, and reporting requirements.
Planning a compliance audit
Planning for a compliance audit ensures the quality of the output and that it is conducted in an efficient, effective, and timely manner. Key areas to consider when planning a compliance audit include:
- Alert those who will be involved.
- Define the objectives and scope.
- Determine the location of critical subject matter.
- Establish key criteria for the compliance audit.
- Flag potential problems that may be encountered.
- Identify crucial areas to cover.
Performing a compliance audit – gathering the evidence
Documentation is at the heart of a compliance audit. Auditors gather and record evidence of compliance or noncompliance according to the audit criteria. This documentation is used to provide a final assessment at the conclusion of the audit.
The evidence that is collected will vary based on the type of audit and the organization, but the process is the same. Auditors must sufficiently document the evidence used to come to their conclusions.
Key areas to consider when gathering evidence during a compliance audit include:
- Conduct and record formal interviews, as needed, as part of evidence gathering.
- Inspect the infrastructure and workspaces, shadowing employees as needed.
- Meet criteria for sufficiency (i.e., quantity) and quality of evidence needed to explain audit results.
- Obtain relevant and reasonable evidence related to the areas included in the audit.
- Use a compliance audit checklist to ensure all relevant materials have been gathered.
Performing a compliance audit – evaluating evidence and forming conclusions
Once records and documents have been gathered, the auditor must review them and determine whether the organization is meeting compliance requirements. During this phase of the compliance audit, auditors also identify deficiencies that result in noncompliance. Among the criteria considered during this phase are the authenticity and validity of the evidence.
Reporting compliance audit results
A compliance audit concludes with the reporting of results. If the organization is found to be in compliance with the audit criteria, the evidence should be referenced and included in the report.
In the event that an organization is noncompliant in any area, the report should detail the nature and extent, cause, materiality, and effect of noncompliance. The compliance audit report should also indicate whether the issues are isolated or systemic.
Considerations for developing a compliance audit report include:
- Providing details about corrective actions to achieve compliance
- Organizing the evidence included in the report to facilitate easy access
- Supporting the auditor’s conclusions with evidence
- Detailing a complete trail of the audit procedures performed
- Explaining the reasons for the conclusions, with sufficient information to enable an experienced auditor with no connection to the audit to understand the findings
- Assigning accountability for individuals responsible for deficiencies that led to noncompliance and their level of involvement
- Proving that the compliance audit was executed according to relevant standards and covered the criteria for the audit type
Compliance audit opportunities
Although a compliance audit can be onerous, it will also provide the enterprise with valuable insights. These help the organization adhere to rules and regulations, thereby avoiding fines and other penalties.
A compliance audit also helps identify gaps that could result in security breaches or other material issues. In addition, the results of a compliance audit provide guidance on remediation. Taking a positive view toward a compliance audit can enable a smoother process and improve overall results.
Unleash the power of unified identity security
Ensure the security of every enterprise identity, human or machine