Compliance audit guide: definition, types, and processes

Virtually every organization is subject to compliance requirements. Compliance audits provide validation of organizations’ adherence to the applicable standards, rules, and regulations. They also help identify deficiencies that could result in a non-compliance violation.

While compliance audits are fine-tuned for various regulations, the broad strokes apply to most organizations. This article not only offers an understanding of what a compliance audit is and is not but also reviews the compliance audit landscape in terms of types and processes. Summary references are made to specific regulations and include links to other articles that provide more in-depth information.

What is a compliance audit?

A compliance audit is an evaluation of an organization’s adherence to applicable laws, rules, regulations, and standards.

Considered a type of guardrail to protect organizations from missteps, a compliance audit promotes accountability, good governance, and transparency. It also proactively identifies weaknesses and deficiencies as well as helps assure propriety or uncover impropriety.

Compliance audits follow guidelines dictated by the type of audit that detail the approach and processes to follow. They also establish the criteria required for compliance to be achieved and the expectations for reporting.

A formal compliance audit is often preceded by an internal audit that follows these guidelines. The objective is to identify and remediate gaps and ensure a favorable outcome.

Audit reports document an organization’s strengths and deficiencies according to compliance requirements. They cover everything from security policies and user access controls to risk management plans and human resources activities. A compliance audit report documents all aspects of an auditor’s findings and usually follows an established framework designed for each type of audit.

An independent or third-party auditor performs compliance audits. They provide experience with the audit process as well as expertise related to the audit criteria. An auditor who conducts a compliance audit must provide a personal and professional guarantee of the accuracy of their findings and report.

When considering compliance audits, an important distinction is that these are not monitoring tools. Although they are commonly conflated, a compliance audit offers a snapshot view. In contrast, monitoring systems provide an ongoing evaluation that identifies issues as they crop up and ensures that controls continue to meet changing requirements.

Why compliance audits are important

The primary importance of compliance audits is that they help organizations adhere to laws and standards. Other reasons that compliance audits are important are that they can support organizations’ efforts to mitigate risks, build trust, and foster sustainable growth, as illustrated in the examples below.

Building trust and reputation

Organizations that demonstrate compliance with regulatory and other laws, rules, and standards build trust amongst stakeholders, including employees, customers, and partners, as well as the public at large. Transparent compliance reporting signals accountability and integrity in business operations.

Ensure legal and regulatory adherence

Compliance audits help organizations adhere to national and international laws, industry regulations, and contractual obligations. Failing to meet these requirements can result in severe penalties, lawsuits, and loss of licenses. Regular compliance audits ensure that organizations’ operations and practices are aligned with regulatory requirements.

Facilitate operational efficiency and continuous improvement

Conducting regular compliance audits provides insights into internal processes and highlights areas for improvement. Compliance audits drive a cycle of continuous improvement and help organizations maintain high operational standards and stay competitive.

Mitigate risks and enhance security

Through compliance audits, companies can identify vulnerabilities and operational risks. For example, a cybersecurity audit may uncover weaknesses in data protection, helping organizations avoid data breaches. Compliance efforts ensure proper security controls are in place, mitigating threats that could disrupt operations, damage assets, or compromise sensitive data.

Objectives of a compliance audit

Different compliance audits have varied objectives, but those that are common to all include:

  • Assess the effectiveness of an organization’s internal controls
  • Avoid fines and other penalties that come with noncompliance
  • Detail an organization’s degree of compliance against audit criteria
  • Gauge how well an organization adheres to rules, regulations, and standards
  • Highlight gaps discovered through the audit process and call out corrective action to achieve compliance

Internal audits vs. compliance audits

There are commonalities between an internal audit and a compliance audit, which include:

  • No matter the type of audit, the auditor and audit team must not be directly involved in the area being audited.
  • Both internal audits and compliance audits identify deficiencies and provide recommended actions to remediate them.

Despite the commonalities, internal and compliance audits are quite different.

Internal audits

  • Internal audits are conducted by employees or contractors working on behalf of the organization.
  • Larger organizations sometimes have dedicated teams to oversee and execute internal audits.
  • Internal auditors are not responsible for monitoring internal or external compliance.
  • Internal audit teams sometimes hire outside experts to facilitate planning and validate results.
  • Internal compliance audits are conducted to assess overall risks to compliance and determine where rules are not being followed.
  • Internal audits occur throughout a fiscal year.
  • In addition to assessing non-compliance risks, internal audits measure performance against stated goals.
  • Internal audits are used to verify that issues found in a compliance audit are remediated or otherwise addressed.

Compliance audits

  • Compliance audits are focused on ensuring adherence to codes, standards, and regulations set forth by organizations, standards bodies, and governments.
  • Compliance audits require in-depth knowledge of the applicable laws and regulations as well as internal governance.
  • Compliance audits are formal audits conducted by independent third parties.
  • Compliance audits follow a specific format determined by the applicable rules (e.g., Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or Gramm-Leach-Bliley Act (GLBA)).
  • Compliance audit reports provide assessments of how an organization is complying with applicable rules, regulations, and standards.
  • Compliance audits are often mandatory as dictated by the specific rules of a standard or regulation.
  • Failure to complete and pass a compliance audit can result in penalties (e.g., financial or legal).

Types of compliance audits and requirements

Compliance audits and requirements fall into several broad categories based on the area of focus. The following are the main types of compliance audits.

Cybersecurity and data privacy

This category addresses how organizations protect digital assets and help ensure data privacy. Areas covered by these compliance audits are data protection, data privacy, network security, encryption, and incident management and response. Examples of cybersecurity and data privacy compliance audits include:

  • California Consumer Privacy Act (CCPA)—data privacy rights for California residents
  • General Data Protection Regulation (GDPR)—EU-wide data privacy regulation
  • ISO/IEC 27001—information security management standards
  • NIST Cybersecurity Framework—guidelines for improving cybersecurity posture (required for U.S. federal government agencies)

ESG (environmental, social, and governance)

ESG compliance audits require organizations to demonstrate accountability in environmental, social, and governance practices. These compliance audits focus on long-term value creation, environmental stewardship, social impact, governance transparency, and ethical governance. Examples of ESG compliance audits include:

  • ESG Reporting—measures and discloses environmental, social, and governance impacts
  • United Nations Sustainable Development Goals (SDGs)—framework for sustainability initiatives

Environmental and sustainability

Environmental regulations and sustainability compliance audits are intended to help ensure that organizations meet their commitments to reduce their environmental footprint. These compliance audits focus on environmental impact, waste reduction, energy efficiency, carbon neutrality, and sustainability reporting. Examples of environmental and sustainability compliance include:

  • Carbon Disclosure Project (CDP)—framework for reporting greenhouse gas emissions
  • EU Green Deal and Climate regulations—targets for achieving net-zero emissions
  • Global Reporting Initiative (GRI) standards—sustainability metrics covering environmental impacts
  • ISO 14001—environmental management system requirements

Financial and regulatory

These audits help ensure that organizations adhere to legal regulations and financial reporting standards and focus on financial integrity, accounting accuracy, fraud prevention, and transparency. Examples of financial and regulatory compliance audits include:

  • International Financial Reporting Standards (IFRS)—consistent financial reporting across countries
  • Payment Card Industry Data Security Standard (PCI-DSS)—secure handling of credit card information
  • Sarbanes-Oxley Act (SOX)—financial transparency and controls within public companies

Health and safety

Health and safety compliance audits are meant to protect employees, customers, and the general public. Key areas of focus for these audits are workplace safety, public health, product safety, and employee well-being. Examples of health and safety compliance audits include:

  • FDA regulations—safety and efficacy in food, drugs, and medical devices
  • ISO 45001—occupational health and safety management system
  • Occupational Safety and Health Administration (OSHA)—workplace health and safety standards

Industry-specific

Some industries have specific compliance frameworks to address their specialized nature. Examples of industry-specific compliance audits include:

  • Aerospace and defense
      • International Traffic in Arms Regulations (ITAR)—regulates the export of defense-related items
      • Cybersecurity Maturity Model Certification (CMMC)—cybersecurity framework for defense contractors
  • Energy and utilities
      • ISO 50001—energy management systems
      • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)—cybersecurity standards for the electric grid
  • Healthcare
      • Health Insurance Portability and Accountability Act (HIPAA)—protects sensitive health information
      • FDA regulations—safety of pharmaceuticals and medical devices

Social and labor

This compliance audit category helps ensure that organizations follow fair labor practices, human rights, and diversity, equity, and inclusion (DEI). Examples of social and labor compliance audits include:

  • Equal Employment Opportunity (EEO)—non-discrimination in hiring and workplace practices
  • Global Reporting Initiative (GRI)—framework for disclosing social impacts and labor practices
  • ISO 26000—social responsibility guidelines
  • SA8000—standards for workplace safety, fair wages, and working conditions

Social compliance

A social compliance audit assesses an organization’s overall operations and codes of conduct and its performance related to social responsibility.

Sustainability compliance

A sustainability compliance audit reviews an organization’s efforts to implement practices and procedures to support sustainable operations.

Compliance audits for governments

The Lima Declaration (adopted at the IX INCOSAI, held in Lima, Peru, in 1977) is considered the gold standard for government auditing. The Lima Declaration details the fundamental components of audits and what is needed to deliver independent, objective compliance audit reports.

The United Nations General Assembly refers to the principles established in the Lima Declaration as “Promoting the efficiency, accountability, effectiveness, and transparency of public administration by strengthening supreme audit institutions.”

Examples of regulatory compliance audits

The following are examples of standards, rules, guidelines, and laws that necessitate internal and compliance audits.

CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act

This is a federal law implemented by the Federal Trade Commission (FTC) that sets rules for commercial email. It defines requirements for the content of messages and recipients’ rights to opt out of future email messages.

Centers for Medicare and Medicaid Services (CMS) (formerly the Health Care Financing Administration)

Part of the Department of Health and Human Services (HHS), the CMS oversees Medicare and Medicaid funding and enforces regulations with compliance audits that confirm funds are used and tracked correctly.

Environmental Protection Agency (EPA)

The EPA works with state, tribal, and other federal authorities to ensure compliance with environmental laws, such as the Clean Water Act (CWA), Clean Air Act (CAA), and Toxic Substances Control Act (TSCA). Compliance audits that help enforce these laws include inspections and testing.

Financial Industry Regulatory Authority (FINRA)

Although FINRA is not a government organization, it works closely with the Securities and Exchange Commission (SEC) to enforce a number of rules, including those related to anti-money laundering (AML) and cybersecurity governance. FINRA is authorized to conduct annual compliance audits that review areas such as licenses, advertisements, and day-to-day operations.

Federal Information Security Modernization Act (FISMA)

FISMA compliance is required for any federal agency, state government agency, or contracted affiliate that interacts with federal systems. It assesses compliance with security standards that protect sensitive information.

General Data Protection Regulation (GDPR)

A GDPR compliance audit assesses organizations’ compliance with the rules set forth in the law to regulate and protect individuals’ data and privacy, including how personal data is collected, stored, accessed, and processed.

Health Insurance Portability and Accountability Act (HIPAA)

Healthcare organizations must undergo HIPAA compliance audits to confirm that protected health information (PHI), including electronic records, physical documents, and procedures, is sufficiently secured against unauthorized access or use.

Human resources

Human resources compliance audits are performed both for internal benchmarking and to meet external rules and regulations. Areas considered in a human resources compliance audit include adherence to federal, state, and local employment laws and regulations on matters such as the classification of non-exempt workers, the completeness of personnel files, and compensation.

Internal Revenue Service (IRS)

The IRS conducts compliance audits to help ensure that corporate and nonprofit entities follow the rules and pay the appropriate taxes when they are due.

Occupational Safety and Health Act (OSHA)

OSHA compliance audits assess whether organizations meet required health and safety standards to protect all workers (e.g., those in offices and manufacturing facilities and on construction sites).

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS compliance is enforced by an industry standards body rather than a governmental agency; the PCI Council comprises industry leaders (i.e., American Express, Discover, JCB International, MasterCard, and Visa).

State and Local Tax (SALT)

State and local auditors conduct SALT audits to confirm that businesses and individuals have paid the correct amount of state and local taxes, such as income tax and sales tax.

Sarbanes-Oxley Act (SOX)

A SOX compliance audit focuses on financial records and operational controls and holds executives accountable for representations made in their organizations’ financial statements.

Compliance audit processes

All types of compliance audits rely on clear documentation, communication, and quality control.

Regardless of the type of audit required, some basic processes apply, and auditors need to be independent and have full access to all relevant materials.

What varies depends on the type of compliance audit: the areas covered, the departments involved, and the reporting requirements.

The main steps in a compliance audit include:

  1. Planning
  2. Gathering the evidence
  3. Evaluating the evidence
  4. Forming conclusions
  5. Reporting the results of the audit

Planning a compliance audit

Planning for a compliance audit ensures the quality of the output and that it is conducted in an efficient, effective, and timely manner. Key areas to consider when planning a compliance audit include:

  • Alert those who will be involved.
  • Define the objectives and scope.
  • Determine the location of critical subject matter.
  • Establish key criteria for the compliance audit.
  • Flag potential problems that may be encountered.
  • Identify crucial areas to cover.

Performing a compliance audit – gathering the evidence

Documentation is at the heart of a compliance audit. Auditors gather and record evidence of compliance or non-compliance according to the audit criteria. This documentation is used to provide a final assessment at the conclusion of the audit.

The evidence that is collected will vary based on the type of audit and the organization, but the process is the same. Auditors must sufficiently document the evidence used to come to their conclusions.

Key areas to consider when gathering evidence during a compliance audit include:

  1. Conduct and record formal interviews, as needed, as part of evidence gathering.
  2. Inspect the infrastructure and workspaces, shadowing employees as needed.
  3. Meet criteria for sufficiency (i.e., quantity) and quality of evidence needed to explain audit results.
  4. Obtain relevant and reasonable evidence related to the areas included in the audit.
  5. Use a compliance audit checklist to ensure all relevant materials have been gathered.

Performing a compliance audit – evaluating evidence and forming conclusions

Once records and documents have been gathered, the auditor must review them and determine whether the organization is meeting compliance requirements. During this phase of the compliance audit, auditors also identify deficiencies that result in non-compliance. Among the criteria considered during this phase are the authenticity and validity of the evidence.

Reporting compliance audit results

A compliance audit concludes with the reporting of results. If the organization is found to comply with the audit criteria, the evidence should be referenced and included in the report.

In the event that an organization is noncompliant in any area, the report should detail the nature and extent, cause, materiality, and effect of non-compliance. The compliance audit report should also indicate whether the issues are isolated or systemic.

Considerations for developing a compliance audit report include:

  1. Providing details about corrective actions to achieve compliance
  2. Organizing the evidence included in the report to facilitate easy access
  3. Supporting the auditor’s conclusions with evidence
  4. Detailing a complete trail of the audit procedures performed
  5. Explaining the reasons for the conclusions with sufficient information to enable an experienced auditor with no connection to the audit to understand the findings
  6. Assigning accountability for individuals responsible for deficiencies that led to non-compliance and their level of involvement
  7. Proving that the compliance audit was executed according to relevant standards and covered the criteria for the audit type

Compliance audit opportunities

Although a compliance audit can be onerous, it will also provide the enterprise with valuable insights. These help the organization adhere to rules and regulations, thereby avoiding fines and other penalties.

A compliance audit also helps identify gaps that could result in security breaches or other material issues. In addition, the results of a compliance audit guide remediation. Taking a positive view toward a compliance audit can enable a smoother process and improve overall results.

Date: January 21, 2025