compliance audit

Contributor(s): Kassidy Kelley

A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Over the course of a compliance audit, audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls and risk management procedures.

What precisely is examined in a compliance audit varies depending on whether an organization is a public or private company, what types of data it handles, and whether it transmits or stores sensitive financial data.


For instance, a Sarbanes-Oxley Act compliance audit would have to prove that any electronic communication is backed up and secured with a reasonable disaster recovery infrastructure. Healthcare providers that store or transmit e-health records, including personal health information, are subject to Health Insurance Portability and Accountability Act laws and regulations. And financial services companies that transmit credit card data are subject to Payment Card Industry Data Security Standard requirements.

In each case, organizations must be able to demonstrate compliance by producing an audit trail, often generated with data from event log management software, as well as internal and external audits.

Internal vs. external compliance audits

Internal audits are carried out by employees of a company to gauge overall risks to compliance and security and to determine whether the company is following internal guidelines. Internal audits occur throughout the fiscal year and reports can be used by management teams to identify areas that require improvement. Internal audits measure company objectives against output and strategic risks.

External audits are formal compliance audits that are carried out by independent third parties and follow a specific format that is determined by the compliance regulation being assessed. External audit reports measure whether an organization is complying with state, federal or corporate regulations, rules and standards.

An auditor's report is used by regulators to assess possible fines for noncompliance, or by the C-suite to prove regulatory compliance. An external compliance auditor may use internal audits to further evaluate compliance and regulatory risk management efforts.

Figure: Compliance audits are integral to governance, risk and compliance (business continuity and GRC programs).

Compliance audit procedures

External audits begin with a meeting between company representatives and compliance auditors to outline compliance checklists, guidelines and the scope of the audit. The auditor conducts reviews of employee performance, studies internal controls, assesses documents and checks for compliance in individual departments.

Compliance auditors will generally ask members of the C-suite and IT administrators a series of pointed questions that may include what users were added and when, who has left the company, whether user IDs have been revoked, and which IT administrators have access to critical systems.

IT administrators can prepare for compliance audits using event log managers and robust change management software to track and document authentication and controls in their IT systems. The growing category of governance, risk and compliance (GRC) software can enable CIOs to quickly show auditors that an organization is compliant, helping it to avoid costly fines or sanctions.
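The two paragraphs above describe the auditor's questions (which users were added and when, whether the IDs of people who left were revoked, which administrators hold access to critical systems) and the event logs administrators use to answer them. The following added example, which is not from the original page or any vendor's product, shows how such an audit trail can be derived from a constructed, syslog-style sample of identity events. The log format, field names, event names and the list of critical systems are all assumptions made for the example.

```python
"""Build an audit-trail summary from identity and access event logs.

Added example (not from the original page): answers the kinds of
questions a compliance auditor asks -- which users were added and when,
whose IDs have been revoked after leaving, and which administrators hold
access to critical systems -- from a constructed, syslog-style log sample.
The log format, field names and system names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: "<timestamp> <event> key=value ...").
SAMPLE_LOG = """\
2018-11-02T09:14:00Z user_created user=jdoe by=admin1
2018-11-02T09:15:10Z role_granted user=jdoe role=reader system=payroll by=admin1
2018-11-05T16:40:00Z user_created user=asmith by=admin2
2018-11-05T16:41:00Z role_granted user=asmith role=admin system=payroll by=admin2
2018-11-20T12:00:00Z hr_terminated user=jdoe
2018-11-21T08:00:00Z user_disabled user=jdoe by=admin1
2018-11-28T10:00:00Z hr_terminated user=asmith
2018-12-01T11:30:00Z role_granted user=admin3 role=admin system=erp by=admin1
"""

CRITICAL_SYSTEMS = {"payroll", "erp"}  # assumed set of systems in audit scope

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s*(?P<rest>.*)$")


def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts', an 'event' and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than fail the whole report
        try:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp: skip it as well
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        fields["ts"] = ts
        fields["event"] = m.group("event")
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def build_audit_report(text):
    """Summarize the events into the answers an auditor asks for."""
    events = parse_events(text)
    added = {}                       # user -> (creation timestamp, who created it)
    disabled = {}                    # user -> timestamp the ID was disabled
    terminated = {}                  # user -> HR termination timestamp
    admin_access = defaultdict(set)  # user -> critical systems where they hold admin

    for e in events:
        user = e.get("user")
        if e["event"] == "user_created":
            added[user] = (e["ts"], e.get("by"))
        elif e["event"] == "user_disabled":
            disabled[user] = e["ts"]
        elif e["event"] == "hr_terminated":
            terminated[user] = e["ts"]
        elif e["event"] == "role_granted" and e.get("role") == "admin":
            if e.get("system") in CRITICAL_SYSTEMS:
                admin_access[user].add(e["system"])

    # Departed users whose IDs were never revoked: the finding auditors look for.
    unrevoked = sorted(u for u in terminated if u not in disabled)
    # Days between HR termination and ID revocation for users who were revoked.
    revocation_lag_days = {
        u: (disabled[u] - terminated[u]).days for u in terminated if u in disabled
    }
    return {
        "users_added": {u: ts.isoformat() for u, (ts, _) in added.items()},
        "departed_unrevoked": unrevoked,
        "revocation_lag_days": revocation_lag_days,
        "critical_admins": {u: sorted(s) for u, s in admin_access.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_audit_report(SAMPLE_LOG), indent=2))
```

Run against the sample, the report lists both account creations with their timestamps, flags asmith as a departed user whose ID was never disabled, records a same-day revocation for jdoe, and names asmith (payroll) and admin3 (erp) as administrators of critical systems. Correlating the HR feed with the identity log is what turns raw events into an answer to "who has left the company, and were their IDs revoked?"; in a real deployment the parser would read from the event log manager's export rather than an inline string.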

Auditors then review business compliance processes as a whole and create a final audit report. Compliance auditors provide details to company leaders about the organization's level of compliance adherence, any violations and suggestions for improvement. The audit report is eventually released publicly.

Importance of compliance auditing

Compliance auditing, either internal or external, can help a company identify weaknesses in regulatory compliance processes and create paths for improvement. In some cases, guidance provided by a compliance audit can help reduce risk, while also avoiding potential legal trouble or federal fines for noncompliance.

Much like the laws that drive them, compliance programs are in a constant state of flux as existing regulations evolve and new ones are implemented. Compliance auditing provides an outline of internal business processes that can be changed or improved as regulations and requirements change.

This was last updated in December 2018


How does your company use compliance audits to improve business processes?
Is it possible to have a compliance audit division within a gaming industry?
Hello Dr. Margaret. Nice to find this article, because it will help me to make my research. I'm Noura from KSA, studying MPA at King Saud Uni. Now I'm preparing for my topic; it's about compliance.
Ms., I have an inquiry, please. If I would like to make a survey in some corporates or to managers of compliance sections in your country, could you help me?
Best regards.
