
FAQs about compliance audits in IT

New and more complicated regulations have made compliance audits a fact of life for modern organizations. Learn about IT's role in the audit process in this FAQ.

Complying with the increasing number of regulations has made leveraging IT essential. That's particularly true in the automation of processes to handle the information in an organization's possession.

As requirements grow, systems that both facilitate compliance and demonstrate to a compliance auditor that standards for security and data protection have been met are an increasingly critical area of IT operations. Learn more in this FAQ.

What is a compliance audit?

According to, a compliance audit is a "comprehensive review of an organization's adherence to regulatory guidelines." Compliance auditing reports generally survey internal systems, such as user access controls and security policies, to test whether the organization is meeting its regulatory obligations. Most reviews are conducted by independent, external parties, such as government auditors or consultants with IT expertise. Organizations are asked to demonstrate that they have policies and procedures in place for achieving compliance. Some regulations, such as the Sarbanes-Oxley Act, also require that internal auditors assure that internal control systems are effective.

Some organizations also choose to implement internal auditing processes to test compliance procedures, identify potential violations and take corrective action before regulators conduct their official reviews.

How are compliance audits different?

Not all audits are the same. For instance, a software compliance audit will be very different from a financial audit of a public company's quarterly results. Both compliance and financial audits involve reviews of internal control systems by independent parties, but the scope and subject of the reviews differ. A financial audit checklist focuses primarily on controls related to accounting and financial reporting systems to determine whether the resulting financial statements are accurate, fair and complete. A compliance audit examines an organization's internal systems and IT controls more broadly to test whether a particular set of regulatory requirements is being met.

What regulations require compliance audits?

Until recently, the concept of a compliance audit typically evoked the 2002 Sarbanes-Oxley Act (SOX). Officially entitled the U.S. Public Company Accounting Reform and Investor Protection Act, SOX pertains to all publicly traded companies. A growing body of federal law, however, requires audits of internal control systems to ensure compliance with regulations. Some laws are industry-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), officially entitled the Financial Modernization Act. Additionally, there are industry-set standards that impose audit requirements, such as a PCI compliance audit mandated by the Payment Card Industry Data Security Standard (PCI DSS).

Compliance audits are conducted in different ways depending on the regulations being enforced. The vast majority will involve an assessment of IT systems because such systems have become integral to compliance processes. Auditors typically meet with CIOs, CTOs and IT managers to discuss how these systems are secured and who has access to them. Auditors also request documents that demonstrate that an organization is meeting its regulatory requirements.

Sarbanes-Oxley Act: A compliance audit evaluating conformity with the Sarbanes-Oxley Act requires a company to explain the process by which it generated the figures on its financial statements and how those numbers can be validated. Financial reporting processes at public companies generally rely on IT systems. As a result, the controls for those IT systems will be at the heart of an assessment of SOX compliance. The law requires reports on how effective the controls and procedures for financial reporting are, which means companies have to document and be able to demonstrate how the processes are secured and how well they work. Nonfinancial systems, as well as financial systems, may be evaluated in a compliance audit.

Learn more in this SOX FAQ.

PCI DSS: The challenges associated with PCI compliance and audits are quite different from those associated with the Sarbanes-Oxley Act. PCI DSS establishes very specific compliance measures, leaving little room for differing interpretations. Author Greg Nolann pointed out the difficulties an organization can confront in addressing both types of compliance challenges in "Seeking Compliance Nirvana," an article for the Association for Computing Machinery. "SOX and PCI address similar goals but take approaches that are 180 degrees apart," he wrote. "SOX doesn't specify a standard; instead it says to use some other established methodology or set of practices. PCI, on the other hand, specifies exactly what you must do, who can do it, where it applies, and how to determine if you are compliant."

Learn more in this PCI DSS FAQ.

HIPAA: Healthcare providers that store or transmit electronic health records are subject to HIPAA requirements. The Centers for Medicare & Medicaid Services, a division of the U.S. Department of Health and Human Services (HHS), provides a checklist of the kinds of information an auditor of HIPAA regulations requests. To prepare for a HIPAA compliance audit, experts recommend that an organization determine which checklist items have been addressed and then prepare a statement explaining why each item was or was not implemented. It is also important to make a written policy for records management and retention available for review and to keep staff training up to date.

Learn more in this HIPAA FAQ.

Who performs compliance audits?

Compliance auditors are generally government auditors or contractors, so that an independent third party certifies compliance and organizations cannot simply attest to it themselves. Some regulations, however, require internal as well as external audits. Under the Sarbanes-Oxley Act, for example, internal auditors assure that internal control systems are effective. Industry-established regulations can also require internal audits. Under PCI DSS, most merchants are required to bring in an external Qualified Security Assessor for a compliance audit. In a particular set of circumstances, some merchants can use an internal auditor instead.

Internal audits are sometimes conducted in preparation for external compliance audits. It is important to make sure policies and practices are up to date, enforced and documented. Since organizations should be prepared to turn over the documents at the auditors' request, they should be stored in nonerasable, nonrewritable formats and located where they can be accessed easily and retrieved quickly.

IT managers can prepare for audits by deploying information management tools, such as event log managers and change management programs, to make it easier to track and document internal controls and demonstrate compliance to auditors.

Preparing for a SOX audit can take hundreds of hours. Preparation requires reviewing information on the internal controls for financial data -- such as security, implementation, disaster recovery and change management -- and verifying the controls as well as the data.


What is the role of IT in a compliance audit?

After the introduction of numerous state data breach and protection laws, a central responsibility of IT is now to protect sensitive data within an organization. This responsibility encompasses keeping track of who can access the data and how. Given that IT systems are integral to financial reporting and other regulatory requirements, an assessment of the IT system's internal controls is also critical to a compliance audit process. This applies not only to compliance audits that involve the Sarbanes-Oxley Act but also to the Gramm-Leach-Bliley Act, HIPAA, HHS regulations and more.

Effective compliance frameworks should be supported by IT systems that suit a particular organization and the relevant regulations. Document management, event log management software, change management software and other tools can help achieve compliance with regulations and facilitate compliance audits.

An organization's IT professionals now work closely with other sides of the business, such as finance, legal and internal audit, to meet compliance goals. IT professionals should also collaborate with these departments in preparing for a compliance validation and then helping during the auditing process.


What are the penalties for noncompliance?

Failure to comply with regulatory obligations -- which include compliance audits -- can result in fines and prison terms, depending on the area of noncompliance. Under the Sarbanes-Oxley Act, for instance, the destruction of relevant email can result in fines up to $5 million and 20 years imprisonment. Noncompliance with the GLBA can result in five years in prison, as well as fines.

Regulations established by industry bodies, such as the New York Stock Exchange or the PCI Security Standards Council, do not include imprisonment for noncompliance but do impose fines.

For more on regulation-specific fines, review our recent FAQ sections on HIPAA penalties, HITECH penalties, PCI DSS penalties and SOX penalties.
