What is a compliance audit? (with an example checklist)
A compliance audit is critical for finding any potential compliance gaps in an organization's operations. Here's what companies can do to prepare for them.
Demonstrating compliance is critically important because of the number of regulations, legislation and other rules and guidance affecting IT professionals and their companies.
All organizations should go through a formal examination of their compliance-related activities, such as an audit. The results can help document that a company is compliant with specific requirements. An external audit firm or a company's internal audit department might perform these types of audits.
Here's what company leaders should understand about enterprise compliance audits, as well as a free checklist that can help avoid missed steps in the process.
What is a compliance audit?
A compliance audit is a review of an organization's adherence to standards, regulations and other guidelines. Compliance audits generally follow established audit principles and processes, such as those described by ISACA.
Which audits a company must undergo depends on factors such as whether the organization is public or private, what types of data it handles, and whether it transmits or stores sensitive financial or personal data.
At the conclusion of an audit, auditors complete an audit report that compiles evidence of a company's compliance with applicable regulations and describes how the organization manages controls associated with achieving compliance. Controls might include risk management activities and techniques for measuring compliance.
The regulations, legislation and other guidance that form the basis of an audit are a good indicator of the area of company operations that will be audited. For example, an audit subject might be "evaluating adherence to data protection regulations," and the audit would focus on how well an organization follows laws such as the GDPR. The audit would assess the company's data handling practices, privacy notices and consent tools to make sure the organization is compliant and find any potential risks.
Compliance documentation helps illustrate that an organization is meeting required standards. For example, the documentation might include discussion of a control like "the system continuously examines data traffic to identify and block potential malware."
What is the goal of a compliance audit?
The goal of a compliance audit is to show how well an organization meets specific requirements.
An organization might adopt more audit controls than standards or regulations require. A proactive approach to controls can improve the organization's risk management framework, help safeguard assets and reinforce stakeholder confidence. Such additional controls might include performing risk assessments and promoting ethical practices within the company.
An internal or external audit can help reveal weaknesses in a company's regulatory compliance activities and lead to corrective action. Failure to follow specific regulations can result in heavy fines and penalties, depending on the statute, so compliance audit recommendations can reduce a company's risk and mitigate potential litigation or fines for noncompliance.
Monitoring the statutes that are relevant to a specific company is an essential compliance-related activity, as statutes are periodically reviewed and updated. Internal processes at an organization can then be updated to reflect changes in regulations and requirements.
Compliance audit preparation checklist and template
Here are the recommended steps to follow during a compliance audit. Some steps vary depending on whether the audit is internal or external.
- Learn which metrics and controls are the subject of the audit. For example, the EPA might contact an organization to decide whether the organization's practices meet environmental standards, so a suitable audit should focus on EPA requirements.
- Senior management must approve an audit, whether the audit is internal or external.
- Decide who will coordinate activities with the auditors if the audit is external. For example, a compliance officer might serve as the main intermediary between the company and external auditors.
- Establish an audit plan and secure its approval by senior management and others in the organization. For example, an internal audit team might decide the range of the audit, then get approval for carrying out the plan.
- Figure out who will carry out the audit if it is an internal audit. Internal audit team members should be knowledgeable about the audit subjects so they can carry out a careful and proper examination.
- Establish a workspace for the auditors to conduct interviews, review evidence and prepare reports.
- Make sure that the auditors have access to all relevant compliance audit documentation, including any applicable standards, regulations and other metrics. A compliance officer would likely supply external and internal auditors with data and should try to provide more evidence than necessary so auditors won't need to continually ask for more materials to examine.
- Verify the availability of employees who are subject matter experts and likely candidates for audit interviews. For example, a member of the audit team might contact co-workers about interviews with external and internal auditors and tell them that the auditors might ask them to respond to follow-up inquiries.
- Conduct pre-audit meetings with the company departments that are likely to be involved in the audit. For example, a company's finance department meeting before an internal audit will help make sure that all involved employees fully understand their roles and responsibilities during the audit.
- For an external audit, the company's liaison, such as a compliance officer, should hold a pre-audit meeting with the auditors. The meeting should include a review of the auditors' approach and what they will need during the audit. This meeting should also discuss the process for obtaining the attestation that is part of their audit report. During this time, the compliance officer could also present the external auditors with a tentative timeline, which would show that the organization is ready for the audit.
- For an external or internal audit, the compliance officer or whoever is serving as audit team leader should hold periodic meetings with the auditors to make sure that the audit is progressing and that any auditor needs are promptly addressed.
- Near the end of an internal or external audit, a meeting to review the preliminary audit report can provide opportunities to correct some of the audit findings before the official audit report is issued.
- An internal or external audit ends with a meeting in which the auditors deliver the completed audit report to compliance stakeholders and discuss the findings and recommendations. The auditors and stakeholders then set up a schedule to address audit findings, if necessary.
- A compliance officer might provide the audit report's results if needed to obtain a formal certification of compliance from an authorized certification body.
- A compliance officer creates a schedule to periodically confirm that the organization is maintaining its compliance status.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.