Compliance Audit: Definition, Types, and What to Expect
Compliance audits are a broad topic that can touch many parts of an organization. Several kinds of compliance audits may be underway at any given time, and at first glance the world of compliance is full of opacity and acronyms. In this article, we will introduce you to the basics of compliance audits, break down the various types, and give some firsthand advice on what to expect and how to successfully navigate a compliance audit.
What Is a Compliance Audit?
Compliance audits are formal evaluations or assessments of an organization’s adherence to frameworks and/or regulatory requirements. Compliance audits are conducted by independent audit practitioners, and most have the following characteristics:
- Are based on frameworks or regulatory requirements.
- Evaluate an organization’s posture in depth against the guidance and requirements of the target framework or compliance regulation.
- Are performed by an independent or third-party auditor.
- Result in some kind of final deliverable, like a report, an assessment, or an audit opinion.
During a compliance audit, businesses should expect to go through interviews about internal controls. You will likely be asked to provide documents or evidence to show that you’re “walking the talk” in carrying out compliance requirements. Auditors must meet their own standards, exercising their judgment and professional skepticism with the aim of reaching “reasonable assurance” that an organization is conducting the activities stipulated by the target framework or regulation.
Let’s take the Sarbanes-Oxley (SOX) Act as an example. Section 302 of the SOX Act requires that a CEO and CFO certify that the financial statements are complete and accurate. There is a lot that goes into drafting the financial statements. For instance, when the company is reporting on how much cash they have on the balance sheet, it is a result of multiple transactions that touch every part of the business. How can the business provide reasonable assurance that the final number that gets reported out to investors is complete and accurate? Some questions that may be asked are:
- How are material transactions reviewed and approved?
- Is the business retaining evidence that the transactions have been reviewed and approved? What type of evidence?
- Is the evidence sufficient?
- Can the auditors obtain the evidence and independently replicate the review?
These are examples of the types of questions you can expect to be asked in a compliance audit.
Purpose and Objectives of a Compliance Audit
Ultimately, the purpose of a compliance audit is to receive a deliverable detailing the organization’s degree of compliance against the target framework or regulatory agency requirements. Depending on the type of compliance audit, an organization might receive an audit opinion, as with SOX and SOC audits. Audit opinions are issued over the efficacy of an organization’s internal controls as they relate to specific criteria. Successful ISO 27001 audits result in a certification. Not all compliance audits are pass or fail; regardless, noncompliance can have less than ideal consequences.
Since compliance audits are performed by third-party, independent auditors, these formal audits are objective, and will often include areas of improvement for the business. Perhaps more poignantly, third-party compliance audits build trust with external organizations and customers, demonstrating that an organization has the necessary controls in place to meet target requirements.
While most companies are compelled to complete compliance audits because of regulatory agency requirements or contractual demands, clients should really approach compliance audits as a multi-faceted tool. In addition to “checking the box” of completing mandatory audits, companies can and should use any findings as an opportunity for improvement, remediating any gaps discovered through the audit process. If corrective action is not possible in the short-term, it’s a good idea to log gaps in your risk register and keep track of remediation status. Demonstrating commitment to continuous improvement mitigates present and future risks.
As third-party risks continue to pose a threat to global cybersecurity, businesses and direct consumers expect more in terms of security, data protection, and privacy from organizations, making SOC 2 attestations and ISO 27001 certifications in demand, perhaps even table stakes for sales discussions. Privacy regulations like GDPR have galvanized other geographies into implementing privacy regulations around personal data, or at least starting the conversation. The Payment Card Industry Security Standards Council (PCI SSC) which governs PCI DSS has released PCI DSS v.4.0 in December of 2022 and plans to sunset PCI DSS v.3.2.1 by 2024 — this change will drive changes to the PCI DSS compliance audit approach.
Audit deliverables may also include recommendations for management and strategy. This third-party advice can help make the case for additional focus on governance, risk, and compliance (GRC) or security.
The Difference Between an Internal Audit and a Compliance Audit
The core difference between internal audits and compliance audits, sometimes referred to as external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are performed by independent, third-party, or external auditors — terms that are sometimes used interchangeably.
The two types of audits also differ in the value they add. Aside from being necessary for many businesses, compliance audits performed by independent auditors give stakeholders another lens through which to view the organization. Furthermore, internal audits tend to assess an organization’s performance against its own goals, rather than against a specific framework.
Mandatory compliance audits differ based on a company’s industry, sector, private/public status, size, and other potential factors. The US government mandates audits for several regulatory areas across finances, transactions, health information, and information security. Publicly traded companies have their financial statements audited on an annual basis, incorporating the stipulations of the Sarbanes-Oxley Act (SOX). For a summary of compliance audit types and their purposes, refer to the table in the following section.
However, compliance audits and internal audits are optimal allies. Ideally, internal audits occur prior to and concurrent with compliance audits, allowing organizations to identify and remediate gaps and prepare for the compliance audit ahead of time. Compliance audits may then identify other opportunities for improvement, while internal audits verify that findings from compliance audits are remediated or improved. Essentially, internal audits can help you find holes before the external audit so that you can prepare an appropriate remediation plan and response – hopefully reducing the risk around that finding. Plus, external auditors always appreciate an organization improving their own processes as a result of internal audits. Embracing the cyclical nature of compliance and integrating processes into operations elevates and matures an organization’s integrated risk program.
Different Types of Compliance Audits
There are a lot of compliance frameworks and regulations out there — and a lot of corresponding audits. Organizations should identify their audit priorities by asking these questions:
- Which regulations am I required to perform compliance audits for?
- Are there any compliance audits required by our partners or customers?
- Are there any compliance audits available that would benefit the organization?
- Looking towards the future, are there any compliance audits that may be required or desirable for the organization?
Healthcare providers and other covered entities, for example, must comply with HIPAA’s regulatory compliance requirements, while publicly traded companies must comply with Sarbanes-Oxley (SOX). Other common frameworks include SOX, SOC 1, SOC 2, PCI DSS, ISO/IEC 27001, FISMA, FINRA, and others.
The list and table below summarize some common types of compliance audits. Organizations are often required to perform more than one compliance audit in a year, which can slow down innovation and increase costs.
Types of Compliance Audits
- CMS: Centers for Medicare and Medicaid Services
  - Part of the Department of Health and Human Services (HHS), CMS specifically addresses Medicare and Medicaid regulations.
  - Who may need it? Organizations that work with Medicare and Medicaid.
- EPA: United States Environmental Protection Agency
  - The EPA conducts audits to address environmental regulations, such as the Clean Water Act (CWA), Clean Air Act (CAA), and Toxic Substances Act (TSCA), among others.
  - Who may need it? Organizations required to adhere to EPA standards and regulations, or organizations seeking to demonstrate sustainable and environmentally friendly practices.
- FINRA: Financial Industry Regulatory Authority
  - A non-governmental organization, FINRA requires broker-dealers to address nineteen areas of compliance, including Anti-Money Laundering (AML) and cybersecurity and technology governance.
  - Who may need it? Brokerages, broker-dealers, and similar financial organizations.
- FISMA: Federal Information Security Modernization Act
  - Introduced in 2002 and amended in 2014, FISMA requires government agencies and contracted affiliates to secure systems and sensitive and protected data.
  - Who may need it? Government agencies, state agencies that oversee federal programs, and any private businesses that have government contracts.
- GDPR: General Data Protection Regulation
  - Effective as of 2018, GDPR was passed by the EU in an effort to regulate and protect individuals’ data and privacy.
  - Who may need it? Businesses that operate in the European Union or serve EU customers.
- HIPAA: Health Insurance Portability and Accountability Act
  - Originally introduced in 1996, HIPAA is a US federal law aimed at protecting sensitive patient health information and informing patients in the event of a data breach.
  - Who may need it? Covered Entities (like hospitals) and Business Associates (third parties serving Covered Entities) must comply with the relevant clauses of HIPAA. The definition of Covered Entity versus Business Associate can be found on the US Department of Health and Human Services’ website.
- HR: Human Resources
  - Human Resources audits can involve employee information, payroll, and employment laws and regulations.
  - Who may need it? All employers may be subject to Human Resources-related audits.
- IRS: Internal Revenue Service
  - The IRS audits individuals and organizations routinely to ensure that taxes are paid appropriately and on time.
  - Who may need it? All employers may be subject to an IRS audit.
- ISO/IEC 27001 (and other variants): International Organization for Standardization
  - ISO, the International Organization for Standardization, publishes international standards across various industries. The ISO 27000 family of standards, including 27001, addresses information security and privacy.
  - Who may need it? ISO audits are optional, but ideal for organizations that:
    - Operate internationally, especially in the EU.
    - Certify against multiple ISO frameworks.
    - Are required to by customers or partners.
- OSHA: Occupational Safety and Health Administration
  - OSHA compliance audits are aimed at fostering safe and healthy workspaces.
  - Who may need it? All employers may be subject to an OSHA audit.
- PCI DSS: Payment Card Industry Data Security Standard
  - American Express, Discover, JCB International, MasterCard, and Visa formed the PCI Council in 2006 to develop and enforce data and security compliance standards around credit card information and cardholder data with the aim of reducing fraud.
  - Who may need it? Organizations that process more than 6 million credit card transactions annually.
  - Note that all organizations that process credit card payments must still be compliant with PCI DSS; however, they do not have to conduct a formal compliance audit until transactions exceed 6 million annually.
- SOC 1: Service Organization Controls relevant to Financial Reporting
  - The full name of a SOC 1 is “Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.” SOC 1 compliance audits can cover a variety of processes. Crucially, they can be used by service organizations to show that their services can be relied upon, even when they contribute to a customer’s financial statements.
  - Who may need it? SOC 1 audits are optional, but ideal for organizations that:
    - Provide services to several publicly traded companies.
    - Have a material effect on clients’ or customers’ financial statements.
    - Are required to by customers or partners.
- SOC 2: Service Organization Controls Relevant to the Trust Services Criteria (TSCs)
  - In contrast to SOC 1, which addresses controls that may affect customers’ financial statements, a SOC 2 report covers the internal controls at an organization related to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. Both types were developed by the AICPA.
  - Who may need it? SOC 2 audits are optional, but ideal for organizations that:
    - Provide services to other businesses, especially SaaS and PaaS organizations.
    - Want to build trust with customers.
    - Focus on Security, Availability, Processing Integrity, Confidentiality, and/or Privacy.
    - Are required to by customers or partners.
- SOX: Sarbanes-Oxley Act
  - Enacted in 2002 as a response to major fraud at Enron and WorldCom, among others, Sarbanes-Oxley was designed to enforce auditor independence for financial compliance audits and hold executives accountable for representations made in their organizations’ financial statements.
  - Who may need it? Publicly traded companies, management, and accounting firms.
5 Fundamental Steps of the Compliance Audit Process
These are the five fundamental steps that an independent auditor completes in order to deliver a final report, opinion, or assessment in a compliance audit. Keep in mind that each type of compliance audit will have nuances, scopes, and procedures unique to that framework or regulation. Some teams may opt to do these steps in a different order, or use a variant testing methodology. These steps are written from the perspective of the independent auditor; the steps an organization follows to prepare internally differ from company to company.
1. Research and Readiness
Before landing “on-site” for fieldwork, whether that’s physically or virtually, the compliance auditors performing your audit do some preparation and research on their end. They confirm the scope of the audit, prepare an evidence or audit checklist, plan their approach, and schedule time with the organization’s main point(s) of contact to coordinate and kick off the audit.
If the auditors are the same from previous years, they may prepare by reviewing the prior year report(s), documentation, and work papers to familiarize themselves with the business’s environment. They will want to understand what compliance procedures the business has taken in the past, and confirm if/how those procedures may have changed.
2. Documentation and Evidence Review
As part of their work, compliance auditors will need to review the policies and procedures that govern the business. This may not include all of the organization’s policies and business processes, though will likely include security policies, risk management policies, compliance policies, and those policies that are relevant to the target framework. Other common policies useful for compliance audits include change control policies, identity and user access control policies, acceptable use policies, and third-party risk management policies.
Auditors familiarize themselves with these policies to understand the business, governing principles, who’s who, and even what the IT stack looks like. To narrow the scope of what an organization needs to provide, auditors should generally present a checklist of evidence requests, describing the documentation and artifacts they need to complete the audit. There may be several rounds of back-and-forth on the evidence and requests as auditors work out how all the puzzle pieces fit together. This document review step may continue throughout the duration of the audit, or occur in several rounds depending on the auditors’ approach.
3. Conducting Interviews
To support their knowledge of a business, its internal controls, and its compliance with the target framework, auditors require an interview or walkthrough phase where they ask questions in real time about in-scope processes. They might want to go over a specific piece of documentation to better understand the dates and causes for a transaction, or review a process from end to end to identify the controls in place. It’s fair game to ask the audit team for a high-level outline of topics for these interviews so that the right people speak to the processes they own. It’s not a good use of anyone’s time to show up to a process walkthrough… and not have the process owner there because they weren’t invited!
The questions compliance auditors ask in interviews are actually a type of audit test categorized as inquiry. There are other types of audit tests, like inspection or examination and re-performance. Reviewing documents and evidence is considered inspection.
To prepare for this phase, it’s best to have interviewees review the organization’s official policy and procedure documents related to the interview topic. The point person for that interview should develop a thorough understanding of the people, processes, and technologies under their purview. Ultimately, the auditors are looking to replicate the compliance processes, procedures, and reviews that the business is performing. If your organization has resource constraints, or your employees wear many hats, and it’s hard to find dedicated auditor time with key personnel, it’s worth expressing this to the audit team and asking to keep interviews efficient.
4. Process Assessment and Employee Shadowing
At this point, a compliance auditor should have a good understanding of the business and relevant internal controls. They are likely forming an opinion or assessment of effectiveness of the in-scope controls. This assessment comes from the combination of documentation review, interviews, and testing conducted by the auditors.
This is also the phase in which the bulk of testing should occur. Some testing can be performed earlier in the audit, but testing should occur after the audit team has confirmed its understanding of the organization’s processes. How can one test a process they don’t understand?
Audit testing involves document review, sometimes of a single instance of a control operating (like showing that a policy was reviewed at least annually), or of a sample of controls operating (like showing that a random sample of 25 employees hired this year signed the Employee Handbook). Auditors note findings, noncompliance, and deviations when they encounter them, potentially resulting in more follow-ups or more testing. While organizations want to avoid deviations and noncompliance as much as possible, human error, outages, and other factors can thwart those plans. In those circumstances, it’s best to document as much as the organization can about the actions taken to mitigate that deviation from the policy and future-proof the organization from having the same deviations in the future.
If you have an audit finding, it’s not the end of the world! Some of the largest and most successful companies in the world have findings in their compliance audits. The degree and duration of deviation from policy matters — how severe are the risks of this audit finding, any mitigating procedures or compensating controls, and how long has this gap existed? If possible, ask if you can provide a management response to any findings, outlining the steps the organization will take to correct the deviation. All of this detail will help the auditors document the finding with the full context in mind. For instance, I had uncovered a finding where a terminated employee received stock when they were not supposed to. However, the business was able to take corrective action as a result of that finding and rescind the transaction. As a result, we were able to report that while there was a finding, there was no net financial impact to the business.
Throughout the audit process, it can be helpful to allow auditors to shadow employees and collect testing evidence in real time — another type of audit testing referred to as observation. By shadowing employees, auditors can see controls operate in action and ask questions ad hoc. Since the pandemic has ushered in a new era of real-time sharing, this shadowing process for auditing has become more efficient, effective, and popular. Some auditors may even record screen sharing sessions to grab screenshot evidence after the meeting — organizations should specify if they do not want this to occur, and for cybersecurity purposes, use secure sharing and video conferencing methods to transfer documents and share screens.
5. Compilation of Compliance Report
After the audit team has completed the majority of their procedures, including document review, conducting interviews, testing, process assessment, and shadowing, the audit team on the ground — those folks you work with on a day-to-day basis — will prepare the target compliance audit work papers and report, noting the results of each phase and their overall assessment. Senior members of the team will perform one or more additional levels of review, sending back comments and questions that the business may need to respond to.
For some types of compliance audits, like SOX, SOC, PCI DSS Level 1, and others, the final audit deliverable must be signed off on by an individual or firm that has the appropriate certifications. Only Certified Public Accountants (CPAs) can sign off on, or issue an opinion for, SOC reports. These auditor certifications and qualifications are issued by formal authorizing bodies, like the AICPA, ISO, PCI Security Standards Council, and others.
Keep in mind that you and your organization have a say in your report. Review the draft report thoroughly for any errors, misstatements, or gaps, and raise them to the audit team’s attention. There are certain sections of compliance audit reports that can be customized — take advantage of the opportunity to highlight your organization’s dedication to governance, risk, and compliance (GRC).
Once the business receives the final report or deliverable in-hand, signed, and finalized, that particular compliance audit cycle closes… and another one begins!
Tips for a Successful Compliance Audit Process
Compliance is an ongoing activity — it’s an important one that keeps businesses and customers safe, and builds trust between them. It can be a labyrinth of pitfalls and dead ends though, and that’s where the right audit management software makes a difference. Here are some tips to help your next compliance audit go smoothly.
1. Be Prepared
If your organization is pursuing a formal compliance audit, the likelihood is that your organization is paying good money for that audit. It’s not worth going through an audit if you know the business is not ready — and if you go through a compliance audit with poor internal controls, your business could be fined, face litigation, and other less tangible consequences, like losing customers’ trust.
The best way to avoid a painful audit is to be prepared. Review compliance documentation and get your evidence organized, policies updated, and target framework(s) set and scoped. Toggle audit logs on, if they aren’t already. Set log retention to at least 366 days (to account for leap years). Treat compliance like operational musts. Calendarize it! Tee-up stakeholders for successful interviews and shadowing. If compliance audit procedures call for a physical inspection of workspaces, take that into account for planning. That sounds like a lot – and that’s where technology can help you operationalize your compliance program, assisting with scheduling, stakeholder communications, and translating policy into action.
2. Integrate and Automate
Buzz words, we know. Still, we’ll say it — wherever and whenever possible, especially if you’re a small shop, automating controls and integrating across your larger cloud ecosystem is a game-changer. Force code changes to be approved by default at the pull request or release level so that your change controls operate without a hitch. Automatically create onboarding checklists when a new employee is entered into your HR systems, and integrate with other technologies to push out updates without manual intervention. Automate vulnerability scanning by integrating your code base with vulnerability scanning tools. Use built-in tools to achieve efficiencies. By automating and integrating, businesses reduce the risk that compliance activities won’t be documented, or won’t be executed properly.
For periodic controls that operate every week, month, quarter, year, or other variant, set up auto-reminders for process owners and their teams, and do it a few days before the absolute deadline — you’d be surprised how many times I have had to note an audit finding because the Q2 access review occurred during Q3.
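The timing check behind that kind of finding is mechanical enough to automate. The following is an added example, not code from the article or from AuditBoard: it assumes a quarterly control (an access review) whose evidence is a signed review labelled with the quarter it claims to cover and dated with the day it was actually performed, classifies each quarter as on time, late, or missing, and derives the reminder date a few days before each quarter’s deadline. The control name, the evidence records and the five-day reminder lead are constructed for the example.

```python
"""Periodic control timing check (added example, not AuditBoard's code).

A periodic control must operate inside each period it covers. Evidence
that is dated after the period closed is the classic "Q2 review done in
Q3" finding; a period with no evidence at all is a missing control.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Period:
    label: str
    start: date
    end: date


@dataclass(frozen=True)
class Evidence:
    period_label: str  # the period the review claims to cover, e.g. "Q2 2023"
    performed_on: date  # date on the signed review or the closed ticket


def quarters(year: int) -> list[Period]:
    """Build the four calendar quarters of a year (Q4 ends on Dec 31)."""
    periods = []
    for q in range(1, 5):
        start = date(year, 3 * q - 2, 1)
        next_start = date(year + 1, 1, 1) if q == 4 else date(year, 3 * q + 1, 1)
        periods.append(Period(f"Q{q} {year}", start, next_start - timedelta(days=1)))
    return periods


def assess(periods: list[Period], evidence: list[Evidence]) -> dict:
    """Map each period label to (status, days_late).

    on time : at least one piece of evidence dated within the period
    late    : only evidence dated after the period closed (days_late > 0)
    missing : no usable evidence (evidence dated before the period does
              not show the control operated during it)
    """
    by_label: dict[str, list[date]] = {}
    for e in evidence:
        by_label.setdefault(e.period_label, []).append(e.performed_on)

    results = {}
    for p in periods:
        dates = by_label.get(p.label, [])
        in_window = [d for d in dates if p.start <= d <= p.end]
        after = [d for d in dates if d > p.end]
        if in_window:
            results[p.label] = ("on time", 0)
        elif after:
            results[p.label] = ("late", (min(after) - p.end).days)
        else:
            results[p.label] = ("missing", None)
    return results


def findings(results: dict) -> list[str]:
    """Period labels an auditor would write up as deviations."""
    return [label for label, (status, _) in results.items() if status != "on time"]


def reminders(periods: list[Period], lead_days: int) -> dict:
    """Reminder date for each period: lead_days before the period closes."""
    return {p.label: p.end - timedelta(days=lead_days) for p in periods}


# Constructed sample evidence for a quarterly access review in 2023:
# Q1 on time, Q2 performed two weeks into Q3, Q3 on time, Q4 never done.
SAMPLE_EVIDENCE = [
    Evidence("Q1 2023", date(2023, 3, 20)),
    Evidence("Q2 2023", date(2023, 7, 14)),
    Evidence("Q3 2023", date(2023, 9, 28)),
]


def sample_report() -> dict:
    """Run the check over the constructed sample (used by the demo below)."""
    return assess(quarters(2023), SAMPLE_EVIDENCE)


if __name__ == "__main__":
    report = sample_report()
    for label, (status, days_late) in report.items():
        extra = f" ({days_late} days after quarter end)" if status == "late" else ""
        print(f"{label}: {status}{extra}")
    print("Findings:", ", ".join(findings(report)) or "none")
    for label, when in reminders(quarters(2023), lead_days=5).items():
        print(f"Reminder for {label}: {when.isoformat()}")
```

Feeding the script a real evidence export (ticket closure dates, signed review timestamps) turns the reminder calendar and the late/missing check into something you can run before the auditors do; evidence dated before the period it claims to cover is deliberately treated as missing, since it cannot show the control operated in that period.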
Leverage templates heavily — compliance activities should be easily repeatable and integrated into everyday operations. By using templates, employees can spend less time thinking about how to document something and instead refer to an existing template for guidance.
If there is no built-in auditing for a critical system or activity like incident response, integrate or migrate to a task or service management solution like Jira, ClickUp, ServiceNow, or Asana to create tickets for compliance activities automatically.
There’s a saying in compliance that “if it wasn’t documented, it doesn’t exist.” With that in mind, it’s better to have some documentation than no documentation. For instance, the business may have robust review procedures in place. However, if there is no documentation of that review, then the auditors cannot attest to the review procedures. As a general rule of thumb: if you are performing any compliance procedures, make sure to document it.
3. Designate Accountability
Whether it is one main point of contact for the whole audit, having a formal compliance officer, and/or building a team solely for compliance audit, the buck must stop somewhere. We have seen entire audits derailed and budgets bloated because there’s no single point of contact accountable for the audit, and busy folks keep playing hot potato. Auditors will rack up hours sending emails and trying to get in touch with the right people. A connected platform such as AuditBoard keeps this from happening by simplifying communications between stakeholders.
Make sure that someone is accountable for your compliance audit. That individual doesn’t have to know everything — the ideal point person should have a good understanding of the organization’s operations as a whole, and be able to pull in the right contacts for the right topic.
From a project management perspective, this will help the audit move along more smoothly.
This does not have to be a separate role, though it is a large project. Technology owners, process owners, and team leads should all have an understanding of the work they are involved in. They serve as ideal personnel to tap for interviews and shadowing during a compliance audit.
4. Leverage Purpose-Built Technology
We’re pleased to say that technology and tools have come a long way since we started our careers in audit. Now, compliance attestations are accessible to organizations of all sizes, and the tools available to tackle compliance challenges continue to improve and diversify. I still love my spreadsheets and don’t see those going away any time soon, but modern organizations need more than a cloud repository, more than spreadsheets, more than dashboards, more than Gantt charts alone — modern organizations need a centralized home base. AuditBoard was designed to facilitate a successful audit process, enabling the execution of core compliance audit steps and best practices.
No matter where you are in your compliance voyage — whether it’s your first or your hundredth audit — preparedness, leveraging technology, and establishing a culture of risk accountability are the keys to success.
Ariba Iqbal is a Senior Implementation Project Lead at AuditBoard and specializes in RiskOversight implementation. Prior to joining AuditBoard, she was a Senior Consultant in the Risk Consulting department at Focal Point Data Risk, a CDW Company. Ariba brings experience working on multiple types of internal audit engagements for clients in various industries, including manufacturing, financial services, cyber security, and real estate. Connect with Ariba on LinkedIn.
Christina Ramos, CPA (inactive), is a Senior Manager of Implementation and Professional Services at AuditBoard. Prior to AuditBoard, Christina spent 10 years at Deloitte as an external auditor focused on PCAOB audits, including two years working as a PCAOB advisor in Tokyo, Japan. Connect with Christina on LinkedIn.