Compliance audits are often conducted as part of an organization’s compliance management system. A compliance management system, or CMS, is an integrated system used to meet regulatory requirements, internal policies and industry standards.
In addition to regular compliance audits, an effective CMS may also include a board of directors focused on creating a culture of compliance at the enterprise; a chief compliance officer or manager to establish or implement compliance policies and procedures; and compliance monitoring, which entails surveilling operations to identify areas of non-compliance.
The practice of auditing gained a prominent foothold in society during the first Industrial Revolution, as corporations developed and investors sought assurances of their fiscal health through audits of financial records. In the mid-19th century, the UK established a law requiring corporate audits, helping to initiate the development of compliance regulations that continues to this day.[1]
Today’s compliance requirements extend beyond the examination of financial statements to include a variety of areas, such as the protection of sensitive information or an organization's adherence to environmental regulations.
To understand the importance of compliance audits, it’s helpful to first consider the contemporary compliance landscape.
Around the world, governments and industry organizations enforce a large and diverse array of compliance requirements for the benefit of consumers, workers, investors and other stakeholders. Infringing upon these requirements can result in massive penalties, sanctions and reputational damage.
For example, companies found in severe violation of the European Union’s General Data Protection Regulation can face fines of up to EUR 20 million or 4% of their annual worldwide revenue, whichever is higher.
Compliance audits can help organizations achieve their business objectives while avoiding such costly consequences. They can empower organizations to determine whether they’re following their own risk management best practices, identify whether they’re in danger of non-compliance and reveal when corrective action is necessary. Audits also provide assurance to stakeholders regarding the organization’s regulatory compliance efforts.
The term compliance audit is often used to refer specifically to an external audit, conducted by independent external auditors. However, internal audits—executed by an internal auditor or audit team within the business—can also fall under the umbrella of compliance audits.
Internal compliance audits often focus on a company’s compliance with its own policies and procedures, as well as improving efficiency in business processes and risk management activities. External audits, however, are often conducted for the purpose of reassuring external stakeholders that a business is adhering to external standards, such as government regulations.
In both cases, the audit process should be conducted in an impartial manner so that its results (findings and recommendations compiled in an audit report) can be used to help organizations and compliance officers maintain ongoing compliance and identify potential compliance risks.
Audit procedures can assess companies’ alignment with compliance standards for different areas and disciplines. These include:
Audits of organizations’ cybersecurity practices can help ensure they have the right measures in place to manage and respond to cyberthreats ranging from phishing to malware.
One standard commonly used for cybersecurity audits is the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This standard provides guidance and best practices that private sector organizations can follow to improve information security and cybersecurity risk management. The framework covers a range of cybersecurity measures including risk assessment, identity management, access control, response planning and recovery activities.
Another major standard underpinning cybersecurity audits is ISO/IEC 27001, also known as ISO 27001. The global information security standard, developed jointly by the International Organization for Standardization and the International Electrotechnical Commission, is a set of requirements for information security management systems within an organization. In effect, it provides a framework for organizations to manage and protect their sensitive data and other information, reducing the risk of data breaches, cyberattacks and other security incidents.
Additionally, there is a cybersecurity audit designed specifically for service providers. Service Organization Control (SOC) reports are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA) to address the risk associated with an outsourced service. A SOC 2 report evaluates the internal controls that an organization has put in place to protect customer-owned data and provides details about the nature of those internal controls.
While cybersecurity audits typically include an examination of an organization’s data protection measures, audits based on certain laws and regulations concentrate specifically on this area. These include audits aligned with laws protecting consumer information and health data privacy.
Laws broadly applying to consumers include the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For GDPR compliance, businesses are required to use legally approved ways to transfer and process personal data; protect personal data at rest and in transit; and respect EU residents' rights—as established by the law—over personal data collection, use and possession.
For CCPA compliance, companies must adhere to guidelines covering multiple types of personal data for California residents, including birthdate, driver’s license number, passport number, banking account information and credit card or debit card numbers.
One key type of compliance audit in health privacy is the Health Insurance Portability and Accountability Act (HIPAA) audit. Entities covered by this US law—including healthcare providers such as doctors and hospitals, as well as health insurance companies—and their affiliated business associates are required to implement and maintain a set of technical, administrative and physical controls designed to safeguard protected health information (PHI).
Audits of organizations’ financial statements and security controls can evaluate their compliance with laws such as the Sarbanes-Oxley Act (SOX) and industry rules such as the Payment Card Industry Data Security Standard (PCI DSS).
The SOX Act is a US law aimed at preventing corporate fraud. It requires that public companies implement internal controls to protect financial data from tampering; file regular reports with the Securities and Exchange Commission (SEC) attesting to the effectiveness of security controls and the accuracy of financial disclosures; and pass an annual independent audit of their financial statements and controls.
The PCI DSS is a set of security requirements to protect cardholder data—such as primary account numbers (PANs), names, expiration dates and service codes—and other sensitive information throughout its lifecycle.
PCI DSS compliance requires annual reporting by merchants and service providers, and additional reporting following significant changes to the cardholder data environment. Validating compliance also involves continuous assessment of an organization’s security posture, and continuous remediation to address any gaps in security policy, technology or procedures.
Environmental, social and governance (ESG) audits can determine whether enterprises are complying with laws and voluntary frameworks related to environmental and social impacts. These include the EU’s Corporate Sustainability Reporting Directive (CSRD), US Environmental Protection Agency regulations, the Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board (SASB) Standards.
Safety audits evaluate whether organizations are complying with rules and regulations designed to protect the health and safety of workers. Major standards include ISO 45001, a global health and safety standard developed by the International Organization for Standardization, and, in the US, workplace safety rules set and enforced by the Occupational Safety and Health Administration (OSHA).
The nature of a compliance audit may vary by type of audit, compliance program, organization and industry. However, there are steps that compliance auditors commonly take during the compliance audit process. These include:
Step 1: Planning the audit
Determine the scope of the audit, its goals and the resources it will require. A compliance audit checklist mapping out the process can prove helpful.
Step 2: Reviewing documents
Review the company’s policies and procedures as well as any other relevant documents, such as various records and contracts.
Step 3: Conducting additional research
Interview employees and/or managers. If relevant, observe operations and internal processes.
Step 4: Compiling a compliance audit report
Document results, findings and recommendations for continuous improvement or corrective actions.
Step 5: Engaging in follow-up
Monitor progress on the implementation of recommended measures or actions.
Software solutions can help organizations track their adherence to compliance requirements and prepare for compliance audits. Leading solutions offer capabilities such as:
Real-time monitoring of data security and regulatory posture.
Comprehensive dashboards that provide a unified view of compliance activities.
Automated data capture and reporting that help to streamline compliance audits.
Ready-to-use, regularly updated templates that simplify the setup of compliance policies.
[1] “Why change over time the fundamental purpose of auditing?” International Journal of Business and Management Invention, September 2023.