The prospect of an “audit” can evoke feelings of concern within an organization; the word carries with it connotations of intense scrutiny and the active quest for mistakes. This sense of caution can be heightened when auditing is combined with “compliance”.
Yet compliance is a far-reaching term – one that refers to a company’s relationship with numerous regulations and mandates. Compliance initiatives can pertain to legal departments, document retention, security or data management, amongst many other areas. Compliance programs exist as a way to demonstrate that the company is operating within its legal limits.
How should your organization prepare for its next compliance audit? What’s involved in the process, what do you need to know, and how can technology help?
What is a compliance audit?
Compliance auditing is the process of independently evaluating an organization to ensure that external rules, regulations and laws are being followed, as well as corporate bylaws, policies and procedures.
A compliance audit involves a comprehensive review of an organization’s adherence to regulatory guidelines. IT, security, HR and quality management systems may also be reviewed as part of the regulatory compliance auditing process.
Who performs compliance auditing?
Compliance audits can be either an internal or external process.
Internal audit teams comprise employees from within the organization; these individuals will have been tasked with evaluating the effectiveness of a particular department or compliance initiative. When creating such a team, it is important to select detail-oriented members who are both thoroughly familiar with the content of the regulations and the company’s actions in response to those regulations. Internal audit teams will document their observations and report their findings to appropriate management for review.
External audit teams are independent of the organization being audited. Depending on the regime they may be engaged by the company itself (an independent accounting firm for financial controls, a Qualified Security Assessor for PCI DSS) or sent by the regulator or governing body; typically they include independent accountants, security analysts or IT specialists. External audit teams report their findings to the company in question and, where the regime requires it, to the relevant regulatory or governing body. External audits carry particular weight because an adverse finding can lead to sanction, loss of certification or legal action.
What is the purpose of a compliance audit?
The purpose of regulatory compliance auditing is to establish an organization’s adherence to the rules, regulations, standards and – in some cases – bylaws and codes of conduct set by the company.
An audit is conducted impartially, in many instances by independent, professional outsiders. It reviews and examines the effectiveness of an organization and the controls that it has in place.
Types of compliance audits
Many types and variants of compliance audits exist. In the United States alone, here are just a few of the many types of compliance audits that can impact organizations:
Sarbanes-Oxley Act (SOX) Audit: If the auditing team is examining the organization’s handling of SOX regulations, auditors will focus on the internal controls over financial reporting and on the IT general controls that support them: access to financial systems, change management, and backup and recovery of financial records and of the electronic communications that document them, with reliable disaster recovery procedures in place. This audit will examine financial records, financial and operational controls, the payroll and finance departments, and IT disaster recovery protocols for electronic communications, amongst other areas of interest.
HIPAA Compliance Audit: Healthcare providers, health plans and clearinghouses that store or transmit electronic health records, together with the business associates that handle such data on their behalf, are subject to the mandates of HIPAA (Health Insurance Portability and Accountability Act of 1996), which concerns the security and responsible use of the personal information contained in patients’ medical files. The HIPAA Security Rule requires administrative, physical and technical safeguards for electronic protected health information, and all three are examined as part of this auditing process.
PCI DSS Compliance Audit: Companies that store, process or transmit cardholder data must comply with PCI DSS (Payment Card Industry Data Security Standard). PCI DSS is not a law but a contractual standard imposed by the card brands, and it sets out a clear list of requirements that a business must implement in order to store, process or transmit electronic payments. Merchants at the highest transaction level (generally those processing more than six million card transactions per year) must undergo an annual on-site assessment by a Qualified Security Assessor; smaller merchants typically complete an annual self-assessment questionnaire instead.
Social Compliance Audit: An organization’s suppliers and facilities must adhere to social compliance and sustainability codes of conduct, to include employee health and safety, working rights, and environmental sustainability standards.
Internal Revenue Service (IRS): The IRS’ audits cover individuals, corporations and nonprofit entities alike, ensuring that all appropriate income taxes are paid. The IRS’ audits are referred to as examinations.
ISO 14001: The International Organization for Standardization’s ISO 14001 is the internationally recognized, certifiable standard that demonstrates a company is addressing its environmental impact through waste reduction and efficient working practices. This voluntary certification, much like the quality management standard ISO 9001, requires both an initial certification audit and subsequent periodic surveillance audits to maintain it.
What do compliance auditors look for?
Compliance audits vary depending on the particular compliance initiative examined or the regulatory body conducting the audit.
A range of factors can influence an audit’s contents, including whether the company is publicly or privately owned, what sort of data the company handles, and whether the company transmits or stores sensitive financial information.
Yet irrespective of the differences between regulatory bodies, all audits tend to measure a company’s fitness in three key areas: security, user access control and risk management policy.
Security: If an organization handles sensitive information, all available measures must be taken to ensure data is safe from fraud or abuse. The unauthorized storage, sharing or sales of customer information can result in fines or other sanctions. With the enactment of the EU’s GDPR (General Data Protection Regulation), the range of information considered private has widened considerably, causing many organizations to review their policies concerning customer data.
User Access Control: A key step in providing overall data security is instituting and maintaining user access control: authenticating every user, limiting each account to the data and functions its role requires (least privilege), and revoking access promptly when an employee leaves or changes role, so that only authorized employees, and never the general public, can reach the data. Quality access control also includes audit logging: recording each change to the data, which user made it and when, in a log that the users being monitored cannot edit or erase.
Risk Management: Compliance teams will look to identify the ways in which an organization recognizes and mitigates a risk factor. This can be anything that might represent a threat to the company’s successful operation and may include the possibility of corruption, unfavorable publicity or even a natural disaster. Compliance auditors want to know that your organization has plans in place for dealing with these various possibilities to ensure the company’s long-term success.
It is likely that compliance auditors will need to contact an organization’s CIO, CTO and IT administrators. They may ask for an up-to-date employee roster, a list of all administrators with access to critical systems and information, a list of all personnel departures for the period, and evidence that the accounts of departed staff were disabled on or shortly after their leaving date. Accounts that cannot be matched to a current employee (orphaned or unowned service accounts) are a common finding, so it pays to reconcile the roster against the account list before the auditors do.
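The roster-versus-accounts reconciliation described above is easy to automate. The following script is an added example, not code from the original page or any Diligent product; it assumes an HR roster export with the columns `employee_id,name,status,termination_date` and an identity-provider export with the columns `username,employee_id,enabled,groups,last_login` (both column layouts are assumptions), and the sample rows are constructed for illustration. It produces the three things an auditor asks for in one pass: the list of enabled privileged accounts, departed employees whose accounts are still enabled past a grace period, and enabled accounts that belong to nobody on the roster.

```python
"""Access-revocation reconciliation for an audit evidence request (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not real exports). Column layouts are assumed.
ROSTER_CSV = """employee_id,name,status,termination_date
E001,Ada Lovelace,active,
E002,Grace Hopper,active,
E003,Alan Turing,terminated,2024-03-15
E004,Dennis Ritchie,terminated,2024-04-30
"""

ACCOUNTS_CSV = """username,employee_id,enabled,groups,last_login
alovelace,E001,true,finance-admins;vpn,2024-05-10
ghopper,E002,true,vpn,2024-05-09
aturing,E003,true,domain-admins;vpn,2024-05-08
dritchie,E004,false,vpn,2024-04-29
svc-backup,,true,domain-admins,2024-05-10
"""

# Groups treated as privileged for the "admins with critical access" list (assumed names).
PRIVILEGED_GROUPS = {"domain-admins", "finance-admins", "db-admins"}
GRACE_DAYS = 1  # days allowed between termination and account disablement


def parse_roster(text):
    """Return {employee_id: row}, with termination_date parsed to a date or None."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        row["termination_date"] = date.fromisoformat(term) if term else None
        roster[row["employee_id"].strip()] = row
    return roster


def parse_accounts(text):
    """Return a list of account rows with enabled as bool and groups as a set."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].strip().lower() == "true"
        row["groups"] = {g.strip() for g in row["groups"].split(";") if g.strip()}
        row["employee_id"] = row["employee_id"].strip() or None
        accounts.append(row)
    return accounts


def reconcile(roster, accounts, as_of, grace_days=GRACE_DAYS):
    """Cross-check accounts against the HR roster as of a given date.

    unrevoked : enabled accounts of employees terminated more than grace_days ago
    orphaned  : enabled accounts with no matching employee on the roster
    privileged: enabled accounts that are members of a privileged group
    revoked_ok: terminated employees whose accounts are already disabled (evidence)
    """
    findings = {"unrevoked": [], "orphaned": [], "privileged": [], "revoked_ok": []}
    for acct in accounts:
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if acct["enabled"] and acct["groups"] & PRIVILEGED_GROUPS:
            findings["privileged"].append(acct["username"])
        if emp is None:
            if acct["enabled"]:
                findings["orphaned"].append(acct["username"])
            continue
        if emp["status"].strip().lower() == "terminated":
            # A terminated employee with no recorded date is treated as overdue.
            term = emp["termination_date"] or date.min
            deadline = term + timedelta(days=grace_days)
            if acct["enabled"] and as_of > deadline:
                findings["unrevoked"].append(acct["username"])
            elif not acct["enabled"]:
                findings["revoked_ok"].append(acct["username"])
    for key in findings:
        findings[key].sort()
    return findings


def run_check(as_of=date(2024, 5, 12)):
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(parse_roster(ROSTER_CSV), parse_accounts(ACCOUNTS_CSV), as_of)


if __name__ == "__main__":
    for name, usernames in run_check().items():
        print(f"{name:10s} {', '.join(usernames) or '-'}")
```

On the sample data the check flags `aturing` (terminated in March, still enabled with domain-admins membership) as unrevoked and `svc-backup` as an enabled privileged account with no owner; `dritchie` appears under revoked_ok, which is exactly the proof of revocation an auditor asks for. Run the same script against the real exports, keep the output with the exports it was produced from, and the evidence package is ready before the audit starts.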
Five steps to plan internal compliance auditing
Investing time in an internal audit can be invaluable; it can reveal weaknesses or deficiencies in a compliance initiative at an early stage, providing the opportunity to remedy the situation before the organization is placed at risk of legal sanction.
Five key steps can pave the way to a successful internal audit:
- Choose a team of experienced and motivated employees with a breadth of skills, who are familiar with both the department under examination and the details of the compliance measures.
- Review copies of departmental procedures and cross-reference them with regulations to ensure that they are all compliant.
- Examine production and volume reports to determine an appropriate sample size for the audit. If the audit is focused on contracts, for example, sampling 100 out of 500 would be adequate to establish an overall trend; a much smaller sample may give misleading audit results.
- Create a robust checklist that each auditor should closely reference when reviewing a file. The details of the list will vary depending on the type of department the audit concerns, but the goal is to provide a measure of consistency from auditor to auditor.
- Develop a clear system for reporting the findings and suggestions to the organization’s management and necessary employees.
Technology solutions to support compliance auditing
Robust entity management systems can provide valuable resources to help ease the burden of compliance audits.
Data verification and consolidation can ensure that your company operates with a single, reliable source of information, and customizable compliance modules help create instantly accessible audit trails.
For more information on how Diligent Compliance can help you prepare for a compliance audit, schedule a demo today.