Compliance is a non-negotiable part of modern business life. As regulations become more stringent and more numerous and penalties for non-compliance grow tougher, having a robust approach to compliance — including an effective compliance audit strategy — is vital.
But simply putting in place structures and processes to manage compliance is not enough; you also need to provide evidence you have implemented — and followed — these procedures. That’s where an efficient compliance audit strategy comes in. As the name suggests, compliance audits are essential to governance, risk and compliance (GRC) because they document the tools and practices that help organizations achieve their aims while acting with integrity.
Here, you'll learn:
- What a compliance audit is and why they're important
- Types of compliance audits
- Three steps to conducting a compliance audit
- What a compliance audit report should include and how to ensure those reports deliver meaningful insights to the board
What is a compliance audit?
A compliance audit is the process of independently evaluating an organization to ensure that external rules, regulations and laws are being followed, as well as corporate bylaws, policies and procedures.
A compliance audit comprehensively reviews an organization’s adherence to regulatory guidelines. It also addresses the effectiveness of your internal controls to determine how you track and measure your performance against these external and/or internal requirements.
A compliance audit should be independent, not necessarily carried out by someone outside your organization, but someone independent of the work they are assessing.
Why are compliance audits important?
Compliance audits are essential because they establish an organization’s adherence to the rules, regulations and standards. They also give your board full visibility into every facet of your organization, including those areas that might not receive regular attention.
In addition to a better understanding of the business, compliance audits also help auditors build stronger relationships with the teams responsible for delivering performance who rarely have opportunities to engage with management and the board. By engaging with the broader organization, auditors can instill attitudes and behaviors that produce positive change.
Different types of compliance audits
Given the wide range of regulatory standards that have emerged, it’s not surprising that there are various types of compliance audits. Here are some of the most important.
- International Organization for Standardization (ISO): Several different ISO compliance audits exist. ISO 9001 focuses on quality management systems, ISO 14001 focuses on environmental management systems, and ISO/ICE 27001 focuses on information security and helps companies manage various types of data.
- Health Insurance Portability and Accountability Act (HIPAA): The HIPAA compliance audit ensures all patient data is protected and is essential for healthcare insurance providers, healthcare providers, and organizations that provide services to the healthcare industry.
- Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS compliance audit helps keep payment account data and cardholder information secure and is required for all parties that handle, store, process and transmit payment card data.
- The Sarbanes-Oxley (SOX) Act: Passed in 2002, the SOX compliance standards require publicly owned companies to publish accurate information about their publicly traded stocks.
- SOC 2: Developed by the American Institute of Certified Public Accountants, the SOC 2 compliance audits cover data processing security, confidentiality and privacy to show how organizations protect and secure cloud data. There are two main types of SOC 2 audits.
- Type 1 audits: examine how management describes an organization's systems and whether the design of controls is appropriate. Type 1 audits are based on a specific timeline, and the report is issued ”'as of” a given date.
- Type 2 audits: also examine how management describes an organization's systems but look at the operating effectiveness of controls. Because they encompass an extended period, usually between 6 and 12 months, Type 2 audits are more rigorous than Type 1 audits.
- General Data Protection Regulation (GDPR): As of 2016, any business that collects, stores or processes the data of any person living in the EU must comply with GDPR, even if that data is stored outside of the EU. GDPR compliance audits ensure that data protection policies are enforced, and protections against data breaches are in place.
The difference between internal audits and compliance audits
Internal audits and compliance audits have seemingly similar processes and purposes. Yet the differences are significant and come down to what’s being audited and why it’s being audited.
Internal audit examines the entire internal control environment to identify any and all organizational risks. This includes audits of all financial, information technology and operational systems. Compliance audits are more limited in scope, looking specifically at whether the organization is compliant with all relevant laws, rules and regulations, and they tend to focus in on high-risk compliance policies and procedures.
How to conduct a compliance audit
How you conduct a compliance audit depends in part on your sector or jurisdiction. Factors like whether your company is private or public and whether it is subject to specific industry regulations can dictate national, state, or local laws you must adhere to, all of which will impact the structure of your audit.
Regardless of your company size or industry, your compliance audit strategy should establish the following:
- Who will carry out the audit?
- What should be covered in a compliance audit?
- What happens to the outputs?
Incorporate the answers to those questions in the following steps, which are common to most compliance audits:
1. Choose and brief an auditor
An impartial party should carry out any audit of your compliance performance. If your organization has an internal audit team, they might be the best people to lead your audit because they’ll already be skilled in forensic investigation. If you operate in a heavily regulated sector like healthcare, you will have a compliance officer or department who can complete the audit. For some, an external, third-party auditor may be the most appropriate person, especially if there is no one in a relevant role within your business.
Whoever you choose, make sure they are a good fit with your organization and understand the rules and regulations you need to follow and don’t have a vested interest in the outcome. Then brief them thoroughly to understand your compliance audit objectives and the issues you need the audit to address.
2. Prepare for the audit
Your auditor may provide you with a compliance audit checklist — or you may have prepared one yourselves. Either way, a checklist approach can be a great way to ensure you have covered all the bases.
3. Ensure you have all the documents and evidence the auditor needs
This can be the first sticking point for organizations with less-than-robust compliance practices. Being able to provide evidence for the processes you have in place, and how you follow them is a vital step in meeting your compliance obligations.
Your auditor will need clear records of your procedures. They may gather these via on-site visits or work remotely, requesting documents to be sent to them and discussing the issues raised via phone or video call.
On-site visits may include the auditor observing current practice and sitting in on organizational activity to get a first-hand view of your processes in action.
Compliance audit example
One requirement of HIPAA is that healthcare organizations complete an internal audit annually, though many organizations audit their own systems bi-annually or even quarterly. This makes healthcare organizations and providers a great example for compliance audits.
Let’s say you’re a health insurance provider. You store and manage patient data related to their policies, claims and treatment history. Because healthcare is highly-regulated, you likely have an in-house compliance office or department responsible for all audits.
That person or team would need to maintain an audit checklist. Your other departments will also need to keep thorough documentation that all processes are HIPAA compliant. When it comes time for a compliance audit, your compliance audit or team will follow that checklist to compile all evidence, then use their findings to compile an audit report that includes recommendations for mitigating any possible lapses in compliance.
Compliance audit report
Audit compliance reports present the auditor’s findings to help examine an organization's compliance environment and suggest avenues for improvement. Audit compliance reports can reveal potentially troublesome areas that might expose the organization to the risk of fines or litigation.
The structure of the report depends on whether you’re preparing it for an internal or external audience. External audit reports, like those from a regulatory agency, will need to show that the organization is operating in good faith and is a strong candidate for remediation. Internal audit reports are typically for senior executives or the board and recommend how the organization can fix any possible regulatory or compliance issues.
A successful compliance audit report should include:
- Identify the auditors: Provide background information on the auditors to establish the auditors’ authority and professional expertise. Readers need to know what qualifies them to make informed judgments on compliance initiatives.
- Specify the logistics of the audit: Give a clear and thorough accounting of the audit itself. For example, What processes or activities were examined? What checklists or guidelines were used as measurements? In short, this is where auditors establish the criteria of the audit.
- Present the findings of the audit: Present overall conclusions and recommendations based on the audit's purpose and logistics. Within this summary, it is useful to address the condition, including what caused success or failure and the effects of each, like loss of revenue.
- Recommend improvements: It is standard for the report to provide advice for strengthening compliance protocols and concrete steps that the organization may take to reduce deviations.
Deliver value through compliance audit
The prospect of a compliance audit may seem daunting, but it can create value for your organization if you have a strategy prepared. Every organization will have a slightly different idea of how to prepare for a compliance audit. Still, if you can access real-time insight into your compliance obligations and performance against them, you will be well-positioned to tackle compliance audits as your organization evolves.
Compliance management and auditing software can give you this insight and put increased rigor around your compliance processes. Such systems can provide you with confidence in your approach, knowing it is built on solid data and grounded in accurate insight.
See Diligent’s audit management solution in action to find out how automated workflows throughout the entire audit lifecycle can help you maximize the impact of every audit.