What is a compliance audit?
Last editedNov 2020 4 min read
Are you confident that your business is operating in compliance with financial, technological, safety, and environmental regulations? Whether providing products or services, there are rules that must be satisfied both at the local and federal level. Compliance audits confirm that your company is adhering to these standards. Expect files, documentation, and internal processes to be verified as part of this type of audit. Here’s a closer look at what compliance auditing means and how it’s performed.
Understanding compliance auditing
At its core, a compliance audit evaluates whether an organization is following specific rules or standards. These may be imposed by government regulatory bodies pertaining to taxation, IT security issues, health and safety standards, or environmental protection.
Compliance auditing is mainly used to evaluate whether the company is following external regulations, but it can also be used at a corporate level. A compliance audit might be performed to determine whether a subsidiary company follows the wider corporation’s procedures and policies.
Why is compliance auditing necessary?
Compliance auditing is vital to ensure that a business is not operating outside of legal or financial guidelines. The process can be used to assign international ISO standards or to assign penalties if a company isn’t complying with essential safety standards. A compliance program helps businesses put controls in place to detect future problems while creating a paper trail of accountability. Regulatory agencies or business stakeholders might request the results of an audit.
Finally, a compliance audit can make the business more efficient in the future. Audits of this nature highlight inconsistencies in a company’s processes, showing where there might be room for improvement. Any compliance auditing process will also include recommendations for ways to correct these problems and prevent them, moving forward.
Compliance and internal audit comparison
While internal audits ensure that a company follows its procedures, compliance auditing ensures that it meets outside regulatory standards. The main difference between the two types of auditing processes is that the results of an internal audit are usually not shared with external organizations. By contrast, compliance audits create results that are meant to be shared with outside regulators or board members.
A compliance and internal audit can sometimes go hand in hand, with a company conducting an internal audit to catch any problems before compliance auditing begins. This could help the business avoid fines or other deterrents.
A third type of auditing is an operational audit, which looks closely at an organization’s efficiency. These, like internal audits, are kept within the organization and are not outward-facing like a compliance audit.
Who is responsible for compliance auditing?
While an organization’s employees conduct an internal audit, compliance auditing is often more complicated. Larger companies might choose to create an entire department dedicated to compliance, with subject-specific experts on hand to ensure that the organization complies with federal codes and standards. Compliance professionals have in-depth knowledge of their subjects, from finance to IT security.
Regulations might differ depending on the type of organization involved. For example, public or non-profit companies must follow different rules than those in the private sector.
What rules must compliance audits follow?
Every country has its own sets of standards that organizations must adhere to at the federal level. For financial audits, this includes the Government Auditing Standards (GAAS), which act as guidelines.
Here are a few examples of major regulatory acts and bodies within the United States. Each comes with its own set of standards that would be considered part of the compliance auditing process:
Sarbanes-Oxley Act (SOX): Passed by Congress in 2002, the SOX act was designed to protect investors with data protection and executive accountability best practices. As a result, compliance audits for the Sarbanes-Oxley Act look at payroll, finance, and IT departments. This includes an audit of financial records as well as compliance with electronic communication security.
Healthcare Insurance Portability and Accountability Act (HIPAA): For organizations that deal with personal healthcare data, HIPAA compliance is essential. A compliance audit in this department would check that the company is protecting personal data with proper security systems to safeguard confidentiality.
Payment Card Industry Data Security Standard (PCI DSS): Businesses that process over six million credit card transactions each year are required by US law to conduct an annual audit. This type of compliance audit ensures that the proper standards are in place to protect and store electronic payment information.
Internal Revenue Service (IRS): While IRS regulations are involved in any financial audit, this deals specifically with whether or not the organization follows tax codes. An IRS audit checks compliance at the federal level. Separate compliance audits deal with business records at the state or local levels.
Financial Industry Regulatory Authority (FINRA): FINRA works with the government’s Securities and Exchange Commission (SEC) to ensure businesses comply with trading practice standards. Investment firms or brokerages that don’t comply could face fines or suspensions.
Environment Protection Agency (EPA): The EPA works with government authorities at the state and federal levels to ensure that companies comply with environmental laws.
Occupational Health and Safety Act (OSHA): From retail to construction industries, businesses must ensure that workplaces adhere to health and safety regulations. An OSHA compliance audit would focus on this aspect of the company.
This is by no means an exhaustive list of the regulations that must be examined during compliance auditing but gives some idea of the diverse agencies involved. In addition to US-specific acts, the International Organization for Standards (ISO) applies globally. For example, the ISO 14000 certifications ensure that businesses reduce waste, while ISO 9001 focuses on management quality. ISO certifications are voluntary but do require periodic compliance audits.
What are compliance audit procedures?
The process is set in motion when an organization requests an audit. Compliance auditors might work together as part of a team or as an individual. In either case, the auditor examines records and conducts formal interviews with management and employees to collect evidence. Depending on the type of compliance audit, the auditor might also need to conduct on-site visits to observe workspaces and infrastructure. A compliance audit checklist and questionnaires are used to fill in any blanks as the auditor gathers statistics and identifies issues.
After gathering evidence and compiling a compliance report, the auditor will present this information and make recommendations. With this information in hand, companies can fix any risk or deficiency areas, potentially avoiding corrective actions or penalties.
Are there any compliance audit challenges?
With any compliance audit, there’s a chance that the process will uncover deficiencies. These are often subject to penalties, including fines. Penalties will still apply even when the company works to fix the issue for better compliance. However, it’s always important to undertake these compliance audits, or the organization could risk more severe penalties, including lawsuits and suspension.
We can help
GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.