
Compliance Auditing 101: Types, Regulations and Processes


The rules that society runs on are essentially agreements that we will all perform activities in a prescribed way for the health, safety, and benefit of everyone. In business, rules and conventions may be voluntary to show that products and services adhere to certain standards, or they may be compulsory to comply with federal or local rules and regulations. Adherence to voluntary and compulsory standards is confirmed through compliance audits. These periodic surveys of policies, processes, procedures, files, and documentation in for-profit and nonprofit entities are conducted by hired professionals or government auditors. These surveys verify the effectiveness of internal controls and processes to ensure that standards and regulations are met.

In this article, we’ll discuss some of the many voluntary standards and compulsory regulations that require audits, how compliance audits are conducted, and how auditors are trained and continue to keep their professional edge.


What Is a Compliance Audit?

A compliance audit is an independent evaluation to ensure that an organization is following external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. Compliance audits may also determine if an organization is conforming to an agreement, such as when an entity accepts government or other funding. Although most people are familiar with financial audits, such as those for public companies through the Sarbanes-Oxley Act (SOX) or individual or corporate tax audits through the Internal Revenue Service (IRS), compliance audits are not merely financial. Audits may also review IT and other security issues, compliance with HR laws, quality management systems, and other areas. Compliance is one leg in the tripod of GRC, which stands for governance, risk, and compliance.

Compliance is important for many reasons. Aside from signifying levels of professional standards, like the ISO 9000, ISO 14000, and other guidelines, noncompliance with regulatory guidelines may bring sanctions and penalties. Penalties for noncompliance with federal regulations, such as Sarbanes-Oxley, are specified through the Federal Sentencing Guidelines Act and apply fines based on a formula that calculates the most recent offenses and determines whether the organization employs a compliance officer who communicates regulatory needs to the organization.

Boards of directors are also often accountable for operations and need to see audit reports. If a regulatory agency does investigate, proof of a compliance program is important to show that the organization has controls and other mechanisms that can detect deficiencies and even illegal activity.

Depending on the circumstances, the audit may be conducted by an employee, such as an internal auditor, a certified public accountant, a third-party auditor, or a government auditor. In many circumstances, auditors may seek the expert advice of outside specialists, such as lawyers.

Audits provide recommendations on ways to make improvements or corrective actions and to prevent future deficiencies or nonconformities. Audits review for effectiveness to determine the number of compliant versus non-compliant processes. Audits also help organizations to stay in compliance with frequently changing federal regulations. In addition, audits identify areas of risk for noncompliance within the organization and report these appraisals to management and the appropriate regulatory entity as applicable.

Essentially, a compliance audit asks if you are doing what you said you would do.

What Is the Purpose of a Compliance Audit?

A compliance audit gauges how well an organization adheres to rules and regulations, standards, and even internal bylaws and codes of conduct. Part of an audit may also review the effectiveness of an organization’s internal controls. Different departments may use multiple types of audits. For example, accounting may use internal, compliance, and operational audits. Audits may be required by different levels of government.

  • Internal Audits: Although some conflate the notions of compliance audits and internal audits (often using personnel from an internal audit team), these two types of audits represent separate approaches. Internal audits ensure that an organization follows process, procedures, and guidelines — in other words, its own internal controls. This type of audit also guarantees that these controls prevent and detect errors or illegal acts. A compliance audit, on the other hand, ensures that the organization is fulfilling outside obligations, such as rules and regulations, agreements, or standards. Internal audits may be operational, IT, financial, or regulatory, but are conducted using formal audit methodologies appropriate to the subject area. Internal audits are not available to regulators and tend not to be made public, although sometimes social compliance audit results are released as part of a company’s rebranding. Internal audits may be conducted prior to an outside compliance audit to ensure that the organization is following standards.
  • Compliance Audits: Compliance audits differ from internal audits in that they are outward-facing, ensuring that the company complies with regulations or codes of conduct. Ideally, however, both internal and compliance audit functions share the same language (and even software) to make sure that reviews are comprehensive.
  • Operational Audits: Operational audits determine how efficient and effective different departments and activities are and whether these areas function in alignment with the mission and intent of the organization.

Auditing Is Not Monitoring

An audit is not the same thing as ongoing monitoring. Audits are discrete experiences, akin to projects, and are usually conducted by disinterested outsiders. Monitoring is an ongoing effort to ensure that controls accurately guide processes. Monitoring is also the responsibility of management.

Who Conducts Audits?

Internal audits are usually conducted by employees. Larger organizations may keep an entire department to manage internal audits. However, to maintain objectivity, it is essential that the auditor have no direct connection to the area or department being audited. An internal auditor or audit manager has the specific duty to inform management of changes or deficiencies in controls and to recommend actions to improve controls and processes. Still, internal auditors are not responsible for monitoring internal or external compliance. Some feel that special training is not required for the internal auditing role. Auditors may also hire experts, such as university professors, to review practices.

For compliance audits, large organizations in particular may support an entire compliance department headed by a compliance manager to ensure adherence to codes, standards, and regulations. In fact, as the number of federal regulations has grown beyond the number of government auditors available to monitor compliance, the number of internal compliance officers has also grown. Compliance staff members have knowledge of the pertinent laws, regulations, and internal codes of conduct and bylaws. They may also have sufficient subject-area knowledge, like mechanical or environmental engineering for instance, to conduct operational audits. Individuals with a financial background would focus on accounting matters.

Different Audit Criteria

Within the United States alone, multiple voluntary and compulsory audits exist based on standards and regulations. Financial audits in the U.S. are governed by generally accepted auditing standards (GAAS), which provide guidelines for preparing for and conducting audits. Government Auditing Standards apply to the audits of government organizations as well as to the programs and activities of contractors who receive government funds. Such standards may also apply to nonprofit organizations and non-government organizations that receive government funds. Audit evaluation criteria may also change based on whether a company is public or private. Often, federal agencies offer compliance support in the form of hotlines and websites to help organizations navigate regulatory labyrinths.

The following are just a few of the possible audit standards and guidelines in the U.S.:

  • Compliance Auditing Considerations in Audits of Government Entities and Recipients of Government Financial Assistance (AU 801): This guideline specifies definitions, management roles, and requirements for compliance audits of financial situations for government entities and organizations that receive government funding. They are published and managed by the Public Company Accounting Oversight Board (PCAOB).
  • Sarbanes-Oxley Act (SOX): SOX compliance audits require a specific audit of financial records and financial and operational controls. In addition to payroll and finance departments, IT departments are subject to particular audits to ensure controls for disaster recovery for electronic communications, appropriate change management tools, and complete audit trails.
  • Social Compliance: Social compliance and sustainability codes of conduct define employee working rights, health and safety rights, and environmental sustainability standards. Audits verify that suppliers and facilities in a supply chain adhere to the guidelines. Nonconformities may trigger sanctions, including loss of brand business.
  • Healthcare Insurance Portability and Accountability Act (HIPAA): HIPAA compliance audits check that organizations follow the standard for protecting personal data in healthcare. Organizations that handle personal healthcare information (PHI) must ensure the physical, electronic, and procedural security of data.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of standards that businesses must implement to be certified to store, process, or transmit electronic payments. If your organization processes more than six million credit card transactions per year, an annual audit is compulsory to ensure that networks, systems, and processes can protect sensitive information and detect breaches in a timely manner.  
  • Human Resources (HR): Although various types of HR audits exist, a legal compliance audit verifies that an entity follows federal, state, and local employment laws and regulations. Particular areas of concern for companies include the misclassification of non-exempt work and inadequate personnel files.
  • Payroll: Payroll compliance audits determine whether an employer is complying with collective bargaining agreements.
  • Internal Revenue Service (IRS): The IRS audits individuals, corporations, and nonprofit entities to ensure that income taxes are paid. The IRS refers to their audits as examinations because they follow tax code and not generally accepted accounting principles.
  • State and Local Tax (SALT): State and local auditors may review records of business and individuals to verify that state and local taxes, such as income tax and sales tax, are paid.
  • Financial Industry Regulatory Authority (FINRA): FINRA is not a government body, but it works together with the Securities and Exchange Commission (SEC). FINRA specifies annual audits for financial, brokerage, securities, and investment firms. This entity checks licensing, advertisements, and day-to-day activities to verify that trading practices are fair. Repercussions for a poor audit result can include fines, suspensions, or disbarment.
  • Can-Spam Act: This is a federal law implemented by the Federal Trade Commission (FTC) that governs bulk mail and commercial electronic messages to eliminate offensive, annoying, or misleading commercial email. The law applies to commercial business and also to nonprofit organizations. Commercial email senders may want to audit their system for opt-out efficiency and audit vendors.
  • Occupational Health and Safety Act (OSHA): OSHA implements workplace health and safety standards for most workers, including office workers, and extends to those in such fields as manufacturing, construction, private education, and disaster relief. OSHA audits ensure that workplaces are hygienic and hazard-free.
  • Environmental Protection Agency (EPA): The EPA works with state, tribal, and other federal authorities to promote adherence to environmental laws. Environmental integrity is ensured by inspections and testing, but also through a robust self-monitoring and self-reporting mechanism.
  • Securities and Exchange Commission (SEC): The SEC audits financial institutions, such as securities advisors, to ensure that investors are well-informed about purchases and that clients are fairly treated.
  • The Centers for Medicare and Medicaid Services (CMS) (formerly the Health Care Financing Administration): The CMS is an agency within the federal Department of Health and Human Services. It oversees Medicare funding and partners with states to administer Medicaid. Audits of facilities are conducted regularly to ensure funds are used and tracked correctly.
  • ISO 14001: Established in 1996 by the International Organization for Standards, the ISO 14000 series and the certifiable standard, 14001, provide internationally designed guidance for businesses to limit environmental impact through reducing waste and using supplies more efficiently. Certification is voluntary, but requires an initial audit and periodic maintenance audits.
  • Social Compliance: Social compliance standards center on sustainable labor and environmental practices throughout a company’s supply chain. Standards may be specified in laws and regulations, in company-drafted codes of conduct, or in policies that are agreed upon by various industries. Social compliance audits are often required by brands, but paid for and initiated by suppliers.
  • SSAE-16: Statements on Standards Attestation for Engagements governs reports on controls at financial service organizations, such as data centers, ISPs, and other entities that may store, handle, or transmit sensitive data.
  • ISO 9001: ISO 9001 is an internationally agreed-upon quality management standard. Certification is voluntary, but requires an initial audit and periodic maintenance audits.

Who Participates in Compliance Audits?

Depending on the type of audit, many departments in one firm may be subject to an audit, from finance to payroll to production to IT to sales. Auditors may interview employees throughout the hierarchy. However, particular emphasis is placed on managers. AU 801, for example, holds management responsible for understanding compliance requirements, ensuring that adequate controls are in place to sustain compliance, regularly checking to certify that compliance is met, and then implementing corrective actions to mitigate deficiencies or nonconformities. With SOX compliance audits, CEOs and CFOs must attest to the integrity of controls and the accuracy of financial reports. PCI compliance audits may interview CIOs, CTOs, and IT admins to determine how users are tracked and to review the audit trail from IT event log and change management software.

The History of Compliance Auditing

Although regulations of standardized weights, measures, and practices can be traced back to craft and merchant guilds of the Middle Ages, regulations and compliance grew mainly with the Industrial Age. Governments, professional groups, and social welfare organizations sought increased oversight and control over business practices. Internal auditing was the first innovation beginning in the 1970s, as companies sought to ensure the integrity of their own practices. In addition to voluntary certification standards, such as the ISO 9000, the previous century saw the rise of government monitoring authorities. For example, besides multiple federal agencies that conduct their own audits, the Office of the Inspector General includes a sub-office in each federal department.

The Challenges of Compliance Auditing

Compliance can seem to present organizations with a predicament in which they are liable for penalties whether they work to comply or not. Deficiencies discovered in a regulatory audit may be subject to fines. However, any deficiencies that are not discovered in an audit may still subject an organization to a third-party lawsuit. Deficiencies disclosed in self-auditing and self-reporting can still garner significant penalties.

How Are Compliance Audits Conducted?

An auditor may work alone or in collaboration with other functions, like human resources, IT, legal and security. An auditor must have access to records. In addition, auditing questionnaires and formal interviews provide a richer picture of the organization’s situation. Depending on the area of audit, statistical or judgemental sampling may be used. Statistical sampling provides an existing model of conformities and outliers. Judgemental testing may not allow for generalization to a wider sample, but the types and numbers of nonconformities and outliers may indicate risk areas.

Whether the audit is internal or for compliance, management must understand that they are ultimately responsible for creating internal controls and ensuring compliance. In general, most sources agree that all levels of management are responsible for creating appropriate policies and procedures and monitoring them to verify adherence.

Here are the steps in a compliance audit:

  1. The organization contacts the auditor. The auditor and the organization decide if the auditor’s expertise is a good fit.
  2. The auditing firm sends a proposal either to the company or to the attorney for instances where compliance audits should invoke client-attorney privilege.
  3. At a preliminary meeting, the auditor describes the guidelines for the audit and what is required. The auditor may provide auditing checklists, so the client can prepare.
  4. For a small organization, the auditor may work by phone. The organization completes audit questionnaires and supplies the auditor with needed documents. The auditor may work on site to view documents, walk through work spaces, study infrastructure and security features, and interview management and employees.
  5. The report should be delivered within a relatively short time. In the case of social compliance audits of facilities, the turnaround may be as fast as the next day. At the final meeting, the auditor presents and discusses the report and makes recommendations to address any areas of risk. Whether working under a regulatory deadline or not, organizations should generally remedy any deficiencies within 120 days to ensure that they complete corrective actions and don’t simply shelve them until the next audit. However, auditing firms usually also offer follow-up support to help organizations remedy any risks or deficiencies. Auditors then verify that measures have been met.

The Importance of Compliance Auditing in Healthcare Organizations

Healthcare organizations are required to abide by stringent security measures and remain compliant with the HIPAA guidelines. Compliance audits are therefore necessary to ensure that a business is following external rules, regulations, policies, and procedures, while also accurately tracking how confidential information, like protected health information (PHI), is stored and secured.

HIPAA regulations mandate that healthcare organizations implement compliance auditing procedures to establish plans of action for conflict of interest procedures, compensation agreements between related organizations, and federal claim monitoring. Compliance audits establish a clear line of communication between all members of an organization, and ensure visibility into regulatory guidelines and the organization’s adherence to them.

Since healthcare companies must always remain compliant and regularly audit their processes and guideline adherence, they need a tool to help them keep track of all policies and procedures, provide critical information for reviews, and ensure that the integrity of their business is not in jeopardy.

Smartsheet is a work execution platform that enables healthcare companies to improve auditing processes, manage external rules and regulation information, and track and store historical records in one centralized location, while meeting or exceeding all of HIPAA’s regulatory requirements. Streamline reporting, organize all necessary information in one centralized location, and roll up compliance reports for increased visibility.


What Is a Compliance Test?

Used in many industries, including software development, a compliance test is a non-functional test that is performed to ensure that something meets the specified standards and requirements for the deliverable.

What Is a Compliance Test in Auditing?

In auditing, a compliance test confirms the presence of controls and their application. Substantive tests verify the integrity of controls and the actual accuracy of documents, such as balanced accounting sheets.

How Do You Become a Compliance Auditor?

Almost every industry may be subject to audit. For that reason, many different types of auditors exist:

  • External auditors from accounting firms
  • Regulatory auditors with legal backgrounds
  • Technical compliance auditors to check safety issues at plants  
  • Quality assurance auditors with manufacturing and production experience
  • State, local, municipal, and regulatory auditors
  • Various U.S. government regulatory auditors

Auditors require a sufficiently solid background in audit to review laws, regulations, and guidelines, although they may recruit the help of lawyers or other subject-matter experts, particularly for those instances when regulatory guidelines or policies are not definitive. On the other hand, auditors must have the communication skills to clarify the relevance of law and policy to employees at all levels of the company.

Compliance Auditing Skills and Qualifications

In general, in addition to domain training, auditors must have a minimum of a bachelor's degree. For career advancement, they should have a master’s degree. Public accounting firms, for example, might require knowledge of the Financial Accounting Standards Board and the Statements of Financial Accounting Standards (SFAS) for financial auditing. Auditors in many fields may find it useful to have skills in operations research, statistical analysis, auditing, quality management, and general consulting.

Professional improvement and support come to compliance auditors through assorted organizations, each often geared toward a speciality. Here are the major credentials and professional organizations associated with compliance auditing:

  • Society of Corporate Compliance and Ethics (SCCE): This nonprofit organization offers individual memberships to help compliance professionals stay current through training, conferences, and certification. Voluntary certifications include Certified Healthcare Compliance (CHC), Certified Healthcare Privacy Compliance (CHPC), Certified Healthcare Research Compliance (CHRC), Certified Healthcare Compliance Fellow (CHC-F), Certified Compliance and Ethics Professional (CCEP), Certified Compliance and Ethics Professional International (CCEP-I), and Certified Compliance and Ethics Professional Fellow (CCEP-F).
  • American Institute of Chartered Public Accountants (AICPA): This organization assists with professional development for general accounting and with guides and checklists for tax compliance auditing.
  • Health Care Compliance Association (HCCA): HCCA offers professional development and networking for compliance auditors across a range of regulated health care entities.
  • National Society of Compliance Professionals (NSCP): This is a professional association for compliance professionals in the financial industry, including securities. It offers the Certified Securities Compliance Professional (CSCP) certification on successful completion of Utica College’s 12-month online securities compliance course.

How Much Do Compliance Auditors Make?

According to PayScale.com, the median salary for compliance auditors in the U.S. is around $55,000. Entry-level pay can start in the low 30 thousands. Managerial compliance roles in the sciences and medicine can garner more than $100,000 annually.

Auditing Definitions

The following are definitions of some of the basic aspects of compliance auditing. For a detailed list of accounting audit definitions, see PCAOB document AU 801.

  • Applicable Compliance Requirements: These are compliance requirements that are subject to the compliance audit.
  • Audit Evidence: Information that the auditor must report as part of a prescribed audit. This includes details collected during an audit that allow an auditor to reasonably form an opinion about the documents, procedures, and processes being audited.
  • Audit Risk: This is the risk that an auditor will express an inappropriate audit opinion on the entity's compliance and on the documents under review.
  • Control Risk: This refers to the possibility that an organization’s internal controls may not detect or prevent compliance deficiencies.
  • Due Professional Care: This concerns an auditor’s effort to collect appropriate audit evidence to show that financial statements do not contain material misstatement.
  • Generally Accepted Accounting Principles (GAAP): The accounting guidelines for reporting financial statement transactions that are used most frequently in the United States.
  • Generally Accepted Auditing Standards (GAAS): This is a U.S. standard for planning, implementing, and following up on compliance audits.
  • Government Auditing Standards: These are guidelines that are specific to the U.S. government for financial audits, attestation engagements, and performance audits. They are also known as the Yellow Book or generally accepted government auditing standards (GAGAS).
  • Going Concern: A business is considered a going concern when it can be reasonably expected to continue to operate for a minimum of 12 additional months.
  • Grantor: A grantor is the government agency that provides funding for a government program.
  • Internal Controls: These are the operating standards a client uses to prevent or uncover mistakes.
  • Pass-through Entity: This is an organization that receives funding from a grantor or elsewhere and provides all or part of those funds to another organization to administer a government program.
  • Management Assertions: These are statements that an organization’s management makes concerning financial documents.
  • Materiality: Materiality is the importance of an aspect of financial reporting in relation to other financial questions.
  • Objectivity: This is when one approaches an audit with no preconceptions about the client or their compliance situation.
  • Sampling: This refers to a significant subset of a population of data or records that is used to represent the whole.

Improve Compliance Auditing with Smartsheet for Professional Services

Compliance auditing is complex and as such, you should ensure that your organization is prepared for an audit. One way to get ahead of the process is to use a tool that allows you to document and track your organization’s history over time. Smartsheet is a work management and automation platform that enables enterprises and teams to get from idea to impact — fast. Leading professional services firms rely on Smartsheet for client projects and onboarding, project scheduling, and event management.

Use Smartsheet to create a consistent process for intake, production, and delivery, communicate clearly with clients every step of the way, and establish a foundation of transparency and trust. Improve visibility with real-time data on collaborative work being performed, increase accuracy with an “always-up-to-date” picture of projects and other strategic initiatives, and accelerate delivery.
