Compliance Audit
A compliance audit gauges how well an organization adheres to rules and regulations, standards, and even internal bylaws and codes of conduct. Part of an audit may also review the effectiveness of an organization’s internal controls. Different departments may use multiple types of audits. For example, accounting may use internal, compliance, and operational audits. Audits may be required by different levels of government.
Depending on the circumstances, the audit may be conducted by an employee, such as an internal auditor, a certified public accountant, a third-party auditor, or a government auditor. In many circumstances, auditors may seek the expert advice of outside specialists, such as lawyers.
Audits provide recommendations for improvements or corrective actions and for preventing future deficiencies or nonconformities. Audits review processes for effectiveness to determine the number of compliant versus non-compliant processes. Audits also help organizations to stay in compliance with frequently changing federal regulations. In addition, audits identify areas of risk for noncompliance within the organization and report these appraisals to management and the appropriate regulatory entity as applicable. Essentially, a compliance audit asks if you are doing what you said you would do.
Whether the audit is internal or for compliance, management must understand that they are ultimately responsible for creating internal controls and ensuring compliance. In general, most sources agree that all levels of management are responsible for creating appropriate policies and procedures and monitoring them to verify adherence.
Here are the steps in a compliance audit:
The organization contacts the auditor. The auditor and the organization decide if the auditor’s expertise is a good fit.
The auditing firm sends a proposal either to the company or, in instances where the compliance audit should invoke attorney-client privilege, to the attorney.
At a preliminary meeting, the auditor describes the guidelines for the audit and what is required. The auditor may provide auditing checklists, so the client can prepare.
For a small organization, the auditor may work by phone. The organization completes audit questionnaires and supplies the auditor with needed documents. The auditor may work on site to view documents, walk through work spaces, study infrastructure and security features, and interview management and employees.
The auditor delivers the report. At the final meeting, the auditor presents and discusses the report and makes recommendations to address any areas of risk. Whether working under a regulatory deadline or not, organizations should generally remedy any deficiencies within 120 days to ensure that they complete corrective actions and don’t simply shelve them until the next audit. Auditing firms usually also offer follow-up support to help organizations remedy any risks or deficiencies. Auditors then verify that measures have been met.