IMPORTANCE OF COMPLIANCE

AUDITING
 compliance audit

• A compliance audit is a comprehensive review of an

organization's adherence to regulatory guidelines. Audit
reports evaluate the strength and thoroughness of
compliance preparations, security policies, user access
controls and risk management procedures over the
course of a compliance audit.
•
• What precisely is examined in a compliance audit varies
depending on whether an organization is a public or
private company, what types of data it handles, and if it
transmits or stores sensitive financial data.
•
• For instance, a Sarbanes-Oxley Act compliance audit
would have to prove that any electronic communication
is backed up and secured with a reasonable disaster
recovery infrastructure. Healthcare providers that store
or transmit e-health records, including personal health
information, are subject to Health Insurance Portability
and Accountability Act laws and regulations. And
financial services companies that transmit credit card
data are subject to Payment Card Industry Data Security
Standard requirements.
 Internal vs. compliance audit
• Internal audits are carried out by employees of a
company to gauge overall risks to compliance and
security and to determine whether the company is
following internal guidelines. Internal audits occur
throughout the fiscal year and reports can be used by
management teams to identify areas that require
improvement. Internal audits measure company
objectives against output and strategic risks.
•
• External audits are formal compliance audits that are
carried out by independent third parties and follow a
specific format that is determined based on the
compliance regulation being assessed. External audit
reports measure if an organization is complying with
state, federal or corporate regulations, rules and
standards.
•
• An auditor's report is used by regulators to assess
possible fines for noncompliance, or by the C-suite to
prove regulatory compliance. An external compliance
auditor may use internal audits to further evaluate
compliance and regulatory risk management efforts.
 Compliance audit procedures
• External audits begin with a meeting between company
representatives and compliance auditors to outline
compliance checklists, guidelines and the scope of the
audit. The auditor conducts reviews of employee
performance, studies internal controls, assesses
documents and checks for compliance in individual
departments.
•
• Compliance auditors will generally ask members of the C-
suite and IT administrators a series of pointed questions
that may include what users were added and when, who
has left the company, whether user IDs have been
revoked, and which IT administrators have access to
critical systems.
•
• IT administrators can prepare for compliance audits using
event log managers and robust change management
software to track and document authentication and
controls in their IT systems. The growing category of
governance, risk and compliance (GRC) software can
enable CIOs to quickly show auditors that an organization
is compliant, helping it to avoid costly fines or sanctions.
 Importance of compliance
• Compliance auditing, either internal or
external, can help a company identify
weaknesses in regulatory compliance
processes and create paths for
improvement. In some cases, guidance
provided by a compliance audit can help
reduce risk, while also avoiding potential
legal trouble or federal fines for
noncompliance.
•
• Much like the laws that drive them,
compliance programs are in a constant
state of flux as existing regulations evolve
and new ones are implemented.
Compliance auditing provides an outline
of internal business processes that can be
changed or improved as regulations and
requirements change.
 YO U
AN K
TH