How to Develop a Regulatory Compliance Audit Strategy

Michael Nyhuis

Compliance is a non-negotiable part of modern business life. As regulations become more stringent ' and more numerous ' and penalties for non-compliance grow tougher, having a robust approach to compliance is vital.

But simply putting in place structures and processes to manage compliance is not enough; you also need to provide evidence you have implemented — and follow — these procedures. That's where an efficient compliance audit strategy comes in. As the name suggests, compliance audits are an essential part of GRC — governance, risk and compliance — the tools and practices that help organizations achieve their aims while acting with integrity.  

 

What is a Compliance Audit?

A regulatory compliance audit assesses how well your organization adheres to the rules it has to follow and is a fundamental part of any compliance program. This can mean national or global regulations, industry standards, or yin-house, internally mandated rules and codes of conduct.

It also addresses the effectiveness of your internal controls ' how do you track and measure your performance against these externally imposed or internal requirements?

A compliance audit should be independent, not necessarily carried out by someone outside your organization, but someone independent of the work they are assessing.

 

Why Are Compliance Audits Important?

Compliance audits are essential because they give your board full visibility into every facet of your organization, including those areas that might not receive regular attention.

In addition to a better understanding of the business, compliance audits also serve another vital function: they help auditors build stronger relationships with the teams responsible for delivering performance.

Because frontline workers rarely have opportunities to engage with management and the board, they may see compliance audits negatively as an exercise in finding fault rather than a forward-looking process to drive improvement. By engaging with the broader organization, auditors can instill attitudes and behaviors that produce positive change.  

 

Different Types of Compliance Audits

Given the wide range of regulatory standards that have emerged, it's not surprising that there are various types of compliance audits. Here are some of the most important.  

International Organization for Standardization (ISO): There are several different ISO compliance audits. ISO 9001 focuses on quality management systems, ISO 14001 focuses on environmental management systems, and ISO/ICE 27001 focuses on information security and helps companies manage assets such as intellectual property, financial information, employee data and third-party data. ISO certification requires a detailed audit carried out by a third party and can increase customer trust.

Health Insurance Portability and Accountability Act (HIPAA): The HIPAA compliance audit is essential for healthcare insurance providers, healthcare providers, and organizations that provide services to the healthcare industry, such as contractors, vendors, and data centers. The HIPAA compliance audit ensures that all sensitive patient data is protected, kept confidential, and used appropriately.

Payment Card Industry Data Security Standards (PCI DSS): The PCI DSS compliance audit helps keep payment account data and cardholder information secure. PCI DSS compliance is required for all parties that handle, store, process and transmit payment card data, including merchants and service providers.

The Sarbanes-Oxley (SOX) Act: Passed in 2002, the Sarbanes-Oxley Act requires publicly owned companies to publish accurate information about their publicly traded stocks.

Critical points covered in the SOX compliance audit include:

    • Checking that safeguards are in place to prevent data tampering
    • There are controls to track data access
    • Security breaches are detected
    • Security safeguards, their failures, and security breaches are disclosed to SOX auditors

SOC 2: Developed by the American Institute of Certified Public Accountants, the SOC 2compliance audits cover data processing security, confidentiality and privacy. They are designed to show how organizations protect and secure customer data stored in the cloud. There are two main types of SOC 2 audits. Type 1 audits examine how management describes an organization's systems and whether the design of controls is appropriate. Type 1 audits are based on a specific timeline, and the report is issued '''as of' a given date. Type 2 audits also examine how management describes an organization's systems but look at the operating effectiveness of controls. Because they encompass an extended period, usually between 6 and 12 months, Type 2 audits are more rigorous than Type 1 audits.

General Data Protection Regulation (GDPR): In 2016, the passage of GDPR established a single set of data privacy laws for the European Union. Consequently, any business that collects, stores, or processes data of any person living in the EU must comply with GDPR, even if that data is stored outside of the EU. GDPR compliance audits ensure that data protection policies are enforced and that protections against data breaches are in place.
 

The Difference Between Compliance Monitoring and Compliance Audits

This brings us to another point ' the difference between compliance monitoring and compliance audits.

Compliance monitoring: This should be ongoing, a continual process of checks to ensure that your procedures are working as they should. Compliance monitoring is crucial. It can be done by people inside the organization and involved in the processes in question.

Compliance audits: An audit is a specific and distinct piece of work. It can't be done on the fly or in a haphazard way. Taking a structured approach to compliance auditing is essential if you want to capture and monitor all the elements of your approach ' and, importantly, ensure that you address any shortfalls.

Here, we walk through the steps you need to take to develop an effective compliance audit strategy.  

 

How to Do a Compliance Audit: The Process

When developing a compliance audit strategy, there are several issues for consideration:
  • Who will carry out the audit?
  • What should be covered in a compliance audit?
  • What happens to the outputs?
  • Who Should Carry Out a Compliance Audit?

As we've mentioned above, any audit of your compliance performance should be carried out by a disinterested party. Disinterested doesn't have to mean external, though ' if your organization is large enough to have an internal audit team, these might well be the best people to lead your audit. They will, after all, be skilled in the type of forensic investigation needed to meet your compliance audit objectives.

Equally, if you operate in a heavily regulated sector ' healthcare, for instance, or financial services — you will have a compliance officer or an entire department responsible for ensuring you meet your regulatory obligations. In this case, the compliance team may be the best people to audit the approaches taken by various teams across your organization.

For some, an external, third-party auditor may be the most appropriate person, especially if there is no one in a relevant role within your business.

Whether you have internal experts to take on the audit role or have to bring in external help, it's imperative that whoever carries it out is removed from the department being audited and has no vested interest in the findings.  

 

What Should You Cover in a Compliance Audit?

Exactly what a compliance audit will include depends in part on your sector or jurisdiction. Factors like whether your company is private or public and whether it is subject to specific industry regulations can dictate national, state, or local laws you must adhere to.

But some of the boxes in your compliance audit checklist will be the same regardless of these factors. These common elements mean the broad structure of a compliance audit strategy may be the same across industries or jurisdictions.

1. Choose and Brief an Auditor

Ensure you are selecting someone who is a good fit with your organization and understands the rules and regulations you need to abide by. Then brief them thoroughly to understand your compliance audit objectives and the issues you need the audit to address.

2. Prepare for the Audit

Your auditor may provide you with a compliance audit checklist ' or you may have prepared one yourselves. Either way, a checklist approach can be a great way to ensure you have covered all the bases.

3. Ensure You Have All the Documents and Evidence the Auditor Needs

For organizations with less-than-robust compliance practices, this can be the first sticking point. Being able to provide evidence for the processes you have in place, and how you follow them is a vital step in meeting your compliance obligations.

Your auditor will need clear records of your procedures. They may gather these via on-site visits or work remotely, requesting documents to be sent to them and discussing the issues raised via phone or video call.

On-site visits may include the auditor observing current practice and sitting in on organizational activity to get a first-hand view of your processes in action.

 

What Happens to the Outputs from a Compliance Audit Strategy?

If we were adding a a fourth step to the above list, it would be ''receive the auditor's report.'' The report represents the auditor's conclusions and is usually delivered promptly following the audit.

The auditor typically presents these conclusions to the organization's senior executives or board, including your CEO and CFO.

The auditor will talk through their findings and any issues that may have arisen, particularly those that raise red flags regarding regulatory or other compliance.

It's then the organization's responsibility to implement remedial actions. Where your processes and checks have fallen short of expectations, you need to act swiftly to put them right. Sometimes there is a regulatory imperative for this — you may need to rectify any significant failings within a short, designated timeframe.

Even if that is not the case, it's still in the organization's interest to demonstrate you take the recommendations seriously and establish steps to tackle any shortcomings. The auditor will then independently confirm that improvements have been made.  

 

Get Ready For a Compliance Audit Strategy

The prospect of a compliance audit may seem daunting, but it doesn't need to be stressful if you have a strategy in place to prepare. Every organization will have a slightly different idea of how to prepare for a compliance audit. Still, if you can access real-time insight into your compliance obligations and performance against them, you will be well-placed to deal with any auditor's questions.

An increasing number of organizations are turning to compliance management and auditing software to give them this insight and put increased rigor around their compliance processes. Such systems can give you confidence in your approach, knowing it is built on solid data and grounded in accurate insight.

But of course, there are many compliance solutions in the market; knowing how to evaluate them can be key. To find out more about how Diligent's solutions can help to increase the robustness of your compliance management and audit strategies, please contact us.

Related Insights
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.