Difference between compliance review and audit

The responsibility of the compliance function is to monitor whether the organization is complying with regulatory laws and standards and with the organization's own policies. Its main objective is to monitor and ensure that the organization adheres to applicable laws, regulations, third-party contracts, and internal policies.

While the compliance team also performs compliance reviews, the goal of those reviews is not driven by internal audit objectives. You will find that most compliance reviews are not done in the same level of detail as internal audit testing.

In general, compliance means conforming to a rule such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of, and have taken the necessary steps to comply with, relevant laws and regulations. Due to the growing number of regulations and a need for greater operational transparency, the compliance function has acquired a prominent role within organizations.

The concept of compliance ensures that corporations act responsibly and within the regulatory and legal frameworks. This is perhaps the most important benefit of compliance for a business. No business wants to face criminal charges for not adhering to the law. There are many different regulations and laws regarding how a business should manage its staff, how stock and advertising are handled, the rules of engagement when buying, selling or negotiating with customers, employee salaries, safety rules, etc. With a proper compliance team, a company can stay on the right side of the law and operate in a safe manner.

Internal compliance with rules related to safety, wages, employee benefits and protection, and compensation will create a positive environment in the workplace. Employees are more willing to work hard when they feel that they are being well compensated for their efforts and that their employment is secure. It is important for internal compliance to be adhered to, since it will ensure that employees are satisfied and that all complaints or issues are monitored and addressed properly before they grow and adversely affect the entire corporation.

The relationship between internal audit and compliance

The line between internal audit and compliance may seem unclear at times but they are quite separate functions. Let me explain the difference between internal audit and compliance with an example.

An example of a compliance review might be checking whether an organization's systems comply with company IT security policies. This might be done by having the IT system security teams complete security questionnaires. These questionnaires are typically designed for the teams to provide responses regarding the compliance of their systems and to demonstrate, at a high level, how they achieve compliance.

An audit around the same process would include a full examination of the system to determine whether the IT security parameters are set according to company policy. The goal of the audit is to independently determine whether the systems are actually secured, rather than relying solely on what the IT security teams say. So, in this case, after the IT security teams answer questions about how they achieve compliance, the internal auditors confirm that compliance was actually achieved. There is a famous saying in internal audit: “trust but verify”.

The audits can uncover deficiencies in specific compliance controls. For example, an internal audit review of gifts, meals and hospitality expenses may uncover deficiencies in compliance with relevant controls. The compliance department and the internal auditor will share an interest in remediation of these deficiencies and ensuring that such remediation is completed by a date certain.

Internal auditors can also review the third-party intermediaries that work with a company office and make sure that due diligence procedures were followed, a written contract was executed, and payments to the third party were properly authorized. Such reviews are important to ensure that third-party risks are mitigated.

These are just examples of where compliance departments and internal auditors share common interests. There are many other issues and topics where compliance departments and internal auditors have common interests and objectives.

An effective ethics and compliance program usually includes a strong relationship between compliance departments and key partners, especially internal auditors.

A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Over the course of a compliance audit, the audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls and risk management procedures.

What precisely is examined in a compliance audit varies depending on whether an organization is a public or private company, what types of data it handles, and whether it transmits or stores sensitive financial data.

Examples of compliance audits

  • A Sarbanes-Oxley Act compliance audit would have to prove that any electronic communication is backed up and secured with a reasonable disaster recovery infrastructure.
  • Healthcare providers that store or transmit e-health records, including personal health information, are subject to HIPAA, or Health Insurance Portability and Accountability Act, laws and regulations.
  • Financial services companies that transmit credit card data are subject to Payment Card Industry Data Security Standard requirements.

In each case, organizations must demonstrate compliance by producing an audit trail, often generated with data from event log management software as well as internal and external audits.

Internal compliance audits vs. external compliance audits

Internal compliance audits are conducted by employees of a company to gauge overall risks to compliance and security as well as to determine whether the company is following internal guidelines. Internal audits occur throughout the fiscal year, and management teams use reports to identify areas that require improvement. Internal audits measure company objectives against output and strategic risks.

External compliance audits are formal audits conducted by independent third parties. They follow a specific format determined by the compliance regulation being assessed. External audit reports measure if an organization is complying with state, federal or corporate regulations, rules and standards.

An auditor's report is used by regulators to assess possible fines for noncompliance or by the C-suite to prove regulatory compliance. An external compliance auditor might use internal audits to further evaluate compliance and regulatory risk management efforts.

Overview of an external compliance audit

External compliance audits begin with a meeting between company representatives and compliance auditors to outline compliance checklists, guidelines and the scope of the audit.

The auditor conducts reviews of employee performance, studies internal controls, assesses documents and checks for compliance in individual departments.

Compliance auditors will generally ask members of the C-suite and IT administrators a series of specific questions that might include what users were added and when, who has left the company, whether user IDs have been revoked, and which IT administrators have access to critical systems.

IT administrators can prepare for compliance audits using event log managers and robust change management software to track and document authentication and controls in their IT systems. The growing category of governance, risk and compliance software can help CIOs quickly show auditors that an organization is compliant as well as avoid costly fines or sanctions.

Auditors then review business compliance processes as a whole and create a final audit report. Compliance auditors provide details to company leaders about the organization's level of compliance adherence, any violations and suggestions for improvement. They eventually make the audit report public.

Importance of compliance auditing

Compliance auditing, whether internal or external, can help a company identify weaknesses in regulatory compliance processes and create paths for improvement. In some cases, guidance provided by a compliance audit can reduce risk and mitigate potential legal trouble or federal fines for noncompliance.

Much like the laws that drive them, compliance programs are in a constant state of flux as existing regulations evolve and new ones are implemented. Compliance auditing provides an outline of internal business processes that can be changed or improved as regulations and requirements change.

What is the main difference between review and audit?

More importantly, a review does not include the testing of accounting records or other procedures that would normally be performed in an audit. This limitation is important to understand: a common misconception is that a review is a first step that can be easily transitioned into an audit in the following year.

What is the difference between IT compliance and IT audit?

IT compliance is the set of actions taken by an organization to ensure that standards and regulations are met. An IT audit evaluates and monitors the business's ability to maintain these standards. There are several key differences between IT compliance and an IT audit.

What is a compliance review?

Compliance review means an on-site examination of motor carrier operations, such as drivers' hours of service, maintenance and inspection, driver qualification, commercial driver's license requirements, financial responsibility, accidents, hazardous materials, and other safety and transportation records to determine ...

Does compliance fall under audit?

Compliance auditing involves the review of an organization's policies, procedures, processes, files, and documentation to determine whether they are in alignment with the existing regulations in that industry. Note that a compliance audit is not the same as an internal audit.