Compliance Glossary
Businesses in certain regulated industries, or that engage in regulated activities, must develop systems and strategies to ensure their ongoing compliance with the law. These systems include policies and procedures that support compliance with specific requirements, along with strategies for monitoring and assessing the organization’s compliance status and the effectiveness of its compliance management system.

As organizations strive to maintain their compliance status and avoid business interruptions and penalties related to non-compliance, auditing has become a crucial tool for detecting and addressing non-compliant activities or processes and compliance management deficiencies within organizations.

What is an Audit?

An audit is an objective, unbiased evaluation of an organization’s compliance with either external requirements (laws, regulations, or industry-specific compliance requirements) or internal requirements (business rules, guidelines, processes, policies, or procedures).

In the United States, organizations may be subject to many different types of voluntary and compulsory audits based on their industry and the applicable standards and regulations. Each type of audit is governed by different standards that offer specific rules and guidelines for preparing and conducting the audit. Auditing criteria can also change depending on the organization’s status as a public company, private company, non-governmental organization (NGO), or non-profit organization (NPO).

What is the Purpose of an Audit?

In general, the purpose of an audit is to obtain evidence that indicates the organization’s performance against a specified standard or set of requirements.

The purpose of a specific audit can vary depending on the nature of the audit, who initiated the audit, and the underlying reason for auditing.

An organization may initiate an internal audit to assess whether its own business policies and processes are being successfully followed. The purpose of such an audit could be to detect process efficiencies, assess their impact on organizational performance, and identify opportunities for improvement.

Alternatively, a regulatory body like the Financial Industry Regulatory Authority (FINRA) could conduct an audit of a securities firm to evaluate its trading practices. Unfair trading practices discovered in such an audit could result in fines, penalties, or disbarment for the offending firm.

While internally-initiated audits are typically intended to discover and remedy possible sources of non-compliance, some externally-initiated audits carry with them the possibility of sanctions when non-compliance is discovered within the target entity.

What are the 3 Types of Audits?

Internal Audits

Internal audits are initiated from within the organization and may be used to assess whether the organization effectively complies with its own business rules, policies, and procedures. Along with directly assessing compliance, an internal audit would also look at the organization’s compliance management system and evaluate its effectiveness at preventing and detecting non-compliant acts or errors.

Operational Audits

Operational audits are a more comprehensive type of internal audit in which auditors evaluate the effectiveness, efficiency, and economic impact of operational processes against key organizational and business objectives.

Compliance Audits

While internal and operational audits focus on internal processes, a compliance audit measures how effectively the organization complies with externally imposed regulations and requirements for doing business. An organization operating in a heavily regulated industry likely has its own compliance department whose role is to monitor regulatory changes that impact the organization’s compliance status, and regularly assess compliance through auditing activities.

What Happens When You Get Audited?

The consequences of being audited can vary depending on the legal requirements for your specific business and industry, the type of audit, and the organization initiating the audit.

An audit conducted internally or by a contracted third party serves primarily to identify potential sources of non-compliance and provide recommendations for meeting regulatory requirements. An audit initiated externally, such as by a vendor partner or a government organization, could potentially result in fines, penalties, or litigation if the target entity is found to be non-compliant with the applicable regulations.
