If you work in the compliance industry, you’ve probably heard the term ‘integrated compliance program’ tossed around at one point or another. Perhaps it was at a conference (when events still happened), maybe it was in a meeting discussing your program’s goals, or it could have even been in our latest eBook. Regardless of how… Read More
Thanks to regulation, most large, global organizations are required to maintain a compliance program. Management teams within such organizations are responsible for:
- Identifying, understanding, and complying with the established compliance requirements
- Establishing and maintaining controls that assure ongoing compliance with applicable rules
- Evaluating and monitoring compliance with applicable rules on an ongoing basis
- Implementing corrective actions to address instances of non-compliance, including those discovered as part of a compliance audit.
Organizations that operate in regulated sectors like finance and healthcare are subject to industry-specific laws and requirements.
What is a Compliance Audit?
A compliance audit is a review of an organization’s compliance status with respect to the applicable regulatory guidelines and to evaluate the effectiveness of the organization’s internal controls on compliance.
A compliance audit may be undertaken voluntarily, or it may be required by law. Compliance audits are usually performed by a third-party organization in accordance with generally accepted auditing standards (GAAS) and Government Auditing Standards (Yellow Book) for financial audits.
What is the Purpose of a Compliance Audit?
The purpose of a compliance audit is to establish whether the target entity is effectively complying with applicable rules, and to assess the effectiveness of the entity’s internal compliance controls.
An auditor’s principle objectives when conducting a compliance audit are:
- To identify applicable audit and reporting requirements and perform procedures to address those requirements.
- To obtain sufficient audit evidence to support the formation of an opinion on whether the target entity met the requirements for compliance.
While management teams may use the results of a compliance audit to identify and remedy sources of noncompliance, regulators may review the results of a compliance audit to determine whether any punitive measures (fines, penalties, etc.) should be applied to the organization for noncompliance.
What Types of Compliance Audits Exist?
Several different types of voluntary and mandated compliance audits may be applicable for organizations in the United States. These include, but are not limited to the following:
Passed in 2002, The Sarbanes-Oxley Act requires public companies to comply with control on financial reporting that are designed to encourage transparency and prevent organizations from misleading shareholders about their financial position or results.
Healthcare Insurance Portability and Accountability Act (HIPAA)
Companies that collect personal health information (PHI) in the USA must comply with the data security and privacy rules in the HIPAA act.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS applies to businesses who collect credit card information from consumers to process payments. Organizations who process high volumes of these transactions must submit to an annual audit of their networks and systems to ensure that sensitive information is adequately protected.
Internal Revenue Service (IRS)
The IRS may perform audits of an individual or business to verify their compliance with the United States tax code and ensure that the entity has correctly calculated and paid taxes on their income.
State and Local Tax (SALT)
Just like the IRS, state and local auditors may perform compliance audits of a business to ensure that local and state tax liabilities have been met.
How Do You Prepare for a Compliance Audit?
There’s no one-size-fits-all approach for compliance audit preparation—it depends on your organization, the industry or niche in which you operate, and which types of compliance audit are applicable to your business. In general, we can recommend the following:
- Ensure that your management team fully understands the organization’s legal responsibilities with respect to compliance.
- Adopt an integrated compliance management (ICM) platform that supports your most critical compliance initiatives.
- Conduct a mock compliance audit by assigning an internal auditing team or contracting a third party auditor. Identify any compliance issues and resolve them before your “official” compliance audit to avoid penalties.