Compliance Audit Procedures
Compliance audit procedures define the structured methods organizations use to verify adherence to applicable laws, regulations, internal policies, and industry standards. This page covers the definition, mechanics, classification boundaries, and common misconceptions surrounding compliance audits across major US regulatory frameworks. Understanding audit procedures matters because regulatory agencies including the SEC, OSHA, and HHS routinely use audit findings as the basis for enforcement actions, penalty assessments, and consent decrees.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
A compliance audit is a formal examination that evaluates whether an organization's operations, controls, and records conform to a defined set of external or internal requirements. The scope of "compliance" in an audit context is not generic — it is bounded by a specific regulatory regime, contractual obligation, or standards framework applicable to the organization being examined.
The compliance standards overview provides foundational context for the layered regulatory environment within which audits operate. At the federal level, compliance audit authority is distributed across agencies: the Department of Labor enforces audit requirements under the Employee Retirement Income Security Act (ERISA), the Environmental Protection Agency (EPA) conducts compliance audits under the Clean Air Act and Clean Water Act, and the Office for Civil Rights (OCR) at HHS enforces HIPAA audit requirements under 45 CFR Part 164 (HHS OCR HIPAA Enforcement).
Scope in a compliance audit is determined by three factors: the regulatory domain (environmental, financial, healthcare, labor), the organizational unit under review (entity-wide, business unit, single process), and the time period covered. GAAS (Generally Accepted Auditing Standards), maintained by the AICPA, distinguish between financial audits and compliance audits, with the latter focused on regulatory conformity rather than financial statement accuracy.
Core mechanics or structure
Compliance audits follow a phased structure regardless of regulatory domain. The phases are consistent across frameworks published by the Government Accountability Office (GAO) in Government Auditing Standards (the "Yellow Book") and by the Institute of Internal Auditors (IIA) in the International Standards for the Professional Practice of Internal Auditing.
Phase 1 — Planning and scoping. The audit team identifies applicable requirements, defines the audit universe, assesses risk to prioritize coverage, and develops an audit plan. The IIA Standard 2200 requires that audit plans document objectives, scope, timing, and resource allocation for every engagement.
Phase 2 — Fieldwork and evidence collection. Auditors collect evidence through document review, transactional testing, interviews, direct observation, and system walkthroughs. Evidence must be sufficient, reliable, relevant, and useful — criteria codified in GAO Yellow Book Chapter 6 (GAO Yellow Book).
Phase 3 — Evaluation and finding development. Evidence is compared against the applicable criteria (statute, regulation, policy, or standard). Deviations are documented as findings, classified by severity, and associated with specific criteria references.
Phase 4 — Reporting. Findings are communicated to management in a formal written report that identifies deficiencies, root causes, and corrective action requirements. Under HIPAA, audit reports issued by HHS OCR carry a general 10-business-day timeframe for the covered entity's response.
Phase 5 — Follow-up. Open findings require corrective action plans and validation testing. The IIA Standard 2500 requires chief audit executives to establish a follow-up process to monitor the disposition of results communicated to management.
Causal relationships or drivers
Compliance audits are triggered by four distinct causal categories: regulatory mandate, risk-based internal scheduling, external event response, and contractual obligation.
Regulatory mandate is the most direct driver. ERISA Section 103 requires plan administrators of large employee benefit plans (those with 100 or more participants) to include a certified audit in annual Form 5500 filings (DOL ERISA). The Federal Acquisition Regulation (FAR) at 48 CFR 42.101 establishes contract audit requirements for federal contractors, administered by the Defense Contract Audit Agency (DCAA).
Risk-based scheduling drives internal audit programs. Organizations using the COSO Internal Control — Integrated Framework allocate audit resources based on a risk assessment matrix that weights likelihood and impact of noncompliance events. High-risk processes receive annual audit cycles; lower-risk processes may be audited on 3-year rotations.
External event response includes regulatory investigations, whistleblower complaints, and publicized industry violations. SEC enforcement actions frequently catalyze voluntary compliance audits by peer firms in the same sector. For compliance-risk-assessment purposes, reputational exposure following a peer's enforcement action constitutes a recognized trigger event.
Contractual obligation arises in vendor agreements, government contracts, and licensing arrangements. SOC 2 examinations, governed by AICPA AT-C Section 320, are contractually required by enterprise buyers of cloud and SaaS services as a condition of vendor approval.
Classification boundaries
Compliance audits fall into four primary classifications based on auditor independence, scope, and regulatory purpose.
Internal audits are conducted by an organization's own audit function. They follow the IIA Standards and are not independent in the legal sense, but provide management with ongoing assurance.
External/independent audits are conducted by third-party firms with no financial interest in the auditee. External compliance audits are required by specific regulations — for example, the Single Audit Act (31 U.S.C. § 7501–7507) mandates independent audits for entities expending $750,000 or more in federal awards in a single fiscal year (OMB Uniform Guidance 2 CFR Part 200).
Regulatory/agency audits are conducted by or on behalf of a government agency. EPA facility inspections, OSHA compliance audits, and IRS employment tax audits fall in this category. These audits carry enforcement authority that internal and external audits do not.
Second-party audits are conducted by a customer or contracting party against a supplier or vendor. Common in supply chain compliance, these audits verify adherence to contractual quality, environmental, or labor standards — often referencing ISO 9001 or SA8000 criteria.
Tradeoffs and tensions
Three significant tensions recur in the design and execution of compliance audit programs.
Depth versus breadth. Comprehensive coverage of the entire regulatory footprint conflicts with resource constraints. Statistically valid sampling — as defined in GAO Yellow Book §6.53 — allows auditors to draw conclusions about populations without testing every transaction, but introduces sampling risk. Organizations that prioritize breadth sacrifice deficiency detection rates in high-risk areas; those that prioritize depth create coverage gaps in lower-priority domains.
Independence versus efficiency. Regulatory mandates for auditor independence (IIA Standard 1130, SEC auditor independence rules under Regulation S-X) limit the extent to which audit functions can leverage operational personnel for evidence collection. Strict independence preserves objectivity but increases audit duration and cost. Some organizations address this by using a co-sourcing model — retaining external auditors for independence-sensitive areas while using internal staff for lower-risk testing.
Transparency versus privilege. The attorney-client privilege and work-product doctrine can protect compliance audit findings from disclosure in litigation, but only when audits are structured as legal investigations directed by counsel. Routine compliance audits conducted by non-legal staff are generally not privileged. Organizations that over-rely on privilege assertions risk having those assertions rejected in discovery, exposing findings to adverse use.
Common misconceptions
Misconception: Passing a compliance audit means the organization is fully compliant.
A compliance audit covers only the scope, time period, and sample defined in the audit plan. A clean audit opinion does not certify compliance across all operations or all regulatory requirements. GAO Yellow Book §6.17 explicitly limits audit conclusions to tested items.
Misconception: Internal auditors cannot conduct compliance audits with adequate rigor.
The IIA International Standards establish professional requirements — including competency, objectivity, and evidence standards — that produce reliable internal compliance audit results when followed. The distinction between internal and external audits relates to independence level, not inherent methodological quality.
Misconception: Regulatory audits require advance notice.
OSHA has authority to conduct unannounced inspections under 29 U.S.C. § 657 (OSHA Inspection Authority). EPA inspections under 40 CFR Part 68 may similarly occur without prior notification. The assumption of advance notice is operationally dangerous.
Misconception: Compliance audits and financial audits are interchangeable.
Financial audits test whether financial statements are fairly presented under GAAP. Compliance audits test whether operations conform to specific regulatory or policy criteria. The two may be conducted in parallel but address distinct questions under distinct standards.
Checklist or steps (non-advisory)
The following sequence reflects the standard phases of a compliance audit engagement as described in IIA Standards and GAO Yellow Book guidance.
- Define audit scope — identify applicable regulatory requirements, affected business units, and the audit period.
- Conduct preliminary risk assessment — rank in-scope areas by likelihood and potential impact of noncompliance.
- Develop audit program — document specific objectives, testing procedures, sample sizes, and evidence requirements for each in-scope area.
- Issue engagement letter or notification — inform auditee management of audit timing, scope, and documentation requests.
- Collect and review documentation — gather policies, procedures, training records, permits, licenses, contracts, and transaction records.
- Perform testing — execute transactional tests, system walk-throughs, and interviews; document evidence to support each conclusion.
- Identify and classify findings — compare evidence against criteria; classify findings by severity (critical, significant, minor) and document root cause.
- Issue draft report — distribute findings to management for factual review; record management responses and proposed corrective actions.
- Issue final report — finalize report incorporating management responses; distribute to appropriate governance bodies.
- Track corrective actions — monitor completion of remediation steps against agreed timelines; validate closure through follow-up testing.
Detailed compliance documentation requirements govern what records must be retained to support audit evidence at each step.
Reference table or matrix
| Audit Type | Auditor | Independence Level | Primary Standard | Regulatory Examples |
|---|---|---|---|---|
| Internal Compliance Audit | Internal audit function | Organizational | IIA Standards (2200 series) | Internal HIPAA review, SOX self-assessment |
| External Compliance Audit | Independent CPA or auditor | Legal/regulatory | AICPA AT-C §205; GAO Yellow Book | Single Audit Act, ERISA Form 5500 audit |
| Regulatory/Agency Audit | Government agency | Statutory | Agency-specific (OSHA, EPA, IRS, HHS OCR) | OSHA inspection, EPA facility audit, IRS payroll audit |
| Second-Party Audit | Customer or contracting party | Contractual | ISO 19011; SA8000; customer-specific | Supplier quality audit, federal contractor audit (DCAA) |
| SOC Examination | Licensed CPA firm | Independent | AICPA AT-C §320 | SOC 2 Type II for cloud vendors |
Severity Classification Reference (IIA Practice Advisory 2320-1)
| Finding Severity | Definition | Typical general timeframe |
|---|---|---|
| Critical | Immediate risk of regulatory violation or material harm | Corrective action within 30 days |
| Significant | Control weakness with elevated noncompliance exposure | Corrective action within 60–90 days |
| Minor | Limited-scope gap with low risk impact | Corrective action within 6 months |
| Observation | Best-practice improvement, no violation identified | Management discretion |
References
- GAO Government Auditing Standards (Yellow Book) — U.S. Government Accountability Office
- HHS OCR HIPAA Compliance and Enforcement — U.S. Department of Health and Human Services
- OSHA Enforcement and Inspection Authority (29 U.S.C. § 657) — U.S. Department of Labor, Occupational Safety and Health Administration
- OMB Uniform Guidance — 2 CFR Part 200 (Single Audit) — Office of Management and Budget
- DOL ERISA — Employee Retirement Income Security Act — U.S. Department of Labor, Employee Benefits Security Administration
- IIA International Standards for the Professional Practice of Internal Auditing — Institute of Internal Auditors
- AICPA Auditing Standards — AT-C Section 320 — American Institute of Certified Public Accountants
- DCAA Contract Audit Manual — Defense Contract Audit Agency