Compliance Audit Procedures
Compliance audit procedures are the structured sequences of planning, evidence-gathering, testing, and reporting activities that determine whether an organization conforms to applicable laws, regulations, standards, and internal policies. This page covers the definition and scope of formal audit procedures, the mechanics that govern how they operate, the regulatory frameworks that drive their design, and the boundaries between audit types. Understanding these procedures is essential for organizations subject to federal mandates such as those administered by the Securities and Exchange Commission (SEC), the Department of Health and Human Services (HHS), or the Occupational Safety and Health Administration (OSHA), where audit failures can trigger enforcement actions and financial penalties.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps (Non-Advisory)
- Reference Table or Matrix
Definition and Scope
A compliance audit is a formal examination, performed by an independent or semi-independent party, that assesses whether an entity's operations, records, policies, and controls satisfy defined requirements established by regulatory agencies, standards bodies, or contractual obligations. The scope of any given audit is bounded by the mandate authorizing it, whether that is a statutory requirement, a contractual clause, or a self-initiated internal review.
The Institute of Internal Auditors (IIA) treats compliance auditing as a subset of assurance services that evaluates adherence to criteria set by external bodies. NIST Special Publication 800-53, Revision 5 (NIST SP 800-53 Rev. 5) addresses compliance auditing in the context of federal information systems under the CA (Assessment, Authorization, and Monitoring) control family, requiring that organizations assess security and privacy controls at defined frequencies. The Health Insurance Portability and Accountability Act (HIPAA), enforced by the HHS Office for Civil Rights, mandates audit controls under 45 CFR § 164.312(b), requiring covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Scope dimensions include organizational units covered, time periods under review, the population of transactions or records subject to sampling, and which regulatory frameworks apply. A full-scope audit under the Sarbanes-Oxley Act of 2002 (SOX), for example, must cover all material financial reporting controls under Section 404, while a targeted HIPAA audit may cover only a specific application or department. For an overview of how scope is formally defined and bounded, see Compliance Scope.
Core Mechanics or Structure
Compliance audit procedures follow a recognizable structural sequence regardless of the regulatory domain. The major phases are:
1. Audit Planning and Scoping
The audit team establishes objectives, identifies applicable requirements, and defines the audit universe. A written audit plan documents the criteria, the population under review, sampling methodology, and resource allocation. Risk-based audit planning, as described in IIA Standard 2010, prioritizes higher-risk areas for more intensive testing.
2. Fieldwork and Evidence Collection
Auditors collect evidence through document review, observation, inquiry, and analytical procedures. IIA Standard 2310 requires that the information supporting engagement conclusions be sufficient, reliable, relevant, and useful; ISACA's IS audit and assurance standards (ITAF) set the comparable requirement that evidence be sufficient and appropriate. Evidence types include transactional records, system-generated logs, policy documents, training records, and interview notes.
3. Testing and Analysis
Controls are tested for both design effectiveness (whether the control is structured appropriately) and operating effectiveness (whether the control functioned consistently during the review period). For financial audits governed by the Public Company Accounting Oversight Board (PCAOB), AS 2201 establishes requirements for testing internal controls over financial reporting.
4. Findings Development
Each deficiency is characterized by condition (what was found), criteria (the requirement violated), cause (why the deficiency occurred), and effect (the risk or harm resulting). This four-part structure is standard in government auditing under the Government Accountability Office's (GAO) Government Auditing Standards (the "Yellow Book").
5. Reporting
Audit reports communicate findings, conclusions, and, depending on audit type, recommendations or required corrective actions. Federal audit reports under the Single Audit Act (31 U.S.C. §§ 7501–7507) must be submitted to the Federal Audit Clearinghouse within 30 calendar days after receipt of the auditor's report or nine months after the end of the audit period, whichever is earlier (OMB 2 CFR Part 200, Subpart F).
6. Remediation Tracking
Post-report follow-up confirms that corrective actions are completed within agreed timelines. The process framework for compliance establishes the governance structure that links audit findings to remediation ownership.
Causal Relationships or Drivers
Audit procedures are shaped by three primary drivers: regulatory mandate, risk exposure, and organizational governance maturity.
Regulatory mandate is the most direct driver. The SEC's Office of Compliance Inspections and Examinations (now the Division of Examinations) conducts inspections of registered investment advisers under the Investment Advisers Act of 1940, requiring firms to maintain and produce records on demand. The Environmental Protection Agency (EPA) uses compliance monitoring and enforcement authority under statutes including the Clean Air Act and the Clean Water Act, with civil penalty ceilings that can reach $70,117 per day per violation for certain Clean Water Act infractions (EPA Enforcement Annual Results).
Risk exposure drives the intensity and frequency of audit procedures. Organizations operating in high-risk environments — handling sensitive personal data, managing federal grant funds, or operating safety-critical infrastructure — face audit cycles calibrated to the probability and consequence of control failure. The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook specifies that risk assessments should directly inform audit frequency for financial institutions.
Governance maturity determines whether organizations treat audits as reactive events or integrated control functions. Mature compliance programs, as described by the Department of Justice's Evaluation of Corporate Compliance Programs guidance (updated 2023), embed continuous monitoring alongside periodic audits, reducing the gap between control failure and detection.
Classification Boundaries
Compliance audits are classified along three primary axes:
By Auditor Independence: Internal audits are performed by employees or contracted staff reporting to the organization's governance structure. External audits are performed by independent third parties. Regulatory examinations are conducted by government agencies with statutory authority.
By Subject Matter: Financial compliance audits assess adherence to accounting standards and financial reporting requirements. Operational compliance audits evaluate adherence to operational policies and procedures. IT compliance audits cover information security controls, system access, and data handling. Environmental and safety audits assess adherence to EPA and OSHA requirements.
By Trigger: Scheduled audits occur at pre-defined intervals (annual, biennial). For-cause audits are initiated by a specific event, complaint, or identified risk indicator. Surprise audits occur without advance notice, a technique used by the FDA when inspecting medical device manufacturers for conformance with 21 CFR Part 820 and by OSHA for workplace safety inspections, where 29 CFR Part 1903 generally prohibits advance notice.
Classification boundaries matter because they determine auditor qualifications, applicable standards, and the legal weight of findings. A finding from an external PCAOB-registered auditor carries different consequences than an internal audit observation. Similarly, compliance documentation requirements differ substantially between internal and regulatory audit contexts.
Tradeoffs and Tensions
Depth vs. Coverage: Comprehensive testing of every control occurrence is resource-prohibitive. Statistical sampling introduces confidence intervals and the risk that untested items conceal deficiencies: a sample with zero exceptions bounds the population deviation rate only to the level the sample size supports, it does not show the rate is zero. The GAO Yellow Book and AICPA auditing standards both address sampling sufficiency, but there is no universally correct sample size; it depends on population size, expected deviation rate, tolerable deviation rate, and the risk of overreliance the auditor will accept.
Independence vs. Institutional Knowledge: External auditors offer independence but lack organizational context. Internal auditors have contextual depth but may face pressure from management. Many organizations use a co-sourcing model, but neither pure model eliminates the tension entirely.
Standardization vs. Risk-Responsiveness: Prescriptive audit programs ensure consistency but may not adapt to emerging risks. Purely risk-based programs offer agility but create comparability problems across audit cycles, complicating trend analysis and benchmarking.
Audit Burden vs. Operational Continuity: Intensive evidence requests consume operational staff time. Particularly in small organizations, audit preparation can divert resources from service delivery for weeks. Federal agencies acknowledge this under the Regulatory Flexibility Act (5 U.S.C. § 601 et seq.), which requires them to analyze the impact of proposed rules, including their recordkeeping and compliance burden, on small entities.
Common Misconceptions
Misconception: A passed audit means the organization is fully compliant.
Correction: An audit opinion reflects the sample tested over the period reviewed. Controls could fail outside the testing window or in untested populations. PCAOB AS 2201 explicitly acknowledges that an audit of internal controls does not guarantee the absence of all deficiencies.
Misconception: Internal audits carry no external significance.
Correction: Regulators including the OCC, FDIC, and SEC actively review internal audit workpapers during examinations. A weak internal audit function is itself a control deficiency that can elevate an organization's risk rating.
Misconception: Compliance audits and financial statement audits are the same.
Correction: A financial statement audit (under GAAS or PCAOB standards) issues an opinion on whether financial statements are fairly presented. A compliance audit issues conclusions on adherence to specific regulatory or contractual requirements. The two may overlap but serve distinct purposes under different authority frameworks.
Misconception: Audit findings must be accepted as final.
Correction: Auditees have formal response rights in most frameworks. Under 2 CFR Part 200, auditees submit written responses to findings in the audit report itself. Under GAO Yellow Book engagements, management responses are required to be included in the final report.
Checklist or Steps (Non-Advisory)
The following sequence reflects standard compliance audit phases as documented in the IIA International Standards for the Professional Practice of Internal Auditing and GAO Government Auditing Standards:
Pre-Audit Phase
- [ ] Identify applicable regulatory frameworks and requirements (statutes, regulations, standards)
- [ ] Define audit objectives and scope boundaries in writing
- [ ] Conduct or review an existing compliance risk assessment to prioritize audit areas
- [ ] Prepare or obtain the audit universe — the full population of applicable controls, processes, or transactions
- [ ] Assign auditor qualifications appropriate to the subject matter
- [ ] Issue formal engagement notification to auditee management
Fieldwork Phase
- [ ] Request and collect initial evidence package (policies, procedures, logs, contracts)
- [ ] Conduct walkthroughs of key processes to verify understanding
- [ ] Apply sampling methodology and document sample selection rationale
- [ ] Perform control testing — design effectiveness, then operating effectiveness
- [ ] Document all evidence with unique reference identifiers traceable to audit workpapers
- [ ] Issue interim findings or preliminary observations to auditee for factual accuracy review
Reporting Phase
- [ ] Draft findings using condition/criteria/cause/effect structure
- [ ] Classify findings by severity (e.g., material weakness, significant deficiency, observation)
- [ ] Provide auditee with draft report and document management responses
- [ ] Finalize report incorporating management responses where required by applicable standard
- [ ] Distribute final report to authorized stakeholders per governing protocol
- [ ] Log findings in issue-tracking system with assigned owners and remediation deadlines
Post-Audit Phase
- [ ] Validate that corrective actions are implemented within committed timelines
- [ ] Re-test remediated controls where findings were rated significant or material
- [ ] Archive workpapers per applicable record retention compliance requirements
- [ ] Update the risk assessment to reflect residual risk after remediation
Reference Table or Matrix
Compliance Audit Type Comparison Matrix
| Audit Type | Governing Standard / Body | Auditor | Trigger | Output | Legal Weight |
|---|---|---|---|---|---|
| Internal Compliance Audit | IIA International Standards | Internal / Co-sourced | Scheduled or risk-based | Internal report | Governance / management use |
| SOX Section 404 Audit | PCAOB AS 2201 | External (PCAOB-registered) | Annual (public companies) | Auditor attestation | SEC filing requirement |
| Single Audit (Federal Grants) | 2 CFR Part 200 / GAO Yellow Book | External CPA | Annual (≥ $1,000,000 federal expenditures for fiscal years beginning on or after Oct 1, 2024; ≥ $750,000 before) | Single Audit report | Federal Audit Clearinghouse submission |
| HIPAA Compliance Audit | 45 CFR Parts 160, 164 / HHS OCR | HHS OCR or external consultant | Scheduled or for-cause | Audit findings letter | HHS enforcement authority |
| OSHA Inspection | 29 CFR Part 1903 | OSHA Compliance Officer | Programmed, complaint, or post-incident | Citation and proposed penalty | Statutory enforcement |
| EPA Compliance Evaluation | Clean Air/Water Acts; 40 CFR | EPA or state agency | Scheduled or complaint-driven | Inspection report | Civil/criminal referral authority |
| IT Security Assessment | NIST SP 800-53 Rev. 5; FedRAMP | Third-party assessment org (3PAO) | Authorization or annual | Security Assessment Report (SAR) | ATO determination |
| Financial Institution Examination | FFIEC Handbooks; 12 CFR | Federal bank regulator (OCC, FDIC, Fed) | Supervisory cycle | Report of Examination | Regulatory rating (CAMELS) |
References
- NIST Special Publication 800-53, Revision 5 — Security and Privacy Controls for Information Systems and Organizations
- GAO Government Auditing Standards (Yellow Book), 2018 Revision
- OMB 2 CFR Part 200 — Uniform Administrative Requirements, Cost Principles, and Audit Requirements
- PCAOB Auditing Standard AS 2201 — An Audit of Internal Control Over Financial Reporting
- HHS Office for Civil Rights — HIPAA Audit Program
- EPA Enforcement Annual Results Data
- DOJ Evaluation of Corporate Compliance Programs (updated 2023)
- IIA International Standards for the Professional Practice of Internal Auditing
- ISACA COBIT 2019 Framework
- FFIEC IT Examination Handbook
- OSHA 29 CFR Part 1903 — Inspections, Citations, and Proposed Penalties
Citations verified Feb 25, 2026.