Compliance audit - everything companies need to know

Small and large companies have to comply with a large number of laws and regulations in their day-to-day operations. If companies fail to comply with applicable regulations on corruption, money laundering, environmental protection or occupational health and safety, this can not only be expensive, but can also damage their good reputation. To prevent this, regular compliance audits should be carried out. We show you what is important here.

Compliance Audit: Definition

A compliance audit is an independent assessment process for a company or organization. The purpose of the audit is to ensure that the company complies with external rules, regulations and all applicable laws as well as internal company policies and procedures. The audit can assess compliance with environmental protection laws, the Money Laundering Act, safety requirements or occupational safety regulations.

The compliance audit process is intended to minimize the risk of fines, penalties and other legal consequences. In addition, an independent audit process can strengthen the trust of customers, investors and other stakeholders in the company and improve the efficiency and effectiveness of the organization's internal processes.

Internal vs. external compliance audits

Companies have the option of conducting compliance audits internally or having them carried out by external audit organizations.

Internal audits are initiated primarily to check compliance with internal guidelines and external regulations. They serve to improve internal processes and minimize risks.

For external audits, on the other hand, independent third parties are commissioned. These are certified auditors or authorities that meet compliance audit requirements in accordance with international standards such as the ISO standard. External audit organizations offer an objective assessment of compliance and thus strengthen credibility with external stakeholders. As a result of a successful external compliance audit, companies receive a certificate, e.g. an ISO 19600 certificate.

Internal audits can be part of the certification efforts. These audits are then carried out regularly in order to continuously improve compliance within the company.

| Category                | Internal audits                                                                  | External audits                                                                               |
|-------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| Implementation          | Own company                                                                      | Independent third party                                                                       |
| Objective               | Improvement of internal processes, risk minimization                             | Objective assessment of compliance, ensuring credibility                                      |
| Advantages              | Lower costs, deeper knowledge of the organization, flexible schedule             | Greater objectivity, independent perspective, stronger external credibility                  |
| Disadvantages           | Less independence, possible lack of objectivity, possibly less expertise         | Higher costs, external schedule, less knowledge of the organization                           |
| Presentation of results | Mostly confidential                                                              | Mostly public in the form of certificates; mandatory public for listed companies              |

Legal basis and framework conditions for a compliance audit

The legal basis and framework conditions for a compliance audit depend on various factors such as the industry, the company location and the applicable laws and regulations. In addition, internal company guidelines usually define the compliance framework.

  • Laws: Laws relevant to compliance include the Money Laundering Act, the Cartel Act, the General Data Protection Regulation and the Occupational Health and Safety Act, as well as applicable environmental protection standards.
  • Regulations: In addition to laws, regulations from supervisory authorities may also be relevant, e.g. requirements from BaFin or the Federal Office for Security and Information Technology (BSI).
  • Compliance policies: Every company should have its own policies on various compliance topics, e.g. anti-corruption, anti-money laundering or data protection.
  • IDW PS 980: The IDW PS 980 standard of the Institute of Public Auditors in Germany (IDW) provides a framework for conducting compliance audits.
  • International standards: There are also international standards for compliance audits, e.g. ISO 19600.

Compliance audit checklist: This is important for preparation

If you are conducting an internal compliance audit, you should consider the following in advance:

  • Which compliance areas should be covered?
  • Who is responsible for what during the audit? When and where does the audit take place? What methods are used?
  • Which documents are required? This could be documentation on employee training, for example.
  • Which guidelines and laws form the basis? These include internal compliance guidelines as well as legal requirements.
  • Who is part of the audit team? Ideally, these should be trained employees.

Important aspects when conducting a compliance audit

A compliance audit consists of many individual stages. These can vary depending on the company. The most important parts of the audit include the following steps:

  • Interviews with employees: Interviews with relevant employees from all areas and hierarchical levels can be used to raise awareness of the topic of compliance and check how compliance requirements are being adhered to.
  • Checking documents: A random check of relevant documents, e.g. contracts, invoices or minutes, provides information on the status of compliance efforts.
  • Observation of processes: By observing relevant processes, compliance with guidelines and procedures can be checked as part of the audit.
  • Checking the controls: Various tests can be used to check the effectiveness of internal controls.

The major challenges in carrying out audits include, on the one hand, human resources and, on the other, training selected employees to carry out the audits. In addition to technical expertise, it must also be ensured that internal employees act as independently as possible.

After the audit: measures and reporting

Once the compliance audit has been carried out, the results are summarized and evaluated in order to derive appropriate measures. Following an external audit, certification can then take place.

  • Summarizing the results: All findings and conclusions are documented in the company.
  • Assessment of compliance risks: Potential compliance risks are identified on the basis of the documentation. These risks are then assessed, including the probability of occurrence and the potential extent of damage.
  • Recommendations for improvement: Finally, the compliance team develops recommendations for improving the compliance programs and processes.

The final report can be presented to relevant stakeholders and management.

The important thing is: After the audit is before the audit. All recommendations and compliance guidelines should be continuously monitored. This is one of the most important challenges for companies. They must ensure that permanent, reliable and impartial monitoring is guaranteed.

Ultimately, a compliance audit is an ongoing process and not a one-off audit.

A fictitious example of a compliance audit

Let us assume that a company is conducting a compliance audit in the area of data protection to ensure that it meets the requirements of the General Data Protection Regulation (GDPR).

This is what the preparation looks like:

  • Establishing the audit objectives: The aim of the audit is to check whether the company complies with the GDPR with regard to the collection, storage, use and disclosure of personal data.
  • Setting up the audit plan: The audit team plans interviews with employees from various departments, e.g. marketing, human resources, IT. It also plans the review of documents.
  • The team obtains the necessary documents: The audit team obtains all relevant documents, e.g. data protection guidelines, contracts with processors, data protection notices.
  • Put together an audit team: The audit team is made up of internal auditors with specialist knowledge of data protection law.

Implementation:

  • Interviews with employees: The audit team conducts interviews with employees from different departments to understand how they handle personal data.
  • Review of documents: The audit team randomly checks relevant documents to ensure that they meet the requirements of the GDPR.
  • Observation of processes: The audit team observes processes, e.g. the collection of customer data, to check compliance with the GDPR.
  • Testing of controls: The audit team tests the effectiveness of the internal controls for the protection of personal data.

Evaluation:

  • Summarizing the results: The audit team documents all findings and conclusions.
  • Compliance risk assessment: The audit team identifies potential compliance risks in the area of data protection and assesses their probability of occurrence and the extent of damage.
  • Recommendations for improvement: The audit team develops recommendations for improving the company's data protection management.

Reporting:

  • Preparation of an audit report: The audit team prepares a report that documents all relevant information, e.g. audit objectives, methodology, results, recommendations.
  • Presentation of the audit report: The audit team presents the results to the management and the data protection officer.
  • Follow-up: The audit team monitors the implementation of the recommendations and reports on progress.

FAQ on compliance audits

  • What is a compliance audit?

A compliance audit is an independent review by internal employees or external audit organizations to ensure that a company complies with all applicable laws, regulations and internal guidelines.

  • Why is a compliance audit important?

Compliance audits help companies to reduce the risk of fines, penalties and other legal consequences. They can also help to strengthen the trust of customers, investors and other stakeholders and improve the efficiency and effectiveness of the organization's internal processes.

  • Who carries out compliance audits?

Compliance audits can be carried out by internal or external auditors. Internal audits are usually conducted by the organization's compliance department, while external audits are conducted by independent third parties.

  • How often should compliance audits be carried out?

The frequency of compliance audits depends on the size and complexity of the organization as well as the type of laws and regulations. As a rule, however, compliance audits take place at least once a year.

Conclusion

Compliance is an important topic for SMEs, as it not only influences internal processes, but also has a major external impact. For this reason, compliance audits are essential to ensure that applicable laws, as well as internal regulations on corruption, environmental protection and occupational safety, are reliably observed in all areas of the company. It is a major challenge to sensitize your own employees to the topic of compliance and to build up internal know-how.

The Haufe Akademie supports you in training your employees in compliance matters. Benefit from practical seminars and experienced trainers who share their know-how online, in-house or locally in your area.

About the author

Online editorial office