A compliance audit also reviews whether an entity is complying with its internal rules, regulations, policies, decisions, and procedures.
An entity is required to comply with local laws and regulations, or it will face penalties or fines. Some fines are only a monetary amount; others require the operation to be closed.
Types of compliance review:
In general, a compliance audit is performed against the following requirements:
1) Local law and regulation:
The entity needs to make sure that it is operating in compliance with the law and related regulations. To ensure this, the business might need to set up proper business procedures and processes, or it might sometimes need a legal consultant to advise on its decisions.
An entity sometimes sets up a legal department to review certain significant processes, to make sure that penalties are minimized and that procedures complying with the law are in place.
Along with this, the entity might need its internal audit department to review compliance with local law requirements.
The internal auditor might need to assess the significant procedures and processes, as well as certain official documentation.
2) Business-related regulation and framework:
Besides reviewing against local law and regulation, compliance auditors might also need to review compliance with related regulations and frameworks.
For example, if the corporation is listed on a stock exchange outside the country in which it operates, then it needs to make sure that the entity complies with the requirements of that stock exchange.
The compliance auditor also needs to review these areas by checking whether the related entity’s current practices follow the requirements.
If the entity is not in compliance, the compliance auditor needs to discuss the findings, as well as the auditor's recommendations, with the related departments and the chief executive.
All findings need to be reported to the audit committee and the board of directors for their action.
3) Entity’s policy, procedure, and processes:
The compliance auditor also performs its audit against the entity’s internal policies, procedures, and processes. Those internal policies and procedures are very important to the entity’s sustainable growth.
Failure to comply with internal policies and procedures might lead to a waste of time and resources. Serious non-compliance could lead to serious fraud.
Compliance audits are sometimes performed by the compliance officer and sometimes by internal auditors.
Big companies have compliance departments that work separately from internal audit departments.
Who normally performs a compliance audit?
A compliance audit is normally conducted by the internal auditor, and sometimes the service is offered by external auditors.
Sometimes the internal audit department lacks the resources or the competency to provide the service. In such a case, the entity might need to seek the service from an external firm.
Internal audit is an independent department and works under the direct supervision of the audit committee.
The compliance audit report is communicated to the related department or division, the CEO, and the CFO. The reporting result goes directly to the board of directors and the audit committee.
In big corporations, compliance officers are the ones who enforce compliance by each unit, department, or division with the required procedures, policies, regulations, and laws.
The compliance officer is also sometimes the one who performs the compliance audit.
Review industry best practices for methodology
As part of a risk assessment, it is important to review industry guidelines to understand best practices and to better assess what constitutes risk in this scenario.
Important industry documentation to review might include:
- ISO 27001
- NERC CIP
- J-SOX
Types of Compliance Documents
When viewing compliance documents, you can filter on the following types:
- Attestation. A Payment Card Industry (PCI) Data Security Standard (DSS) Attestation of Compliance document.
- Audit. A general audit report.
- Bridge Letter (BridgeLetter). A bridge letter. Bridge letters provide compliance information for the period of time between the end date of an SOC report and the date of the release of a new SOC report.
- Certificate. A document indicating certification by a particular authority, with regard to certification requirements and examination results conforming to said requirements.
- SOC3. A Service Organization Controls 3 audit report that provides information relating to a service organization’s internal controls for security, availability, confidentiality, and privacy.
- Other. A compliance document that doesn’t fit into any of the preceding, more specific categories.
Types of Environments
The environments, or business pillars or platforms, to which the documents belong include:
- OCI. Oracle Cloud Infrastructure is a set of complementary cloud infrastructure services that let you build and run applications and services in a highly available hosted environment.
- PAAS. Oracle Platform as a Service (PaaS) provides various platforms to build and deploy applications within the public, private, or hybrid cloud.