Compliance Audit


A compliance audit is an independent examination of a company’s accounts and practices to determine whether they comply with laws, regulations and internal policies and procedures. Any practice that breaches a law, regulation or internal policy can have serious consequences that prevent the company from reaching its goals.

Compliance audits cover many fields, such as operations, finance, information technology, standards, and law and regulation. In this type of audit, auditors may need to evaluate staff practices at various levels to determine whether they comply with regulations and established policies.

Purposes of Compliance Audit

A compliance audit is performed to ensure that the company fulfils its external obligations, such as laws and regulations, and that its staff at all levels follow internal policies and procedures.

Law and regulation

The main objective of this type of audit is usually to ensure that the company complies with the relevant laws and regulations imposed by the government and regulatory bodies.

If the company fails to follow relevant laws and regulations, it may face serious consequences such as heavy penalties or revocation of its licence to operate.

Internal policies and procedures

Besides checking compliance with laws and regulations, a compliance audit is also performed to make sure that the business practices of staff at all levels comply with internal policies and procedures.

Internal controls, policies and procedures are usually designed to minimize the risks that would prevent the company from achieving its objectives, so the compliance audit evaluates whether staff have implemented them effectively.

Auditors of Compliance Audit

A compliance audit is usually performed by internal auditors; however, other types of auditors also perform it, as shown in the table below:

Types of Compliance Auditor

Internal auditors

The company’s own internal auditors, who perform compliance audits in addition to operational and financial audits.

External auditors from an accounting firm

Sometimes a company lacks the resources and expertise to perform compliance audits itself, so it engages external auditors from an accounting firm to perform the audit.

At other times, the government or a regulatory body may require that external auditors, rather than internal staff, perform the compliance audit.

Government or Regulatory Auditor

Auditors from the government or a regulatory body may also perform a compliance audit to evaluate whether the company follows the laws or regulations that body issues.

Technical compliance personnel

Some companies, especially those in strictly regulated industries, have their own compliance personnel who specialize in this field.

The role of technical compliance personnel is to ensure that business practices comply by performing regular compliance audits.

Compliance Audit Process

A compliance audit usually follows the four steps below:

  1. Regulatory Framework
  2. Planning
  3. Examination
  4. Reporting

Regulatory Framework

The first step is to determine and establish the objectives and requirements of the regulatory framework. Here, auditors define the objective of the audit and the framework they will follow.

For example, auditors may define their objective as reporting whether the activities, financial transactions and information regarding the company’s business comply, in all material respects, with the legal and regulatory frameworks that govern them.

Planning

Planning starts with obtaining an understanding of the company’s business and environment in order to identify and assess the risk of material non-compliance.

When assessing the risk of material non-compliance, auditors consider, for each compliance requirement, whether the risk arises from fraud or from error. They also consider whether the risk of material non-compliance is pervasive across the company’s compliance and, if so, how many compliance requirements it affects.

After assessing the risks, auditors design procedures that respond to the risks of material non-compliance, including the nature, timing and extent of the audit procedures. In this step they also develop an overall audit strategy to make sure the audit is carried out effectively.

Examination

In this step auditors perform the audit procedures, which may include both tests of controls and substantive procedures, in order to gather sufficient appropriate audit evidence to form a conclusion about the company’s level of compliance and non-compliance.

Auditors should test the operating effectiveness of controls over each applicable compliance requirement if any of the following applies:

  • the risk assessment relies on an expectation that controls over compliance are operating effectively;
  • substantive procedures alone cannot provide sufficient appropriate audit evidence; or
  • a government or regulatory body requires tests of controls over compliance.

The auditors’ main objective in the examination phase is to obtain sufficient appropriate audit evidence on which to base an opinion on compliance. Because of this narrower objective, many areas covered in a financial statement audit are not required in a compliance audit.

Reporting

As with other types of audit, reporting is the final step. Auditors issue a final audit report after completing their review of the company’s compliance processes as a whole.

Before issuing the report, auditors need to make sure they have gathered sufficient appropriate audit evidence to support their opinion on compliance.

The audit report usually details the company’s level of compliance, any violations found, and suggestions for improvement. This type of report is often released to the public to comply with law and regulation and to gain public trust and confidence in the company.