
By Fady Bashay




Performing a compliance audit is a way to demonstrate that the organization conforms to regulatory and international standards, and to measure the extent to which its operations are governed, risk-balanced, measurable, and monitorable.

Based on the results of an audit, the organization will then prepare for formal certification or a renewal audit to confirm that any audit findings have been addressed. Such certifications can strengthen trust in an organization and give it a competitive edge.


An Introduction

This type of audit provides a holistic review of an organization's adherence to regulatory guidelines. It is meant to evaluate how well the organization meets the requirements of internationally recognized standards.

Independent security or IT consultants first evaluate the strength and thoroughness of compliance preparations. Subsequently, auditors review the implementation of the organization’s policies, controls, and risk management procedures, collecting evidence through a compliance audit process over an agreed-upon period of time.

What Is Examined?

What is examined in such an audit depends on whether the organization is a public or private company, what kind of data it handles, and whether it transmits or stores sensitive financial data. For example, a health regulation might require that all client electronic communication be backed up and secured using a rigorous data encryption process and redundant infrastructure, so that it can be recovered successfully under the organization’s business resumption plan.

Examples of Audit Areas

Healthcare providers that store or transmit e-health records, like Personal Health Information, are subject to HIPAA (Health Insurance Portability and Accountability Act) requirements in the USA. Canada has two federal privacy laws. The Canadian Privacy Act covers the personal information-handling practices of federal government departments and agencies. The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal private-sector privacy law. Other provincial-level regulations apply to specific areas such as healthcare information.

Financial services companies that store, transmit, and process credit card data are subject to PCI DSS (Payment Card Industry Data Security Standard) requirements.

For each of the above standards, the organization must also be able to demonstrate compliance with the requirements by producing evidence in the form of process documents and formal audit trails, generated from system and application event log data.

What Do Auditors Examine?

While carrying out compliance audit processes, auditors examine all of the compliance requirements from the respective regulatory authority for the applicable industry (e.g., PCI DSS, HIPAA, PIPEDA, ISO 27001, etc.).

Compliance auditors will generally put a series of pointed questions to CIOs, CTOs, and IT administrators over the course of an audit. These may include which users were given access to an application system and when, which users have left the organization and whether their user IDs were properly revoked, and which IT administrators hold trusted administrative access to critical systems.

IT administrators prepare for compliance audits by collecting data from event log management and change management software, providing evidence that authentication and control systems are working properly, together with the supporting documentation.
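The three auditor questions above (who was granted access and when, whether departed users were revoked, and who holds administrative access) can be answered from exactly the data the article names. The following is an added illustration, not code from the article or its author: it assumes a constructed HR offboarding list, a constructed directory export, and constructed application event-log lines in a simple `GRANT user=... app=... by=...` format, and reconciles them into audit findings.

```python
from datetime import date, datetime
import re

# Constructed sample evidence (not from the article): HR offboarding list,
# directory export of accounts, and application event-log lines.
DEPARTURES = {"jdoe": date(2023, 3, 31), "mlee": date(2023, 3, 1)}
ACCOUNTS = {
    "jdoe": {"enabled": True, "groups": ["Domain Admins"]},
    "mlee": {"enabled": False, "groups": []},
    "asmith": {"enabled": True, "groups": ["Finance"]},
    "svc-backup": {"enabled": True, "groups": ["Domain Admins"]},
}
EVENT_LOG = """\
2023-02-01T09:12:00 GRANT user=jdoe app=payroll by=admin1
2023-04-02T10:05:00 GRANT user=mlee app=payroll by=admin1
2023-06-01T08:00:00 GRANT user=asmith app=payroll by=admin2
2023-06-01T08:01:00 LOGIN user=asmith app=payroll result=success
"""
GRANT_RE = re.compile(r"^(\S+) GRANT user=(\S+) app=(\S+) by=(\S+)$")

def parse_grants(log_text):
    """Return (timestamp, user, app, granted_by) for each GRANT event."""
    grants = []
    for line in log_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:  # non-GRANT events (e.g. LOGIN) are ignored here
            ts = datetime.fromisoformat(m.group(1))
            grants.append((ts, m.group(2), m.group(3), m.group(4)))
    return grants

def audit_access(departures, accounts, log_text,
                 privileged_groups=("Domain Admins",)):
    grants = parse_grants(log_text)
    findings = {
        # Departed users whose account is still enabled: a revocation gap.
        "unrevoked": sorted(
            u for u in departures
            if accounts.get(u, {}).get("enabled", False)),
        # Access granted after the user's recorded departure date.
        "post_departure_grants": sorted(
            (u, app) for ts, u, app, _ in grants
            if u in departures and ts.date() > departures[u]),
        # Enabled accounts holding trusted administrative group membership.
        "privileged": sorted(
            u for u, a in accounts.items()
            if a["enabled"] and set(a["groups"]) & set(privileged_groups)),
        # Evidence trail: who was given access to what, when, and by whom.
        "grant_history": [(ts.isoformat(), u, app, by) for ts, u, app, by in grants],
    }
    return findings
```

Running `audit_access(DEPARTURES, ACCOUNTS, EVENT_LOG)` on the constructed data flags `jdoe` as unrevoked, `mlee`'s post-departure grant, and the two enabled Domain Admins accounts, alongside the full grant history as evidence.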


The compliance audit process may seem complicated and expensive, but it is both crucial and necessary for any organization that provides services that require adhering to any of the regulatory standards. Serious audit findings that are not promptly remediated may not only strip the company of certifications but cause it to lose business.

Conducting compliance audits at regular intervals also provides CIOs, CTOs, and IT management with information on where to correct and improve controls in the organization. Making these enhancements to daily operations can help an organization maintain its competitive advantage in the business environment.


Fady Bashay

Fady Bashay is a Security Consultant who specializes in PKI, Certificate lifecycle management, cryptography and key management. He has a Master of Engineering Information System Security from Concordia University in Montreal and is working at Difenda Inc. as a Senior Information Security Consultant.