Compliance Audit: What It Is, How to Prepare, and Why You Should Care

compliance audit

“Quis custodiet ipsos custodes? (Who watches the watchmen?)” – Decimus Junius Juvenalis (Juvenal), Roman satiric poet

We’ve spoken before about the importance of meeting high standards with your work.

We’ve also covered, in detail, how failure to comply with industry standards and bad processes cost Zenefits $7,000,000.

This all happened because they weren’t meeting the standards they should have been with their internal processes.

To help stop you from falling afoul of the same fate, we here at Process Street will be covering compliance audits in this post. These are the guidelines that you will need to follow to avoid penalties from external sources for not doing your work satisfactorily.

It doesn’t matter what business you’re in – compliance audits are there to make sure that your customers are getting a satisfactory (or, at least reasonable) service.

We’ll cover:

Let’s get right into it.

What is a compliance audit?

A compliance audit is a series of checks performed externally to make sure that your company is meeting the regulatory standards applicable to your business.

In other words, it’s a way of making sure that you’re carrying out your work up to a basic required standard. The checks are carried out by an external, impartial party to help eliminate bias and keep things fair.

The trouble with discussing compliance audits is that the things being assessed differ greatly depending on the nature and dealings of your company.

For example, each of the following elements will change the standards you have to meet to pass a compliance audit:

Whether you’re a public or private company
The sector you operate in (SaaS, healthcare, etc)
The types of roles you employ within (content writers, graphic designers, programmers, etc)
Local laws and regulations
Whether you take only local or international customers
Whether you retain private data

California law will differ from UK law, doctors have to meet different standards than financial planners, and so on. The only way to know for sure what you need to be compliant with is to look up the industry standards for your own.

One example of a compliance audit is the ISO 9000 family of quality management standards.

If you want to learn more about ISO standards, you can find our blog posts here:

Agile ISO: How to Combine Compliance with Rapid Process Improvement

We’ve also written checklist templates to help you make sure that your company is compliant with the ISO standards relevant to you. Check them out here:

If you couldn’t already tell, we’ve done a lot of work on quality management systems (especially ISO standards) which serve as a base for many official compliance audits. That’s why we’re tackling the topic on the whole in this post.

compliance quality management — A good quality management system goes a long way to preventing any problems with the compliance audits that apply to your business (Source)

While the checklists above won’t automatically make your business ISO compliant, using them to check your business before applying for an external compliance audit is a great way to avoid wasting time and effort on failing the audit.

Why is audit compliance important?

Anybody can say that they’re the best in the world. Heck, just think of the number of grimy coffee shops that you’ve seen with “World’s Best Coffee!” slapped in the window.

The same is true of any business – if left unchecked, there’s little other than word-of-mouth to prevent them from claiming that they offer the best service on the market.

For small businesses (SMBs), this presents less of a threat to their customers (relative to larger companies). Usually, SMBs operate on a smaller scale with less power to mess their customers around.

However, what happens when a large business doesn’t meet the appropriate security standards?

Just speak to (what used to be) Yahoo.

importance of compliance audit — Yahoo’s security wasn’t up to compliance standards. The result speaks for itself. (Source by 1000zen, used under license CC BY 2.0)

A security breach in 2013 compromised the names, dates of birth, email addresses, passwords, security questions and answers of 3 billion users, making it the largest recorded data breach. The revelation knocked $350 million off of its sale price (around 8% of its final price).

Basically, if you don’t at least meet industry standards, you open yourself (and your customers) up to huge problems.

Compliance audits thus help to verify:

The security of sensitive data
The records of financial departments
Payroll
HR policies
Health and safety
Environmental impact
Quality management standards

The audits prove that your team (and company as a whole) is performing its duties in these fields up to a standard that can be trusted by its customers. It not only gives them peace of mind and confidence in you but shows your performance at a measurable level.

If you’re GDPR certified and your main competitor isn’t, for example, a large new lead will be more likely to become your customer than theirs.

Compliance audit types

While assessing bodies may look at several elements at once, the majority put a huge amount of emphasis on the security of sensitive data. This is because data is by far the most dangerous thing for your company to be mishandling.

It doesn’t matter what business you’re in – if your practices lead to a breach of customer data, those customers (and potential new ones) will lose a huge amount of faith in you. Not to mention they’re far more likely to start looking for another, safer business to deal with.

To that end, while the audit you need to adhere to differs depending on the type of business you’re running and the location you’re in, most of them focus on similar aspects.

While I won’t cover every type of compliance audit here, here are some of the main ones which large-scale US companies have to deal with:

General Data Protection Regulation (GDPR)
Health Insurance Portability and Accountability Act (HIPAA)
International Organization for Standardization (ISO)
Payment Card Industry Data Security Standards (PCI DSS)
The Sarbanes-Oxley (SOX) Act
SOC 2

General Data Protection Regulation (GDPR) compliance audit

GDPR is a dense beast that mostly comes down to the protection of customer data in the EU.

Now, I said that these compliance audit checks would concern larger US companies, and this is still true. GDPR regulations apply to any company that has dealings within the EU, no matter the main base of operations.

While the specifics of GDPR are lost in legal jargon (which you should read if it applies to you), the gist of the standards can be summarised thus:

You need to have a system in place to manage data and security.
You need to have that system fully documented.
You need to operate with the parameters of the GDPR, e.g.
- Consent boxes cannot be auto-filled as “yes”.
- Companies must respond to access requests from users within 1 month.
- Requests for personal information must be processed free of charge.

If you want more information, check out our full breakdown of how to be GDPR compliant:

How to Be GDPR Compliant: A Guide for SaaS and Beyond

Alternatively, check out our free GDPR Checklist For Businesses!

Health Insurance Portability and Accountability Act (HIPAA) compliance audit

HIPAA was passed in 1996, and covers anyone dealing with protected health information (PHI) of clients in any form (hard copy, oral or digital).

Another behemoth of legislation, you can find a short, 25-page summary of HIPPA here. However, for those with less patience, I’ll summarise the summary below:

You need to have safeguards to prevent unauthorized access to PHI
These safeguards should be fully documented, checked, and updated according to new technological requirements
These safeguards shouldn’t prevent the sharing of information within your organization where it is required to perform your duties

International Organization for Standardization (ISO) compliance audit

ISO is different from the previous two compliance audits, in that it represents an entire family of checks as opposed to a single focus.

For example, ISO 9001 focuses on quality management to let your business use continuous improvement. Meanwhile, ISO 14001 instead checks that your team has implemented (and is upholding) an effective environmental management system (EMS).

If you want to learn more about ISO standards and use some free checklists to help yourself become ISO compliant, check the What is a compliance audit? section of this post for a full list of our resources.

Payment Card Industry Data Security Standards (PCI DSS) compliance audit

The Payment Card Industry (PCI) Security Standards Council is responsible for the standards that you need to adhere to if you process payment cards at all.

Their Data Security Standards are entirely designed to make sure that your business is safely handling this data. If anything, this is as much for your own good as it is for your customers.

Just think of the damages you’d have to pay if payment card information was leaked due to your bad practices.

To meet their standards, you have to:

“Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for employees and contractors”

The Sarbanes-Oxley (SOX) Act compliance audit

Back in 2002, the Sarbanes-Oxley (SOX) Act was passed in the US, bringing huge changes for the standards that public companies had to meet.

SOX focuses on regulating the financial practices of public companies, how they are governed, and the accountability that executives must take. As you might imagine, this act was created as a response to massive financial scandals in public companies to attempt to prevent the same from happening again.

The checks that must be made in order to be compliant with SOX involve:

Any electronic records you hold, and the management of them
Data protection measures
How accountable executives can be held

SOC 2 compliance audit

Created by the American Institute of CPAs (AICPA), SOC 2 is another set of guidelines applying to those who use the cloud to store customer data (especially technology companies).

To achieve high standards of data security, there are two types of SOC 2 audits which you can be compliant with:

SOC Type 1 – assesses whether a vendor’s systems have the appropriate security measures to safely house customer data in the cloud
SOC Type 2 – focuses instead on the vendor’s operations, including the systems and processes, typically over a period of six months

Again, while these six compliance audits are far from an exhaustive list, they’re a great place to start with knowing what standards you have to meet in your business.

How to prepare for a compliance audit

There’s only one way to prepare for a compliance audit; to look up the requirements to pass it and then rigorously enforce those requirements in your organization.

I won’t go over how to meet the specific requirements of each and every compliance audit out there. Frankly, the best way to know what you need to do is to look up the audits that apply to your business and what you need to do to meet their standards.

However, I can tell you how to prepare yourself to comply with an audit.

Since we deal with customers in the EU, Process Street needs to be GDPR compliant. We made a massive push to ensure that everything was up to standard and ready to go to avoid breaching their rules and damaging our reputation (not to mention risking our clients’ data).

There were a couple of elements that I noticed made a huge difference in this transition, preventing it from being a manic mess of trial and error.

We had a workflow management system already in place
Our continuous improvement system allowed us to easily make changes
The collaboration culture allowed departments to talk to each other and get to the bottom of things faster

Having some kind of business process documentation software is essential to be compliant with an audit. There’s no better way of effectively keeping track of what standards your work currently meets and how successful any improvements are.

We practice what we preach by using Process Street alongside apps like Salesforce to let us perfectly track what we do (and how we do it).

Let me tell you why.

Process Street: The natural compliance audit software

Process Street lets you lay the groundwork of your organization out for anyone to understand. By documenting your processes as superpowered checklists, you make sure that everyone knows what they’re doing, how they should be doing it, and is able to perform their tasks to your high standards no matter how inexperienced they are.

These checklists can be built out with rich text, images, videos, sample emails, files, and more to remove any obstacles between your employees and their work. You can even assign team members to specific tasks or checklists and set due dates to make sure that everyone knows exactly what they need to do and when it’s due.

To cap it all off, you can save time and effort by automating your processes and integrating Process Street with other apps. This lets you automatically take care of busywork like data entry and task creation without having to get your hands dirty and waste your attention on the smaller, robotic tasks.

In other words, your standards can be set, improved and enforced all within Process Street!

Get a head start on your compliance audits by signing up for a free account today.

What compliance audits does your business need to meet? Let us know in the comments below!