People often get compliance and audit confused, so it is helpful to understand these terms because you will encounter them often. Audit and compliance are often associated with legal activities, which is why they are included in this chapter.
In the legal system, compliance is the action of following applicable laws, rules, and regulations. Generally speaking, for an organization compliance involves not only following laws and regulations, but also following the organization’s own policies and procedures. Compliance must be documented. With respect to law, it is not enough to say that an organization is compliant. The organization must prove that it is compliant.
Processes that might be used to demonstrate compliance include:
Compliance not only includes the actual state of being compliant, but it also includes the steps and processes taken to become compliant. Compliance usually asks the questions: “What are the rules?” and “How must the rules be followed?” Compliance is demonstrated daily through processes and procedures.
Audit is separate from compliance. An audit is an evaluation and verification that certain objectives are met. An audit can review laws, rules, regulations, policies, and procedures to ensure that an organization is complying with stated requirements. Audit looks at the processes that are put in place to meet compliance objectives and makes sure that those processes are accurate and are actually followed.
Audits may occasionally be performed by independent organizations. An organization also can have an internal audit function that ensures that the organization is following its own internal policies and procedures.
An audit is an inspection at a fixed point in time. In the truest sense of the word, audits do not take place daily. An audit usually asks the questions: “Are the rules being followed?” and “How are the rules being followed?”
Sometimes it is helpful to consider an example. Under the FTC’s Red Flags Rule,15 for instance, a covered organization is required to have a written identity theft prevention program. The program that is developed must provide for the identification, detection, and response to activities that could indicate identity theft.
The compliance functions that must be met include:
The questions that would be verified in an audit include:
Compliance is demonstrated by the processes and procedures that an organization uses to meet the law. Audit verifies that those processes and procedures actually do satisfy the legal requirements.