What Is the Difference Between Compliance and Audit?

People often get compliance and audit confused, so it is helpful to understand these terms because you will encounter them often. Audit and compliance are often associated with legal activities, which is why they are included in this chapter.

In the legal system, compliance is the act of following the laws, rules, and regulations that apply to you. For an organization, compliance generally means following not only external laws and regulations but also the organization’s own policies and procedures. Compliance must be documented. With respect to the law, it is not enough for an organization to say that it is compliant; the organization must be able to prove it.

Processes that might be used to demonstrate compliance include:

  • Creating policies or other organizational governance documents to comply with legal or regulatory requirements
  • Comparing compliance requirements against an organization’s daily practices, and modifying those practices as needed
  • Deploying monitoring in the organization’s information systems that alerts the organization when a security control required by law or regulation fails or is bypassed
  • Creating training and awareness activities that educate employees about compliance requirements

Compliance not only includes the actual state of being compliant, but it also includes the steps and processes taken to become compliant. Compliance usually asks the questions: “What are the rules?” and “How must the rules be followed?” Compliance is demonstrated daily through processes and procedures.

Audit is separate from compliance. An audit is an evaluation and verification that certain objectives are met. An audit can review laws, rules, regulations, policies, and procedures to ensure that an organization is complying with stated requirements. Audit looks at the processes that are put in place to meet compliance objectives and makes sure that those processes are accurate and are actually followed.

Audits may be performed by independent outside organizations. An organization also can have an internal audit function that verifies that the organization is following its own policies and procedures.

An audit is an inspection at a fixed point in time. In the truest sense of the word, audits do not take place daily. An audit usually asks the questions: “Are the rules being followed?” and “How are the rules being followed?”

Sometimes it is helpful to consider an example. Under the FTC’s Red Flags Rule,15 for instance, a covered organization is required to have a written identity theft prevention program. The program must provide for identifying, detecting, and responding to activities that could indicate identity theft.

The compliance functions that must be met include:

  • Identify activities that could indicate identity theft.
  • Determine how the organization will detect such activities.
  • Determine how the organization will respond to such activities.
  • Create a written identity theft prevention program.
  • Educate employees about their responsibilities in the identity theft prevention program.

The questions that would be verified in an audit include:

  • Did the organization properly identify activities that could indicate identity theft?
  • Did the organization properly determine how it will detect such activities?
  • Are the organization’s responses to activities appropriate to prevent identity theft?
  • Did the organization create a written identity theft prevention program?
  • Was the identity theft program approved by management?
  • Are employees meeting their responsibilities under the identity theft prevention program?

Compliance is demonstrated by the processes and procedures that an organization uses to meet the law. Audit verifies that those processes and procedures actually do satisfy the legal requirements.
