The Difference Between Compliance and Audit
Compliance is the act of following the laws, rules, and regulations that apply to an organization.
- involves following laws, regulations, and the organization's own policies and procedures
- Compliance must be documented
- the organization must be able to prove that it is compliant
- Processes used to demonstrate compliance:
  - Creating policies or other organizational governance documents to comply with legal or regulatory requirements
  - Comparing compliance requirements against the organization's daily practices, and modifying those practices as needed
  - Developing and implementing monitoring in information systems that alerts the organization when security controls required by law or regulation are compromised or stop functioning
  - Creating training and awareness activities that educate employees about compliance requirements
- includes both the actual state of being compliant and the steps and processes taken to become compliant
- compliance asks the questions:
  - What are the rules?
  - How must the rules be followed?
- demonstrated continuously, day to day, through processes and procedures
An audit is an evaluation and verification that certain objectives are being met.
- a separate function from compliance
- can review laws, rules, regulations, policies, and procedures to confirm that the organization is complying with the stated requirements
- looks at the processes put in place to meet compliance objectives and checks that those processes are accurate and are actually followed
- may be performed by independent external organizations (an external audit)
- organizations can also have an internal audit function that checks they are following their own internal policies and procedures
- an audit is an inspection at a fixed point in time, unlike compliance, which is ongoing
- audit asks the questions:
  - Are the rules being followed?
  - How are the rules being followed?
Important
Compliance is demonstrated by the processes and procedures an organization uses to meet legal and regulatory requirements.
Audit verifies that those processes and procedures actually satisfy the legal requirements and are actually being followed.