A compliance audit is a systematic, evidence-based examination of an organization's adherence to a defined set of external rules (statutes, regulations, treaty obligations) or internal commitments (codes of conduct, donor agreements, board policies). Unlike a financial audit, which tests whether financial statements fairly present an entity's position, a compliance audit asks a narrower question: did the entity do what it was required to do?
Typical components include:
- Scope definition — identifying the specific legal or policy framework being tested (e.g., GDPR, anti-money-laundering rules, export controls, grant terms).
- Document review — examining policies, contracts, training records, and transaction logs.
- Testing and sampling — verifying that controls operate as intended across a representative sample of activities.
- Findings and remediation — a written report listing deviations, their severity, and corrective actions, often with management response.
In the public sector, supreme audit institutions perform compliance audits under standards issued by INTOSAI (notably ISSAI 400 on compliance auditing). In the private sector, frameworks such as ISO 19600/37301 (compliance management systems) and the U.S. Sarbanes-Oxley Act of 2002 shape practice. International organizations and NGOs face compliance audits from donors — for example, USAID and the European Commission routinely audit implementing partners against grant agreements.
For IR researchers and MUN delegates, compliance audits are relevant in several contexts. Treaty bodies and monitoring mechanisms — such as the OECD Working Group on Bribery's country reviews under the 1997 Anti-Bribery Convention, or the Financial Action Task Force's mutual evaluations — function as state-level compliance audits, producing public reports that grade jurisdictions against agreed standards. Sanctions regimes likewise generate compliance-audit obligations for banks and exporters.
A compliance audit does not assess whether rules are wise, only whether they are followed. That distinction matters: a clean audit signals procedural conformity, not substantive effectiveness or ethical soundness.
Example
In 2021, the Financial Action Task Force published a mutual evaluation of South Africa, functioning as a compliance audit of the country's anti-money-laundering and counter-terrorist-financing regime.
Frequently asked questions
A financial audit tests whether financial statements are accurate and fairly presented; a compliance audit tests whether the organization followed specific laws, regulations, or contractual rules.
Keep learning