
Compliance 101: Independent Audits, Independent Reviews & Self-Testing

Mar 23, 2017

When it comes to compliance, risk management, and consulting, there are a few terms you should know so that you set the stage for success. Here, we will define three of those terms and help you understand the key differences between them.


There are a few key terms related to compliance consulting and risk management that are easy to confuse. Some of the most common ones include:

  • Independent compliance audit,
  • Independent compliance review, and
  • Compliance self-testing

While these are just titles, the concepts they represent do have subtle differences. In this post, we will explain those differences and make sure that you're in a good position to find the right solutions for you. Let's jump right in:

Independent Audit

An Independent Audit assesses the fairness and accuracy of the transactions or processes being tested in accordance with an institution's written policy.

The Auditor's job is to look at the past, present, and future to ensure all activities were carried out in accordance with the company's written policies and procedures. Using detailed procedures and evaluation of written materials, the auditor will evaluate how the area being tested compares to the policy.

Their job is to answer the question “Did the institution do what they said they would do?”

If not, recommendations should be made to ensure correction of the oversight.

These types of engagements are usually very niche and focused on a particular topic, internal process and/or section of a regulation. By definition, an independent audit is limited. If something doesn’t exist in your written policies, it doesn’t get tested.

Independent Review

An Independent Review is an objective, relatively holistic review of the compliance program. It includes discussions with compliance teams, management, and employees to determine if practices meet the needs of the organization and comply with all federal and state regulatory requirements.

The consultant’s job is to look at the present and towards the future to ensure all activities are carried out in accordance with written policy and procedures, while also being aligned with regulatory compliance requirements. The consultant’s job is also to provide advice, training, and collaboration to ensure that the client understands and implements specific regulatory requirements that work within the existing business process and organization.

Their goal is to answer the questions: "Does the current process, which includes policies and procedures, ensure compliance? Are actual practices following the written policy?"

If not, they should provide recommendations on how it could be changed, who should do it, and to whom the changes need to be communicated.

Independent reviews tend to focus on operations (e.g., policy, procedures, process) to determine whether they comply with the institution's policy and with federal and state regulations, and to ensure that they do.



A Self-Test, also called a Self-Evaluation, is a common and effective internal monitoring system used by most compliance departments.

A self-test is used to review processes within the institution to determine if policy and procedures for a particular area are working as intended. It is a first step in proactively testing your compliance management system.

The scope and nature of these evaluations vary widely among institutions based on the company's size, risk profile, and history of documented recommendations (both internal and external).

Self-testing is a precursor to your independent audit or independent annual review.

Ncontracts Viewpoint: No matter which independent testing option an institution uses (audit or review), it is important that the scope is clearly explained, the person(s) completing the review are qualified, and the results of the engagement are communicated, documented, tracked, and monitored to completion.

If you're looking for a partner in your compliance risk management, including risk assessments or independent reviews, we would be happy to help. Just click here to request a demo.

