<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Internal Audit 101: Audits vs. Compliance Reviews

5 min read
Jul 16, 2020

What’s the difference between an audit and a compliance review?

Both an audit and a compliance review require expertise. Both help surface systemic issues. But there are several key differences that clearly separate the two.

Audit vs compliance comparison review

What’s an Audit?

An audit is a formal process where an independent party objectively examines the effectiveness or veracity of a process, report, or other metrics.

Independent auditors bring fresh eyes to the task of assessing the effectiveness of a program. Because they have no personal involvement in developing or executing the programs they are auditing, they are able to deliver unbiased findings and recommendations.

Audits can be performed internally or externally by a third party, but the outcome should be the same: findings that detail problems and recommendations for corrective actions. Auditors will attest to (i.e. vouch for) their findings and the best ones are Certified Internal Auditors (CIA) that have proven their competency and professionalism. 

Audits can be used to evaluate both financial and non-financial areas of an institution, including: 

Related: 5 Must-Have Elements of an Effective Audit Program 

Auditors go by the book. They might examine transactions, activity logs, and risk assessments to ensure accuracy, completeness, and timeliness. Financial and regulatory reports may be examined to determine if they were filed as required. 

Audits generally follow a set schedule or audit program, and the results are reported to the board.

Related: You Can’t Handle the Truth: Why Auditors Get a Bad Name When They Should Be Celebrated

What’s a Compliance Review?

A compliance review, also known as compliance monitoring or compliance testing, is the practice of conducting informal audits on current processes to find out whether people are following compliance requirements or if there is a problem with a particular process.

This differs from an audit in several ways. First, a compliance review isn’t conducted by an independent party. It’s performed by the compliance department. This is often done with checklists to guide compliance staff through what needs to be reviewed based on key compliance indicators.

Second, compliance reviews are done on more of an ad hoc basis and aren’t necessarily planned and scheduled in advance like an audit. Third, results are reported to the department head, who then decides if findings are critical enough to be brought to the board.

Read also: How to Lighten Your Compliance Management Workload

An Example of a Compliance Review

A good example of a compliance review would be reviewing a fixed number of account opening documents to make sure the branch staff collected the correct information to meet BSA/AML/OFAC requirements.

Learn more about compliance reviews with our free guide:
Compliance Review Roadmap for Financial Institutions

New call-to-action  

Exercises like this one help the compliance department assess the effectiveness of its policies and procedures and make adjustments as needed. If done successfully, it will result in fewer findings when auditors arrive.

Audits must have objective, clearly defined standards 

Not just anyone can review materials at a financial institution and call themselves an auditor. A true audit follows clearly established standards to ensure an audit is thorough, ethical, and objective.  

Some of the most well-known standards come from: 

  • The Auditing Standards Board of the American Institute of Certified Public Accountants (ASB of AICPA)
  • The Institute of Internal Auditors (IIA) 
  • Public Company Accounting Oversight Board (PCOB) 
  • International Organization of Standardization (ISO) 

For example, the ASB is responsible for “developing, updating and communicating comprehensive standards and practice guidance that enable practitioners to provide high-quality, objective audit and attestation services to non-issuers in an effective and efficient manner.” It maintains standards for SSAE 18 audits and the resulting SOC 1 and SOC 2 reports.

An audit that isn’t conducted using a systematic, independent, and clearly defined standard isn’t an audit.

Audits: You get what you pay for 

Audits are both time consuming and expensive (whether in internal resources or paying a third party) because a thorough audit requires experience and time. It is detailed and methodical, not casual or rushed. 

You’re also paying for objectivity. Auditors shouldn’t approach an audit with a specific outcome in mind. They shouldn’t care how many findings they uncover (though a good auditor will always find at least a few). They are there to let you know what went right, what went wrong, and offer suggestions on what you can do to improve your institution. They are paid whether or not you institute their recommendations.   

Compare that with a “free” audit. Free audits aren’t thorough, aren’t conducted by credentialed auditors, and—worst of all—aren’t objective. It’s like when you bring your car into a dealership for servicing, and the dealership often includes a free “multi-point vehicle inspection.” It’s not out of the kindness of their hearts. The dealership is looking for opportunities to upsell you, and they almost always find something. 

The same is true for free audits. A company that gives you a “free cyber audit” isn’t there to assess your program top to bottom from policies and procedures to employee training. It isn’t going to go through the full FFIEC Cybersecurity Assessment Tool (CAT) to provide an overall audit of your cyber maturity.  

That company is looking for a specific type of cyber problem: ones where it can sell you a solution to fix the problem whether it’s for password management, data loss prevention, or fraud prevention.

It’s not an audit. It’s a sales pitch.

It’s also a solution in search of a problem. 

The danger is that even if the information is accurate and you have a cyber weakness that needs to be corrected, the information is coming from a company that has a specific solution for solving the problem. It’s not going to talk about the weaknesses it can’t help you fix—even if it would be more efficient and cost effective to address all the problems together using a different company’s tool.  

It’s not an audit. It is not independent, and it does not conform to any recognized standard. 

It’s a limited review conducted by a biased party. 

A sales pitch is not an audit 

When a company offers a free audit, recognize it for what it is: a sales pitch.

While potential third-party vendors can offer valuable insights and ideas for making improvements, anyone offering an audit is selling you a bill of goods. At best, it’s a review. At worst, the vendor is providing a selective assessment of your institution that helps them set the agenda for a sales call—instead of letting your institution tell the vendor about your challenges and goals.

Don’t let a free audit give you false confidence in a solution or the needs of your institution. Leave the auditing to the professionals.

Did you know that Nverify contains over
75 compliance review templates?


Subscribe to the Nsight Blog