How and why you should conduct a yearly business compliance audit

Businesses that are in compliance are operating within all the applicable laws and codes that pertain to their operations, as well as standards and policies set by the company's leadership. Rules, laws, and ordinances can change from year to year, so it can pay to conduct a yearly compliance audit to make sure your business is up to code.

Keeping your business in compliance

"Any organization, regardless of size, should ask itself, 'What are the key compliance issues that, if we violate, could put us out of business or severely set us back?'" says Gerry Zack, CEO of the Society of Corporate Compliance and Ethics and the Health Care Compliance Association. The next question organizations should ask themselves, he adds, is, "'What are we doing to make sure we don't break those rules?' Those two questions, in essence, sum up what a compliance risk assessment is all about."

"Some laws and regulations apply to everyone—like paying your taxes and having the proper licenses," says Alma Angotti, co-lead, global investigations and compliance at Guidehouse.

"Other types of businesses will have special regulations, OSHA, consumer protection, truth in advertising, fraud. If you are a publicly traded company, you will have to comply with financial accounting and disclosure regulations," she says. And, "If you are a financial institution, you will have to comply with many regulations, such as safety and soundness, anti-money laundering, and other consumer protection regulations," she adds.

Staying in compliance with federal, state, and local laws can be tricky, especially if you operate in a heavily regulated industry. "It can be a challenge to keep up," says Angotti.

Which is why conducting an annual audit, or evaluation, of your processes is smart. Just like a routine physical at the doctor or a review of your retirement portfolio, an annual business compliance audit helps you spot weaknesses or areas with the potential for trouble down the line.

Conducting an audit now, during the coronavirus shutdown, may be especially wise.

Because of the money distributed to deal with the pandemic, says Angotti, "many small businesses, municipalities, and state governments will need integrity controls that they may not have had before. For example, they may need to document that they were entitled to the money, that they obtained it properly, and that they spent it properly," she says. "That will be a challenge for some, and very difficult to pull together a year or so down the road in response to an investigation." For that reason, "it will be important to set up those controls now and monitor your compliance with them regularly."

External vs. internal audits

On top of confirming that you're operating legally, according to external rules and regulations, it's important also to verify that the company's own policies and procedures are being followed and that they match the corporate bylaws and other business-specific guidelines. Those company functions may involve accounting, information technology (IT), security, hiring, or marketing, to name a few.

An external audit is conducted by an outside third-party who is knowledgeable about the company's industry, can assess where the business is in compliance, and is at risk of non-compliance, which can be costly. Being out of compliance generally involves fines and penalties.

An internal audit is less formal and is typically conducted by an employee as a first step toward confirming compliance. The employee conducts their own assessment, comparing current policies and procedures with legal mandates and best practices within the industry. "Generally, the internal compliance auditing function focuses on compliance issues that are most material to the organization, based on a risk assessment, and tailors its auditing procedures accordingly," Zack says.

In both cases, a compliance report is usually issued, much like a home inspection, that identifies which processes are in compliance and which are not, so that they can be corrected.

Where to start a compliance audit?

Before you can begin to assess whether your operations are in compliance, you first need to know which regulations are relevant for your company. Angotti says she creates a map of the applicable regulations they test for or the controls the business should have in place to manage the risk.

To create your own map, or list, consider what are the laws you're aware of that you're following? How about building codes, if you own your facility? Or EPA standards? How about hiring practices? Or government security and privacy standards?

What regulations have you agreed to abide by? Make a list, or a compliance calendar.

Once you have that list, you can begin to compare your policies and procedures to determine if your business is, in fact, in compliance with relevant regulations and standards.

Angotti's process involves reviewing "written policies and procedures, interviewing key employees, and testing transactions and other records to see if the compliance program the business [has] in place is appropriately designed, fit for purpose, properly implemented, and sustainable," she says.

What to do when you're not in compliance?

If you've discovered that you're not in compliance before a government official has, you're in luck. That means you may have time to take action and correct any errors before an official audit is scheduled that could result in fines.

Angotti works to find the "root cause" and get specific recommendations on "how to close the gap." When she prepares compliance recommendations, "We identify those deficiencies that mean the business is currently out of compliance and must be fixed immediately," as well as less critical corrections "that might make the compliance program more efficient, more effective, or meet industry better practices."

An annual compliance audit "is probably one of the best ideas to make sure that your program is doing what you think it is doing and is updated when necessary," Angotti says.