Compliance and Audit Response
Within the United States alone, multiple voluntary and compulsory audits exist based on standards and regulations. Financial audits in the U.S. are governed by generally accepted auditing standards (GAAS), which provide guidelines for preparing for and conducting audits. Government Auditing Standards apply to the audits of government organizations as well as to the programs and activities of contractors who receive government funds. Such standards may also apply to nonprofit organizations and non-government organizations that receive government funds. Audit evaluation criteria may also change based on whether a company is public or private. Often, federal agencies offer compliance support in the form of hotlines and websites to help organizations navigate regulatory labyrinths.

The following are just a few of the possible audit standards and guidelines in the U.S.:

  • Compliance Auditing Considerations in Audits of Government Entities and Recipients of Government Financial Assistance (AU 801): This guideline specifies definitions, management roles, and requirements for compliance audits of financial situations for government entities and organizations that receive government funding. They are published and managed by the Public Company Accounting Oversight Board (PCAOB).

  • Sarbanes-Oxley Act (SOX): SOX compliance audits require a specific audit of financial records and financial and operational controls. In addition to payroll and finance departments, IT departments are subject to particular audits to ensure controls for disaster recovery for electronic communications, appropriate change management tools, and complete audit trails.

  • Social Compliance: Social compliance and sustainability codes of conduct define employee working rights, health and safety rights, and environmental sustainability standards. Audits verify that suppliers and facilities in a supply chain adhere to the guidelines. Nonconformities may trigger sanctions, including loss of brand business.

  • Healthcare Insurance Portability and Accountability Act (HIPAA): HIPAA compliance audits check that organizations follow the standard for protecting personal data in healthcare. Organizations that handle personal healthcare information (PHI) must ensure the physical, electronic, and procedural security of data.

  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of standards that businesses must implement to be certified to store, process, or transmit electronic payments. If your organization processes more than six million credit card transactions per year, an annual audit is compulsory to ensure that networks, systems, and processes can protect sensitive information and detect breaches in a timely manner.

  • Human Resources (HR): Although various types of HR audits exist, a legal compliance audit verifies that an entity follows federal, state, and local employment laws and regulations. Particular areas of concern for companies include the misclassification of non-exempt work and inadequate personnel files.

  • Payroll: Payroll compliance audits determine whether an employer is complying with collective bargaining agreements.

  • Internal Revenue Service (IRS): The IRS audits individuals, corporations, and nonprofit entities to ensure that income taxes are paid. The IRS refers to its audits as examinations because they follow the tax code and not generally accepted accounting principles.

  • State and Local Tax (SALT): State and local auditors may review records of businesses and individuals to verify that state and local taxes, such as income tax and sales tax, are paid.

  • Financial Industry Regulatory Authority (FINRA): FINRA is not a government body, but it works together with the Securities and Exchange Commission (SEC). FINRA specifies annual audits for financial, brokerage, securities, and investment firms. This entity checks licensing, advertisements, and day-to-day activities to verify that trading practices are fair. Repercussions for a poor audit result can include fines, suspensions, or disbarment.

  • CAN-SPAM Act: This is a federal law implemented by the Federal Trade Commission (FTC) that governs bulk mail and commercial electronic messages to eliminate offensive, annoying, or misleading commercial email. The law applies to commercial businesses and also to nonprofit organizations. Commercial email senders may want to audit their systems for opt-out efficiency and to audit their vendors.

  • Occupational Health and Safety Act (OSHA): OSHA implements workplace health and safety standards for most workers, including office workers, and extends to those in such fields as manufacturing, construction, private education, and disaster relief. OSHA audits ensure that workplaces are hygienic and hazard-free.

  • Environmental Protection Agency (EPA): The EPA works with state, tribal, and other federal authorities to promote adherence to environmental laws. Environmental integrity is ensured by inspections and testing, but also through a robust self-monitoring and self-reporting mechanism.

  • Securities and Exchange Commission (SEC): The SEC audits financial institutions, such as securities advisors, to ensure that investors are well-informed about purchases and that clients are fairly treated.

  • The Centers for Medicare and Medicaid Services (CMS) (formerly the Health Care Financing Administration): The CMS is an agency within the federal Department of Health and Human Services. It oversees Medicare funding and partners with states to administer Medicaid. Audits of facilities are conducted regularly to ensure funds are used and tracked correctly.

  • ISO 14001: Established in 1996 by the International Organization for Standards, the ISO 14000 series and its certifiable standard, 14001, are internationally designed guidance for businesses to limit environmental impact by reducing waste and using supplies more efficiently. Certification is voluntary, but requires an initial audit and periodic maintenance audits.

  • Social Compliance: Social compliance standards center on sustainable labor and environmental practices throughout a company's supply chain. Standards may be specified in laws and regulations, in company-drafted codes of conduct, or in policies that are agreed upon by various industries. Social compliance audits are often required by brands, but paid for and initiated by suppliers.

  • SSAE-16: Statements on Standards Attestation for Engagements governs reports on controls at financial service organizations, such as data centers, ISPs, and other entities that may store, handle, or transmit sensitive data.

  • ISO 9001: An internationally agreed-upon quality management standard, ISO 9001 certification is voluntary, but requires an initial audit and periodic maintenance audits.

Click here to contact me and discuss your company's audit and compliance needs.