
I - Introduction

1. Definition of Compliance Audit


- A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.
- Audit reports evaluate the strength and thoroughness of compliance preparations, security policies,
user access controls and risk management procedures over the course of a compliance audit.
- Compliance audits are conducted by independent audit practitioners, and most have the following
characteristics:
+Based on frameworks or regulatory requirements.
+Performed by an independent or third-party auditor.
+Results in some kind of final deliverable, like a report, an assessment, or an audit opinion.

2. Types of Compliance Audits


- There are several types of compliance audits, each focusing on different aspects of an organization's
operations and regulatory requirements. Some common types include:
+Regulatory Compliance Audits: ensure compliance with the specific laws, regulations, and industry
standards relevant to the organization's operations.
+Financial Compliance Audits: examine financial statements, accounting practices, internal controls,
and financial reporting processes.
+Operational Compliance Audits: assess adherence to the internal policies, procedures, and
operational standards established by the organization.
+Information Security Compliance Audits: assess whether the organization's security policies,
access controls, and technical safeguards meet the requirements of the security standards and
regulations that apply to it.
+Privacy Compliance Audits: assess how personal data is collected, stored, processed, and shared
against the applicable data-protection requirements.
+Quality Management System (QMS) Audits: assess whether the organization's quality management
processes conform to the quality standard it has adopted.
3. Key Components of Compliance Audits
- A compliance audit is a systematic examination of an organization's operations and practices to ensure
adherence to laws, regulations, and internal policies.
- It helps identify any non-compliance issues and provides recommendations for corrective actions.
- To conduct an effective compliance audit, certain key components need to be considered.
+Define Audit Objectives and Scope: determine the specific regulations, laws, or internal policies
that need to be assessed, and which systems, processes, and periods are in scope.
+Develop an Audit Plan: outline the audit methodology, procedures, and timelines.
+Gather Relevant Data and Documentation: collect the policies, records, system configurations, and
other evidence needed to assess compliance with the scoped requirements.
+Perform Testing and Evaluation: test the controls in scope against the criteria and evaluate the
evidence to identify instances of non-compliance and their severity.
+Provide Recommendations and Corrective Actions: report each finding together with the corrective
action recommended to address it.
+Follow-up and Monitoring: follow up on the implementation of corrective actions and monitor
progress.
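The testing, recommendation and follow-up steps above are easiest to see in code. The following is an added example and is not part of the original notes or of any audit standard: it tests a constructed identity-provider account export against two user-access-control criteria, turns each deviation into a finding with a recommended corrective action and a due date, and states the conclusion the report would carry. The account records, the policy thresholds (90-day dormancy limit, MFA required for privileged accounts, 120-day remediation window), the control names "AC-dormant" and "AC-mfa", and the severity scale are all assumptions chosen for illustration; a real audit takes the criteria from the scoped regulation or internal policy.

```python
"""Control test for the "Perform Testing and Evaluation" step of an access-control audit.

Added example, not part of the original notes. The account export, the policy
thresholds (90-day dormancy limit, MFA required for privileged accounts, 120-day
remediation window), the control names and the finding format are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed evidence: a user export from an identity provider, as the auditee
# might supply it during the "gather data and documentation" step.
SAMPLE_ACCOUNTS = [
    {"user": "alice",      "privileged": True,  "mfa": True,  "enabled": True,  "last_login": date(2024, 5, 30)},
    {"user": "bob",        "privileged": True,  "mfa": False, "enabled": True,  "last_login": date(2024, 5, 28)},
    {"user": "carol",      "privileged": False, "mfa": True,  "enabled": True,  "last_login": date(2023, 11, 2)},
    {"user": "dave",       "privileged": False, "mfa": False, "enabled": False, "last_login": date(2024, 1, 15)},
    {"user": "svc-backup", "privileged": True,  "mfa": False, "enabled": True,  "last_login": None},
]


@dataclass(frozen=True)
class Policy:
    """Audit criteria (assumed values; a real audit takes them from the scoped policy)."""
    dormant_days: int = 90           # enabled accounts idle longer than this must be disabled
    mfa_for_privileged: bool = True  # every privileged account must have MFA enrolled
    remediation_days: int = 120      # window for corrective action after the closing meeting


@dataclass(frozen=True)
class Finding:
    control: str
    user: str
    severity: str
    detail: str
    recommendation: str


def evaluate_access_controls(accounts, policy, as_of):
    """Test each enabled account against the two access-control criteria; return the deviations."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used, so it is outside both controls' scope
        # Control AC-dormant: an idle or never-used account that is still enabled is a deviation.
        idle = (as_of - acct["last_login"]).days if acct["last_login"] else None
        if idle is None or idle > policy.dormant_days:
            findings.append(Finding(
                control="AC-dormant",
                user=acct["user"],
                severity="high" if acct["privileged"] else "medium",
                detail=("never logged in" if idle is None else f"idle {idle} days")
                       + f", limit {policy.dormant_days} days",
                recommendation="disable the account or record a business justification",
            ))
        # Control AC-mfa: a privileged account without MFA is always a high-severity deviation.
        if policy.mfa_for_privileged and acct["privileged"] and not acct["mfa"]:
            findings.append(Finding(
                control="AC-mfa",
                user=acct["user"],
                severity="high",
                detail="privileged account without MFA",
                recommendation="enforce MFA enrolment or revoke the privileged role",
            ))
    return findings


def corrective_action_plan(findings, policy, report_date):
    """Turn findings into tracked actions, each due within the remediation window."""
    due = (report_date + timedelta(days=policy.remediation_days)).isoformat()
    return [
        {"control": f.control, "user": f.user, "severity": f.severity,
         "action": f.recommendation, "due": due, "status": "open"}
        for f in findings
    ]


def audit_conclusion(findings):
    """The conclusion the report states: compliant, or non-compliant with counts by severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return {"conclusion": "compliant" if not findings else "non-compliant", **counts}


def run_audit(accounts=SAMPLE_ACCOUNTS, policy=Policy(), as_of=date(2024, 6, 1)):
    """Run the control test, the corrective-action plan and the conclusion as one audit step."""
    findings = evaluate_access_controls(accounts, policy, as_of)
    return {
        "findings": findings,
        "plan": corrective_action_plan(findings, policy, report_date=as_of),
        "conclusion": audit_conclusion(findings),
    }


if __name__ == "__main__":
    result = run_audit()
    for f in result["findings"]:
        print(f"[{f.severity}] {f.control} {f.user}: {f.detail} -> {f.recommendation}")
    print(result["conclusion"])
```

Run against the sample export, the test reports four deviations (bob and svc-backup lack MFA; carol and svc-backup are dormant), all due for remediation 120 days after the report date, and a non-compliant conclusion. The point of keeping criteria in the Policy object and evidence in a plain list is that the same test can be re-run unchanged during the follow-up step to confirm that the corrective actions were actually completed.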
II. Regulatory Landscape
1. Overview of Relevant Regulations
- Which regulations are relevant to a compliance audit depends on the industry, jurisdiction, and the
specific regulatory requirements applicable to the organization. For audits in Vietnam, the main
instruments are:
- Law on Independent Auditing 2011 (Law No. 67/2011/QH12 of March 29, 2011): regulates the
principles, conditions, scope, and form of independent audit activities; the rights and obligations of
practicing auditors, auditing firms, and branches of foreign auditing firms in Vietnam; and the units
that are audited.
  Source: Law No. 67/2011/QH12 of March 29, 2011, on independent audit in Vietnam (thuvienphapluat.vn)
- Decision 155/QD-KTNN 2021 (State Audit of Vietnam): provides regulations on inspection and
comparison at regulatory bodies, organizations, and individuals involved in state audit activities.
  Source: Decision 155/QĐ-KTNN 2021 on inspection and comparison at agencies, organizations, and
individuals related to audits (thuvienphapluat.vn)
- Decision No. 02/2020/QD-KTNN dated October 16, 2020: promulgates the audit process, which
regulates the order and procedures for the audit work performed by the State Audit.
  Source: Decision No. 02/2020/QD-KTNN dated October 16, 2020 on audit procedures of the State Audit
(thuvienphapluat.vn)

III. Preparing for a Compliance Audit


1. 5 Fundamental Steps of the Compliance Audit Process

- The five fundamental steps of the compliance audit process are:
+Step 1: Research and Readiness: Auditors prepare by confirming the audit scope, planning their
approach, and reviewing past reports and documentation to understand any changes in procedures.
+Step 2: Documentation and Evidence Review: Auditors review the relevant policies and procedures,
focusing on areas such as security, risk management, and compliance, and request specific evidence
from the organization.
+Step 3: Conducting Interviews: Auditors interview staff to gain insight into the organization's
processes and controls, asking questions to understand the procedures and verify compliance.
+Step 4: Process Assessment and Employee Shadowing: Auditors assess the effectiveness of controls
through testing and observation. They identify any deviations from policy and assess their severity,
often collaborating with the organization to address the findings.
+Step 5: Compilation of Compliance Report: The audit team compiles its findings into a report,
which is reviewed by senior members before it is issued.

IV. Conducting the Compliance Audit


1. Planning and Preparation
- In general, compliance audit planning has two aspects.
+First, auditors develop an overall strategy for the scope, emphasis, timing and conduct of the audit.
+Second, based on that strategy, auditors prepare an audit plan that sets out the detailed approach
and the specific steps for the nature, timing and extent of the procedures to be performed, together
with the reasons for selecting them.
2. Fieldwork Execution
- Conducting audits starts after finalizing an audit strategy and audit plan; including gathering and
evaluating evidence, forming conclusions, documenting the audit process and communicating with the
auditable entities.
- In the planning phase, auditors review the internal controls and institutional arrangements to prevent,
detect, and rectify instances of noncompliance before they start gathering audit evidence.
- A typical engagement proceeds through these steps:
+Step 1: After making contact with the auditor, the organization decides whether the auditor's
expertise is a good fit.
+Step 2: At a preliminary meeting, the auditor explains the audit guidelines and what is required. The
auditor may provide audit checklists so that the client can prepare.
+Step 3: Once the organization completes the audit questionnaires and supplies the auditor with the
needed documents, the auditor may work on-site to review documents, walk through the workspaces,
study the infrastructure and security features, and interview management and employees.
+Step 4: At the final meeting, the auditor discusses the report and makes recommendations to address
any areas of risk. Whether or not they are working under a regulatory deadline, organizations should
generally rectify any deficiencies within 120 days, so that the corrective actions are demonstrably
complete. Some auditing firms provide follow-up support to help organizations rectify the risks or
deficiencies identified.

3. Reporting and Findings


- Reporting communicates the deviations from, and violations of, the applicable authorities so that
corrective actions may be taken and those responsible for the deviations or violations can be held
accountable for their actions.
- The report presents the results of the audit to the intended users, and to other relevant users, on
the responsible party's compliance with the stated criteria.
- It gives the responsible party an opportunity to take corrective action to address instances of
non-compliance.
- The ISSAIs on compliance audit require that a written report, setting out the findings in an
appropriate form, be prepared at the end of each audit.
- This report should conform to the principles of completeness, objectivity, timeliness and a
contradictory process, both in its form and content:
+Completeness requires the auditor to consider all relevant audit evidence before issuing the report.
+Objectivity requires the auditor to apply professional judgment and skepticism to ensure that all
reports are factually correct and that findings and conclusions are presented in a relevant and balanced
manner.
+Timeliness requires the auditor to report in due time, while the findings are still applicable and
relevant to the intended users.
+A contradictory process requires the auditor to check the accuracy of the facts with the audited
entity and to incorporate its responses, as appropriate, before the report is finalized.
- In deciding the form and content of the report, the auditor is expected to consider the following
factors:
+The users' needs
+The SAI's (Supreme Audit Institution's) mandate
+Relevant legislation and regulation
+The level of assurance provided
+The type of engagement
+Customary reporting practice
+The complexity of the reported issues

V. Case Studies and Examples


Enron Corporation
The Enron scandal was a major financial scandal that emerged in the early 2000s, involving the
American energy company Enron Corporation. A summary of the key events and outcomes:
- Accounting Fraud: The scandal primarily involved fraudulent accounting practices through which
Enron's financial health was grossly misrepresented. The company used complex financial structures
(off-balance-sheet special purpose entities) to hide debt and inflate profits.
- Bankruptcy: The scandal led Enron to file for bankruptcy in December 2001, at that time the largest
bankruptcy in U.S. history.
- Legal Repercussions: The fallout brought down Arthur Andersen LLP, then one of the largest auditing
and accounting firms in the world. Andersen had failed to detect the fraud in Enron's financial
statements and was convicted in 2002 of obstruction of justice for destroying Enron-related
documents; the conviction was later overturned, but the firm had already ceased auditing.
- Regulatory Changes: In response to the scandal, the U.S. Congress passed the Sarbanes-Oxley Act of
2002 to enhance corporate accountability and financial transparency.

- First, Enron's case highlights the importance of auditors maintaining independence from the
companies they audit, so that their assessments are unbiased.
- Second, it reminds us of the importance of whistle-blower protection: where safeguards are in place,
organizations encourage openness and give individuals who discover financial irregularities the
confidence to expose them.
- Third, Enron emphasizes how crucial regulatory oversight is in holding auditors accountable and
preventing corporate fraud.

VIII. Challenges
1. Client Or Security Certification Audits Take Forever To Complete
- Audits are time-consuming tasks.
- Client and security certification audits require the relevant documentation to be checked two or
three times.
- The hours required to perform audits pose difficulties for small and medium-sized companies that do
not have enough internal auditors, or the budget, to perform this manual work.
2. Managing Complaints And Resolving Disputes Is A Tricky Business
- On average, collection agencies receive disputes on 10% of their accounts, and complaints on another
5% of their accounts.
- Resolving a complaint can take several hours, especially if it involves cross-verifying with multiple
departments.
- In the absence of automation around dispute and complaint management, agents may end up
spending 25% of their time on resolving complaints and disputes alone.
3. Compliance Training Is A Never-Ending Task
- Team leaders or compliance officers may have to spend many hours training, testing, and scoring
employees manually.
- Failing to identify gaps in training exposes the company to risk with regard to policies,
procedures, client requirements, and the latest regulations.
4. Maintaining Policies And Procedures Is A Labor-Intensive Job
- It takes substantial manpower and supervision to ensure that regulatory changes are disseminated
agency-wide and that every agent, dispute analyst, and QA professional within the company is up to date
on the changes.

IX. Key Points and Recommendations


1. Key Points of Compliance Audits
- Compliance audits are systematic reviews of an organization's adherence to relevant laws, regulations,
and internal policies. They typically involve:
+Identifying applicable requirements: This involves understanding the specific laws, regulations, and
internal policies that apply to the organization's activities.
+Gathering evidence: This involves collecting data and documentation to assess compliance with the
identified requirements.
+Evaluating findings: This involves analyzing the evidence to determine whether the organization is
compliant and identifying any areas of non-compliance.
+Reporting results: This involves communicating the audit findings to management and making
recommendations for corrective action.
2. Recommendations for Compliance Audits
- Based on the findings of a compliance audit, recommendations may be made to address any identified
areas of non-compliance. These recommendations may include:
+Developing or revising policies and procedures: This may be necessary to ensure that the
organization has clear and up-to-date guidance on how to comply with relevant requirements.
+Providing training to employees: This may be necessary to ensure that employees are aware of their
compliance obligations and how to meet them.
+Implementing corrective action plans: This may be necessary to address any specific instances of
non-compliance that have been identified.
