Compliance audit

What is a compliance audit and why is it important?

A compliance audit is a detailed review of whether an organisation conforms with the laws and regulations that apply to it, as well as with its own internal rules and decisions. It also assesses the effectiveness of the organisation's internal controls by identifying weaknesses in its compliance processes and recommending measures to strengthen them.

The purpose of a compliance audit differs from that of an internal audit: a compliance audit is an external assessment, generally conducted by an independent third party, whereas an internal audit is carried out by the organisation's own staff, who evaluate the overall compliance and security risks and check whether internal guidelines are being followed.

A compliance audit may be requested by management, shareholders, other key stakeholders, or even regulatory authorities. Undertaking a compliance audit assists the organisation in:

  • identifying weaknesses in the compliance process;
  • reducing risk;
  • enhancing transparency with key stakeholders; and
  • identifying and correcting non-compliance.



Grant Thornton undertakes compliance audits in relation to financial crime (e.g., anti-money laundering (AML) and countering the financing of terrorism (CFT)) and other regulatory requirements (e.g., safeguarding of client funds, conflicts of interest, outsourcing, risk management requirements, compliance requirements, and key person risk). The firm carries out such audits in the following stages:

  1. Planning stage

The key areas on which the compliance audit will focus are identified, and the appropriate tools (e.g., interviews, desk-based review, sampling) are chosen to carry out the audit.

  2. Familiarisation stage

Grant Thornton conducts interviews and/or questionnaires with the holders of key roles to understand the organisation's activities, governance, reporting lines, and processes.

  3. Design assessment stage

The organisation is asked to provide its relevant policies, procedures, and supporting documents, which Grant Thornton assesses against the applicable legal obligations (i.e., whether the controls are adequately designed on paper).

  4. Effectiveness assessment stage

Grant Thornton then tests whether the policies and procedures established by the organisation are actually implemented in practice. For example, it may test a sample of client files, agreements, meeting minutes, meeting packs, and reports to assess the organisation's compliance with its own internal controls.

  5. Report drafting stage

Grant Thornton prepares a report outlining the findings and any recommendations for enhancing the organisation's compliance process. The report is discussed at a closing meeting, where Grant Thornton presents its recommendations for addressing any areas of risk.

The organisation may also opt for follow-up support from Grant Thornton to remediate the identified risks or deficiencies, after which the improvements can be validated and re-verified.

The duration of a compliance audit varies with the complexity of the organisation and its processes and with the key areas that need to be tested. In any case, Grant Thornton requires a minimum of four weeks to conclude an audit.


Other services

Grant Thornton also provides services to assist organisations in enhancing their business risk controls. These services include:

  • Due diligence services
  • Internal audit services
  • IT audit services
  • Compliance and risk management consultancy services
  • GDPR audit and consultancy services