
Fundamentals of Compliance Auditing

Course Description


While compliance auditing is typically used to evaluate whether the organization is following external regulations, it can also be used at a corporate level to determine whether a subsidiary company follows the wider corporation's policies and procedures. Internal auditors should exhibit the proficiency and professional due care needed to ensure adequate testing is performed, reducing the likelihood of failing regulators' and other stakeholders' expectations.

This introductory course provides a comprehensive overview of key compliance auditing concepts that are fundamental for all internal auditors. It introduces participants to a host of common regulations, the controls needed to maintain compliance with them, and how to apply each regulation within the internal audit process. Additionally, the course explores the associated reporting requirements (SOX, PCI, HIPAA, breach notification, OFAC, ESG, and others) and how to collect evidence and perform internal audit activities against the regulatory reporting guidelines.

Who will benefit from this course?

This course is designed for internal auditors who are looking for a fundamental understanding of conducting compliance audits. It is recommended for internal auditors who are involved in assessing processes that require regulatory reporting and who need to know how to assess the compliance, accuracy, completeness, and currency of existing data collection, management, and reporting processes, and to understand the impact of inaccurate and/or incomplete data collection, data protection, and regulatory reporting on organizational risks. This course also benefits any internal auditors currently focused on operational, financial, or technology audits who would like to expand their skill set to include compliance audit knowledge and understanding.

Course Objectives

  • Explore a suite of commonly encountered regulations impacting one or more industries focusing on data collection, data protection, breach notification and compliance reporting requirements, current proposals, and recent changes.
  • Review the suite of common risks and controls related to identifying and maintaining regulatory compliance in general.
  • Discuss common US and international data privacy regulations and notable failure impacts.
  • Evaluate common US and international cybersecurity regulations and notable failure impacts along with their impact on privacy regulations and the cryptocurrency industry.
  • Identify challenges with maintaining compliance during rapidly shifting global work conditions, including: increased volume of remote work, shifts to company culture, and increased demand for employee mental health and well-being.
  • Examine the impact of climate change, environmental, social, and governance (ESG) and diversity, equity, and inclusion (DEI) requirements, and the increased use of deepfakes on the organization's internal and external stakeholders while ensuring regulatory compliance and reducing reputational, regulatory, and financial risks.
  • Articulate the importance of data protection regarding data and people analytics.
  • Apply common techniques for performing internal audit activities against common regulatory guidelines.
  • Identify common indicators of compliance-related fraud and how to validate and report such fraud.
Course Duration: 2 day(s)
CPEs Available: 16
Knowledge Level: Intermediate
Field of Study: Auditing
Prerequisites: Tools for the New Auditor and/or previous internal audit experience.
Advance Preparation: None
Delivery Method: eLearning (Group-Internet-Based); On-site Training (Group-Live); Seminar (Group-Live); Live Stream

Course Outline

US and International Regulation Review

  • Regulatory guideline discovery techniques.
  • Review of common financial services regulations including cryptocurrency.
  • Review of common health and safety regulations.
  • Review of common critical infrastructure regulations.
  • Review of common public sector regulations.
  • Review of common retail regulations.
  • Review of common manufacturing regulations.
  • Review of common social media regulations.

General Regulatory Compliance Risk and Controls

  • The impact of culture on regulatory compliance.
    • Learning vs. blaming culture.
    • Compliance vs. non-compliance culture.
    • Risk-averse vs. risk-aggressive culture.
  • The role and duties of the compliance committee.
  • Common controls to improve regulatory compliance.
  • Common risks that impede regulatory compliance.

Data Privacy Regulations

  • History and purpose of establishing data privacy regulations and notable failures.
  • Data privacy disclosure and reporting requirements.
  • Risks of inadequate protection of non-public data and information.
  • Controls to protect data privacy.
  • Techniques for internal auditors to assess the effectiveness of controls to ensure compliance with data privacy regulations.

Cybersecurity Regulations

  • History and purpose of establishing cybersecurity regulations and notable failures.
  • Impact of privacy and cryptocurrency regulations on cybersecurity and incident response.
  • Impacts of supply chain and other third-party risks.
  • Cybersecurity and third-party risk management requirements.
  • Cyber / ransomware / killware / data breach disclosure and reporting requirements.
  • Risks of inadequate cybersecurity protections.
  • Controls to protect against cyber exploits.
  • Techniques for internal auditors to assess the effectiveness of controls to ensure compliance with cybersecurity and cryptocurrency regulations.

Response to a Rapidly Shifting Global Work Environment

  • Identify challenges with maintaining compliance within a rapidly shifting global work environment, including: increased volume of remote work, shifts to company culture, and increased demand for employee mental health and well-being.
  • Impacts of sudden shifts to remote work regarding maintaining regulatory compliance.
  • Risks of inadequate protections and policies for telecommuting.
  • Controls to protect data from inappropriate remote access and inappropriate data usage.
  • Techniques for internal auditors to assess the effectiveness of controls to ensure compliance with regulations in a work-from-home/remote-work environment.

ESG and DEI

  • Illustrate the impact of climate change, environmental, social, and governance (ESG) and diversity, equity, and inclusion (DEI) requirements, and the increased use of deepfakes on the organization's internal and external stakeholders while ensuring regulatory compliance and reducing reputational, regulatory, and financial risks.
  • Impacts of current and emerging requirements for ESG reporting.
  • Risks of inadequately collecting and reporting ESG-related topics to regulators and other key stakeholders.
  • Controls to collect, manage, and report on ESG- and DEI-related activities.
  • Techniques for internal auditors to assess the effectiveness of controls to ensure compliance with regulations and stakeholder expectations regarding ESG and DEI.

Public Sector Regulations

  • Overview of regulations relating to purchasing (supply chain), grants, taxes, and contracting.
  • Current and emerging regulatory requirements.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in regulatory compliance testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

Sarbanes-Oxley

  • Overview of regulation.
  • Current and emerging regulatory requirements, including SOX for cybersecurity.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in SOX testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

PCI-DSS

  • Overview of regulation.
  • Current and emerging regulatory requirements.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in PCI testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

HIPAA

  • Overview of regulation.
  • Current and emerging regulatory requirements.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in HIPAA testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

GLBA and FINRA

  • Overview of regulations.
  • Current and emerging regulatory requirements.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in GLBA and FINRA testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

EU GDPR

  • Overview of regulation.
  • Current and emerging regulatory requirements.
  • Documenting data flow including IT-controlled and end-user (shadow-IT) controlled input sources.
  • Opportunities for data analysis and automation in GDPR testing.
  • Typical audit activities.
  • Understanding the difference between accidental actions, management overrides with unintentional negative consequences, and fraudulent activities.
  • Identifying, investigating, and communicating suspicious activities.

Most courses can be delivered through on-site training. You might be surprised that the organization leading the profession is just as committed to the delivery of affordable training.

Contact us by calling +1-407-937-1388 or send an e-mail to GetTraining@theiia.org.
