In the IG world, audit and compliance have a unique relationship: one that ensures a business or other organization does not break any laws, regulations, rules, or standards. An auditor asks the question: Is the business doing what it said it would do? Asq.com notes there are “3 discrete types of audits: product (including services), process, and system.”[1] In its simplest form, an audit can be something as straightforward as a quality control measure, potentially identifying risk before it harms stakeholder interests. In more complex situations that require the business or organization to protect PII, an audit can be a formal investigative process whereby a designated professional independently “reviews, verifies, evaluates, and reports on an organization.”[2] Given the EU’s new privacy laws, the audit and compliance relationship ensures information systems that utilize PII do not open up an organization or business to costly lawsuits.

Although the audit process checks for specific compliance issues, compliance on its own has a formal place in an organization. Compliance can be used as a means for showing stakeholders that the PII in their control is safe from potential leaks. The audit/compliance relationship is particularly useful for ensuring electronic information inside information systems does what it should do according to standards such as DoD Standard 5015.2. With an audit trail of electronic records, an IG professional can ensure a records management system (RMS) is PII-protection compliant at each access point. Because many of these flows are automated, compliance as a function must be both forward and outward-focused. This gives compliance a proactive function that mitigates risk.

The Enron scandal is a case study in how the audit and compliance relationship breaks down when an incorrect or misleading audit function falsely inflates a business’ net worth. Arthur Andersen, once one of the most prestigious accounting firms in the business, conspired with some of Enron’s top executives to falsify earning statements. Although the objective was greed, these top executives bankrupted the company and sent its stock value tumbling. Unfortunately, virtually every person who worked at Enron lost their pensions as the company went bankrupt when Enron’s worth was revealed to be far less than what Arthur Anderson reported. In the wake of this scandal and prosecutions of Enron’s executives, the audit/compliance relationship was strengthened by the passage of the Sarbanes-Oxley of 2002. This act brought transparency to the audit/compliance relationship by protecting investors from illegal and fraudulent corporate activities.