FORTISEU

What Is a Compliance Audit? An Extensive Guide

15 min read. Updated 2026-03-18

Everything EU organisations need to know about compliance audits. Covers internal, external, and regulatory audits under NIS2, DORA, and ISO 27001. Includes a preparation checklist, common findings, and strategies to achieve audit readiness.

Key Takeaways
1. Compliance audits are systematic examinations of regulatory adherence, conducted internally, by third parties, or by regulators under NIS2, DORA, and ISO 27001.

2. NIS2 Article 32 empowers competent authorities to mandate security audits of essential entities, while DORA Article 26 requires threat-led penetration testing at least every three years for the financial entities that competent authorities designate for it.

3. The most common audit findings -- outdated documentation, insufficient evidence, access control deficiencies, and untested business continuity plans -- are predictable and preventable.

4. Continuous audit readiness, achieved through automated evidence collection and ongoing control testing, eliminates pre-audit scrambles and reduces findings by up to 50%.

What Is a Compliance Audit?

A compliance audit is a systematic, independent examination of an organisation's adherence to applicable laws, regulations, standards, or contractual obligations. Unlike financial audits, which focus on the accuracy of financial statements, compliance audits evaluate whether the organisation's policies, procedures, controls, and practices conform to specific regulatory or standard requirements.

Compliance audits serve multiple purposes. For the organisation, they provide independent assurance that the compliance programme is effective, identify gaps before regulators find them, and generate evidence of due diligence. For regulators, they provide a mechanism to verify that regulated entities meet their obligations. For customers and partners, audit results (particularly third-party certifications like ISO 27001) provide confidence that the organisation manages risk responsibly.

In the EU regulatory context, compliance audits have taken on heightened importance. NIS2 Article 32(2) empowers competent authorities to carry out on-site inspections and off-site supervision, including regular and targeted security audits performed by an independent body or by the competent authority itself. DORA Article 26 mandates advanced testing of ICT tools, systems, and processes through threat-led penetration testing (TLPT) for the financial entities that competent authorities identify on the basis of their impact on the financial sector, systemic character, and ICT risk profile. ISO 27001 certification requires annual surveillance audits and recertification in the third year of each cycle. The frequency and rigour of audit scrutiny facing EU organisations has increased substantially, making audit readiness a permanent state rather than a periodic project.

Types of Compliance Audits

Understanding the different types of compliance audits helps organisations prepare appropriately for each and manage audit fatigue when multiple audit types overlap.

Internal audits are conducted by the organisation's own internal audit function or an in-house team with appropriate independence. ISO 27001 Clause 9.2 requires organisations to conduct internal audits at planned intervals to determine whether the ISMS conforms to the standard's requirements and is effectively implemented and maintained. Internal audits are the organisation's first line of assurance: they identify nonconformities before external auditors or regulators discover them. The best internal audit programmes operate continuously, not annually, and use risk-based sampling to focus effort where it matters most.

External audits are conducted by independent third-party organisations. The most common external compliance audit for EU organisations is the ISO 27001 certification audit, performed by an accredited certification body. Certification audits follow a two-stage process: Stage 1 assesses documentation and ISMS design, and Stage 2 assesses implementation and operational effectiveness. After initial certification, annual surveillance audits verify ongoing conformity, and a full recertification audit occurs every three years. Assurance engagements such as SOC 2 or ISAE 3402 reports are also relevant for EU service organisations that need to give their customers independent assurance over the controls they operate on the customers' behalf.

Regulatory audits (or supervisory examinations) are conducted by or on behalf of regulatory authorities. Under NIS2 Article 32, competent authorities may conduct regular and targeted audits of essential entities, and under Article 33, may supervise important entities through ex-post measures when evidence suggests non-compliance. DORA Article 26 requires the financial entities identified by their competent authority to carry out threat-led penetration testing at least every three years, under the authority's supervision. Regulatory audits differ from certification audits in that the auditor has enforcement powers: findings can lead to binding instructions, penalties, or operational restrictions.

Supply chain audits are increasingly common as NIS2 Article 21(2)(d) and DORA Articles 28-30 impose supply chain security and third-party risk management obligations. Your customers and partners may audit your compliance posture as part of their own regulatory obligations, creating a cascading audit chain throughout the supply network.

Under NIS2 Article 32(2)(b), competent authorities can require essential entities to undergo security audits carried out by a qualified independent body or by the competent authority itself. These audits are not optional and refusal to cooperate is itself a compliance violation.

EU Regulatory Audit Requirements

Each major EU framework imposes specific audit and examination requirements that organisations must understand and prepare for.

NIS2 Directive (Articles 32-33): For essential entities, competent authorities have broad supervisory powers including on-site inspections, off-site supervision, regular and ad hoc security audits, security scans based on objective and non-discriminatory risk assessment criteria, and requests for information needed to assess cybersecurity risk-management measures. For important entities, supervisory measures are primarily ex-post: authorities act when they receive evidence of non-compliance, typically through incident reports, audit results, or complaints. However, Member States may transpose NIS2 with additional supervisory powers, so national implementing legislation should be reviewed carefully.

DORA Regulation (Articles 24-27): Financial entities must establish an ICT testing programme that includes vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, compatibility testing, and penetration testing. Article 26 requires the financial entities identified by their competent authority (on the basis of impact on the financial sector, systemic character, and ICT risk profile, not a fixed "significant" label) to carry out threat-led penetration testing (TLPT) at least every three years, on live production systems and covering several or all critical or important functions, following the TIBER-EU framework or an equivalent national framework. The competent authority supervises TLPT execution and attests that the test was carried out as required. Article 26(8) governs who may test: testers must meet the Article 27 requirements, internal testers may be used under specific conditions but an external tester must be contracted at least every third test, and significant credit institutions must use external testers only.

ISO 27001:2022 (Clauses 9.2-9.3): The standard requires internal audits at planned intervals and management reviews that evaluate the continuing suitability, adequacy, and effectiveness of the ISMS. External certification audits are conducted under ISO/IEC 17021-1 and the ISMS-specific accreditation requirements of ISO/IEC 27006, with Stage 1 (documentation review), Stage 2 (implementation assessment), annual surveillance audits, and recertification in the third year of each cycle. Auditors assess conformity with the standard's requirements (Clauses 4-10) and the implementation of the Annex A controls selected in the Statement of Applicability, including the justification for any controls excluded.

Organisations subject to multiple frameworks will face overlapping audit activities. A financial institution might undergo a DORA supervisory examination, an ISO 27001 surveillance audit, a NIS2-mandated security audit, and multiple customer supply chain audits within the same year. Coordinating these activities through a unified audit management process is essential to prevent audit fatigue and ensure consistent responses.

Audit Preparation Checklist

Thorough preparation is the single most important factor in audit outcomes. Organisations that invest in preparation experience fewer findings, shorter audit cycles, and less operational disruption. The following checklist covers the essential preparation activities.

Documentation readiness: Ensure all policies, procedures, and standards are current, approved, and version-controlled. Auditors will check that documents have been reviewed within their scheduled review period (typically annually). Verify that the scope statement is accurate and up to date. Confirm that the risk assessment methodology is documented and has been applied consistently. Check that the statement of applicability (for ISO 27001) or requirements traceability matrix (for NIS2/DORA) accurately reflects the current control environment.

Evidence preparation: For each control in scope, verify that evidence of effectiveness is available, current, and complete. Evidence should demonstrate that the control is designed effectively (it addresses the risk it is intended to address) and operating effectively (it has been consistently applied throughout the audit period). Common evidence types include system configuration exports, access review records, training completion reports, incident response records, vulnerability scan reports, penetration test reports, change management records, and backup/recovery test results. Organise evidence by control or requirement to facilitate efficient audit navigation.

Personnel preparation: Brief all individuals who may be interviewed by auditors. Ensure they understand their role in the compliance programme, can describe the controls they own, and know where to find supporting evidence. Conduct mock interviews with key control owners to build confidence and identify knowledge gaps. Assign an audit liaison who will coordinate logistics, manage evidence requests, and track finding responses.

Environment readiness: Verify that technical controls are operating as documented. Run internal scans and checks to confirm that configurations match policies. Address any known nonconformities before the audit begins -- an auditor who discovers a known, unaddressed issue will view it more severely than one that was identified and is being actively remediated. Ensure that audit trails and logging are functioning correctly, as auditors increasingly validate controls by examining system logs.

Logistical preparation: Confirm audit dates, scope, and methodology with the audit team. Prepare a secure workspace for on-site auditors with appropriate network access. Establish a communication protocol for evidence requests and finding discussions. Agree on the timeline for draft report review and management response.

Conduct a pre-audit internal assessment 4-6 weeks before the external audit. This provides time to identify and remediate issues while they can still be addressed before auditors arrive. Findings remediated before the audit are not findings.

Common Audit Findings and How to Prevent Them

Audit findings follow predictable patterns. Understanding the most common findings allows organisations to focus preventive effort where it has the greatest impact.

Incomplete or outdated documentation is the single most frequent audit finding across all frameworks. Policies that have not been reviewed within their scheduled period, procedures that do not reflect current operational practices, and risk assessments that have not been updated to reflect organisational changes are perennial issues. Prevention: implement automated policy lifecycle management with review date tracking and owner notifications. Treat documentation currency as a continuous obligation, not a pre-audit activity.

Insufficient evidence of control effectiveness is the second most common finding. The control may be well-designed and consistently operated, but if the organisation cannot produce evidence demonstrating this, the auditor cannot confirm conformity. Particularly problematic are controls that rely on manual processes without systematic documentation -- "we always do this but we do not have records." Prevention: define evidence requirements for every control at the time of control design, automate evidence collection wherever possible, and conduct quarterly evidence completeness checks.

Access control deficiencies appear consistently in cybersecurity audits. Common issues include: excessive access rights (users with permissions beyond their role), orphaned accounts (former employees or contractors with active access), insufficient authentication (absence of MFA for critical systems), and infrequent access reviews. These findings are relevant to NIS2 Article 21(2)(i), DORA Article 9(4)(c), and ISO 27001 A.5.15-5.18 and A.8.2-8.5. Prevention: implement automated access reviews on a quarterly cadence, integrate identity lifecycle management with HR processes, and enforce MFA for all administrative and remote access.
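The four deficiencies above are exactly what an automated quarterly review should flag. The script below is an added example, not FORTISEU code or any real IdP's export format: it joins a constructed HR roster (the authoritative source for status and role) with a constructed identity-provider export and reports orphaned accounts, rights beyond the role baseline, privileged groups without MFA, and overdue reviews. Account names, groups, roles and the 90-day cadence are assumptions for illustration.

```python
"""Automated quarterly access review (added example, not FORTISEU code).

Cross-checks a constructed HR roster against a constructed identity-provider
export and flags the four deficiencies named in the text. The record shapes
are assumptions for illustration, not any real IdP's export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2026, 3, 18)                            # review date (assumed)
REVIEW_PERIOD = timedelta(days=90)                   # quarterly cadence, as the text recommends
PRIVILEGED = {"prod-ssh", "admin-console", "erp"}    # groups that must have MFA (assumed)

# Constructed HR roster: the authoritative "who is still employed, in what role".
HR_ROSTER = {
    "alice": {"status": "active", "role": "sre"},
    "bob":   {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "contractor"},
    "dave":  {"status": "active", "role": "developer"},
}

# Constructed role baseline: the entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "sre":        {"prod-ssh", "admin-console", "vpn"},
    "finance":    {"erp", "vpn"},
    "developer":  {"git", "ci", "vpn"},
    "contractor": {"vpn"},
}

# Constructed IdP export: the actual state of the accounts.
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "mfa": True,  "groups": {"prod-ssh", "admin-console", "vpn"}, "last_reviewed": date(2026, 1, 10)},
    {"user": "bob",   "enabled": True,  "mfa": False, "groups": {"erp", "vpn", "admin-console"},     "last_reviewed": date(2025, 9, 1)},
    {"user": "carol", "enabled": True,  "mfa": True,  "groups": {"vpn"},                             "last_reviewed": date(2026, 2, 1)},
    {"user": "dave",  "enabled": True,  "mfa": True,  "groups": {"git", "ci", "vpn"},                "last_reviewed": date(2026, 3, 1)},
    {"user": "erin",  "enabled": False, "mfa": False, "groups": {"erp"},                             "last_reviewed": None},
    {"user": "svc-backup", "enabled": True, "mfa": False, "groups": {"prod-ssh"},                    "last_reviewed": None},
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # orphaned | excessive_rights | privileged_no_mfa | review_overdue
    detail: str


def review_access(accounts, roster, entitlements, as_of):
    """Return the list of findings for one review run."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue          # disabled accounts are out of scope (leaver already offboarded)
        user = acct["user"]
        person = roster.get(user)
        privileged = acct["groups"] & PRIVILEGED

        if person is None or person["status"] != "active":
            # Leaver still enabled, or an account with no HR owner at all
            # (unowned service accounts land here and need an explicit owner).
            findings.append(Finding(user, "orphaned", "enabled account without an active HR record"))
        else:
            excess = acct["groups"] - entitlements.get(person["role"], set())
            if excess:
                findings.append(Finding(user, "excessive_rights",
                                        f"beyond role '{person['role']}': {sorted(excess)}"))

        if privileged and not acct["mfa"]:
            findings.append(Finding(user, "privileged_no_mfa",
                                    f"holds {sorted(privileged)} without MFA"))

        last = acct["last_reviewed"]
        if last is None or as_of - last > REVIEW_PERIOD:
            findings.append(Finding(user, "review_overdue",
                                    "never reviewed" if last is None else f"last reviewed {last.isoformat()}"))
    return findings


def run_review():
    """Run the review over the constructed data set."""
    return review_access(IDP_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, AS_OF)


def summarise(findings):
    """Count findings per kind: the figure a reviewer signs off and retains as evidence."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.kind:18} {f.user:12} {f.detail}")
    print(summarise(results))
```

On the constructed data this yields seven findings: carol (terminated, still enabled) and svc-backup (no HR owner) are orphaned; bob holds admin-console beyond the finance baseline, lacks MFA on privileged groups, and is overdue for review; svc-backup also lacks MFA and has never been reviewed. The run itself, retained with its date, is the evidence an auditor asks for when checking that reviews actually happen on the stated cadence; the script is deliberately read-only so that the review record and any remediation (disabling carol's account, assigning an owner to svc-backup) stay separate, auditable steps.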

Incident management weaknesses are flagged when organisations cannot demonstrate a tested, documented incident response process with clear escalation paths and regulatory notification workflows. NIS2 Article 23 requires an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. DORA Article 19 requires major ICT-related incidents to be classified and reported to the competent authority; under the reporting technical standards the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it. Prevention: document incident response procedures, conduct tabletop exercises at least semi-annually, and implement automated incident classification and notification workflows.

Business continuity and disaster recovery gaps are common findings, particularly the absence of tested recovery procedures. Having a business continuity plan is necessary but insufficient; auditors expect evidence that the plan has been tested and that test results have been used to improve the plan. Prevention: conduct DR tests at least annually, document results including failures and lessons learned, and update plans based on test outcomes.

Managing the Audit Process

How an organisation conducts itself during an audit significantly influences the outcome. Professional, transparent engagement builds auditor confidence; evasive or disorganised behaviour raises concerns that may lead to deeper examination.

Respond to evidence requests promptly and completely. If a requested document does not exist, say so honestly rather than stalling or producing a hastily created substitute. Auditors are experienced professionals who can distinguish between a document that has been in active use and one that was created the previous evening. Honesty about gaps, accompanied by a credible remediation plan, is always received better than obfuscation.

During interviews, answer the question that was asked -- not a different question that you are more comfortable with. Provide concise, factual responses. If you do not know the answer, say so and offer to follow up. Do not speculate, exaggerate, or volunteer information about unrelated areas. Every additional topic you introduce is a potential additional audit trail for the examiner to follow.

Track findings as they emerge during the audit. Most auditors will share preliminary observations during closing meetings, but maintaining your own tracking throughout the audit ensures nothing is missed. For each potential finding, begin developing a management response immediately -- this demonstrates responsiveness and may influence how the finding is characterised in the final report.

Maintain a constructive relationship with auditors. They are not adversaries; they are performing a function that ultimately benefits the organisation by identifying weaknesses before they lead to incidents or regulatory actions. Auditors who encounter a cooperative, well-prepared organisation will naturally focus their limited time on areas of genuine concern rather than conducting exhaustive testing of areas that are clearly well-managed.

After the audit, review the draft report carefully and provide substantive management responses. A management response should acknowledge the finding (or provide additional context if the finding reflects a misunderstanding), describe the specific remediation actions planned, assign ownership, and commit to a completion date. Generic responses such as "management will review" are insufficient and signal a lack of seriousness.

Never fabricate or backdate evidence. Auditors verify timestamps and metadata. Fabricated evidence, if discovered, transforms a minor nonconformity into a fundamental integrity concern that jeopardises the entire audit outcome.

Achieving Continuous Audit Readiness

The ultimate goal of a mature compliance programme is continuous audit readiness: the ability to produce complete, current evidence of compliance at any point in time, without special preparation. This state eliminates the stressful pre-audit scramble, reduces the risk of findings due to evidence gaps, and positions the organisation to respond to unannounced regulatory examinations.

Continuous audit readiness requires three foundational capabilities. First, automated evidence collection: the GRC platform continuously gathers control effectiveness evidence from integrated systems -- endpoint compliance data, access review records, vulnerability scan results, configuration snapshots, training completion records -- without manual intervention. Each evidence artefact is timestamped, immutable, and automatically linked to the controls and requirements it supports.

Second, living documentation: policies, procedures, and risk assessments are maintained in a system that tracks versions, enforces review schedules, captures approvals, and alerts owners when documents are approaching or past their review date. Documentation currency is a managed metric, not a pre-audit activity. The organisation should be able to demonstrate, at any moment, that its documentation accurately reflects current operations.

Third, ongoing control testing: rather than testing controls once a year before an audit, the organisation tests controls on a continuous or high-frequency basis. Automated controls (firewall rules, encryption settings, MFA enforcement) are verified daily or weekly through automated checks. Manual controls (access reviews, risk assessments, incident response exercises) are tested on a scheduled cadence with results documented in the GRC platform.
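The properties asked of evidence above (timestamped, immutable, linked to the controls it supports) and the warning in the previous section that auditors check timestamps and metadata both come down to one mechanism: an append-only record where each entry commits to the previous one. The following hash-chained evidence ledger is an added example, not FORTISEU's platform or any GRC product's storage format; control identifiers, sources, artefact contents and collection times are constructed for illustration. It shows that editing or backdating a record is detected whether or not the editor re-hashes the altered entry.

```python
"""Tamper-evident evidence ledger (added example, not FORTISEU code).

Each collected artefact is recorded with its SHA-256, a UTC collection time,
the controls it supports and the hash of the previous entry, so backdating or
editing any record breaks the chain from that point on. Control IDs, sources
and artefacts are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Two constructed backdating attempts used in the demo and checks below.
BACKDATED_TIME = datetime(2026, 1, 20, tzinfo=timezone.utc)        # between entries 0 and 2
EARLIER_THAN_FIRST = datetime(2025, 12, 1, tzinfo=timezone.utc)    # before entry 0


def _digest(entry):
    """Hash the entry's fields in canonical JSON, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class EvidenceLedger:
    def __init__(self):
        self.entries = []

    def record(self, artefact: bytes, source: str, controls, collected_at=None):
        """Append one artefact; returns the entry. Timestamp defaults to now (UTC)."""
        collected_at = collected_at or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "collected_at": collected_at.isoformat(),
            "source": source,
            "controls": sorted(controls),      # requirement linkage, e.g. an ISO Annex A control
            "artefact_sha256": hashlib.sha256(artefact).hexdigest(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq): checks each hash, the back-link and monotonic timestamps."""
        prev_hash, prev_time = GENESIS, None
        for e in self.entries:
            if e["prev_hash"] != prev_hash or _digest(e) != e["entry_hash"]:
                return False, e["seq"]
            t = datetime.fromisoformat(e["collected_at"])
            if prev_time is not None and t < prev_time:
                return False, e["seq"]     # an append-only log cannot move backwards in time
            prev_hash, prev_time = e["entry_hash"], t
        return True, None

    def evidence_for(self, control):
        """What an auditor asks for: every artefact linked to one control."""
        return [e for e in self.entries if control in e["controls"]]


def build_demo():
    """Three constructed artefacts collected over one quarter."""
    led = EvidenceLedger()
    led.record(b"user,groups,mfa\nalice,prod-ssh;vpn,true\n", "idp-export",
               ["ISO-A.5.18", "NIS2-21(2)(i)"], datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc))
    led.record(b"scan-id=42 critical=0 high=2\n", "vuln-scanner",
               ["ISO-A.8.8", "DORA-25"], datetime(2026, 2, 3, 2, 15, tzinfo=timezone.utc))
    led.record(b"dr-test 2026-03-01 rto_met=true\n", "bcp-exercise",
               ["ISO-A.5.30", "NIS2-21(2)(c)"], datetime(2026, 3, 1, 18, 30, tzinfo=timezone.utc))
    return led


def backdate(ledger, seq, new_time, recompute_hash=False):
    """Simulate the two ways someone might try to backdate entry `seq`; returns verify()."""
    ledger.entries[seq]["collected_at"] = new_time.isoformat()
    if recompute_hash:   # re-hashing the edited entry only moves the break to the next back-link
        ledger.entries[seq]["entry_hash"] = _digest(ledger.entries[seq])
    return ledger.verify()


if __name__ == "__main__":
    ledger = build_demo()
    print("intact:", ledger.verify())
    print("A.5.18 evidence:", [e["seq"] for e in ledger.evidence_for("ISO-A.5.18")])
    print("edited:", backdate(build_demo(), 1, BACKDATED_TIME))
    print("edited and rehashed:", backdate(build_demo(), 1, BACKDATED_TIME, True))
    print("moved before first entry:", backdate(build_demo(), 1, EARLIER_THAN_FIRST, True))
```

Changing the timestamp of entry 1 without touching its hash fails at entry 1; re-hashing it instead fails at entry 2, whose back-link no longer matches; moving it before entry 0 fails the monotonic-time check even with a fresh hash. The caveat a practitioner should keep in mind: a chain held only by the organisation proves internal consistency, not that the whole chain was not rewritten at once. To make the record hold up with a regulator, periodically anchor the head hash somewhere you cannot quietly change (a write-once log, a trusted timestamping service, or the evidence pack already handed to the auditor) and store the artefacts themselves alongside the ledger so each SHA-256 can be re-checked.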

The investment in continuous audit readiness pays dividends beyond audit efficiency. It fundamentally improves the organisation's security posture by ensuring that controls do not degrade between annual reviews. It provides real-time compliance visibility to the board and steering committee. And it creates the data foundation for advanced analytics that predict compliance drift before it materialises as a finding. Organisations that achieve continuous audit readiness report spending 60-80% less time on audit preparation and experiencing 50% fewer findings than those relying on periodic preparation.

Frequently Asked Questions

How often will my organisation be audited under NIS2?

NIS2 does not prescribe a fixed audit frequency. For essential entities, competent authorities have broad supervisory powers and may conduct regular audits, ad hoc audits triggered by specific concerns, or audits following significant incidents. The frequency depends on the Member State's supervisory approach, the entity's risk profile, and available supervisory resources. Important entities are primarily subject to ex-post supervision, meaning audits are triggered by evidence of non-compliance rather than conducted on a scheduled basis. However, organisations should assume that audit frequency will increase as Member States build supervisory capacity.

What is the difference between an ISO 27001 audit and a NIS2 regulatory audit?

An ISO 27001 audit is a voluntary certification audit conducted by an accredited certification body against the ISO 27001 standard. It results in a certificate that the organisation's ISMS conforms to the standard. A NIS2 regulatory audit is a mandatory supervisory examination conducted by or on behalf of the competent authority to verify compliance with NIS2 obligations. It may result in compliance findings, binding instructions, or enforcement actions. While significant overlap exists between ISO 27001 and NIS2 requirements, ISO 27001 certification does not automatically satisfy NIS2 obligations -- though it provides strong evidence of compliance maturity that regulators typically view favourably.

How should we handle an audit finding we disagree with?

First, ensure you understand the finding fully by requesting clarification from the auditor if needed. If the disagreement is factual (the auditor misunderstood a process or missed evidence), provide the additional context or evidence in your management response. Most auditors will revise or withdraw findings when presented with clear contradictory evidence. If the disagreement is interpretive (you and the auditor interpret a requirement differently), present your interpretation with supporting references (regulatory guidance, legal opinions, industry practice) in the management response. For certification audits, formal appeal mechanisms exist through the certification body's dispute resolution process.

What is threat-led penetration testing (TLPT) under DORA?

TLPT is an advanced form of security testing required by DORA Article 26 for the financial entities that competent authorities identify for it. It simulates the tactics, techniques, and procedures (TTPs) of real threat actors targeting the specific entity, using current threat intelligence to design realistic attack scenarios, and is run against live production systems. TLPT must be performed at least every three years, must cover several or all critical or important functions of the financial entity, and must use testers who meet the Article 27 requirements; internal testers are permitted under specific conditions, with an external tester required at least every third test, and significant credit institutions restricted to external testers. The competent authority supervises the TLPT process and issues an attestation that the test was carried out as required. TLPT follows the TIBER-EU framework developed by the ECB or an equivalent national framework.

How can we reduce audit fatigue when subject to multiple frameworks?

Audit fatigue can be reduced through several strategies. First, implement integrated GRC with a unified control register so that evidence collected once serves multiple audits. Second, coordinate audit schedules to avoid overlapping audit windows where possible. Third, establish a common evidence repository that any auditor can access, reducing repetitive evidence production. Fourth, conduct comprehensive internal audits that cover all applicable frameworks simultaneously, reducing the volume of findings that external auditors need to investigate. Fifth, pursue integrated audits where a single audit team assesses multiple frameworks concurrently -- some certification bodies offer combined ISO 27001/ISO 27701/ISO 22301 audits that are more efficient than separate engagements.
