Compliance audits: from incident to system
This is the final article in the series ‘The landscape of compliance investigations’. The earlier articles in this series focused on individual files and relationships. Integrity investigations, due diligence, IDD and AML/KYC each centred on specific parties, transactions or client relationships. The core question was tangible: what happened here, with this client, this deal or this signal?
With compliance audits, the perspective shifts fundamentally. The focus is no longer on the individual case, but on the machinery surrounding it: policies, processes, controls, culture and reporting lines. The question is no longer “is this specific file in order?”, but “does our compliance framework as a whole function as intended, and where are the blind spots?”
While this series focuses on the broad landscape of investigations within a single organisation, the parallel series ‘AML/CFT internal audits – The invisible battle’ zooms in specifically on the dynamics of AML/CFT audits. There, we discuss why so many audits devolve into a paper reality, and what it takes to achieve truly risk-driven testing.
1. What do we mean by a compliance audit?
The term ‘compliance audit’ is elastic. In practice, scope ranges from a focused spot check on a single topic (such as sanctions screening or conflicts of interest) to a comprehensive review of the entire compliance management system.
A thorough audit analyses the organisation at three levels:
- Design: Are the policies, procedures, roles and systems theoretically structured in a way that makes compliance possible at all?
- Existence: Have those elements actually been implemented, or do they exist on paper only?
- Operation: Do the controls function in practice as intended, and are deviations identified and corrected in a timely manner?
Where a forensic investigation primarily looks backwards (“what went wrong?”), a compliance audit looks forward: “if we continue on this path, where will the next incidents occur?” The AML/CFT audit series returns to this point sharply, framing it as the difference between tick-box exercises and audits that genuinely uncover hidden risks.
2. The audit as a mirror of the system
Integrity and compliance issues rarely stand alone. An incident, a red flag in IDD, a client with elevated sanctions risk or a difficult KYC file is almost always a symptom of a deeper systemic problem. Think of:
- An unclear or poorly embedded risk appetite.
- Policies designed behind a desk that bear no relation to operational reality.
- Poor data quality or failing tooling.
- Vague boundaries between business, legal, compliance and audit.
- A culture in which critical questions are seen as obstructive or time-consuming.
Compliance audits expose these patterns without mercy. They reveal why the same types of errors or omissions recur across different files, teams or countries. In this way, the audit forms the logical conclusion of this series: it shifts the focus definitively from the incident to the system.
3. Three flavours in practice
Although the boundaries are fluid in practice, we can conceptually distinguish three types of compliance audits.
3.1 Theme-based audits
These audits focus sharply on a single specific topic. Common examples include:
- Sanctions and export controls
- Conflicts of interest and secondary roles
- Whistleblower arrangements and speak-up culture
- Gifts and hospitality
- Third-party due diligence
- Data privacy and information security
The aim is to test whether the processes and file management around that theme hold up against internal and external standards, and whether day-to-day pressures have quietly overtaken best practice.
For more serious topics such as sanctions and transaction monitoring, such a theme audit closely borders on regular monitoring. The AML/CFT internal audits series examines the specific pitfalls of this: the temptation of checklist thinking, blind spots in data, and the subtle pressure to soften sharp findings.
3.2 Process and chain audits
Here the focus is not on the standard, but on the flow. We examine the end-to-end chain, such as:
- The full client onboarding and KYC process.
- The procurement and supplier chain.
- M&A and integration trajectories.
- Trade and export processes.
The central question is: where in the chain do risks accumulate, where do we rely too heavily on a single vulnerable control point, and where is there no clear owner? Often the errors seen in individual files reappear here at scale: structural backlogs, poor file management or critical controls simply skipped under time pressure.
3.3 Framework or system audits
This is the helicopter view. These audits examine the complete compliance framework:
- The governance surrounding integrity and compliance.
- The actual structure and effectiveness of the three lines of defence.
- The methodology behind risk identification and monitoring.
- Training, awareness and overall compliance culture.
- Escalation and reporting to the board, audit committee and regulator.
This type of audit aligns with external standards (such as international guidance on effective compliance programmes or corporate governance codes). It determines whether the organisation’s foundations are solid enough that the other investigations in this series can do their work at all.
4. From finding to improvement plan
Stating the obvious, perhaps, but practice is stubborn: a compliance audit only has value if its findings lead to real change. Too often, an audit results in a thick document that goes straight into a drawer: a long list of observations, but no sharp action plan.
An effective audit report follows a clear three-part structure:
- Finding: What has been factually and objectively observed?
- Risk: What could concretely go wrong if this is left as is?
- Recommendation: What is needed to close the gap structurally?
The report must also provide a realistic assessment of impact and feasibility. The goal is for executives and line managers to immediately understand what is on their plate. It must not become a technical compliance exercise. In the AML/CFT series, we address this under “from report to action”: how do you get management to genuinely move? Being right on paper is one thing. Delivering real change within the organisation is what counts.
5. Roles and responsibilities: the playing field between compliance and audit
As with the other investigations in this series, a compliance audit involves multiple key players. This requires clear coordination.
- Compliance is the owner of the framework and the substantive standard-setting. In that role, compliance often conducts its own reviews or thematic assessments, or prepares the areas into which internal audit will later dig deeper.
- Internal Audit maintains the independent perspective on the design and operation of controls, often with compliance as a substantive sparring partner.
- External specialists join when specific in-depth expertise is required (such as complex sanctions legislation, FCPA/UKBA or IT security), or when maximum independence is required vis-à-vis the regulator or the supervisory board.
Nothing is more damaging to effectiveness, or to internal relationships, than audit and compliance inadvertently fishing in the same pond or duplicating each other’s work. Clear demarcation upfront is not a luxury, but a hard necessity. In the AML/CFT articles, we challenge this further in the context of the “myth of independence”: how internal politics and pressure from above can colour audit outcomes, and how auditors can push back against this.
6. Learning from practice: the root cause approach
Incidents, integrity reports, due diligence findings and KYC issues are all windows onto underlying risks. A mature compliance audit uses that data systematically through:
- Case analysis: Which types of incidents recur, and what does that reveal about gaps in our policies?
- Trend analysis: What patterns emerge when we look at data across different countries, business lines or product groups?
- Root cause investigation: If the same error is made in three different departments, what is the common underlying cause?
The organisation thereby learns to stop mopping the floor and actually turn off the tap. The AML/CFT audit series builds on this by looking specifically at the blind spots in data and culture that mean red flags are in practice still missed or ignored.
7. Compliance audits and the limits of the reasonable
In compliance audits, the inevitable question arises sooner or later: “when is enough, enough?” An auditor can always find more: one additional control, a tightened policy, an extra reporting layer. Without a clearly defined risk appetite, you risk building a top-heavy compliance apparatus that completely paralyses the organisation.
A mature audit approach is willing to make choices:
- It benchmarks findings directly against the established risk appetite.
- It not only identifies where practice deviates from the manual, but also acknowledges where the risks are negligible.
- It facilitates the healthy conversation between board, business and compliance about the balance between safety, workability and cost.
This discussion is directly mirrored in AML/CFT audits: stricter monitoring and generating more alerts may always look better on paper, until the system becomes clogged and the real risks are drowned out by noise.
8. Final note: the circle is complete
With the compliance audit, the circle of this series is closed. Where we began in the capillaries of the organisation, at the concrete incident, the difficult KYC file or the integrity report, we end at the nervous system.
The dynamic is clear: incidents expose the acute wounds, due diligence and KYC keep the back door closed, but the compliance audit checks whether the foundations of the entire house can withstand the storm. It shifts the focus definitively from firefighting to structural fire safety. The ultimate question for the board is not whether the rules happened to be followed today, but whether the organisation is structured in such a way that it can still do so tomorrow and a year from now.
Invitation to Consult
If this article has raised questions or topics you would like to discuss further, we welcome you to reach out. If you have a specific case you would like to explore, we are happy to arrange an informal introductory conversation. Our contact details can be found here.
Get in touch
Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com
Boy Custers | +31649935735 | boy.custers@compliancechamps.com

