January 15, 2015


SACRAMENTO–Compliance Audits has been added to the website as a new Bureau skillset for members whose background and training include them. Former Section Chief CHRISTINE JUNG said the skillset would better define agents offering the service, as well as encourage membership. In 1978, JUNG became the Bureau’s first female firearms instructor and she shot a perfect score on the FBI’s Practical Pistol Range.

Generally speaking, in conducting a compliance audit[1], investigators undertake a comprehensive review of an organization’s adherence to established practices, bylaws, and/or regulations governing its operation. The team of experts conducting a compliance audit typically includes independent investigators, lawyers, accountants, security consultants and/or IT engineers. Worried about legislation and/or regulations that can impact an organization’s ability to function, auditors will examine policies, ongoing programs and available documentation, enabling managers to make controversial decisions, certify documents and/or make statements clarifying a position.

In conducting a compliance audit, investigators are asked to review security strategies, evaluate monetary controls, scrutinize environmental policies, examine local ordinances, analyze federal, state and/or local laws, question user access in a variety of programs and/or dissect policies associated with risk management. Exactly what compliance auditors examine generally depends on whether an organization is a public or private entity, the kind of data it handles, and whether or not it stores or transmits financial or sensitive information.

For example, when Congress passed the Sarbanes-Oxley Act [SOA] in 2002, legislators mandated that electronic communications being transmitted and stored must be backed up and secured using a Disaster Recovery Plan. Likewise, healthcare providers must make sure they store and/or transmit patient data and/or other sensitive information in accordance with the Health Insurance Portability and Accountability Act [HIPAA]. And when transmitting credit card information, financial institutions must comply with standards established in 2004 by the four major credit card companies[2], known as the Payment Card Industry Data Security Standard. Organizations wanting to demonstrate compliance make sure they can produce an audit trail, using specially designed software and management programs that generate data, capturing and recording events.

With concern growing about “hacking” and “unauthorized” access to computer networks, auditors today frequently find themselves called upon to conduct IT compliance audits, where investigators ask administrators about user IDs, network access and whether IT administrators have access to critical systems not subject to review. Using software designed to capture events, IT administrators can demonstrate compliance so long as they follow protocols, tracking network access and computer use. The ever-growing category of governance and risk management software used by administrators and investigators doing compliance audits allows executives to argue against costly fines and mandated sanctions, since the programs can demonstrate compliance with policies, regulations and/or laws governing suspected abuses.

[1] Information concerning COMPLIANCE AUDITS was taken from information written and produced by MARGARET ROUSE at

[2] Visa, MasterCard, Discover and American Express.