You’re probably reading this article because someone (maybe the CCO, maybe your future self) said the words: “We need to audit our compliance program.” And now it’s your job to figure out how.
Here’s the good news: it’s doable, even if you don’t have a giant audit department or a team of ex-regulators in the next room. This is your no-nonsense, real-world, step-by-step guide to pulling off an internal compliance audit that’s actually useful, and that holds up if the SEC ever asks for receipts.
Step 1: Don’t Skip Risk Assessment
Yes, even if you’re short on time. Yes, even if you think you already know what the issues are. According to industry data, 37% of organizations conduct at least one internal compliance audit per year, but nearly a quarter of those still don’t use analytics to prioritize risk. That means too many audits are scoped based on habit, not reality.
Start here:
- Pull your last SEC exam report. Those findings aren’t just historical—they’re predictive.
- Review your firm’s risk matrix and ask: “What could tank the business this year?” Look for high-impact vulnerabilities like lapses in third-party oversight, unvetted marketing channels, or shadow IT.
- Consider changes: Have you onboarded new software? Reorganized compliance personnel? Entered a new market? These aren’t side notes—they should drive scope.
PCAOB inspection findings have long pointed to poor risk scoping as a root cause of audit failures, and the risks that get missed are usually the newer ones: off-channel communications are the current example, and they were on nobody’s risk matrix a few years ago. Fast forward to 2024: the SEC has brought enforcement actions under the Marketing Rule, including cases where firms advertised hypothetical performance without the required disclosures or policies and procedures. That is exactly the kind of gap a stale, recycled risk assessment will not surface.
Pro tip: Build a living “Risk ➝ Audit Area” table and update it quarterly. Include anything new (people, tools, vendors) and show exactly how it impacted your audit focus. When you present this to leadership (or a regulator), it’s actual proof that your audit scope wasn’t plucked out of thin air.
Step 2: Write a Real Audit Plan (Not Just a Calendar Reminder)
This doesn’t need to be a novel, but it does need to be real—written down, structured, and shared. A vague calendar invite titled “Marketing Audit?” isn’t a plan. It’s an invitation to forget.
Your audit plan should include:
- What you’re auditing (and why—tie it to risk)
- When it’s happening (start, fieldwork, reporting deadlines)
- Who is involved (including SMEs and reviewers)
- What documents you’ll need (procedures, logs, emails, marketing files)
- What “done” looks like (interviews completed, evidence saved, report delivered)
According to the IIA’s 2023 Pulse of Internal Audit report, more than 50% of audit failures trace back to scoping and planning errors. That includes audits that overpromise, drift off-scope, or fizzle when priorities shift.
Pro tip: Even if you’re a one-person audit team, sketch out a timeline with checkpoints. Send it to someone else so you’re accountable. Otherwise, it becomes a Q4 panic project… and nothing good has ever come out of an audit started the week before Thanksgiving.
Step 3: Pick Your People (And Be Honest About Gaps)
If your audit “team” is you, a very tired compliance analyst, and the office dog—say that out loud. You can still run a great audit. You just have to be smart about where to focus and when to call for backup.
Here’s your quick checklist:
- ✅ The person doing the audit shouldn’t be the one who built the process.
- ✅ Pull in outside help for specialized areas like IT, cybersecurity, RegTech, or marketing disclosures.
- ✅ Document roles and responsibilities—include a short bio if you’re involving external SMEs.
In a 2022 report, the SEC highlighted cases where firms failed to test critical areas like personal trading and cybersecurity because they lacked internal expertise and didn’t seek external input. That’s not just a miss—it’s a liability.
Pro tip: Independence doesn’t mean perfection—it means you have someone who can ask dumb questions without getting side-eyed. The best findings often start with, “Wait, why do we do it that way?”
Step 4: Use a Framework (So You Don’t Get Lost)
This is your GPS. Without it, you’re just opening files and hoping something incriminates itself. A framework gives structure to your chaos—and a defense if regulators ask, “Why didn’t you review X?”
Pick one (or two), depending on your audit focus:
- COSO: Great for internal control structure. It’s the backbone of most risk-based audits.
- ISO 37301: Ideal if you want a formal compliance management system with global recognition.
- SEC Marketing Rule: Mandatory if you’re auditing performance ads, testimonials, or hypothetical projections.
- FINRA guidelines: Essential for broker-dealers or dually registered firms (and anyone who enjoys a 70-page PDF).
Document the framework in your plan—name it, cite it, and use it to define your scope and test areas. The SEC’s Division of Examinations priorities consistently emphasize documented, risk-based compliance programs, and a named framework is the simplest way to show your audit was one. Translation: pick a map, follow the route, mark your turns.
Pro tip: When in doubt, tie your framework choice to risk. Auditing marketing? SEC Rule 206(4)-1 is your north star. Reviewing policies? COSO is your friend. It’s not about picking the fanciest acronym—it’s about using a compass regulators recognize.
Step 5: Review the Docs (Yes, All of Them)
Start with your compliance manual. If the last update predates Reg BI (June 2020) or the Marketing Rule compliance date (November 2022), you’ve already got a problem. Then go deeper:
- ✅ Policies and procedures
- ✅ Employee trading logs
- ✅ Marketing content (emails, decks, social posts)
- ✅ Training logs and certifications
- ✅ Prior audit findings and remediation status
Real-life mistake alert: The SEC has cited firms for stating “annual training is required” with no proof it ever happened. Print the certificates. Screenshot the LMS records. Don’t assume someone else has it covered.
Step 6: Ask People What They Actually Do
Time to see if your policies have legs. Interview the people actually doing the work: marketing, onboarding, ops, trading.
Ask: “Walk me through how you do [X].”
Don’t ask: “Do you follow the policy?” That just gets you a nervous yes.
Pro tip: People tend to improvise under stress. What they describe may sound right until you ask, “Can you show me?” Always ask for the screenshot, email trail, or system log. Stories are nice. Evidence is better.
Step 7: Test the Controls (Pick Samples, Not Fights)
You’re testing processes, not putting people on trial. Pick sample sizes you can handle (5–10 is fine for smaller teams), write down how you picked them (random, or weighted toward new hires and high-volume traders, for instance) so a second reviewer can reproduce the selection, and zero in on the riskiest areas:
- Email reviews
- Ad approvals
- Pre-clearance on trades
- Fee billing or invoice checks
Warning: If something fails, don’t jump to blame. Ask: Did they get trained? Was the tool working? Was the policy confusing? Good audits fix systems, not people.
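Here is what a reproducible sample plus one control test looks like in practice, using the pre-clearance control from the list above. This is an added example, not code from the original article or from Smartria; the trade records, employee names, audit ID and the seed sentence are all constructed for illustration. The point it makes that the text does not: if the seed is a sentence you write in the workpaper, anyone with that sentence regenerates the identical sample, which answers “why these five?” without hand-waving.

```python
import hashlib
import random
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Trade:
    """One personal-trading record from a hypothetical pre-clearance log."""
    trade_id: str
    employee: str
    traded_on: date
    approved_on: Optional[date]  # None means no pre-clearance request on file


# Constructed sample population (not real data): eight trades, two of which break the control.
POPULATION = [
    Trade("T-1001", "jdoe", date(2024, 4, 2), date(2024, 4, 1)),
    Trade("T-1002", "jdoe", date(2024, 4, 9), None),                  # traded with no pre-clearance
    Trade("T-1003", "asmith", date(2024, 4, 16), date(2024, 4, 17)),  # approval came after the trade
    Trade("T-1004", "asmith", date(2024, 4, 23), date(2024, 4, 23)),
    Trade("T-1005", "bchen", date(2024, 5, 7), date(2024, 5, 6)),
    Trade("T-1006", "bchen", date(2024, 5, 14), date(2024, 5, 13)),
    Trade("T-1007", "jdoe", date(2024, 6, 4), date(2024, 6, 3)),
    Trade("T-1008", "asmith", date(2024, 6, 18), date(2024, 6, 18)),
]


def select_sample(items: list, sample_size: int, seed_material: str) -> list:
    """Reproducible random sample.

    seed_material is the sentence recorded in the workpaper ("IA-2024-03, personal trading,
    2024Q2 export, 5 of 8"). The seed is derived from it, so the same sentence always
    yields the same selection, and a different reviewer can re-run it.
    """
    seed = int.from_bytes(hashlib.sha256(seed_material.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    # Canonical order: the sample must not change if the system exports rows in a different order.
    ordered = sorted(items, key=lambda t: t.trade_id)
    return rng.sample(ordered, min(sample_size, len(ordered)))


def check_preclearance(trade: Trade) -> tuple:
    """The control under test: every trade has an approval dated on or before the trade date."""
    if trade.approved_on is None:
        return ("exception", "no pre-clearance on file")
    if trade.approved_on > trade.traded_on:
        return ("exception", f"approved {trade.approved_on} after trade on {trade.traded_on}")
    return ("pass", "")


def run_control_test(population: list, sample_size: int, seed_material: str) -> dict:
    """Sample, test each item, and return a record that can go straight into the workpaper."""
    sample = select_sample(population, sample_size, seed_material)
    results = {t.trade_id: check_preclearance(t) for t in sample}
    exceptions = sorted(tid for tid, (status, _) in results.items() if status == "exception")
    return {
        "seed_material": seed_material,
        "population_size": len(population),
        "sampled": sorted(results),
        "results": results,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    report = run_control_test(POPULATION, 5, "IA-2024-03, personal trading, 2024Q2 export, 5 of 8")
    for tid in report["sampled"]:
        status, detail = report["results"][tid]
        print(f"{tid}: {status} {detail}".rstrip())
    print("exceptions:", report["exceptions"])
```

Run it twice with the same seed sentence and you get the same five trade IDs; change one character of the sentence and you get a different sample, which is why the sentence itself belongs in the workpaper next to the results. If the sample turns up an exception, the usual next move is to expand to the full population for that control, which is what `run_control_test(POPULATION, len(POPULATION), ...)` does.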
Step 8: Save Your Evidence Like It’s Gold (Because It Is)
If the SEC comes knocking, “We talked about it in Slack” won’t cut it.
Best practices:
- Timestamp everything
- Use a secure, centralized folder (or Smartria if you want receipts with structure)
- Link your findings to the actual docs: screenshot + file + notes = audit win
Avoid: The words “I think it’s in my inbox.” That’s where audit trails and reputations go to die.
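“Timestamp everything” and “link findings to the actual docs” are easier to defend if the evidence folder carries a manifest: for each file, its SHA-256 digest, size, the finding it supports, who collected it and when. Re-hashing the folder later proves nothing was edited, replaced or lost between fieldwork and the regulator’s request. The following is an added example, not code from the article or from Smartria; the file names, audit ID, finding IDs and file contents are constructed for illustration, and the folder is a temporary directory so the script runs anywhere.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Hash in chunks so large exports (email archives, LMS dumps) are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(audit_id: str) -> dict:
    return {"audit_id": audit_id, "entries": []}


def add_evidence(manifest: dict, path: Path, finding_id: str, note: str, collected_by: str) -> dict:
    """Record the file, its digest, and who collected it when. The digest is the durable link
    between a finding and the document that supports it."""
    entry = {
        "file": path.name,
        "sha256": sha256_file(path),
        "size": path.stat().st_size,
        "finding_id": finding_id,
        "note": note,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    manifest["entries"].append(entry)
    return entry


def save_manifest(manifest: dict, folder: Path) -> str:
    """Write manifest.json and return its own digest. Keep that digest somewhere outside the
    folder (the audit ticket, an email to the CCO) so the manifest itself cannot be quietly rewritten."""
    body = json.dumps(manifest, indent=2, sort_keys=True)
    (folder / "manifest.json").write_text(body)
    return hashlib.sha256(body.encode()).hexdigest()


def verify_folder(folder: Path) -> list:
    """Re-hash every listed file. Returns (file, problem) pairs; an empty list means the evidence is intact."""
    manifest = json.loads((folder / "manifest.json").read_text())
    problems = []
    for entry in manifest["entries"]:
        p = folder / entry["file"]
        if not p.exists():
            problems.append((entry["file"], "missing"))
        elif sha256_file(p) != entry["sha256"]:
            problems.append((entry["file"], "sha256 mismatch"))
    return problems


def run_demo() -> dict:
    """Constructed walk-through: collect two evidence files, verify, then simulate a later edit and verify again."""
    folder = Path(tempfile.mkdtemp(prefix="audit-evidence-"))
    # Constructed sample evidence, not real firm data.
    (folder / "lms_training_export_2024Q2.csv").write_text(
        "employee,course,completed_on\njdoe,Annual Compliance 2024,2024-05-14\n"
    )
    (folder / "marketing_approval_0042.txt").write_text(
        "Ad 0042 approved by CCO on 2024-06-03; hypothetical performance disclosure attached.\n"
    )
    manifest = new_manifest("IA-2024-03")
    add_evidence(manifest, folder / "lms_training_export_2024Q2.csv", "F-01",
                 "Completion records supporting the 'annual training is required' statement", "auditor1")
    add_evidence(manifest, folder / "marketing_approval_0042.txt", "F-02",
                 "Pre-approval record for a performance advertisement", "auditor1")
    manifest_digest = save_manifest(manifest, folder)
    clean = verify_folder(folder)
    # Weeks later someone "tidies up" the export by adding a row: the digest no longer matches.
    with open(folder / "lms_training_export_2024Q2.csv", "a") as fh:
        fh.write("asmith,Annual Compliance 2024,2024-06-30\n")
    tampered = verify_folder(folder)
    return {"manifest_digest": manifest_digest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest only proves integrity, not authenticity: it shows the file has not changed since collection, not that the LMS export was genuine when collected. That is why `collected_by` and `collected_at` are in it, and why the manifest digest should be recorded outside the folder at the time of collection.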
Step 9: Share Interim Results (If You Find a Fire, Don’t Wait to Report the Smoke)
Found something ugly? Don’t wait three weeks to “put it in the report.” If there’s a broken disclosure, a rogue policy, or a fee schedule from 2020 still on your site—raise it now.
Interim updates:
- Help prioritize urgent fixes
- Let you adjust the audit scope if needed
- Keep leadership looped in (so no one says, “Why didn’t we know sooner?”)
In a 2022 SEC enforcement case, a firm was sanctioned for failing to update its ADV Part 2A with new fee information—something that could’ve been caught with a mid-audit check-in instead of waiting until the end.
Pro tip: Keep it simple. One sheet, four columns: Issue / Severity / Owner / Deadline. It’s not fancy, but it keeps fires from turning into infernos.
Step 10: Document Findings Like a Prosecutor
This is where a lot of audits fall apart—not in the fieldwork, but in how findings are written. Vague notes like “Needs attention” or “Seems off” won’t hold up when leadership, legal, or the SEC asks for details.
Use the 5 Cs to make each issue courtroom-ready:
- Criteria: What should’ve happened (e.g., “Policy requires monthly attestations”)
- Condition: What actually happened (“None collected in Q2 or Q3”)
- Cause: Why? (“Compliance manager role was vacant”)
- Consequence: What’s the risk? (“No attestation = exposure to unauthorized trading”)
- Corrective Action: What needs to change? (“Appoint interim reviewer by July 15; revise workflow in Smartria”)
Example of bad language: “The procedure should be reviewed.”
Better: “Update the procedure to include monthly pre-trade certification reviews by the CCO by Q3 2025.”
This format isn’t just clean—it mirrors how regulators frame their findings. It helps you speak their language before they ask the questions.
Step 11: Write the Report, Not a Novel
You’re not writing for the Pulitzer. You’re writing so that someone can understand the issues and fix them.
Stick to this skeleton:
- Executive summary: What was in scope and why
- What you reviewed: Docs, interviews, processes
- What you found: Highlight the biggest issues, not every typo
- How risky it is: Rank by impact and likelihood
- What’s next: Include deadlines, responsible parties, and status
Reports that drone on for 30 pages with no action steps = shelfware. In a 2023 Deloitte survey, 46% of audit leaders said audit reports are often “too vague” to be useful for remediation.
Pro tip: Assign names to findings. If no one owns it, no one fixes it. Bonus points for using a shared tracker where owners can update status. Smartria can help automate that effortlessly.
Step 12: Follow Up or It’s Like You Never Did the Audit
Finding an issue is only the beginning. If you don’t fix it—or at least prove someone else did—you’re worse off than before. Regulators don’t just want to see that you spotted the fire. They want evidence you grabbed the extinguisher.
Track:
- ✅ What’s done
- ✅ What’s overdue
- ✅ Proof it got fixed (screenshot, attestation, updated doc—whatever applies)
A 2022 NASAA sweep found that nearly 70% of firms had repeat deficiencies from prior exams—most stemming from unresolved audit findings. Translation: weak follow-up is a red flag.
Use a tracker. A simple spreadsheet works. Smartria’s built-in remediation tracker is even better, as it timestamps completions, assigns owners, and gives you a real audit trail (without the version-control drama of Google Sheets).
Step 13: Debrief and Do Better Next Time
Take a beat. What worked? What didn’t? What can you automate next time?
Look at:
- ⏱️ How long each phase actually took
- 🧱 What caused delays (Was it document access? Staff availability?)
- 🤔 Where confusion popped up (Policies unclear? Framework mismatch?)
- 🛠️ What tools helped—or held you back
In a 2023 report by the Institute of Internal Auditors, over 50% of audit teams said post-audit reviews directly led to reduced cycle times and stronger documentation in the next audit cycle.
Pro tip: Add “Audit process improvements” as a standing item on your next compliance team agenda. Future-you will be grateful when audit prep doesn’t feel like a root canal.
Smartria Makes This Easier (Especially If You’re Not a Full-Time Auditor)
Let’s be honest: most compliance teams don’t have a dedicated audit department. You’re juggling ongoing tasks, last-minute requests, and maybe even quarterly board reporting. That’s where Smartria comes in.
Smartria’s platform helps you:
- Plan audits based on real risk assessments—not guesswork
- Track tasks, owners, and deadlines (no more “I thought you were doing that…”)
- Store timestamped audit evidence, all in one place
- Auto-generate reports mapped to SEC frameworks
- Assign and monitor remediation steps, with status updates and accountability baked in
If your current “system” is a mix of Google Drive folders, Outlook reminders, and panic, then Smartria isn’t just an upgrade. It’s what compliance sanity looks like.
Bottom Line: Audit Like You Mean It
You don’t need to build an audit empire. You need a process that’s realistic, repeatable, and risk-based. So audit like you mean it. Start with risk. Write stuff down. Assign names. Close the loop. And follow up like your job depends on it – because it does.
A solid audit gives you proof, not just peace of mind. And when the SEC shows up? You’ve got answers, not alibis.
If your current audit “system” is Post-its and prayer, Smartria can help you get organized without losing your weekends (or your mind).