Audit
A systematic, independent examination to determine whether processes and measures comply with defined requirements.
An audit is a structured, evidence-based assessment process carried out by qualified auditors to evaluate whether an organisation's activities, processes, or systems conform to predefined criteria. These criteria may be legal requirements, regulatory standards, internal policies, contractual obligations, or internationally recognised norms such as ISO standards. Audits are a cornerstone of any compliance and risk management framework, providing objective assurance to management, regulators, customers, and other stakeholders.
Audits are classified in various ways. Internal audits are conducted by the organisation's own audit function and serve primarily as a management tool for self-assessment and continuous improvement. External audits are performed by independent third parties — such as certified auditors, accredited certification bodies, or regulatory authorities — and typically result in a formal opinion, certificate, or regulatory finding. Second-party audits, where a customer or business partner audits a supplier, are common in supply chain compliance contexts.
In the compliance context, audits may cover a wide range of areas: financial statement audits, information security audits (e.g. ISO 27001), data protection audits (GDPR), sustainability audits (CSRD, LkSG), or quality management audits (ISO 9001). A key principle of any audit is independence — the auditor must be free from conflicts of interest to ensure objectivity. Audit findings are documented in reports that distinguish between conformities, minor non-conformities, major non-conformities, and observations.
Legal Basis
IDW PS 980 (CMS audit); ISO 19011 (Audit Guidelines); ISO 27001 (Information Security audits); GDPR Art. 5(2) (accountability/audit trail); CSRD/ESRS (sustainability assurance)
Practical Example
A software company undergoes an ISO 27001 certification audit. In the first stage, the external auditor reviews the company's documented Information Security Management System (ISMS) and verifies that all required policies, risk assessments, and procedures are in place. In the second stage, the auditor visits the company's premises and interviews staff to verify that the documented processes are actually practised. Two minor non-conformities are identified — an outdated supplier risk assessment and a missing access review for a legacy system. The company addresses both findings within the agreed remediation period and receives its ISO 27001 certificate.