Compliance Audit Checklist Template: Internal and External Audits (2026)

A compliance audit checklist template turns a high-stakes review into a predictable process. Without one, your team scrambles through shared drives the week before the auditor arrives, hoping the right insurance certificate, signed policy, and renewed license are all where they should be.

This article gives you a ready-to-use compliance audit checklist template: a core list that applies to every audit, plus industry-specific add-ons for HR, construction, finance, healthcare, and IT. Copy the sections you need.

The core compliance audit checklist

Every audit — internal or external, ISO or SOC, GDPR or HIPAA — checks the same five things: policies are written, people followed them, evidence exists, gaps were fixed, and renewals happened on time. Use this base list before layering anything industry-specific on top.

| # | Item | What the auditor wants to see | Refresh cadence |
|---|------|-------------------------------|-----------------|
| 1 | Written policies and procedures | Current version, signed off by leadership | Annually |
| 2 | Org chart and role responsibilities | Who owns each control | When org changes |
| 3 | Risk register | Identified risks with owner and mitigation | Quarterly |
| 4 | Training records | Proof every employee completed required training | Annually |
| 5 | Vendor and subcontractor compliance files | Insurance, certifications, signed NDAs | At renewal |
| 6 | Access control logs | Who has access to what systems, with reviews | Quarterly |
| 7 | Incident and breach log | Every incident, response, and resolution | Real-time |
| 8 | Internal audit reports | Self-assessments from the previous cycle | Annually |
| 9 | Corrective action tracker | Findings from the last audit and how they were closed | After each audit |
| 10 | Insurance and certification renewals | Current, not expired, on file | Per document |

Get these ten right and you cover roughly 80% of any compliance audit. The rest is industry-specific.

Industry-specific compliance audit checklists

The base list is the floor. Each industry layers on its own document requirements based on the regulator, the standard, or the contract.

HR and employment compliance audit

  • Employee handbook acknowledgments (signed)
  • I-9 forms (US) or right-to-work proofs (UK/EU) for every employee
  • EEO-1 reports and pay equity analyses
  • Workers’ compensation insurance certificate
  • OSHA training records and incident logs
  • Harassment and DEI training completion records
  • Background check authorizations and results
  • Benefits enrollment confirmations
  • Termination records with exit interview notes

A reusable new hire onboarding document checklist keeps these files complete from day one rather than scrambling at audit time.

Construction and contractor compliance audit

  • General liability and workers’ comp certificates (yours and every subcontractor’s)
  • OSHA 300, 300A, and 301 logs
  • Site safety plans signed by the project manager
  • Daily toolbox talk records
  • Equipment inspection logs
  • Subcontractor prequalification packets
  • License and certification copies for trades on site
  • MSDS / SDS sheets for every chemical on site
  • Drug and alcohol testing records (per project requirements)

The full construction compliance documents checklist goes deeper on subcontractor packets and project-level evidence.

Financial services compliance audit (SOX, AML, KYC)

  • AML policy with named MLRO
  • KYC files for every client (see the KYC document checklist)
  • Sanctions, PEP, and adverse media screening logs
  • Suspicious Activity Reports (SARs) filed
  • Transaction monitoring rule documentation
  • Customer risk ratings and review history
  • Internal controls testing (SOX 404)
  • SOC 1 or SOC 2 report from key service providers
  • Whistleblower hotline records

Healthcare compliance audit (HIPAA, HITECH)

  • Notice of Privacy Practices (current and posted)
  • Business Associate Agreements with every vendor handling PHI
  • Workforce training records on HIPAA
  • Risk analysis and risk management plan
  • Access control reviews for systems containing PHI
  • Encryption attestations for data at rest and in transit
  • Breach notification log
  • Patient access request log (with response times)
  • Disposal records for paper and electronic PHI

IT and information security audit (SOC 2, ISO 27001)

  • Information security policy
  • Asset inventory with owners and classification
  • Vendor risk assessments
  • Penetration test and vulnerability scan reports
  • Change management records
  • Backup and disaster recovery test results
  • Access review evidence (joiners, movers, leavers)
  • Encryption key management policy
  • Vendor SOC 2 / ISO certificates on file
  • Incident response runbook with post-mortems

GDPR / data protection audit

  • Record of Processing Activities (Article 30)
  • Data Protection Impact Assessments for high-risk processing
  • Lawful basis documented for every processing activity
  • Data subject request log (with response times)
  • Data processor agreements with every vendor
  • Breach notification register
  • Cross-border transfer documentation (SCCs or adequacy decisions)
  • Cookie consent and privacy policy versions with dates

A GDPR-compliant document collection workflow makes most of this evidence collectable on a schedule rather than rebuilt before each audit.

Common compliance audit findings (and how to avoid them)

Auditors fail you less often for missing a single item and more often for patterns. The same handful of findings appears year after year.

Expired certificates and licenses. A subcontractor’s general liability lapsed in March. Nobody noticed. The auditor pulls a list of active vendors and checks one at random. Found. Set expiration dates on every document and let the system chase renewals automatically — document expiration tracking eliminates this entire failure mode.

Stale training records. Annual harassment training was completed in 2023 by 80% of staff, 60% in 2024, and the spreadsheet was never updated for 2025. The fix is recurring workflows that re-trigger automatically each year instead of a static spreadsheet.

No audit trail for collected documents. The auditor asks who reviewed the supplier’s insurance certificate and when. The answer is “Sara, I think? Sometime last spring?” Every approved document needs a timestamp and a reviewer name attached.

Email-based document collection. Sensitive files sit in inboxes, multiple versions float around, and there is no central record. This fails almost every information security and GDPR audit. There are better methods for collecting documents than email attachments.

Open corrective actions from the last audit. Three findings were issued last year. Two were closed. The third is still open and the auditor remembers it. Track every finding to closure with an owner and a deadline.

Inconsistent document collection across teams. The Paris office collects subcontractor packets one way, the New York office another. Standardize the checklist and the intake process across teams.

How to automate a compliance audit workflow

Building a binder the week before an audit is the slow, painful way. The teams that pass audits cleanly do three things differently.

1. Collect evidence continuously, not at audit time. Every renewal, every signed policy, every new vendor goes into the system the day it happens. Audit prep becomes “run a report” instead of “rebuild a year of records.”

2. Make every requirement a workflow. A subcontractor onboarding workflow that requests insurance, license copies, and a signed code of conduct produces the same complete file every time. No memory, no gaps, no rework.

3. Set expiration dates and let the system chase renewals. When a certificate expires in 30 days, the contact gets reminded automatically, uploads the renewed version, and the file stays current without your team chasing.

A platform like Superdocu lets you build each compliance checklist as a reusable workflow. Contacts (employees, vendors, clients) get a branded link, complete the documents step by step, and the system tracks status, expirations, and reviewer approvals automatically. When the auditor asks for a vendor’s insurance history, you export a clean PDF with dates and approvals in seconds. Everything is hosted in Europe, GDPR-compliant by default, with full audit logs.

For French firms, the SIRET integration pulls KBIS, URSSAF, and registration data automatically — about 15 minutes saved per supplier file.

Frequently asked questions

What is a compliance audit checklist?

A compliance audit checklist is the list of documents, records, and controls an auditor expects to see during a compliance review. It typically covers written policies, training records, vendor evidence, access logs, incident reports, and corrective actions from previous audits. Each industry layers on specific items based on the regulator or standard being reviewed.

What is the difference between an internal and external compliance audit?

Internal audits are run by your own team to find gaps before regulators do — they are diagnostic and recurring. External audits are run by a regulator, certification body, or independent third party to issue a finding, certificate, or report. The checklist is the same; the consequences differ.

How often should we run an internal compliance audit?

Annual internal audits are the minimum for most standards (ISO 27001, SOC 2, HIPAA, GDPR). High-risk areas (financial controls, data security, AML) often warrant quarterly reviews. The pace should match the volume of change in the area being reviewed — a stable process needs less attention than one rebuilt twice a year.

Who should own the compliance audit checklist?

A named compliance officer or risk owner should maintain the checklist. Department heads own the evidence for items in their area (HR owns training records, IT owns access logs, procurement owns vendor files). Without clear ownership, every checklist item becomes someone else’s job.

Can a compliance audit checklist be the same across all sites and teams?

The core list should be identical so every team is held to the same standard. Industry-specific or jurisdiction-specific add-ons can vary by site. The mistake is letting each team invent their own format — that guarantees inconsistent evidence at audit time.

What is the fastest way to prepare for a compliance audit?

Stop preparing for audits as an event. Build the evidence continuously: standardize document collection workflows for vendors, employees, and clients; set expiration dates on every certificate; assign a reviewer to every uploaded file. When the auditor arrives, you run a report instead of building a binder.

Next step

Most compliance audit failures trace back to the same root cause: documents collected ad-hoc, scattered across email and shared drives, with no single source of truth. A purpose-built portal turns each checklist item into a workflow, tracks expirations automatically, and gives auditors a clean evidence trail on demand.

Start a free 7-day trial of Superdocu — no credit card required. Build your first compliance workflow in under 10 minutes with the AI workflow generator.


Part(s) or the totality of the above content may have been generated with the help of AI. Please double-check the information provided in this article to avoid any surprises.
