How to Run a Regulatory Compliance Audit: Steps & Checklist

You know your team handles dangerous goods correctly. Your processes work. Your staff follow the rules. Then someone mentions an audit and suddenly you are scrambling to prove what you already know. Gathering evidence after the fact takes time you do not have. Files live in different systems. People remember procedures differently. What seemed straightforward becomes a puzzle of missing pieces.

A regulatory compliance audit does not need to catch you off guard. When you plan properly, it becomes a routine verification rather than a crisis. You map your obligations, test your controls systematically, and document everything as you go. The audit then confirms what your processes already demonstrate.

This guide walks you through running a regulatory compliance audit from start to finish. You will learn what these audits actually check, which types apply to your operations, and how to complete each step without wasting effort. We have included practical checklists and shown you where to focus your time. By the end, you will know exactly how to prepare for an audit and turn it into an opportunity to strengthen your compliance programme.

What is a regulatory compliance audit

A [regulatory compliance audit](https://logicomhub.com/regulatory-audit-definition/) examines whether your organisation follows the laws, regulations, and standards that apply to your operations. An independent auditor reviews your processes, records, and controls to verify you meet specific requirements. For dangerous goods operations, this might include checks against ADR, IATA, IMDG, or RID regulations depending on your transport modes.

The audit goes beyond simply reading your policies. Auditors test whether your documented procedures match actual practice. They interview staff, inspect facilities, review training records, and trace individual transactions from start to finish. Your team must demonstrate not just that controls exist, but that they operate effectively and consistently.

A compliance audit provides objective evidence that your operations meet regulatory requirements and reduces the risk of penalties or incidents.

Core purpose of compliance audits

Compliance audits serve three main functions in your organisation. First, they identify gaps between your current practices and regulatory requirements before regulators find them. Second, they provide assurance to stakeholders that you manage risks appropriately. Third, they create a documented record of your compliance efforts, which protects you if questions arise later.

Mandatory audits occur because regulations require them. Financial services firms undergo regular audits, healthcare organisations must verify HIPAA compliance, and certain dangerous goods operators need DGSA assessments. Voluntary audits happen when you choose to verify compliance proactively, often to satisfy customer requirements or demonstrate good governance.

Key characteristics

Every compliance audit shares several defining features. An independent auditor conducts the review, ensuring objectivity. The audit follows a defined framework or regulation rather than generic best practices. Auditors must provide evidence for their findings, not just opinions. The process concludes with a formal report that documents compliance status and any deficiencies.

The scope determines what the auditor examines. A narrow scope might cover only lithium battery shipping procedures, whilst a broad scope could encompass your entire dangerous goods safety management system. You agree the scope before work begins, though auditors may expand it if they discover related concerns during their review.

Common types of compliance audit

Your organisation faces different audit types depending on your industry, regulations, and business relationships. Understanding which audits apply to your operations helps you prepare properly and allocate resources where they matter most. Each audit type follows distinct procedures and produces different deliverables, from formal certifications to internal improvement reports.

Regulatory audits

Regulatory audits verify your compliance with specific laws and government requirements. These audits carry legal weight and non-compliance can result in fines, licence suspension, or criminal penalties. For dangerous goods operations, you might face audits covering transport regulations (ADR, IATA, IMDG, RID), environmental laws, health and safety requirements, or customs procedures.

External auditors or regulators conduct these assessments on mandatory schedules or triggered by incidents. A DGSA audit examines your dangerous goods safety management system, whilst environmental agencies might inspect your chemical storage facilities. You must pass these audits to maintain your operating licences and avoid regulatory action.

Regulatory audits confirm that your operations meet minimum legal standards and help you avoid penalties or operational shutdowns.

Standards-based audits

Standards-based audits assess your conformity to industry frameworks rather than legal requirements. ISO certifications, SOC 2 attestations, and sector-specific standards fall into this category. Your organisation chooses to pursue these audits voluntarily, often because customers require certification or you want to demonstrate best practices.

These audits typically offer more flexibility than regulatory audits. You select the scope, choose your certification body, and determine the implementation timeline. An ISO 9001 audit examines your quality management system, whilst an ISO 14001 audit focuses on environmental management. The resulting certificate provides market differentiation and can open doors with customers who mandate specific standards.

Internal vs external audits

Internal audits use your own staff or appointed consultants to review processes before external scrutiny occurs. You control the timing, scope, and depth of investigation. These audits identify weaknesses early and give you time to remediate issues without regulatory pressure. Your internal audit team should report to management independently from the departments they review.

External audits involve third-party auditors who provide independent verification. Regulators, certification bodies, or customer representatives conduct these reviews. External auditors bring objectivity and credibility but offer less flexibility in timing and process. Many organisations run internal audits quarterly and undergo external regulatory compliance audits annually, creating a continuous improvement cycle that maintains strong compliance posture year-round.

Step 1. Map your obligations and risks

The foundation of any successful regulatory compliance audit starts with knowing exactly what you must comply with and where your vulnerabilities lie. You cannot audit against requirements you have not identified, and you waste resources checking areas that carry minimal risk. This mapping exercise creates your audit blueprint and ensures you focus effort where it matters most. Your team needs a complete inventory of obligations before proceeding to planning or testing.

Identify applicable regulations

Start by cataloguing every law, regulation, and standard that governs your operations. For dangerous goods businesses, this typically includes transport regulations based on your modes (ADR for road, IATA for air, IMDG for sea, RID for rail), plus general requirements like health and safety legislation, environmental protection laws, and employment regulations. Your business structure, location, and customer base determine which rules apply.

Create a regulations register that lists each requirement with its source, the business area it affects, and the person responsible for compliance. Review this register quarterly because regulations change frequently. The following categories help structure your mapping:

  • Transport-specific requirements: ADR, IATA Dangerous Goods Regulations, IMDG Code, RID
  • Product-specific rules: Lithium battery regulations, radioactive materials controls, infectious substances protocols
  • Safety management: Dangerous Goods Safety Adviser (DGSA) requirements, risk assessment obligations
  • Documentation standards: Consignment note requirements, safety data sheets, transport documentation
  • Training mandates: Periodic retraining schedules, role-specific certification requirements

Mapping your regulatory obligations before planning the audit prevents gaps in coverage and ensures you test all critical requirements.

Assess your risk exposure

Not all compliance areas carry equal weight. You must evaluate risk to determine which processes need intensive auditing and which require lighter review. High-risk areas typically involve activities that could cause serious incidents, result in significant fines, or affect many transactions. For dangerous goods operations, lithium battery shipments often present elevated risk due to complex classification rules and severe consequences of errors.

Score each regulatory requirement using a simple risk matrix. Assess both the likelihood of non-compliance and the potential impact if violations occur. Use a scale of 1-5 for each dimension, then multiply the scores to create a risk rating. Requirements scoring 15 or higher demand priority attention in your audit planning.

Consider these risk factors when assessing your exposure:

  • Volume: How many transactions does this process handle monthly?
  • Complexity: Do staff find this requirement difficult to interpret or apply?
  • Change frequency: Has this regulation been updated recently?
  • Past issues: Have you experienced non-compliance in this area before?
  • Consequence severity: What happens if you get this wrong?

Document your compliance framework

Build a compliance map that shows how your organisation meets each requirement. This document connects regulations to your policies, procedures, controls, and responsible individuals. Your map should trace each obligation through your system, demonstrating the specific measures you have implemented to achieve compliance. Include both preventive controls (things that stop errors occurring) and detective controls (things that catch errors when they happen).

Structure your framework documentation using this template:

| Requirement | Policy Reference | Procedure | Control Owner | Control Type | Testing Frequency |
|---|---|---|---|---|---|
| ADR 1.3: Training | DG Training Policy v2.1 | Training Procedure TP-001 | Training Manager | Preventive | Annual |
| IATA 8.1: Classification | Classification SOP | Class Procedure CP-002 | Operations Lead | Preventive/Detective | Quarterly |

Your framework document becomes the foundation for audit planning. It shows auditors that you understand your obligations and have implemented systematic controls. Update this document whenever regulations change or you modify processes. This living document guides your internal reviews and provides evidence during external regulatory compliance audits that you operate a structured compliance programme.

Maintain supporting evidence for each mapped control. Store procedure documents, training records, and control effectiveness reports in a centralised location that auditors can access easily. This preparation work dramatically reduces the time needed to respond to audit requests and demonstrates mature compliance management to external reviewers.

Step 2. Plan the audit and set scope

Once you have mapped your obligations and assessed your risks, you need a detailed plan that transforms that knowledge into action. Your audit plan defines what you will examine, who will do the work, and how long each activity will take. Without proper planning, audits drift into irrelevant areas, miss critical issues, or consume excessive resources. The scope document you create now becomes your contract with auditors and your roadmap for execution.

Define your audit objectives

Your audit needs clear objectives that specify exactly what you want to achieve. Generic goals like "check compliance" waste time because they provide no guidance about priorities or success criteria. Instead, frame objectives that connect directly to your risk assessment and business needs. State whether you aim to verify specific regulatory requirements, prepare for external certification, or investigate concerns in particular operational areas.

Write objectives using measurable terms that make success obvious. For example: "Verify that 95% of dangerous goods shipments in Q3 included correctly completed transport documents" or "Confirm that all staff handling lithium batteries completed mandatory training within the past 24 months". Each objective should link to a specific regulation from your compliance map and identify the evidence you need to demonstrate conformance.

Clear audit objectives focus your team’s efforts on high-value activities and ensure you gather evidence that actually matters to regulators or certifiers.

Set audit boundaries

Scope definition determines which activities, locations, and time periods your audit will cover. Boundaries prevent scope creep and help you estimate resource requirements accurately. For dangerous goods operations, you might limit scope to air transport only, exclude certain product types, or focus on a single facility. Document what you will not examine as clearly as what you will include.

Your regulatory compliance audit scope statement should specify:

  • Operational scope: Which business units, facilities, or transport modes
  • Regulatory scope: Which specific regulations or standards (e.g. IATA DGR Section 10, ADR Chapter 1.3)
  • Time period: Which transactions or activities (e.g. all shipments from January-June 2025)
  • Exclusions: What falls outside the audit (e.g. non-dangerous goods, historical records before 2024)

Consider practical constraints when setting boundaries. You cannot audit every transaction, so determine appropriate sampling methods. For high-volume operations, you might test 25 shipments per month selected randomly. For critical processes with lower volumes, examine all instances. Balance thoroughness against available time and budget, recognising that tighter scopes allow deeper investigation.

Build your audit timeline

Create a realistic schedule that sequences activities logically and allocates sufficient time for each phase. Most regulatory compliance audits follow this basic structure: preparation (1-2 weeks), fieldwork (2-4 weeks), reporting (1-2 weeks), and follow-up (ongoing). Adjust timeframes based on your organisation’s size and the scope’s complexity. Build in buffer time because audits always uncover unexpected issues requiring additional investigation.

Use this template to structure your audit plan:

| Phase | Activities | Duration | Owner | Completion Date |
|---|---|---|---|---|
| Preparation | Notify stakeholders, gather policies, schedule interviews | 1 week | Compliance Manager | 25 Nov 2025 |
| Document review | Examine procedures, training records, past audit reports | 1 week | Lead Auditor | 2 Dec 2025 |
| Fieldwork | Conduct interviews, observe operations, test controls | 3 weeks | Audit Team | 23 Dec 2025 |
| Analysis | Evaluate findings, identify non-conformances | 1 week | Lead Auditor | 30 Dec 2025 |
| Reporting | Draft report, review with management, finalise | 2 weeks | Compliance Manager | 13 Jan 2026 |

Communicate your audit schedule to all affected departments at least two weeks before fieldwork begins. Give process owners time to prepare documentation and arrange staff availability for interviews. Clear scheduling prevents conflicts and ensures people understand when auditors need access to systems, facilities, or records.

Step 3. Test controls and gather evidence

Testing transforms your audit plan from theory into concrete findings. You examine whether the controls you documented actually work in practice and collect proof that validates your compliance status. This phase requires the most time and effort because you must verify claims systematically rather than accepting documentation at face value. Your testing approach determines the quality of evidence you gather and the confidence stakeholders place in your audit results.

Select your testing methodology

Choose testing techniques that match each control’s nature and risk level. Different situations demand different approaches. For preventive controls like mandatory approval workflows, you trace transactions forward to verify the control operated before the action occurred. For detective controls like periodic reviews, you examine the review documentation and confirm appropriate follow-up on identified issues.

Apply these standard testing methods to your dangerous goods compliance controls:

  • Inquiry: Interview staff who execute controls about their understanding and practices
  • Inspection: Review documents, records, and physical evidence that controls operated
  • Observation: Watch staff perform controlled activities in real-time
  • Re-performance: Execute the control yourself using the same inputs to verify results
  • Analytical procedures: Compare data patterns to identify anomalies suggesting control failures

Your sample size depends on transaction volume and risk rating. For high-risk processes with over 100 monthly transactions, test at least 25 instances randomly selected across the audit period. Medium-risk processes need 15-20 samples. Low-risk areas with infrequent activity might warrant examining all instances or just 5-10 examples. Document your sampling rationale because auditors may challenge your approach if it appears insufficient.

Conduct control testing

Start testing with your highest-risk controls identified during Step 1. Gather the evidence list you prepared during planning and work through each item systematically. For training controls, you might verify that your training register shows completion dates, review course attendance sheets, check training certificates match regulatory requirements, and interview trainees about their understanding. Each piece of evidence either confirms the control works or reveals a gap requiring investigation.

Record observations as you test rather than relying on memory later. Create a working paper for each control that documents what you tested, the evidence you examined, and your conclusion about effectiveness. Note any deviations immediately, even minor ones, because patterns of small failures often indicate bigger problems. Use your mobile device to photograph evidence like properly completed dangerous goods declarations or correctly segregated storage areas, ensuring you capture timestamps and context.

Testing must produce verifiable evidence that demonstrates compliance objectively, not opinions or assumptions about how processes should work.

Follow this testing template to maintain consistency across your audit:

Control Test Record

Control ID: [Reference from compliance framework]
Control Description: [What the control does]
Testing Method: [Inquiry/Inspection/Observation/Re-performance]
Sample Size: [Number of items tested]
Sample Selection: [How you chose items]

Test Steps Performed:
1. [Specific action taken]
2. [Specific action taken]
3. [Specific action taken]

Evidence Examined:
- [Document type and reference]
- [Document type and reference]

Results:
☐ Control operating effectively - No exceptions noted
☐ Control operating with exceptions - [X] instances failed, [Y] instances passed
☐ Control not operating - Explain:

Deviations Found: [Describe any non-conformances]

Tested by: [Name]
Date: [Date]
Review: [Senior reviewer name and date]

Document your findings

Build your evidence file as you progress through testing rather than compiling it afterwards. Organise evidence by control area using the same structure as your compliance framework. Store copies of tested documents, interview notes, photographs, and test results in a central location that auditors can access easily. You should be able to retrieve evidence for any tested control within two minutes when questioned.

Create a findings log that tracks every issue discovered during testing. Classify findings by severity using consistent criteria: critical findings indicate serious regulatory breaches requiring immediate action, major findings show control weaknesses that could lead to non-compliance, and minor findings identify opportunities for improvement. Record enough detail that someone unfamiliar with the audit can understand the issue, its cause, and potential consequences.

Use this table format to log your audit findings systematically:

| Finding ID | Control Area | Severity | Description | Root Cause | Regulatory Reference | Evidence Location |
|---|---|---|---|---|---|---|
| F-001 | Training | Major | 3 staff handling lithium batteries lack current certification | Training renewals not tracked | IATA 1.5.0.2 | Evidence/Training/F-001 |
| F-002 | Documentation | Minor | 2 consignment notes missing emergency contact | Form template outdated | ADR 5.4.1.4.1 | Evidence/Docs/F-002 |
| F-003 | Classification | Critical | Incorrect UN number on 1 shipment | Staff misunderstood product category | IATA 3.0.1 | Evidence/Class/F-003 |

Your evidence quality determines whether your regulatory compliance audit withstands scrutiny. External auditors or regulators must be able to verify your conclusions independently by reviewing the evidence you collected. Keep evidence for at least three years after the audit concludes, as regulators sometimes request historical records during inspections or investigations.

Step 4. Report, remediate and follow up

Your testing phase has revealed both strengths and weaknesses in your compliance programme. Now you must communicate findings clearly and drive corrective action to close any gaps before they cause problems. This final step transforms audit results into tangible improvements that strengthen your organisation’s compliance posture. The report you produce becomes a permanent record that demonstrates due diligence to regulators and provides a roadmap for your team’s improvement efforts.

Draft your audit report

Write your audit report in clear, factual language that explains what you examined, what you found, and what needs to change. Structure the document logically starting with an executive summary that highlights key findings and overall conclusions, followed by detailed sections covering methodology, scope, individual findings, and recommendations. Your executive summary should be understandable to readers without technical knowledge because board members and senior managers often read only this section.

Present each finding using a consistent format that explains the issue, its root cause, the regulatory requirement it violates, and the potential consequences if left unaddressed. Include enough context that someone unfamiliar with your operations can understand the problem. Reference the specific evidence you collected and explain how you reached your conclusions. Your report must support each finding with verifiable facts rather than opinions or assumptions.

A well-structured audit report provides clear evidence of compliance status and creates accountability for addressing deficiencies before they escalate into regulatory issues.

Use this structure for your regulatory compliance audit report:

COMPLIANCE AUDIT REPORT

Executive Summary
- Overall compliance rating
- Critical findings count and nature
- Key recommendations
- Immediate actions required

1. Audit Scope and Objectives
   - Regulations covered
   - Operational areas examined
   - Time period reviewed
   - Exclusions

2. Methodology
   - Testing approach
   - Sample sizes
   - Evidence collection methods

3. Findings by Control Area
   For each finding:
   - Finding ID and severity
   - Description of non-conformance
   - Root cause analysis
   - Regulatory reference
   - Evidence reference
   - Recommended action
   - Target completion date

4. Positive Observations
   - Controls operating effectively
   - Areas of strength

5. Management Response
   - Agreed actions
   - Responsible parties
   - Completion timelines

6. Appendices
   - Evidence index
   - Testing documentation
   - Regulatory references

Address findings systematically

Prioritise your corrective actions based on finding severity and implementation complexity. Critical findings demand immediate attention because they represent serious regulatory breaches that could result in penalties or incidents. Tackle these within days rather than weeks. Major findings need action within the current quarter, whilst minor findings can wait for your next planned process review cycle provided you monitor them to prevent deterioration.

Assign a responsible owner to each finding who has authority to implement changes and resources to execute the remediation plan. That person must develop specific corrective actions with measurable completion criteria. Vague commitments like "improve training" waste time because nobody knows when the action is complete. Instead require precise actions such as "revise lithium battery training module to include new IATA requirements and deliver to all relevant staff by 15 January 2026".

Track remediation using this table format:

| Finding ID | Owner | Action Required | Resources Needed | Target Date | Status | Evidence of Completion |
|---|---|---|---|---|---|---|
| F-001 | Training Manager | Update training records system to flag renewals 30 days before expiry | IT support for 5 hours | 15 Dec 2025 | In progress | System screenshots showing automated alerts |
| F-003 | Operations Lead | Retrain classification team on product category rules, implement peer review | 2 days trainer time | 30 Nov 2025 | Complete | Training certificates, new peer review checklist |

Monitor implementation and verify effectiveness

Schedule follow-up reviews at defined intervals to verify that corrective actions actually solved the problems rather than just creating new documentation. Visit the affected areas four to six weeks after implementation to observe whether staff apply the new procedures correctly. Interview process owners to confirm they understand the changes and have the resources needed to sustain improvements.

Your follow-up phase proves whether remediation efforts achieved their intended results. Test a sample of transactions processed after the corrective action took effect using the same methodology from your original audit. This re-testing provides objective evidence that the control now operates effectively. Document your verification activities and add the evidence to your audit file, creating a complete record showing you identified the issue, fixed it, and confirmed the fix worked properly.

Additional checklists and resources

You need practical tools that translate audit theory into action at your organisation. These checklists cover the common requirements across dangerous goods operations and help you verify readiness before external auditors arrive. Use them as starting templates and customise each item to match your specific regulations and operational context.

Pre-audit preparation checklist

Complete these tasks at least four weeks before your regulatory compliance audit begins to ensure you have gathered all necessary documentation and prepared your team properly. This checklist prevents last-minute scrambling for missing records and identifies gaps you can address before auditors discover them.

  • Update your regulations register with any changes from the past 12 months
  • Verify all staff training certificates remain current and properly documented
  • Compile samples of dangerous goods declarations from each transport mode you use
  • Review incident logs and confirm you investigated all events appropriately
  • Prepare your DGSA annual report and supporting documentation
  • Organise access permissions for auditors to your document management system
  • Schedule interviews with process owners and notify them of required availability
  • Test that you can retrieve any shipment record within five minutes
  • Confirm your emergency response procedures reflect current contact details
  • Document any known control weaknesses and the mitigation measures you have implemented

Preparation checklists transform audit readiness from an overwhelming task into a series of manageable steps you can delegate and track systematically.

During-audit evidence checklist

Gather these evidence categories as auditors request them during fieldwork. You should be able to locate and provide each item within hours rather than days to keep the audit moving efficiently and demonstrate mature record-keeping practices.

Regulatory documentation:

  • Current copies of all applicable regulations (ADR, IATA DGR, IMDG Code, RID)
  • Internal policies and procedures covering dangerous goods operations
  • Organisation chart showing compliance responsibilities

Operational records:

  • Training records including course content, attendance sheets, and certificates
  • Dangerous goods declarations from representative shipments
  • Classification decisions and supporting safety data sheets
  • Packaging specifications and test certificates
  • Equipment inspection and maintenance logs

Management oversight evidence:

  • Internal audit reports from the past 24 months
  • Management review meeting minutes discussing compliance
  • Corrective action tracking showing closed findings

Next steps for your audit

You now have a complete framework for running a regulatory compliance audit that produces reliable results. Your mapped obligations guide what you test, your systematic approach ensures nothing slips through, and your documentation proves compliance to any stakeholder who asks. Start with your highest-risk areas identified in Step 1, then expand coverage as your team gains confidence with the process.

Regular audits become easier each cycle because you build on previous work rather than starting fresh. If your team handles dangerous goods and needs comprehensive training to strengthen compliance before your next audit, Logicom Hub provides the expertise and flexible learning options that turn regulatory requirements into practical skills your staff can apply immediately.