Compliance audit: how to make it genuinely useful
A compliance audit creates value only when it measures gaps, ranks risks and turns findings into a realistic action plan instead of a static checklist.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Updated April 2026 — A compliance audit is an evaluation that measures an organisation's adherence to its legal, regulatory, contractual and internal obligations at a given point in time. It identifies gaps, prioritises risks and builds an operational remediation plan. In 2026, the scope of compliance audits has expanded considerably: tax, labour law, GDPR, anti-corruption, accounting, regulated sectors. This guide explains how to structure and exploit an effective compliance audit, with particular focus on the obligations that apply to foreign companies operating in France.
For related topics, see also Corporate audits, How to run an audit and Organisational audit firms.
Definition of a compliance audit
A compliance audit is a systematic and documented assessment of an organisation's adherence to a set of obligations. This framework may be legal (statutes, decrees, ordinances), regulatory (ministerial orders, tax instructions, European directives), contractual (framework agreement clauses, ISO certifications, collective agreements) or internal (group policies, ethics charters, internal procedures).
The compliance audit answers a central question: does the organisation comply with its obligations, and if not, what are the gaps, the associated risks and the priority corrective actions?
It differs from the statutory audit (certification of accounts by a statutory auditor) in its purpose: the statutory audit concerns the sincerity of the accounts; the compliance audit concerns adherence to specific obligations. It also differs from internal control, which is a permanent risk management framework, whereas a compliance audit is a point-in-time evaluation mission.
Areas covered by a compliance audit
Tax compliance
The tax compliance audit examines adherence to filing and payment obligations: VAT returns (CA3, CA12), tax return and profit declaration, withholding tax declarations, compliance with depreciation rules (useful lives, component accounting), deductibility of provisions, compliance with tax consolidation rules for groups, and transfer pricing for companies with international intercompany transactions.
The most common problem areas: improperly recovered input VAT on mixed-use expenses, non-deductible provisions treated as deductible, entertainment expenses not reintegrated, under-documented transfer pricing.
Labour law compliance
The labour compliance audit covers adherence to the French Labour Code (Code du travail), applicable collective agreements and company-level agreements. Key areas examined include:
- Compliance of employment contracts (mandatory clauses, classification, probation period duration)
- Compliance with maximum working hours and rest period rules
- Mandatory workplace notices and postings
- Updating and content of the internal rules (règlement intérieur)
- Existence and updating of the Unique Document for Occupational Risk Assessment (DUERP)
- Compliance of the Economic, Social and Environmental Database (BDESE) for companies with more than 50 employees
- Declaration and calculation of URSSAF social security contributions
GDPR compliance
The General Data Protection Regulation (GDPR), in force since 2018, imposes precise obligations on companies that process personal data. The GDPR audit examines:
- Existence and maintenance of the records of processing activities (mandatory for all companies under GDPR)
- Appointment of a Data Protection Officer (DPO) where required
- Compliance of information notices to data subjects
- Implementation of procedures for responding to requests to exercise rights (right of access, right to erasure, etc.)
- Procedures for managing personal data breaches (CNIL notification within 72 hours)
- Compliance of contractual clauses with processors (DPA — Data Processing Agreement)
Accounting compliance
The accounting compliance audit verifies adherence to the French General Chart of Accounts (PCG) or IFRS standards for listed groups: accounting principles (going concern, consistency of methods, prudence, accruals), asset and liability valuation rules, compliance with mandatory notes to the accounts.
Sector-specific compliance
Certain sectors are subject to specific regulations: credit institutions (AMF/ACPR prudential regulation), insurance (Solvency II), pharmaceuticals (pharmacovigilance, good manufacturing practices), food sector (traceability, HACCP). A sector compliance audit examines adherence to these specific requirements.
Methodology for an effective compliance audit
Step 1: mapping applicable obligations
The first step is to identify all legal, regulatory, contractual and internal obligations applicable to the organisation, taking into account its size, sector of activity, structure (subsidiary, group, standalone) and specific activities. This mapping is the backbone of the audit.
Step 2: gap assessment
For each identified obligation, the auditor assesses the level of compliance: compliant, partially compliant, non-compliant, or not applicable. Findings are documented with corresponding evidence (or the absence of evidence).
Step 3: risk prioritisation
Not all gaps have the same severity. Prioritisation takes into account:
- The probability that the gap will be detected and sanctioned
- The potential impact (financial, legal, reputational)
- Whether the correction is urgent or can be deferred
Step 4: remediation plan
Based on the identified and prioritised gaps, an action plan is developed: corrective actions to be taken, assigned owners, deadlines, resources required.
Step 5: monitoring corrective actions
A compliance audit is only useful if its conclusions are actually implemented. Periodic monitoring of corrective actions is essential to close the loop.
Tax compliance audit: key risk areas in 2026
A preventive tax compliance audit is one of the most cost-effective investments a company can make. Tax anomalies corrected voluntarily before an audit benefit from the voluntary regularisation regime: penalties and late interest are reduced compared to what they would be in the event of a tax reassessment.
Specific 2026 risk areas: deductibility rules for financing costs (ATAD provisions), tax treatment of crypto assets if the company holds any, compliance with electronic invoicing requirements under the 2026 reform, VAT on intra-Community transactions.
Labour compliance audit: preparing for a URSSAF inspection
URSSAF inspections are dreaded by employers, but they can be anticipated. A preventive labour compliance audit identifies weak points before the inspection: contribution base, treatment of benefits in kind, applied exemptions, director status.
The most common URSSAF reassessments involve: reclassification of certain expense reimbursements as benefits in kind, incorrect application (or non-application) of available exemptions, errors in employee classification, and incorrect treatment of overtime.
GDPR audit: what SMEs most frequently overlook
According to the CNIL (France's data protection authority), the most common failings in SMEs are: absence of records of processing activities, absence of compliant information notices on data collection forms, absence of DPAs with processors, and absence of a documented procedure for responding to rights exercise requests.
These failings expose companies to fines of up to 4% of global annual turnover or 20 million euros (whichever is higher).
Hayot Expertise insight: a preventive compliance audit, conducted before a tax or URSSAF inspection, not only corrects anomalies but also demonstrates the company's good faith. Good faith is a criterion expressly recognised by the French tax authorities for reducing penalties in the event of voluntary prior regularisation.
Recommended frequency and triggers for a compliance audit
There is no legally mandated frequency for internal compliance audits. In practice, best practice recommends:
- An annual audit for high-risk areas (VAT, social contributions, GDPR) in companies of significant size
- A one-off audit following major regulatory changes (new law, tax reform, amendment to a collective agreement)
- A pre-transaction audit before any disposal or fundraising (acquirers and investors systematically conduct compliance due diligence)
- An implementation audit when setting up a new activity or entering a new regulated sector
To structure your compliance audit approach, discover our statutory audit and compliance support.
Conclusion
Compliance auditing in 2026 is a strategic management tool, not merely a response to a regulatory obligation. It allows companies to anticipate inspections, demonstrate good faith, secure transactions and structure remediation on a documented basis. The areas covered are multiple: tax, labour law, GDPR, accounting, sector-specific. The key to a useful audit is its ability to produce an operational action plan, not merely a diagnosis.
Frequently asked questions
How often should a compliance audit be carried out?
An annual audit is recommended for high-risk areas (tax, labour law), and a one-off audit is advisable following major regulatory changes or before an announced inspection. A compliance audit is strongly recommended before any business disposal or fundraising, as acquirers and investors systematically conduct compliance due diligence.
Does a compliance audit protect against a tax inspection?
It significantly reduces risk by identifying and correcting anomalies before the inspection. It enables the company to demonstrate good faith to the tax authorities, which limits penalties and late interest in the event of prior voluntary regularisation, expressly recognised as a mitigating circumstance by French tax law.
What is the difference between a compliance audit and internal control?
Internal control is a permanent risk management framework operating continuously within the organisation. A compliance audit is a point-in-time mission that evaluates adherence to specific obligations, produces a documented report on gaps and recommends targeted corrective actions at a specific moment.
Who can carry out a compliance audit in France?
A chartered accountant (expert-comptable) is competent for tax and accounting matters, a lawyer for legal and contractual aspects, and a DPO or GDPR consultant for personal data compliance. For a comprehensive audit covering multiple areas, a multidisciplinary team combining these different competencies is recommended.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.