Compliance Audit France 2026: Method, Scope and Deliverables

Updated 15 May 2026 — Written by Samuel Hayot, chartered accountant, Hayot Expertise, Paris.

Compliance audits are no longer reserved for large corporations. In 2026, the multiplication of legal obligations — GDPR, Sapin 2, CSRD, AML/CFT, ECF — exposes SMEs, mid-size companies and startups to growing risks. This article explains the methodology, the scopes to cover, the competent actors and the deliverables to expect, with two concrete practical cases. It does not replace a personalised analysis of your situation.

A compliance audit is a systematic, documented evaluation of an organisation's adherence to a set of obligations. This set may be statutory (legislation, decree, ordinance), regulatory (ministerial order, tax instruction, European directive), contractual (framework agreement clauses, ISO certifications, collective agreements) or internal (group policy, ethics charter, internal procedures).

A compliance audit answers one central question: does the organisation comply with its obligations, and if not, what are the gaps, associated risks and priority corrective actions?

Compliance audit vs financial audit#

Compliance audit vs internal control#

Internal control is a permanent risk management framework — procedures, segregation of duties, delegations. A compliance audit is a one-off mission that evaluates the effectiveness of that framework at a given point in time. The two are complementary: a well-conducted compliance audit feeds and strengthens the internal control framework.

a. Tax compliance and ECF#

Tax compliance covers the correct application of corporate income tax, VAT, territorial economic contribution (CET), payroll tax, and any special regimes (JEI, CIR, tax consolidation). It includes review of tax returns, elected tax options and their consistency with corporate resolutions.

The Examen de Conformite Fiscale (ECF), codified under Article 1739 C of the French Tax Code (CGI), is a standardised contractual engagement covering 10 specific tax checkpoints. It provides a reduced risk of reassessment on validated points. ECF is a targeted subset of tax compliance review — it does not cover all risks, notably structural options, transfer pricing or complex exemption regimes.

b. Labour and payroll compliance#

A labour compliance audit verifies consistency between pay slips, DSN filings, social contributions paid and the provisions of the applicable collective agreement. It also examines employment contracts, company-level agreements, expense claims and benefits in kind. URSSAF reassessments most frequently target professional expenses, the classification of certain allowances and supplementary pension and health coverage.

c. GDPR and PSD2 compliance#

Since GDPR came into force in 2018, the CNIL has had the power to impose fines of up to 4% of global annual turnover or EUR 20 million. A GDPR compliance audit verifies the records of processing activities, legal bases, retention periods, consent mechanisms, data processing agreements with sub-contractors and breach notification procedures. For payment service actors, PSD2 (Directive 2015/2366) adds requirements for strong customer authentication (SCA) and access security.

d. AML/CFT and Sapin 2 compliance#

Anti-money laundering and counter-terrorism financing (AML/CFT) imposes due diligence obligations, suspicious transaction reporting to TRACFIN and training requirements on obliged entities. The Sapin 2 Act (Act No. 2016-1691 of 9 December 2016), Article 17, requires companies with more than 500 employees and EUR 100 million in consolidated turnover to implement a full anti-corruption programme (risk mapping, code of conduct, training, whistleblowing channel, third-party assessment). The Agence Francaise Anticorruption (AFA) may audit this programme and impose administrative sanctions.

e. Environmental compliance: DPEF and CSRD#

The French DPEF (Declaration de Performance Extra-Financiere) is being progressively replaced by the sustainability report required under the CSRD (Directive 2022/2464). In 2026, large companies with more than 500 employees already subject to the DPEF obligation enter the first CSRD scope. Listed companies with more than 250 employees come in for financial years starting on or after 1 January 2025 (report published in 2026). A preparatory ESG audit allows companies to anticipate these obligations, map available data and close gaps before the intervention of the accredited independent third-party auditor.

f. Sector-specific compliance#

Banking and insurance (ACPR), healthcare (HAS, ARS), defence (DGA), food (DGCCRF), transport (DGAC) — each regulated sector layers its own obligations on top of general law. Sector compliance audits are generally entrusted to specialist firms with precise knowledge of the applicable framework.

• Sapin 2 Act (Act No. 2016-1691 of 9 December 2016): mandatory anti-corruption programme for companies with more than 500 employees and EUR 100 million in consolidated turnover; AFA sanctions up to EUR 200,000 for legal entities (to be verified: updated amount).
• CSRD (Directive 2022/2464 of 14 December 2022): replaces NFRD, extends sustainability reporting to listed SMEs and large companies, mandatory audit by an accredited third-party auditor.
• Art. L823-1 and L823-2 French Commercial Code: statutory audit of accounts, mission reserved for registered statutory auditors.
• GDPR (EU Regulation 2016/679): legal basis for all GDPR audits; CNIL fines up to 4% of global turnover.
• TRACFIN: financial intelligence unit of the French Ministry of Economy, recipient of AML/CFT suspicious transaction reports.
• ISO 19011:2018: international standard for audit methodology of management systems, applied on a voluntary basis.

ISO 19011:2018 structures the compliance audit into four phases that we apply in our contractual engagements.

Phase 1 — Planning#

• Definition of scope, objectives and audit criteria
• Preliminary documentary review: accounts, tax returns, DADS-U, DSN, GDPR registers, org chart, framework agreements
• Identification of internal stakeholders (CFO, HR director, DPO, legal counsel)
• Establishment of the audit programme and timetable
• Communication to management

Phase 2 — Field work#

• Structured interviews with domain managers
• Sampling and verification of supporting documents
• Procedure tests: end-to-end transaction tracing
• Documentation of findings with precise legal reference

Phase 3 — Reporting#

• Drafting of the findings report (by domain, with criticality)
• Findings/recommendations matrix: risk, impact, remediation effort
• Presentation of results to management before final distribution
• Executive summary (1-2 pages, decision-oriented)

Phase 4 — Follow-up#

• Prioritised action plan: owner, deadline, monitoring indicator
• Interim review at 3-6 months depending on scopes
• Update of the action plan and closure of resolved findings

For a chartered accountant, the compliance audit takes the form of a contractual engagement, distinct from the accounts review or compilation mission. It requires a specific engagement letter and separate fees.

1. Preparation for a tax inspection: identify risk areas before a tax inspector does.
2. Preparation for an URSSAF inspection: secure the treatment of professional expenses, officer remuneration and benefits in kind.
3. Business sale: the compliance audit report enriches the acquirer's due diligence file and reduces the risk of price revision or activation of warranty clauses.
4. Fundraising (Series A and beyond): institutional investors require documented compliance, particularly GDPR, tax and labour.
5. IPO: compliance audit is a component of mandatory regulatory due diligence.
6. ESG labelling / ISO certifications: ISO 9001, ISO 14001 and ISO 27001 require a prior compliance assessment.

Situation: 28-employee services company, sale planned within 12 months, industrial acquirer. The acquirer appoints a firm for due diligence. The owner wishes to anticipate findings.

Scope selected: tax compliance (corporate tax, VAT, CET, options) and labour compliance (DSN, professional expenses, key employment contracts).

Findings during field work:

• Two VAT elections exercised without a formal resolution in the minutes book
• Flat-rate remote working allowances paid without an internal policy or supporting documentation, creating a partial reclassification exposure
• Employment contract of a senior executive does not reference the applicable collective agreement

Action plan:

• Regularisation of VAT resolutions (retroactive resolution to be validated with legal counsel)
• Implementation of a remote working policy and review of supporting documentation
• Amendment to the senior executive's employment contract
• Preparation of a tax memorandum presented to the acquirer with the regularisations completed

Outcome: sale file presented with a compliance memorandum, reduced risk of price challenge or activation of the asset and liability warranty.

Our reading#

In sale files, the most frequent findings do not involve fraud but documentary gaps accumulated over time: options not formalised, internal policies absent, amendments not drafted. A compliance audit conducted 12 months before the sale allows time for regularisation without deadline pressure.

Situation: 18-month-old startup, 15 employees, EUR 8 million Series A in progress. The lead investor (European fund) requires a GDPR audit and PSD2 compliance check before closing.

Scope selected: full GDPR audit, PSD2 (integrated payment module), labour compliance (BSPCEs, stock options, free shares).

Findings:

• Incomplete processing register: 4 undocumented processing activities including one outsourced to a US sub-contractor without a GDPR-compliant Data Processing Agreement
• Cookie consent mechanism non-compliant with CNIL 2023 guidelines
• BSPCEs granted without a prior extraordinary general meeting validating the attribution conditions

Action plan:

• Completion of the GDPR register and signature of missing DPAs
• Cookie banner overhaul (CNIL compliance)
• Convening of an EGM to regularise BSPCE attributions (to be validated with legal counsel)
• Delivery of the compliance report to the fund before closing

The underestimated risk: startups focus their attention on visible GDPR compliance (cookie banner) and underestimate the compliance of equity instruments (BSPCEs, free shares). A procedural defect in a BSPCE grant can invalidate the tax benefit for recipients and create an unanticipated labour liability.

These ranges are indicative and depend on company structure, the level of existing documentation and the scopes selected. They are to be confirmed in the engagement letter.

1. Do not underestimate the scope. The scope of a compliance audit is rarely the one the business owner imagines at the outset. Companies with foreign subsidiaries, non-EU sub-contractors or multi-sector activities must integrate the international dimension from the planning phase.

2. Do not overlook the human dimension. Documentary compliance does not guarantee operational compliance. Interviews with teams frequently reveal practices that diverge from formalised procedures. An audit based on documents alone is an incomplete audit.

3. Distinguish between remediation and prevention. A compliance audit conducted under pressure (imminent inspection, sale closing) constrains remediation timelines. Ideally, the audit is conducted 12 to 18 months before the triggering event.

4. CSRD and listed SMEs: anticipate from 2025 onwards. Listed companies with more than 250 employees enter the CSRD scope for financial years starting on or after 1 January 2025 (report published in 2026). Non-financial data must be collected and documented throughout the financial year.

Our team conducts contractual compliance audit engagements in the tax, labour and GDPR domains for SMEs, mid-size companies and startups based in Paris and the Ile-de-France region. We work with our legal and data specialist partners for scopes requiring additional expertise.

Every engagement is governed by an engagement letter specifying the scope, deliverables, timetable and fees. We do not conduct statutory audits (commissariat aux comptes) — this mission is reserved for registered statutory auditors.

This article is provided for general information purposes only. It does not replace a personalised analysis of your situation by a qualified professional, which alone can account for the specific circumstances of your company, sector, and the regulatory framework in force at the date of your decision.

Sources: Legifrance — Sapin 2 Act No. 2016-1691 of 9 December 2016 — CSRD Directive 2022/2464 — Art. L823-1 and L823-2 French Commercial Code — CNIL GDPR — TRACFIN — AFA Practical Guide SMEs/ETIs — ISO 19011:2018.