Start here — the principles
What makes an audit sound, on one page. Each principle links down to a full
working guide.
- The 5 principles of a sound audit — A credible audit isn't about ticking boxes — it's built on principles that make its findings defensible. Whether you're auditing a privacy...
The method — applies to any audit
These guides are regulation-agnostic. Read them in order for an
end-to-end picture, or jump to the one you need.
- Audit programme & schedule — An audit programme is the standing plan that decides what gets audited, how often, by whom, and in what order across a cycle. Get the programme...
- Risk-based auditing — Risk-based auditing means putting audit effort where the consequence of failure is highest, instead of treating every area the same. It is the...
- Audit techniques — A handful of core techniques does almost all the work in a compliance audit: document review, interview, observation, walkthrough, sampling, and...
- Roles & responsibilities — An audit involves more people than the auditor, and the credibility of the result rests on one thing above all: keeping the auditor independent of...
- The audit report — The report is the audit's deliverable — the thing that survives after the fieldwork is forgotten. It records what was checked, what was found, how...
- Evidence fundamentals — Every finding stands on evidence, and every weak audit is weak because its evidence is. This guide covers what counts as audit evidence, what...
For ISO management systems
- PDCA behind every ISO standard — Behind every ISO management system sits one simple idea: Plan-Do-Check-Act. Deming's cycle is why ISO standards demand not a one-time fix but...
Evidence by regulation
What evidence actually looks like for a specific regulation — the records,
registers, and responsible roles particular to each. These build on the
method above.
- GDPR — collecting evidence — What does evidence actually look like when you audit GDPR compliance? GDPR's accountability principle makes this regulation unusually...
- NIS2 — collecting evidence — NIS2 raises cybersecurity-risk-management obligations for essential and important entities across the EU, and — unusually — places personal...
- DORA — collecting evidence — DORA sets digital operational resilience requirements for financial entities and their critical ICT providers, organised into five pillars. Its...
From guide to checklist
This guide explains the craft. Doing it across an entire regulation —
every obligation, every paragraph, scored and traceable — is what the
audit checklists on this site are for. Each one
ships with a Regulatory Compliance Matrix you can download free to see the
full coverage before you buy.