Performing an Internal Compliance Audit

June 17, 2019 · 4 minutes

Three key reasons to identify compliance and operational gaps in your cannabis business:

  • Avoid fines and penalties
  • Improve process reliability and product or service quality
  • Get a bank account

Yes, getting a bank account. Banks are highly regulated, and to work with cannabis businesses they must gather evidence that their cannabis clients are not violating something known as the Cole Memo Priorities¹ or any local or state laws and regulations.

Performing an internal audit is the best way to identify compliance gaps and take the necessary corrective action.

¹ See the posting on FinCEN Guidelines to learn about the Cole Memo Priorities.

Performing an audit involves a minimum of three activities:

  • Audit preparation and planning
  • Conducting the audit, and
  • Reporting the findings

Typically, corrective action follows to eliminate the gaps discovered. After the gaps are corrected, a follow-up audit can be conducted to ensure the corrections are working.

Internal Audits

An internal audit can be performed as a self-audit or by an independent outside firm. An experienced external auditor or audit firm brings a level of knowledge they gain from seeing lots of different operations and situations. They know what to look for and can recognize red flags that can indicate hidden issues.

On the other hand, if a business has grown large enough to economically justify a compliance staff, then preparing for and conducting self-audits is an excellent way to develop in-house knowledge and experience.

Independent Expert Audits

If an outside firm is hired, they will perform most of the audit work. As the business owner or manager, your role during the preparation phase will be to coordinate with the firm to establish the purpose and objectives of the audit, work out logistical details (such as on-site timing, safety, security, and proprietary information access), communicate with staff to set expectations, and approve the audit plan. While the firm conducts the audit, you will need to make documentation and records available per the plan, ensure the auditor(s) follow safety measures, have an escort or key contact available to answer questions or control other matters, and make staff available for interviews. After the audit findings are reported, you will want to develop and implement corrective action plans to eliminate any gaps. Optionally, you can have a follow-up audit conducted.


If you decide to conduct a self-audit, the preparation will be the most time-consuming phase, at least the first time. Here is a question to ask yourself: “How do you know, if you know, what you need to know?” In other words, the quality of your self-audit will only be as good as the knowledge of your compliance staff. A business preparing and planning for a self-audit should produce and maintain good documentation in order to retain the knowledge gained and not lose it with employee turnover.

A business owner or manager should evaluate the pros and cons of self-audits versus independent expert audits to decide which one is best for their situation.

Preparation and Planning

A major part of the audit work is developing an audit program, along with audit preparation and planning. An audit program consists of the questions, checklists, procedures, and methods used to collect objective evidence during the audit. The audit industry refers to these questions and methods as audit protocols. You will need to develop protocols for the review of documentation and records, worker interviews, and on-site observations. The protocols are based on audit criteria that are derived from the policies, procedures, requirements, standards, and best practices that define how the work gets done in a legal, safe, efficient, effective, and trackable manner.

In the case of a self-audit, this gets back to knowing what you know and don’t know. The compliance officer or staff needs to collect, study, and understand all of the applicable criteria and transform that collection of criteria into questions, checklists, and audit methods. The more depth and breadth the questions have, the better, and they should draw out objective evidence rather than subjective responses. For instance, the question “Is safety taken seriously by the workforce?” should be changed into a series of specific questions about safety being built into procedures, safety training, training records, employees following safety procedures, observations about using safety equipment, locking out and tagging malfunctioning equipment until it is repaired, and other specific details. There are audit programs that can be purchased or checklists that can be gathered on the internet and adapted to meet the needs of a self-audit.

Conducting the Audit

An auditor who is working from a well-designed audit program, has a deep understanding of applicable standards and regulations, and is experienced in using good protocols for record review, interviews, and collecting observational evidence will be able to perform an audit with ease. During the audit, it is important to make detailed notes and take photos to include in the report. The notes can address the who, what, when, where, and why of a situation.


The audit report should present the audit findings in a manner that allows the readers to clearly understand the issues found. This is why taking good notes, and collecting photos, copies of documents or records, or other evidence is important. The reader should be able to understand and verify the issues by looking at the notes and the attached evidence.

Corrective Action

In most cases, an internal audit is performed to guide corrective actions. The issues that present the highest risk of harm or penalty with the highest chance of occurring should be addressed first, and the low-risk, low-occurrence items last. Corrective action should focus on process improvement first. Look for a future article on Process First.

Follow-up Audit

If a major issue was found, you will certainly want to follow up and ensure that the process was corrected, process documentation was updated, the appropriate staff was notified or trained as needed, the operation is now functioning as desired, and measures are in place to prevent a recurrence of the situation. If self-audits are conducted on a recurring schedule, the follow-up audit could wait until the next full audit. The other option is to perform an audit of just the corrected issues.

I can be contacted for questions or more information about audits, corrective action, or process improvement.