Compliance Audit Checklist
About this compliance audit
A compliance audit checklist gives operations teams a consistent way to verify standards, capture evidence, and escalate risk — without relying on memory or local workarounds. When audits are done well, they don’t just find issues. They reduce guesswork by showing what’s happening on the ground, where controls break down, and what needs to change next.
Use this compliance audit checklist for routine site visits, follow-ups, and readiness checks. It includes preparation checks, in-process checks, clear escalation criteria, and close-out actions so findings turn into owned, time-bound improvements.
What this compliance audit checklist covers
- Audit details and scope so results are comparable across sites
- Preparation checks (policies, access, sampling, safety brief)
- In-process checks that test reality, not just paperwork
- Escalation criteria for safety, regulatory, data, and repeat-failure risks
- Close-out actions with owners, due dates, follow-up, and sign-off
How to use it on a site visit
Start with scope. Be specific about what you’re auditing and how you’ll sample evidence. If the scope is unclear, you’ll end up with a long list of ‘nice to check’ items and miss what matters.
Walk the site before you dive into records. A quick walkthrough surfaces immediate risks and helps you ask better questions when you review logs and documents.
Check controls in practice. A record can look perfect while the real process is broken. Use the checklist to observe, ask short knowledge-check questions, and confirm that controls actually work when it’s busy.
Escalate early. If you see an immediate safety risk, suspected falsification, or a potential regulatory or data breach, don’t wait until the end of the audit. Capture factual notes and escalate to the right owner straight away.
What good looks like (and what to challenge)
Most compliance failures aren’t caused by a lack of policy. They happen because people are forced to guess: which version is current, where the SOP lives, what ‘good’ looks like, or who owns the fix. Use this checklist to challenge those unknowns.
- Good looks like: clear standards at the point of use, complete records, and controls that hold up under pressure.
- Challenge: missing or back-filled logs, unclear ownership, and repeat failures from previous audits.
Turn findings into actions, not paperwork
An audit only improves performance when every non-conformance becomes an action with an owner and a due date. Close out on-site with a short summary: what’s working, what must change, and what happens next. That’s how you stop guessing and start knowing.
Want to run audits without chasing updates? Ocasta replaces ad-hoc notes and spreadsheets with structured checklists, clear actions, and real-time visibility across every location.
Disclaimer: This checklist is for general guidance only and does not constitute legal, regulatory, health and safety, or professional advice. You are responsible for ensuring compliance with applicable laws, standards, and internal policies.
Included questions
Here's what's included in this compliance audit:
Audit details and scope (8)
Capture the basics so the audit is consistent and comparable across sites — and so nothing gets missed when it’s busy.
- Audit date and time (Text)
  Use local time. If the audit spans multiple periods, note the start time here and add detail in notes.
- Site name (Text)
  Use the official site name as it appears in internal systems.
- Site ID or store number (Text)
  Optional if your organisation uses it.
- Auditor (Person)
  Who is completing this audit?
- Site point of contact (Person)
  Who is responsible for supporting the audit on the day?
- Audit type (Dropdown)
  Pick the closest match so reporting stays clean.
- Audit scope (Dropdown)
  Choose the main area this audit covers. If multiple apply, select the highest-risk scope and capture the rest in notes.
- Scope notes (Text)
  Add any exclusions, special focus areas, or known risks for this site.
Preparation checks (8)
Make sure you have the right information, access, and evidence requirements agreed before you start.
- The latest policies and standards are available and in-date (Yes/No)
  Check you’re using the current version (not a locally saved copy).
- The last audit and open actions have been reviewed before starting (Yes/No)
  You should know what was previously missed and what is still outstanding.
- Number of open actions from the last audit (Number)
  If unknown, pause and confirm before proceeding.
- Access has been confirmed for all relevant areas and systems (Yes/No)
  Include locked areas, plant rooms, back office, and any required logins.
- Evidence capture method is agreed (Yes/No)
  For example: photos, document references, screenshots, log extracts, or signed records. Avoid collecting sensitive personal data unless required.
- Sampling approach (Dropdown)
  Choose how you’ll sample records or checks so results are repeatable.
- Site safety brief completed (Yes/No)
  Include local hazards, evacuation routes, and any PPE requirements.
- Who needs to be present during the audit (Text)
  List roles (for example: duty manager, H&S rep, data protection lead).
In-process checks (14)
Run the audit in a consistent order: observe reality, check records, test understanding, and capture evidence.
- A site walkthrough has been completed (Yes/No)
  Start with public areas, then back-of-house. Note anything that could create immediate risk.
- Required notices and certificates are displayed where needed (Yes/No)
  For example: licences, safety signage, first aid information, privacy notices (as applicable).
- Training and competency records have been checked for the sampled roles (Yes/No)
  Confirm completion, recency, and role relevance — not just that a record exists.
- Training sample size checked (Number)
  How many people/records did you sample?
- Critical SOPs are available at the point of use (Yes/No)
  If people have to ‘remember it’ or hunt for it, it’s a risk.
- Compliance records are complete, legible, and signed where required (Yes/No)
  Look for gaps, back-filling, missing initials, or unclear dates/times.
- Record retention meets your policy (Yes/No)
  Confirm the site can produce records for the required period.
- Controls work in practice (not just on paper) (Yes/No)
  Example: people follow the process, checks are actually done, and exceptions are handled properly.
- Staff understanding of key compliance steps (Vibe)
  Based on quick, respectful questions: do people know what to do and why?
- Incidents, near misses, or exceptions are logged and reviewed (Yes/No)
  Check that follow-ups happened, not just that something was recorded.
- Personal data is handled appropriately (if applicable) (Yes/No)
  Check access, storage, disposal, and whether sensitive data is collected only when needed.
- Required equipment checks are completed and in-date (Yes/No)
  For example: fire safety equipment, emergency lighting, temperature checks, vehicle checks (as applicable).
- Number of non-conformances identified (Number)
  Count items that do not meet the standard, even if they are quickly fixed.
- Key observations and evidence notes (Text)
  Write what you saw, where, and what evidence supports it. Keep it factual.
Escalation criteria (7)
Know when to stop, escalate, and protect people and the business. If in doubt, escalate.
- Is there an immediate risk to safety or welfare? (Yes/No)
  If yes: stop the activity if safe to do so, notify the duty manager, and escalate immediately.
- Is there a suspected regulatory breach that could trigger enforcement action? (Yes/No)
  If yes: escalate to the compliance lead and record what you observed and why it indicates a breach.
- Is there a suspected data breach or inappropriate access to personal data? (Yes/No)
  If yes: escalate to your data protection contact immediately and preserve evidence. Do not copy or share personal data.
- Has a previously raised critical issue reoccurred? (Yes/No)
  If yes: escalate as a repeat failure and capture why the previous action did not stick.
- Do you suspect records have been falsified or back-filled? (Yes/No)
  If yes: escalate to the appropriate lead (operations/compliance/HR) and document the indicators.
- Escalation outcome (Dropdown)
  Record what happened so there’s a clear audit trail.
- Escalation notes (Text)
  Include who you contacted, when, and what immediate controls were put in place.
Close-out actions and sign-off (9)
Turn findings into actions with owners and deadlines — then confirm understanding before you leave.
- Actions have been created for every non-conformance (Yes/No)
  No ‘verbal actions’. Every issue needs an owner and a due date.
- Each action has a named owner (Yes/No)
  If ownership is unclear, the action will drift.
- Each action has a due date based on risk (Yes/No)
  Use shorter due dates for higher-risk issues.
- Due in how many days for critical actions (Number)
  Enter the shortest due date applied to any critical action.
- A clear summary has been shared with the site (Yes/No)
  Cover what’s working, what must change, and what happens next.
- Follow-up plan (Dropdown)
  Choose the next step based on the level of risk.
- Site representative sign-off (Signature)
  Confirms the findings and actions have been reviewed (not that the site agrees with every point).
- Auditor sign-off (Signature)
  Confirms the audit was completed and evidence captured appropriately.
- Final notes (Text)
  Anything that would help the next auditor or the ops team act faster.