Compliance audit in medium-sized companies: Checklist 2026 for management and representatives
This 2026 checklist shows medium-sized companies step by step which 14 subject areas a compliance audit covers, which documents must be available and how the platform documentation reduces the effort.
In 2026, a compliance audit will no longer be optional, but rather mandatory in every medium-sized company with 50 or more employees and in every company that works in regulated supply chains. The pressure comes from several directions at the same time: the NIS 2 Implementation Act, the Supply Chain Due Diligence Act, the GDPR with an annual review period in accordance with Article 24 (1) GDPR, the EU Whistleblower Directive in the German HinSchG implementation and the EU AI Act, the first obligations of which have taken effect since August 2026. Anyone who enters the 2026 financial year without an audit plan risks violating supervisory obligations in accordance with Section 130 OWiG with a fine limit of up to one million euros and, in the event of damage, personal liability for management.
This article presents a complete checklist for the internal compliance audit of a medium-sized company. It describes the 14 subject areas that are covered in a typical exam, lists the mandatory documents for each field, explains the timing from preparation to the final report and shows how platform-based documentation reduces the effort by 40 to 60 percent compared to an Excel and Word collection. You will receive concrete templates from the 490 ready-to-use audit templates, a schedule for a two-stage audit over 12 weeks and a comparison between internal self-audit and external audit by an accounting firm. The checklist is industry-neutral and applicable to companies with between 50 and 1,500 employees.
Key Takeaways
- A complete compliance audit for medium-sized companies covers 14 subject areas, from data protection to NIS-2 and whistleblower protection to money laundering prevention and occupational safety, and typically requires 12 weeks of preparation plus two weeks of implementation.
- The documentation requirement for each subject area is clearly defined; A platform solution with versioned audit templates reduces the preparation effort by 40 to 60 percent compared to Excel and Word collections.
- According to Section 130 OWiG, the management is personally liable for a failed or inadequate audit; A documented audit report with a specific list of measures is the central evidence of exoneration in the event of an investigation.
Why 2026 is a key year for compliance audits in medium-sized companies
In 2026, several regulatory waves will coincide, each of which would justify an audit. The NIS-2 Implementation Act covers around 29,500 companies in Germany and requires management to provide evidence of specific risk management measures in accordance with Section 30 NIS-2-UmsuCG. Anyone who does not document these measures risks fines of up to 10 million euros or 2 percent of global group sales for essential facilities. At the same time, since January 1, 2024, the Supply Chain Due Diligence Act has required companies with 1,000 or more employees to submit an annual report to BAFA with a documented risk analysis along the supply chain. The EU supply chain directive CSDDD will gradually extend this obligation from 2027 to companies with 500 employees or more and a turnover of 150 million euros.
In addition, there will be the transition to ISO/IEC 27001:2022, the transition period of which ends in October 2026. Anyone who has not converted to the new standard by then will lose their certification and must expect the loss of procurement rights in customer tenders. The EU AI Act, whose first obligations have been effective since August 2026, requires companies with high-risk AI systems to have a risk management system in accordance with Article 9 of the AI Act and data quality documentation in accordance with Article 10 of the AI Act. The GDPR also remains an audit driver with its annual review obligation according to Art. 24 Para. 1 GDPR.
This situation results in a clear list of obligations for 2026: Every medium-sized company with 50 or more employees should carry out an integrated compliance audit that checks the above-mentioned fields together and bundles them in a final report to the management. CIVAC as an external compliance officer or as a platform licence for the internal officer is supported with 490 ready-to-use templates that cover exactly these 14 subject areas.
The 14 subject areas of a compliance audit checklist 2026
A complete compliance audit in medium-sized companies covers 14 subject areas that are derived from the applicable laws, norms and industry standards. Firstly, data protection in accordance with the GDPR and BDSG with a list of processing activities in accordance with Article 30 of the GDPR, order processing contracts in accordance with Article 28 of the GDPR, technical-organisational measures in accordance with Article 32 of the GDPR and a documented reporting line to the data protection officer. Secondly, information security according to NIS-2 and ISO/IEC 27001:2022 with risk analysis, incident response plan and 24 and 72 hour reporting paths to the BSI. Thirdly, whistleblower protection according to the HinSchG with a documented internal reporting office, confidential input channels and deadline management of seven days for confirmation of receipt and three months for the content feedback to the whistleblowers.
Fourthly, money laundering prevention according to the AMLA, provided the company is an obligated party according to Section 2 AMLA, with documented risk analysis, know-your-customer processes, ongoing customer monitoring and suspicious activity reports to the FIU. Fifthly, the supply chain due diligence obligation according to LkSG with risk analysis, preventative measures, a complaint procedure according to Section 8 LkSG and an annual report to BAFA. Sixth, occupational safety in accordance with ArbSchG and DGUV with risk assessment, appointed safety specialist, safety officer in every department and complete proof of training. Seventh, fire protection with fire protection regulations parts A, B and C, a fire protection officer for certain building sizes and annual evacuation exercises. Eighthly, the hazardous substances area according to GefStoffV with safety data sheets for all substances used, a current list of hazardous substances and documented substitution tests for particularly dangerous substances.
Ninthly, environmental protection with a waste register according to KrWG, immission control permits according to BImSchG and water rights obligations according to WHG, depending on the activity profile. Tenth, the quality management obligations according to ISO 9001, if certified, with documented processes, corrective actions and management review. Eleventh, equality according to AGG with a named complaint office, proof of training and documentation of incidents dealt with. Twelfth, occupational medicine with the appointment of a company doctor according to ASiG and preventive examinations according to ArbMedVV. Thirteenth, the ESG and sustainability obligations under CSRD, if reportable, with dual materiality analysis. Fourteenth, AI compliance according to the EU AI Act with classification of the systems used according to risk levels and documentation of high-risk applications according to Articles 9 and 10 AI Act. CIVAC bundles these 14 fields in a role overview with an assigned appointment certificate, signed, filed, verifiable.
Preparation: schedule, responsibilities, data collection
The preparation of an internal compliance audit typically takes eight to twelve weeks in a medium-sized company with 50 to 500 employees. It begins with a kickoff meeting with management in which the scope of the audit is determined, usually all 14 subject areas or a justified selection. In the first week, those responsible for each subject area are named, i.e. the data protection officer for data protection, the information security officer for NIS-2, the security specialist for occupational safety and so on. A data package is requested for each topic area that covers the current status of documentation, training and measures carried out.
Structured data collection takes place in weeks two to four. Each person responsible provides a complete topic dossier that contains at least the following components: current list in accordance with legal requirements (e.g. VVT, list of hazardous substances, whistleblower receipt register), current appointment certificates with dates, documented proof of training from the last year, risk analysis with the date of the last update, documented incidents and measures as well as audit trails of relevant systems. This phase shows whether the documentation has been maintained or whether it needs to be created subsequently.
In weeks five to eight, the subject dossiers are subject to a technical review by the compliance officer or an external auditor. The test follows a standardised checklist for each subject area with a target/actual comparison. Deviations are documented as findings and categorised according to severity: critical (violation of the law with risk of sanctions), material (breach of duty without immediate risk of sanctions) and observable (potential for improvement). In weeks nine to twelve, the final report is prepared, which records the findings, the recommended measures, those responsible and deadlines for each subject area. The report is formally presented to the management at a meeting and recorded.
Mandatory documents per subject area: what must be available
There is a defined catalogue of mandatory documents for each subject area, which is checked as a minimum standard in the audit. When it comes to data protection, these are the list of processing activities in accordance with Art. 30 GDPR with all processing operations per specialist department, the TOM documentation in accordance with Art. 32 GDPR with specific measures for each processing, the order processing contracts with all service providers in accordance with Art. 28 GDPR including third country guarantees in accordance with Art. 46 GDPR, the data breach register with reports to the supervisory authority within 72 hours of becoming aware of it, the concept for exercising the Betroffenenrechte nach Art. 15 bis 22 GDPR mit Fristenkalender, die jährlich aktualisierte Datenschutzfolgenabschätzung für risikoreiche Verarbeitungen nach Art. 35 GDPR sowie die Bestellurkunde des Datenschutzbeauftragten nach § 38 BDSG. Without these seven documents, the data protection audit is incomplete.
For NIS-2 and ISO/IEC 27001:2022, the mandatory documents are the ISMS documentation with scope, risk assessment and risk treatment plan, the asset register with classification according to confidentiality, integrity and availability, the incident response plan with the reporting paths for 24-hour early warning and 72-hour follow-up report to the BSI, the authorisation concept with a documented access and role system and automatic reactivation when changing jobs, the training certificates for all employees with access to sensitive data and the proof of annual penetration tests as well as the awareness measures with phishing simulations. In addition, there are the 93 controls of ISO/IEC 27001:2022, which must be documented in the SoA (Statement of Applicability) with justification for excluded controls.
For whistleblower protection, the mandatory documents are the procedural description of the internal reporting office, the confidential input channel with documented access rights to only authorised persons, the appointment certificate of the impartial person, the incoming register with anonymized status, deadline monitoring for 7-day confirmation of receipt and 3-month feedback as well as the annual training certificates of the reporting office representatives. There are analogous mandatory document lists for the other eleven subject areas, which are displayed as versioned templates in the CIVAC workspace. The auditor calls, the evidence is ready. Licence the workspace for your internal representatives, or have our representatives order it.
Carrying out the audit: interviews, samples, findings
The actual audit takes place in a medium-sized company over two weeks and combines three methods that validate each other. Firstly, structured interviews with those responsible for each subject area, in which the functionality of the compliance system is queried. A data protection interview typically lasts 60 to 90 minutes and covers the topics of processing records, data subject inquiries, data breaches, order processing and employee training. An NIS-2 interview examines the risk analysis, incident response plan, 24-hour early warning and annual effectiveness assessment of the ISMS. The interviews are recorded and countersigned by the interviewee so that the audit report serves as reliable evidence in a later supervisory procedure.
Secondly, sample checks of individual processes that specifically test the system. In the case of data protection, for example, a randomly selected processing activity is checked to see whether the VVT entry, the associated AV contract, the TOM documentation and the training certificates are complete. With NIS-2, a sample is taken from the authorisation concept to determine whether the documented authorizations match the real system access. In the case of whistleblower protection, a sample from the incoming register is checked to see whether the 7-day and 3-month deadlines have been met. The deadline begins as soon as we become aware of it. Random samples regularly uncovered gaps in CIVAC practice in medium-sized businesses that were not visible in the topic dossiers, such as ex-employee accounts that had not been deleted or outdated AV contracts with subcontractors.
Third, technical tests, if relevant. For NIS-2 and ISO/IEC 27001:2022 these are penetration tests, vulnerability scans and configuration checks of the central systems. When it comes to data protection, cookie banner tests, tracking audits and authorisation analyses can be relevant. The results of the three methods are consolidated in a structured finding catalogue, which records the severity, legal basis, recommended action, person responsible and deadline for each finding. Audit-proof, documented, § 130-OWiG-proof is the shorthand for the Findings Catalog, which is the central proof of exoneration for management if necessary.
Final report: structure, addressees, action plan
The final report of the compliance audit is the central result of the audit and is handed over to the management at a formal meeting. The report is typically 30 to 60 pages long and consists of seven building blocks that every supervisory authority and every auditor expects as a minimum standard. Firstly, a management summary of two to three pages, which presents the overall level of compliance maturity for each subject area in a traffic light assessment and prioritises the five most important findings. Secondly, a description of the audit scope, the methodology and the sample parameters so that the report can be reproduced in a later external audit or supervisory procedure and the depth of the audit can be understood.
Thirdly, a detailed findings section for each subject area with a target/actual comparison, the status of the documentation and the specific findings according to severity with the respective legal basis. Fourthly, a consolidated action plan that records the person responsible, the deadline and the estimated costs for each finding. The action plan is the working document that is processed in the following year and serves as proof of implementation in the follow-up audit. Fifthly, a comparison with the previous year's audit, if available, which makes the improvements, the completed measures and the open issues visible and thus enables trend statements over several audit cycles.
Sixthly, a list of the documents and interviews viewed, which serves as evidence of the scope of the audit and supports the evidentiary value of the report in a later procedure. Seventh, the appendix with the original findings, the interview protocols, the sample lists and the screenshots of the systems tested. Der Bericht wird formell von der Geschäftsleitung gegengezeichnet und protokolliert, damit die Aufsichtspflicht nach § 130 OWiG belegt ist. Others run compliance like a filing cabinet. We run it like software. The CIVAC workspace generates the final report from the stored data and reduces report creation from typically two weeks to two days. The interface to the external data protection officer is integrated into the workflow.
Internal vs. external audit: costs, significance, obligation
Die Wahl zwischen internem und externem Compliance-Audit hängt von der Unternehmensgröße, der Branche und den regulatorischen Pflichten ab. An internal audit, carried out by a compliance officer or a small audit group, typically costs 8,000 to 25,000 euros in internal effort in medium-sized companies, spread over 12 weeks. It is the central self-assessment mechanism for management and satisfies the legal obligation for annual verification according to GDPR, NIS-2 and LkSG. An internal audit is sufficient for most medium-sized companies with 50 to 500 employees.
An external audit by an auditing firm or a specialised compliance provider costs between 35,000 and 120,000 euros, depending on the scope and depth. It is mandatory for ISO/IEC 27001:2022 certification (by an accredited certification body), for listed companies with CSRD obligations, for companies with particular suspicion of compliance violations and for companies bidding in regulated procurement procedures. The significance of an external audit is higher because the independence of the audit is formally guaranteed. In the case of a CIVAC mandate as an external compliance officer, the separation between mandate and audit is formally maintained by having an officer other than the one carrying out the appointment carry out the audit.
A sensible combination is an internal audit every year, supplemented by an external audit every two or three years as a validation of the internal system. This combination is the market standard in upper medium-sized businesses and offers a good ratio between costs, meaningfulness and security. The CIVAC workspace provides the database for both types of audits, so that the external audit can be carried out much faster and cheaper because the mandatory documents are already structured and versioned.
Common mistakes in medium-sized compliance audits
In audit practice in medium-sized companies, seven errors occur particularly frequently, which devalue the audit or make it unsuitable as evidence of exoneration in the supervisory procedure. Firstly, an audit scope that is too narrow and leaves out individual subject areas, such as NIS-2 or whistleblower protection, because those responsible are not sufficiently named. In the supervisory process, an incomplete scope is an indication that management has not systematically recorded the mandatory fields and weakens the protective effect of the entire report. Secondly, there are missing appointment documents with a date, for example if the data protection officer is active but there is no formal appointment document or it is out of date. In the audit, the appointment certificate is the central document for the fulfilment of obligations and must be up-to-date, signed and with a clear area of responsibility.
Thirdly, outdated training certificates that are formally available but are older than a year. Data protection and NIS-2 require annual training, other subject areas such as whistleblower protection and occupational safety have their own training intervals, sometimes with shorter deadlines. Fourthly, incomplete processing records in which individual processing operations are missing, such as employee monitoring, AI-supported tools, marketing databases or applicant management systems. The supervisory authority regularly checks the VVT first because it is the basis for all further data protection checks and gaps in the VVT indicate systemic deficits.
Fifth, missing order processing contracts with service providers, especially with US cloud providers, whose third country reference requires additional guarantees in accordance with Art. 46 GDPR and must contain the standard contractual clauses in the current version. Sixth, an untested incident response plan that is documented but never rehearsed in a tabletop exercise. In an emergency, an untested plan regularly fails, which the supervisory authorities take into account as an aggravating factor in the fine procedure. Seventh, a final report without an action plan, which lists findings but does not name those responsible or deadlines. Such a report is almost worthless in the Section 130 OWiG procedure. CIVAC prevents all seven errors through standardised templates, automatic deadline monitoring and versioned audit reports.
Turn reading into an assignment
In 2026, a compliance audit in medium-sized companies will no longer be an optional exercise, but rather mandatory in practically all companies with 50 or more employees and operating in regulated supply chains. The 14 subject areas that are covered in a complete audit can be prepared in a structured manner in 12 weeks, carried out in two weeks and documented in a 30 to 60-page final report. Anyone who incorporates this discipline into the annual cycle significantly reduces the risk of personal liability for management in accordance with Section 130 OWiG and creates a database that serves as reliable evidence of exoneration if a supervisory audit is necessary. The following years benefit from the structure that has been set up because the audit then only needs to be updated and no longer needs to be set up.
CIVAC is a German compliance platform and officer-as-a-service. We provide two models for the internal compliance audit. In the platform model, you licence the workspace, keep your internal compliance officer and use 490 ready-to-use audit templates that cover exactly the 14 subject areas of this checklist, with EU data residency and 93 controls according to ISO/IEC 27001:2022. In the service model, CIVAC also appoints an external compliance officer with an appointment certificate within two working days instead of the industry-standard two to six weeks. Licence the workspace for your internal representatives, or have our representatives appointed.
If you are planning a structured compliance audit for 2026, request our audit preparation checklist. We will provide you with the 14 topic area templates, a 12-week schedule and an initial discussion to define the scope within 48 hours. Send a short inquiry to info@civac.de or using the contact form on civac.de with the keyword Compliance Audit 2026. We will respond within one working day with a specific suggestion. Turn reading into an assignment.
FAQ
How long does a compliance audit take in medium-sized companies?
An internal compliance audit in a medium-sized company with 50 to 500 employees typically takes 12 weeks of preparation plus two weeks of implementation, followed by two weeks of reporting. In total, you expect 16 weeks from the kickoff to the formal handover of the final report to the management. An external audit by an accounting firm usually takes four to eight weeks, but builds on internal preparation.
What fines threaten without a documented audit?
Without a documented audit, the management is personally liable according to Section 130 OWiG with a fine limit of up to 1 million euros, significantly higher in connection with sector fines. NIS-2 allows 10 million euros or 2 percent of group turnover for essential facilities, the GDPR up to 20 million euros or 4 percent of group turnover, the LkSG up to 8 million euros. A documented audit report is the central proof of management's responsibility in the supervisory process.
Is an internal audit sufficient or does an external auditor have to be hired?
For most medium-sized companies with 50 to 500 employees, an annual internal audit carried out by the compliance officer is sufficient. An external audit is mandatory for ISO/IEC 27001:2022 certification, CSRD reporting and some regulated procurement procedures. A sensible combination is an internal audit every year and an external audit every two or three years to validate the internal system.
What templates does CIVAC provide for the 2026 compliance audit?
CIVAC delivers 37 ready-to-use audit templates that cover the 14 subject areas of data protection, NIS-2, whistleblower protection, money laundering prevention, LkSG, occupational safety, fire protection, hazardous substances, environmental protection, quality management, equality, occupational medicine, ESG and the EU AI Act. Each template contains the mandatory document catalogue, an interview script, a sample checklist and a findings template with severity logic. The templates are versioned and audit-proof stored in an EU data residence workspace with 93 controls according to ISO/IEC 27001:2022.
How much does a compliance audit cost in medium-sized businesses?
An internal audit typically requires 8,000 to 25,000 euros of internal effort, spread over 12 weeks. An external audit by an auditing company costs 35,000 to 120,000 euros, depending on the scope. The CIVAC workspace reduces preparation by 40 to 60 percent compared to Excel and Word collections because the mandatory documents are structured and versioned, which also significantly reduces external audit costs.
How does CIVAC support the preparation and implementation of audits?
CIVAC offers two models. In the platform model, you licence the workspace and use 37 audit templates with 93 controls according to ISO/IEC 27001:2022 and EU data residency. In the service model, we also appoint an external compliance officer within two working days to prepare and carry out the audit. Both models include the final report, the action plan and the follow-up of the findings in the following year.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.