Compliance audits: How to conduct an internal audit before the authorities arrive

5.12.2025

Compliance audits, legal audits of companies, and internal audits are among the most effective tools for protecting businesses from fines, sanctions, and reputational damage. In this article, you will learn how to systematically check your company's compliance with legal regulations, when an audit is necessary, what risks are involved in neglecting it, and how ARROWS Law Firm can help you manage the entire process without stress and unnecessary costs.

Need advice on this topic? Contact the ARROWS law firm by e-mail at office@arws.cz or by phone at +420 245 007 740. Your question will be answered by "JUDr. Jakub Dohnal, Ph.D., LL.M.", an expert on the subject.

Why compliance audits are essential for every company

Imagine this situation: an audit from the tax office, labor inspectorate, or Office for Personal Data Protection arrives at your office. Are you prepared? Is all your documentation in order? Do you know that you are complying with all legal obligations?

A compliance audit is a structured check of a company's internal activities against external regulatory requirements and internal regulations. It is this check that allows you to identify weaknesses in the system before the state discovers them—and imposes a fine.

In 2024, the State Labor Inspection Office imposed fines totaling over CZK 253 million in the first half of the year alone. Since 2018, the Office for Personal Data Protection has imposed fines exceeding CZK 368 million for GDPR violations, including a record penalty of CZK 351 million for unauthorized processing of personal data. Financial institutions face fines of up to CZK 130 million for breaches of AML obligations.

ARROWS lawyers perform compliance audits for dozens of clients every year and are well aware that prevention is many times cheaper than dealing with the consequences of an audit. Do you need legal assistance? Contact us at office@arws.cz.

What are the stages of a compliance audit?

The stages of a compliance audit structure the process of ensuring a company's compliance with key requirements and standards. At each stage, conditions for effective verification are created and risk areas are identified.

1. Preparation and planning

At this stage, it is necessary to systematize internal documentation: AML policies, KYC, anti-corruption procedures, data protection guidelines, and internal acts. Identify the responsible persons—the compliance manager, legal department, and IT specialists. Conduct a preliminary self-assessment of the maturity of the compliance system.

2. Risk identification and analysis

The goal of identifying and analyzing compliance risks is to build a risk profile of the company based on the risks arising from its business activities. Risk analysis is the basis for creating a system of interconnected internal regulations, processes, and control mechanisms.

The compliance manager regularly performs risk analysis within the scope of their responsibilities and assesses whether adjustments to the measures taken are necessary.

3. Documentation review and analysis

This phase involves verification: documents are analyzed, interviews with employees are conducted, technical diagnostics of IT systems are performed, and monitoring procedures are tested. Special attention is paid to verifying compliance with internal regulations and corporate ethics.

4. Evaluation and corrective measures

The output of the audit is a report containing a description of the findings, identified risks, and recommendations on how to deal with these risks. This is followed by the implementation of corrective measures and the updating of internal regulations.

FAQ – Legal tips for conducting a compliance audit

1. How often should a compliance audit be conducted?

It is recommended to conduct a comprehensive audit at least once a year, as well as after significant changes in the organization or legislation. For fast-growing companies, it is advisable to introduce gradual scaling of the audit. Do you need to set up a regular audit cycle? Write to office@arws.cz.

2. Who is responsible for compliance in the company?

The ultimate responsibility always lies with the statutory body – the executive or board of directors. In practice, a specific person (Compliance Officer) or department is usually entrusted with this task. We can help you set up the right roles and responsibilities – contact us at office@arws.cz.

3. Why formal compliance is not enough

According to the decision of the High Court in Prague in the AGROTEC case, the mere formal existence of a compliance program is not sufficient and does not automatically lead to the conclusion that the legal entity has made "every effort that could reasonably be expected of it."


In order to reach a reliable conclusion about exoneration from criminal liability, it is necessary to examine the company's activities in detail and have an idea of its functioning, management, internal control, and ability to respond adequately to identified problems.

Indicators of dysfunctional compliance systems include, for example, insufficient staffing, insufficient powers of the compliance manager, blind implementation of the parent foreign company's system without adaptation to Czech conditions, or failure to draw conclusions from unlawful conduct.

A functional compliance program should include:

  • Interconnected internal regulations governing organizational structure and competencies
  • Checking the compliance of internal regulations with legal regulations and their regular updating
  • Internal compliance control systems and records of checks performed
  • Records of identified violations, consequences, and measures taken
  • Provision of confidential internal reporting of violations
  • Training of persons and verification of their knowledge

ARROWS lawyers specialize in creating truly functional compliance programs that will stand up to scrutiny by regulatory authorities and courts. For immediate assistance with your situation, please contact us at office@arws.cz.


Criminal liability of legal entities and exoneration

Act No. 418/2011 Coll. on the criminal liability of legal entities gives companies the opportunity to be exonerated from liability if they can prove that they have made every effort to prevent illegal conduct through an effective compliance program.

In practical terms, a company is liable for an employee's criminal offense either if management ordered or approved it, or if management failed to establish controls, training, and rules (compliance) that would have prevented such illegal conduct.

ISO 37301:2021 is an international standard for compliance management systems and allows for certification. An effectively functioning CMS can be taken into account by law enforcement authorities as an instrument of exoneration under the law on criminal liability of legal entities.

Risks and sanctions, and how ARROWS helps (office@arws.cz):

  • Risk: Criminal liability of the company for the actions of its employees. How ARROWS helps: preparation of a compliance program that meets the requirements for exoneration.
  • Risk: Personal liability of members of the statutory body. How ARROWS helps: legal consultation on due diligence and setting up control mechanisms.
  • Risk: Fines for AML violations of up to CZK 130 million. How ARROWS helps: comprehensive AML audit and preparation of internal policies.
  • Risk: GDPR sanctions of up to EUR 20 million. How ARROWS helps: audit of personal data processing, preparation of DPIA and documentation.
  • Risk: Reputational damage and loss of business partners. How ARROWS helps: implementation of a code of ethics and whistleblowing system.

What to focus on during an AML audit

Since 2021, the AML Act has increased the upper limit of fines for certain offenses, so that serious misconduct is punishable by a fine of up to CZK 10 million for obligated persons, and up to CZK 30 million for qualified offenses.

AML compliance checklist

The Financial Analytical Office (FAÚ) conducts 15 to 30 inspections directly at companies each year. If misconduct is found, it initiates administrative proceedings. A fine is only one type of administrative penalty – the FAÚ may impose corrective measures or, in the case of repeated violations, a ban on activities.

Key AML obligations:

  • Appointment and registration of an AML contact person
  • Conducting a complete audit of procedures and eliminating deficiencies
  • Investing in monitoring automation
  • Creating a culture of compliance through regular training

Violations are recorded in public registers, leading to reputational damage and the severing of relationships with banks and investors. In practice, there have been cases where delayed registration of an AML contact person has led to the blocking of all outgoing payments until the violation was remedied.

ARROWS Law Firm provides comprehensive AML compliance services, including the preparation of internal policies, employee training, and representation before the FAÚ. Please do not hesitate to contact our office – office@arws.cz.

Whistleblowing – an obligation that cannot be ignored

The Whistleblower Protection Act imposes an obligation to establish an internal reporting system on all employers with more than 50 employees, all public contractors with more than 25 employees, and municipalities with more than 10,000 inhabitants.

The system must allow for the submission of reports and ensure the confidentiality of the whistleblower's identity. The introduction of a reporting system is not just a formal obligation – it is about creating a mechanism for the early detection of problems within the organization.

Practical recommendations:

  • Develop a policy on the internal reporting system
  • Update records of processing activities
  • Conduct a data protection impact assessment (DPIA)
  • Train employees responsible for receiving and handling reports

ARROWS lawyers will prepare complete documentation for the whistleblowing system and ensure its proper implementation. Our lawyers are ready to help you – write to office@arws.cz.

FAQ – Legal tips on whistleblowing and AML

1. Does my company have to implement a whistleblowing system?

Yes, if you have more than 50 employees or fall within regulated sectors (financial services, AML obligated entities). The Whistleblower Protection Act sets strict requirements for the functioning of the system. Do you need help with implementation? Contact office@arws.cz.

2. What are the consequences of failing to comply with AML obligations?

Fines of up to CZK 130 million for financial institutions, account blocking, prohibition of activities, and entry in public registers of violators. Prevention is significantly cheaper than dealing with the consequences – write to us at office@arws.cz.

3. NIS2 and cybersecurity – new challenges from November 2025

The new cybersecurity law implementing the NIS2 directive will affect 6,000 to 10,000 entities in the Czech Republic. The law distinguishes between higher and lower obligations depending on how important the service provided by the entity is.

In the event of a breach of the rules, members of statutory bodies face personal liability for damages caused, liability to creditors for the company's debts, removal from office, and a ban on performing their duties for at least six months. Penalties can reach up to CZK 20 million for individuals. Companies face fines of up to CZK 250 million or two percent of their annual turnover.

Companies must undergo a self-identification process, register with NÚKIB, and implement security measures including asset and risk management, the establishment of security roles, the introduction of a security policy, training for employees and management, and regular incident reporting.

ARROWS Law Firm helps clients implement NIS2 requirements thanks to its experience from the international ARROWS International network. For more information, please contact us at office@arws.cz.


Internal guidelines – the basis of a functional compliance system

Most companies know they need internal guidelines, but often neglect their legal enforceability. Even though many companies have compliance documents, they may have problems with their legal validity if they were to appear in court.

For guidelines to be legally enforceable, they must meet several key requirements:

  • The guidelines must be clearly binding on all employees.
  • They must be issued by the company's statutory body.
  • They should be included in employment contracts or other relevant documents.
  • They must be updated in line with changes in legislation.
  • Employees must sign to confirm that they have read and understood the policy.

If internal policies are not legally valid, the organization will not be able to prove the existence of a valid regulation in the event of a compliance violation, which may jeopardize its defense against sanctions.

Risks and sanctions, and how ARROWS can help (office@arws.cz):

  • Risk: Invalid internal guidelines with no legal effect. How ARROWS can help: legal review and revision of guidelines to make them enforceable.
  • Risk: Lack of approval by the statutory body. How ARROWS can help: preparation of complete compliance documentation, including resolutions of bodies.
  • Risk: Employees are unaware of their obligations. How ARROWS can help: professional training with certification for management and employees.
  • Risk: Insufficient updates when legislation changes. How ARROWS can help: long-term compliance monitoring and regular reviews.

Due diligence and responsibility of the statutory body

A member of the statutory body is obliged to perform their duties with due diligence, i.e. with the necessary loyalty, knowledge, and care. The Business Corporations Act supplements the duty of due diligence with the rule of business judgment – business decisions must be based on sufficient information.

The senior management (statutory body) is responsible for the proper setup of the compliance management system – this responsibility cannot be delegated.

In the context of compliance, this means that the statutory body must:

  • Ensure that the company has a functional compliance program
  • Regularly evaluate its effectiveness
  • Respond to identified deficiencies
  • Ensure sufficient resources for compliance activities

Failure to comply with these obligations may result in personal liability for damage caused to the company or third parties. Our portfolio includes more than 150 joint-stock companies, 250 limited liability companies, and 50 municipalities and regions – we pride ourselves on the speed and high quality of our legal services. Contact us at office@arws.cz.

Practical steps for conducting a compliance audit

A compliance audit is not a one-time formality, but a comprehensive process necessary for every business. Here is a practical procedure:

Step 1: Define the scope of the audit. Determine which areas of compliance you will review – corporate, AML, GDPR, labor law, tax, or all of them at once.

Step 2: Assemble an audit team. The audit should be conducted by an independent team – ideally external lawyers who will bring an objective perspective and experience from other companies.

Step 3: Gather documentation. Prepare all relevant documents: contracts, internal regulations, minutes of meetings, work documentation, records.

Step 4: Perform an analysis. Compare the actual situation with legal requirements and identify gaps.

Step 5: Prepare a report with recommendations. The report should include identified deficiencies, their severity, and specific recommendations for remediation.

Step 6: Implement corrective measures. Appoint responsible persons and set deadlines for eliminating the identified shortcomings.

In practice, this issue is more complex than it seems at first glance. The individual steps have hidden exceptions, procedural details, and links to other regulations that are often overlooked by laypersons. The ARROWS law firm deals with this agenda on a daily basis, which significantly reduces the time required by the client and minimizes the risk of errors. ARROWS is insured for damages up to CZK 500,000,000 – it is therefore safer for the client to have the matter professionally handled.

FAQ – Legal tips for conducting an audit

1. Can I do a compliance audit myself?

Theoretically, yes, but in practice, we do not recommend it. Internal audits often overlook systemic deficiencies that are obvious to an external expert. In addition, in the event of an inspection, an audit performed by an independent party carries more weight. Would you like an independent opinion? Write to office@arws.cz.

2. How much does a compliance audit cost?

The price depends on the scope and complexity of the business. However, the investment in an audit is a fraction of the potential fines and damages. For a specific offer, please contact us at office@arws.cz.

3. Inspections by state authorities – what to prepare for

In 2024, the State Labor Inspection Office conducted over 10,000 inspections and imposed fines totaling nearly CZK 254 million in the first half of the year alone. The most common violations include non-payment of wages, failure to keep records of hours worked, and non-compliance with occupational health and safety requirements.

The tax office may carry out inspections within a three-year limitation period for determining tax. The inspection is initiated by the delivery of a notice in which the tax administrator specifies what tax and for what period it is inspecting. In the event of discrepancies, the entity is retroactively assessed tax and related penalties – a 20% penalty on the additional amount assessed and interest on late payment.

What can lead to the initiation of an audit:

  • Long-term loss (suspicion of income concealment)
  • High deductions or VAT refund claims
  • Discrepancies in the control report
  • Complaints from employees or competitors
  • Random checks in high-risk sectors

We regularly partner with corporate lawyers to resolve special issues, including representation in audits and administrative proceedings. For immediate resolution of your situation, please write to us at office@arws.cz.

Overview of the main risks and how to prevent them

Risks and penalties, and how ARROWS can help (office@arws.cz):

  • Risk: SÚIP inspection – fines for violations of labor law can reach tens of millions of CZK. How ARROWS can help: audit of labor law documentation, preparation of internal OHS guidelines – do you need an audit?
  • Risk: Tax inspection – 20% penalty + interest on late payment. How ARROWS can help: legal consultation on tax risks, representation in tax proceedings.
  • Risk: NIS2 violations – fines of up to CZK 250 million. How ARROWS can help: implementation of security measures, registration with NÚKIB, management training.
  • Risk: Failure to comply with whistleblowing obligations. How ARROWS can help: introduction of an internal reporting system, preparation of complete documentation.
  • Risk: Violation of corporate obligations – invalidity of actions. How ARROWS can help: corporate audit, updating of articles of association and contracts, entries in registers.

International dimension of compliance

For companies with an international reach, compliance is even more complex. It is necessary to take into account not only Czech regulations, but also European regulations (GDPR, NIS2, AML directives) and, where applicable, the legislation of other countries where the company operates.

In international companies, it is becoming mandatory to conduct audits in the area of AML requirements and to verify business partners in terms of sanction risks. Screening of sanction lists should be carried out on a monthly basis.

The ARROWS law firm provides legal services outside the Czech Republic thanks to the ARROWS International network, which has been built up over ten years, and deals with cases with an international element on a daily basis. If you are looking for financing or a business partner for a purchase or sale in this area, we will be happy to connect you with suitable contacts from our portfolio. Contact us at office@arws.cz.

ISO 37301 certification – above standard for the demanding

ISO 37301:2021 is an international standard specifying requirements for compliance management systems. Unlike the previous ISO 19600:2014 standard, which only contained recommendations, ISO 37301 allows for certification.

Advantages of ISO 37301 certification:

  • Proof to third parties that the CMS has been independently assessed for compliance
  • Development of a positive culture of compliance
  • Effective management of unexpected events
  • Protection of the company's reputation
  • Improvement of business opportunities
  • Increased trust of customers and partners

Compliance certification provides organizations with the opportunity to prove in court proceedings that they have exercised all due care that can be required of them. This is particularly important in the context of criminal liability of legal entities.


Why entrust compliance audits to experts

Conducting a legal audit is very meticulous work requiring detailed knowledge of many areas of law. The length of the entire process depends on the size of the company. The output is a due diligence report summarizing the overall state of the company or focusing only on issues discovered during the audit.

"Yesterday was too late" – every owner or executive should assess as soon as possible whether their company has sufficient internal safeguards against illegal conduct. If not, it is appropriate to implement a compliance program or revise existing internal regulations.

The consequences and risks of a company being charged or convicted are serious and can threaten its existence. During the proceedings, the court may impose preventive measures, such as a ban on the disposal of certain items or the seizure of funds, which may immediately threaten the company's cash flow and operations.

FAQ – Frequently asked legal questions about compliance audits

1. Is a compliance audit required by law?

For some entities, yes – for example, financial institutions, AML-regulated entities, or entities regulated by the Czech National Bank have a legal obligation to perform regular internal audits and compliance checks. For other companies, the audit is voluntary but strongly recommended as a risk prevention measure. If you are facing a similar problem, please contact us at office@arws.cz.

2. How long does a compliance audit take?

It depends on the size of the company and the scope of the audit. For medium-sized companies, a comprehensive audit usually takes 4-8 weeks, while for large corporations it can take months. Partial audits focused on a specific area (e.g., GDPR or AML) can be performed more quickly. To estimate the time required in your case, contact us at office@arws.cz.

3. What to do if the audit reveals serious deficiencies?

Take corrective action immediately. If sanctions are imminent for the current situation, consider voluntarily notifying the regulator—in some cases, this may lead to a reduction in the fine. Do not conceal deficiencies or try to cover them up. Need advice on how to proceed? Write to office@arws.cz.

4. Can a good compliance program reduce the potential fine?

Yes. The introduction of a new effective compliance program (no later than before the first-instance decision is issued) may be taken into account by the Office for the Protection of Competition as a mitigating circumstance when determining the amount of the fine, reducing the basic amount of the fine by up to 5%. Other regulators take a similar approach. For more information, please contact us at office@arws.cz.

5. What is the difference between an internal and external compliance audit?

An internal audit is performed by company employees (compliance department, internal auditor), while an external audit is performed by an independent third party (law firm, auditing firm). An external audit has greater evidential value and provides an objective view, while an internal audit is suitable for ongoing monitoring. A combination of both approaches is optimal. If you are dealing with the setup of audit processes, please contact us at office@arws.cz.

6. Does the compliance audit also apply to suppliers and business partners?

Yes, especially in the areas of AML (due diligence of business partners), cybersecurity (supply chains according to NIS2), and ESG compliance. Inadequate supplier control can transfer risks to your company. We can help you set up partner verification processes – contact office@arws.cz.

Conclusion – prevention is cheaper than cure

A compliance audit is not unnecessary bureaucracy, but an effective tool for protecting your business. In an environment where fines reach hundreds of millions of crowns and the personal liability of statutory bodies is becoming increasingly strict, no company can afford to rely on "it will somehow blow over."

If you don't want to risk mistakes, damages, or fines, you can safely leave the whole thing to the ARROWS law firm. We have experience with more than 150 joint-stock companies and 250 limited liability companies in our portfolio. We are insured for damages up to CZK 500,000,000 and pride ourselves on the speed and high quality of our services.

We offer:

  • Comprehensive, tailor-made compliance audits
  • Preparation and revision of internal guidelines and compliance documentation
  • Training for management and employees, including certification
  • Representation during inspections and administrative proceedings
  • Long-term compliance monitoring
  • Obtaining licenses and permits, including changes thereto

Do not hesitate to contact our office and ensure that your company is in compliance with the law. Just write to office@arws.cz – we will be happy to help you.

Don't want to deal with this problem yourself? More than 2,000 clients trust ARROWS Law Firm, and we have been awarded Law Firm of the Year 2024. Take a look at our references, and we will be honored to help you solve your problem. The inquiry is free of charge.
