
March 31, 2026 39 min read

Compliance audit: Definition, types, and what to expect


Ariba Iqbal & Christina Ramos

Key Takeaway: A compliance audit is an independent review of an organization's adherence to internal policies, industry standards, and external regulations, ending in a formal report, opinion, or certification. In 2026, practitioners face a wave of new mandates including the IIA's 2024 Global Internal Audit Standards, PCI DSS v4.0.1, DORA, and U.K. Corporate Governance Code Provision 29. Treat findings as remediation input, not as pass/fail verdicts.

Compliance audits now sit at the center of a denser regulatory stack than they did even two years ago. The IIA's 2024 Global Internal Audit Standards became effective January 9, 2025, PCI DSS v3.2.1 has retired in favor of v4.0.1, and DORA technical standards have applied since January 17, 2025. This guide breaks down what a compliance audit is, the types you may face, and how to navigate one successfully.

What is a compliance audit?

A compliance audit is a formal evaluation of an organization's adherence to internal policies, industry standards, and external regulatory requirements. During a compliance audit, an independent auditor reviews documentation, interviews employees, and tests controls to verify adherence across domains such as cybersecurity, data privacy, financial reporting, healthcare, environmental, and workplace health and safety. The audit concludes with a formal report, opinion, or certification.

Most compliance audits share these characteristics:

  • Based on frameworks, internal policies, or regulatory requirements.
  • Evaluate an organization's posture in depth against the guidance and requirements of the target framework or regulation.
  • Performed by an independent or third-party auditor.
  • Result in a final deliverable, like a report, an assessment, or an audit opinion.

During a compliance audit, businesses should expect interviews about internal controls and requests for documents or evidence to show that you're "walking the talk" in carrying out compliance requirements. Auditors meet their own standards, exercising judgment and professional skepticism with the aim of reaching "reasonable assurance" that the organization is doing what the target framework or regulation requires.

What does a compliance auditor do?

A compliance auditor is an independent practitioner who plans the audit, gathers and inspects evidence, conducts interviews and walkthroughs, performs control testing, and issues a formal report or opinion. Sign-off authority is framework-specific: SOC reports are attestation engagements that only a licensed CPA firm can issue, a PCI DSS Level 1 assessment must be performed by a Qualified Security Assessor (QSA) or, where the acquirer permits, a PCI SSC-certified Internal Security Assessor (ISA), and ISO 27001 certification audits must be performed by an accredited certification body. Many compliance auditors also hold CIA, CISA, or CISSP credentials depending on the domain.

Example: A SOX compliance audit in practice

Take the Sarbanes-Oxley (SOX) Act as an example. Section 302 requires that a CEO and CFO certify the financial statements are complete and accurate. There is a lot that goes into drafting those statements. For instance, when a company reports the cash balance, that number is the result of multiple transactions touching every part of the business. How can the business provide reasonable assurance the reported number is complete and accurate?

Some questions auditors may ask:

  1. How are material transactions reviewed and approved?
  2. Is the business retaining evidence that the transactions have been reviewed and approved? What type of evidence?
  3. Is the evidence sufficient?
  4. Can the auditors obtain the evidence and independently replicate the review?

The deliverable is an audit opinion on internal control over financial reporting (ICFR) under SOX Section 404.

Purpose and objectives of a compliance audit

The purpose of a compliance audit is to produce a deliverable detailing the organization's degree of compliance against the target framework or regulatory requirements. Depending on the type of audit, an organization might receive an audit opinion (SOX and SOC audits), a certification (ISO 27001), or a Report on Compliance (PCI DSS). Audit opinions are issued over the efficacy of an organization's internal controls against specific criteria. Not all compliance audits are pass or fail; regardless, noncompliance can have significant consequences.

Because compliance audits are performed by independent third parties, they are objective and often include areas of improvement for the business. More importantly, they build trust with external organizations and customers, demonstrating that an organization has the controls in place to meet target requirements.

While most companies pursue compliance audits because of regulatory requirements or contractual demands, treat them as a multi-faceted tool. In addition to "checking the box" on mandatory audits, use any findings as input for remediation, closing the gaps the audit surfaces. If corrective action isn't possible in the short term, log gaps in your risk register and track remediation status. Demonstrating commitment to continuous improvement mitigates present and future risks.

As third-party risks continue to threaten global cybersecurity, customers expect more in terms of security, data protection, and privacy, making SOC 2 attestations and ISO 27001 certifications table stakes for many sales conversations. Privacy regulations like GDPR have prompted other geographies to implement privacy regulations around personal data. The PCI Security Standards Council has also retired PCI DSS v3.2.1, leaving PCI DSS v4.0.1 as the only active version, with new requirements around the "Customized Approach," authenticated internal vulnerability scanning, and e-commerce script integrity reshaping the PCI DSS compliance audit approach.

Audit deliverables may also include recommendations for management and strategy. This third-party advice can help make the case for additional investment in governance, risk, and compliance (GRC) or security.

Consequences of non-compliance

Penalties scale with the framework. The SEC issued a record $8.2 billion in financial remedies in FY 2024, signaling an aggressive enforcement environment. Other consequences include loss of certifications (ISO 27001, PCI DSS), contract termination clauses triggering with customers, mandatory breach notification, and reputational damage that derails sales cycles. Under the EU AI Act, penalties apply from August 2, 2025, and DORA enables periodic penalty payments against critical ICT third-party service providers. A qualified audit opinion or material weakness in SOX can trigger stock price impact and shareholder litigation.

Internal audit vs. compliance audit

The core difference between internal audits and compliance audits (sometimes called external audits) is who performs the audit and what they assess.

Attribute | Internal audit | Compliance audit
Who performs it | Auditors employed by the business | Independent, third-party, or external auditors
Primary subject | Organization's performance against its own policies and goals | Adherence to an external framework or regulation
Deliverable | Internal report to management and the audit committee | Formal report, opinion, or certification for external stakeholders
Typical cadence | Continuous, risk-based plan | Annual or framework-driven (e.g., a SOC 2 Type 2 report typically covers a 6–12 month observation period)
Reliance | Cannot be relied on externally for certification | Externally reliable; used by customers, regulators, investors

Mandatory compliance audits differ based on a company's industry, sector, private/public status, size, and other factors. The U.S. government mandates audits across finances, transactions, health information, and information security. Publicly traded companies must have their financial statements audited annually, and SOX Section 404 adds an audit of internal control over financial reporting for accelerated and large accelerated filers.

However, compliance audits and internal audits are optimal allies. Ideally, internal audits run before and concurrent with compliance audits, allowing organizations to identify and remediate gaps ahead of time. Compliance audits then surface other improvement opportunities, while internal audits verify that compliance audit findings are remediated. Essentially, internal audits help you find holes before the external audit so you can prepare a remediation plan and response — reducing the risk around any finding. External auditors also appreciate seeing an organization improve its own processes through internal audit. Embracing the cyclical nature of compliance and integrating it into operations elevates and matures an organization's integrated risk program.

A readiness assessment is a third option: a non-attestation consulting engagement (often by a third party) designed to identify gaps before the formal compliance audit. It can't be relied upon for certification, but it de-risks the actual audit.

Different types of compliance audits

Compliance audits generally fall into several broad domains: cybersecurity, data privacy, financial reporting, healthcare, environmental, and workplace health and safety. With dozens of frameworks and regulations in play, organizations should identify audit priorities by asking:

  • Which regulations am I required to perform compliance audits for?
  • Are there any compliance audits required by our partners or customers?
  • Are there any compliance audits available that would benefit the organization?
  • Looking ahead, are there any compliance audits that may be required or desirable for the organization?

Healthcare providers and other covered entities, for example, must comply with HIPAA's regulatory compliance requirements, while publicly traded companies must comply with SOX. Other common frameworks include SOC 2, SOC 1, PCI DSS v4.0.1, ISO/IEC 27001, FISMA, and FINRA.

The list and table below summarize common types of compliance audits. Organizations are often required to perform more than one in a year, which can slow innovation and increase costs.

Types of compliance audits

  • CMS: Centers for Medicare and Medicaid Services

Part of the Department of Health and Human Services (HHS), CMS specifically addresses Medicare and Medicaid regulations.

Who may need it? Organizations that work with Medicare and Medicaid.

  • EPA: United States Environmental Protection Agency

The EPA conducts audits to address environmental regulations, such as the Clean Water Act (CWA), Clean Air Act (CAA), and Toxic Substances Control Act (TSCA), among others.

Who may need it? Organizations required to adhere to EPA standards and regulations; or organizations seeking to demonstrate sustainable and environmentally friendly practices.

  • FINRA: Financial Industry Regulatory Authority

A non-governmental organization, FINRA requires broker-dealers to address 19 areas of compliance, including Anti-Money Laundering (AML) and cybersecurity and technology governance.

Who may need it? Brokerages; broker-dealers; similar financial organizations.

  • FISMA: Federal Information Security Modernization Act

Introduced in 2002 and amended in 2014, FISMA requires government agencies and contracted affiliates to secure systems and sensitive and protected data.

Who may need it? Government agencies, state agencies that oversee federal programs, and any private businesses that have government contracts.

  • GDPR: General Data Protection Regulation

Effective as of 2018, and passed by the EU in an effort to regulate and protect individuals' data and privacy.

Who may need it? Businesses that operate in the European Union or serve EU customers.

  • HIPAA: Health Insurance Portability and Accountability Act

Originally introduced in 1996, HIPAA is a U.S. federal law aimed at protecting sensitive patient health information and informing patients in the event of a data breach. Healthcare compliance audits typically review PHI handling, breach notification readiness, and Business Associate Agreements.

Who may need it? Covered Entities (like hospitals) and Business Associates (third parties serving Covered Entities) must comply with the relevant clauses of HIPAA. The definition of Covered Entity versus Business Associate can be found on the U.S. Department of Health and Human Services' website.

  • HR: Human resources

Human resources audits can involve employee information, payroll, and employment laws and regulations.

Who may need it? All employers may be subject to human resources-related audits.

  • IRS: Internal Revenue Service

The IRS audits individuals and organizations routinely to ensure that taxes are paid appropriately and on time.

Who may need it? All employers may be subject to an IRS audit.

  • ISO/IEC 27001 (and other variants): International Organization for Standardization

ISO, the International Organization for Standardization, publishes international standards across various industries. The ISO 27000 family of standards, including 27001, address information security and privacy.

Who may need it? ISO audits are optional, but ideal for organizations that:

  • Operate internationally, especially in the EU.
  • Certify against multiple ISO frameworks.
  • Are required by customers or partners.

  • OSHA: Occupational Safety and Health Administration

OSHA compliance audits are aimed at fostering safe and healthy workspaces.

Who may need it? All employers may be subject to an OSHA audit.

  • PCI DSS: Payment Card Industry Data Security Standard

American Express, Discover, JCB International, MasterCard, and Visa formed the PCI Council in 2006 to develop and enforce data and security compliance standards around credit card information and cardholder data, with the aim of reducing fraud. PCI DSS v4.0.1 is now the only active version of the standard.

Every organization that stores, processes, or transmits cardholder data must comply with PCI DSS; the merchant or service-provider level, set by the card brands and the acquiring bank, determines how compliance is validated, not whether the standard applies. Level 1 merchants (typically more than six million Visa or Mastercard transactions per year, or any merchant a brand designates) need an annual on-site assessment by a QSA or ISA that produces a Report on Compliance (RoC) and Attestation of Compliance (AoC). Lower merchant levels usually validate with the applicable Self-Assessment Questionnaire (SAQ) and, where applicable, quarterly external scans by an Approved Scanning Vendor (ASV). Service providers have their own thresholds (Level 1 at more than 300,000 transactions per year), and any acquirer or customer can contractually require a RoC regardless of level.

Who may need it? Any organization that stores, processes, or transmits cardholder data, and any service provider whose services can affect the security of that data.

  • SOC 1: System and Organization Controls relevant to financial reporting

The full name of a SOC 1 engagement is a Report on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. SOC 1 compliance audits can cover a variety of processes. Crucially, they let service organizations show that their services can be relied upon even where those services feed into a customer's financial statements.

Who may need it? SOC 1 audits are optional, but ideal for organizations that:

  • Provide services to several publicly traded companies.
  • Have a material effect on clients or customers' financial statements.
  • Are required by customers or partners.

  • SOC 2: System and Organization Controls relevant to the Trust Services Criteria (TSCs)

In contrast to SOC 1, which addresses controls that may affect customers' financial statements, a SOC 2 report covers the internal controls at an organization related to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. Both types were developed by the AICPA.

Who may need it? SOC 2 audits are optional, but ideal for organizations that:

  • Provide services to other businesses, especially SaaS and PaaS organizations.
  • Want to build trust with customers.
  • Focus on Security, Availability, Processing Integrity, Confidentiality, and/or Privacy.
  • Are required by customers or partners.

  • SOX: Sarbanes-Oxley Act

Enacted in 2002 as a response to major fraud at Enron and WorldCom, among others, Sarbanes-Oxley was designed to enforce auditor independence for financial compliance audits and hold executives accountable for representations made in their organizations' financial statements.

Who may need it? Publicly traded companies, management, and accounting firms.


5 fundamental steps of the compliance audit process

These are the five fundamental steps an independent auditor completes to deliver a final report, opinion, or assessment. Keep in mind that each type of compliance audit has nuances, scopes, and procedures unique to that framework or regulation. Some teams may do these steps in a different order or use a variant testing methodology. These steps are written from the auditor's perspective; the steps an organization follows to prepare internally differ from company to company.


1. Research and readiness

Before landing "on-site" for fieldwork — physically or virtually — the auditors do their own preparation and research. They confirm the scope of the audit, prepare an evidence or audit checklist, plan their approach, and schedule time with the organization's main point(s) of contact to coordinate and kick off the audit.

If the auditors are the same as prior years, they may review prior-year reports, documentation, and workpapers to refamiliarize themselves with the environment. They want to understand what compliance procedures the business has taken in the past and confirm whether and how those procedures have changed.

2. Documentation and evidence review

As part of their work, compliance auditors review the policies and procedures that govern the business. This won't include every policy, but it typically covers security policies, risk management policies, compliance policies, and any policy tied to the target framework. Other common in-scope policies include change control, identity and user access, acceptable use, and third-party risk management.

Auditors familiarize themselves with these policies to understand the business, governing principles, ownership, and the IT stack. To narrow scope, auditors should present a checklist of evidence requests describing the documentation and artifacts they need. Expect several rounds of back-and-forth as auditors work out how the puzzle pieces fit together. This step may continue throughout the audit or occur in several rounds depending on the auditors' approach.

3. Conducting interviews

To support their knowledge of the business, its internal controls, and its compliance with the target framework, auditors require an interview or walkthrough phase where they ask real-time questions about in-scope processes. They might walk through a specific piece of documentation to understand the dates and causes for a transaction, or review a process end to end to identify the controls in place. It's fair game to ask the audit team for a high-level outline of interview topics so the right process owners attend. It's not a good use of anyone's time to show up to a process walkthrough without the process owner because they weren't invited.

The questions auditors ask in interviews are a type of audit test categorized as inquiry. The other standard test types are inspection (or examination), observation, and re-performance. Reviewing documents and evidence is inspection; watching a control operate is observation; independently redoing the control and comparing results is re-performance. Inquiry alone is the weakest form of evidence, which is why auditors corroborate what they hear in interviews with one of the other three.

To prepare, have interviewees review the organization's official policy and procedure documents related to the interview topic. The point person for an interview should have a thorough understanding of the people, processes, and technologies under their purview. Auditors are ultimately looking to replicate the compliance processes, procedures, and reviews the business performs. If your organization is capacity-constrained or your employees wear many hats, raise this with the audit team and ask them to keep interviews efficient.

4. Process assessment and employee shadowing

At this point, the auditor should have a good understanding of the business and relevant internal controls. They are likely forming an opinion or assessment of the effectiveness of the in-scope controls. This assessment comes from the combination of documentation review, interviews, and testing.

This is also the phase in which the bulk of testing occurs. Some testing can happen earlier, but most should occur after the audit team has confirmed its understanding of the organization's processes. How can one test a process they don't understand?

Audit testing involves document review, sometimes of a single instance of a control operating (showing a policy was reviewed at least annually), or of a sample (showing that a random sample of 25 employees hired this year signed the Employee Handbook). Auditors note findings, noncompliance, and deviations when they encounter them, potentially resulting in more follow-ups or testing. While organizations want to avoid deviations, human error, outages, and other factors happen. In those cases, document the actions taken to mitigate the deviation and future-proof the organization from repeating it.

If you have an audit finding, it's not the end of the world. Some of the largest and most successful companies in the world have findings in their compliance audits. The degree and duration of deviation from policy matters — how severe are the risks, what mitigating procedures or compensating controls exist, and how long has the gap existed? If possible, provide a management response to any finding, outlining the steps the organization will take to correct the deviation. All of this detail helps auditors document the finding with the full context. For instance, I once uncovered a finding where a terminated employee received stock when they were not supposed to. The business took corrective action and rescinded the transaction. As a result, we reported that while there was a finding, there was no net financial impact.

Throughout the audit process, allow auditors to shadow employees and collect testing evidence in real time — another type of audit testing called observation. By shadowing employees, auditors can see controls operate in action and ask questions ad hoc. Real-time screen sharing has made this more efficient and popular. Some auditors may record screen-sharing sessions to grab screenshot evidence after the meeting. Specify if you do not want this to occur, and remember that anything captured becomes evidence retained in the auditor's workpapers: keep credentials, API keys, session tokens, and customer data off the screen during walkthroughs, and use secure file-sharing and video-conferencing channels to transfer documents and share screens.
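The sample-based inspection test described above (a random sample of new hires checked for a signed Employee Handbook), written out as an added example that is not code from the original article or from Optro. The hire records, the 30-day acknowledgment window and the sample seed are constructed for illustration; the point is that both the sample selection and the inspection are reproducible, so an auditor can re-perform them from the same population export.

```python
"""Sample-based inspection test: did each sampled new hire sign the Employee
Handbook within the policy window?

Added example; not code from the original article or from Optro. The hire
records, the 30-day acknowledgment window and the sample seed are all
constructed for illustration.
"""
import random
from datetime import date, timedelta

ACK_WINDOW_DAYS = 30  # assumed policy: sign within 30 days of start date

# Constructed population: (employee_id, hire_date, handbook_signed_on or None)
HIRES_THIS_YEAR = [
    ("E1001", date(2025, 1, 13), date(2025, 1, 14)),
    ("E1002", date(2025, 2, 3), None),                # no acknowledgment on file
    ("E1003", date(2025, 3, 24), date(2025, 5, 2)),   # signed 9 days past the window
    ("E1004", date(2025, 4, 7), date(2025, 4, 7)),
    ("E1005", date(2025, 5, 19), date(2025, 6, 18)),  # signed on day 30: inside the window
    ("E1006", date(2025, 6, 2), date(2025, 6, 3)),
    ("E1007", date(2025, 7, 14), date(2025, 7, 20)),
    ("E1008", date(2025, 8, 25), date(2025, 8, 26)),
]


def select_sample(population, size, seed):
    """Pick a reproducible random sample of employee IDs.

    Sorting the IDs before sampling and seeding the RNG means an auditor who
    receives the same population export and the same seed re-creates the same
    selection, which is what makes the selection itself re-performable.
    """
    ids = sorted(rec[0] for rec in population)
    return random.Random(seed).sample(ids, min(size, len(ids)))


def inspect_acknowledgments(population, sample_ids, window_days=ACK_WINDOW_DAYS):
    """Inspect each sampled record; return {employee_id: deviation description}."""
    by_id = {rec[0]: rec for rec in population}
    deviations = {}
    for eid in sample_ids:
        _, hired, signed = by_id[eid]
        deadline = hired + timedelta(days=window_days)
        if signed is None:
            deviations[eid] = "no signed acknowledgment on file"
        elif signed > deadline:
            days_late = (signed - deadline).days
            deviations[eid] = f"signed {days_late} days after the {window_days}-day window"
    return deviations


def summarize(population, sample_ids, deviations):
    """Workpaper-style summary: population, sample, exceptions, exception rate."""
    rate = round(len(deviations) / len(sample_ids), 3) if sample_ids else 0.0
    return {
        "population": len(population),
        "sample": len(sample_ids),
        "exceptions": len(deviations),
        "exception_rate": rate,
    }


if __name__ == "__main__":
    sample = select_sample(HIRES_THIS_YEAR, size=5, seed=20250331)
    found = inspect_acknowledgments(HIRES_THIS_YEAR, sample)
    print("sample:", sample)
    for eid, why in found.items():
        print(f"EXCEPTION {eid}: {why}")
    print(summarize(HIRES_THIS_YEAR, sample, found))
```

Record the seed and the population export hash in the workpaper alongside the result; without them the sample cannot be reproduced, and an exception found in a sample of 25 is only meaningful if the reader can tell how those 25 were chosen.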

5. Compilation of compliance report

After the audit team has completed the majority of their procedures — document review, interviews, testing, process assessment, and shadowing — the team on the ground will prepare the target compliance audit workpapers and report, noting the results of each phase and their overall assessment. Senior members of the team will perform one or more additional levels of review, sending back comments and questions the business may need to respond to.

For some types of compliance audits, like SOX, SOC, and PCI DSS Level 1, the final deliverable must be signed off by an individual or firm with the appropriate qualifications. Only a licensed CPA firm can issue an opinion on a SOC report; a PCI DSS Report on Compliance must be signed by a QSA (or ISA) certified by the PCI Security Standards Council; and an ISO 27001 certificate must come from a certification body accredited by a national accreditation body (such as ANAB or UKAS). The AICPA sets the attestation standards SOC auditors follow, but CPA licensure itself is granted by state boards of accountancy, and ISO publishes the standard without certifying auditors.

You and your organization have a say in your report. Review the draft thoroughly for any errors, misstatements, or gaps, and raise them to the audit team's attention. Certain sections of compliance audit reports can be customized — use the opportunity to highlight your organization's dedication to GRC.

Once you receive the final report or deliverable in hand, signed and finalized, that particular compliance audit cycle closes… and another one begins.

Tips for a successful compliance audit process

Compliance is an ongoing activity that keeps businesses and customers safe and builds trust between them. It can also be a labyrinth of pitfalls and dead ends, which is where the right audit management software makes a difference. Here are some tips to help your next compliance audit go smoothly.

1. Be prepared

If your organization is pursuing a formal compliance audit, you are paying good money for it. It's not worth going through an audit if you know the business is not ready — and if you go through a compliance audit with poor internal controls, your business could be fined, face litigation, and lose customer trust.

Compliance audit readiness checklist:

  1. Scope and framework confirmation — agree on what's in and out of scope with the auditor.
  2. Policies and procedures — updated and mapped to the target framework's control requirements.
  3. Evidence repository — organized by control ID and ready for sampling.
  4. Audit logs — enabled with at least 12 months of retention (366 days covers a leap year); note that PCI DSS v4.0.1 additionally requires the most recent three months to be immediately available for analysis.
  5. Process owners and interview schedules — identified, briefed, and calendarized.
  6. Prior-year findings — remediation status documented and validated.
  7. Single point of contact — one accountable owner for the audit end to end.

Treat compliance like operational must-haves. Tee up stakeholders for successful interviews and shadowing. If audit procedures call for physical inspection of workspaces, factor that into planning. Technology can help you operationalize your compliance program, assisting with scheduling, stakeholder communications, and translating policy into action.

2. Integrate and automate

Buzz words, we know. Still, we'll say it — wherever and whenever possible, especially if you're a small shop, automating controls and integrating across your larger cloud ecosystem is a significant efficiency gain. Enforce change approval technically, through branch protection or release gates (required reviewers, no self-approval, stale approvals dismissed when new commits are pushed, no administrator bypass), rather than relying on process discipline, so the change control operates without a hitch and leaves its own evidence. Automatically create onboarding checklists when a new employee is entered into your HR systems, and integrate with other technologies to push out updates without manual intervention. Automate vulnerability scanning by integrating your code base with vulnerability scanning tools. By automating and integrating, businesses reduce the risk that compliance activities won't be documented or executed properly.
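An auditor re-performing the pull-request change control described above would not just ask whether approvals are required; they would pull the merge history and check each merge. The following is an added example that is not code from the original article or from Optro: it runs that re-performance over constructed PR records (loosely shaped like a Git hosting export, with no real API called) and flags the three ways the control silently fails: self-approval or no approval, approval recorded only after the merge, and an approval that predates the final commit.

```python
"""Re-performance test for a pull-request change control: every merge to the
production branch carried an approval (1) from someone other than the author,
(2) recorded before the merge, and (3) given on the final commit, not on an
earlier revision that later changed.

Added example; not code from the original article or from Optro. The PR
records are constructed and only loosely shaped like a Git hosting API
export; nothing here calls a real API.
"""
from datetime import datetime

NO_INDEPENDENT_APPROVAL = "no approval by someone other than the author"
APPROVED_AFTER_MERGE = "approval recorded after the merge"
STALE_APPROVAL = "approval predates the last commit (stale approval not dismissed)"

# Constructed evidence: merged PRs with their review history.
MERGED_PRS = [
    {"id": 101, "author": "alice", "last_commit_at": "2026-02-10T14:40:00Z",
     "merged_at": "2026-02-10T15:04:00Z",
     "reviews": [{"user": "bob", "state": "APPROVED", "at": "2026-02-10T14:50:00Z"}]},
    {"id": 102, "author": "carol", "last_commit_at": "2026-02-11T08:30:00Z",
     "merged_at": "2026-02-11T09:00:00Z",  # self-approval only
     "reviews": [{"user": "carol", "state": "APPROVED", "at": "2026-02-11T08:45:00Z"}]},
    {"id": 103, "author": "dave", "last_commit_at": "2026-02-11T16:00:00Z",
     "merged_at": "2026-02-11T16:05:00Z", "reviews": []},  # merged with no review at all
    {"id": 104, "author": "erin", "last_commit_at": "2026-02-12T09:00:00Z",
     "merged_at": "2026-02-12T10:00:00Z",  # approval added after the merge
     "reviews": [{"user": "bob", "state": "APPROVED", "at": "2026-02-12T10:30:00Z"}]},
    {"id": 105, "author": "frank", "last_commit_at": "2026-02-13T11:20:00Z",
     "merged_at": "2026-02-13T12:00:00Z",  # approved, then more commits pushed
     "reviews": [{"user": "grace", "state": "APPROVED", "at": "2026-02-13T10:00:00Z"}]},
    {"id": 106, "author": "heidi", "last_commit_at": "2026-02-14T09:10:00Z",
     "merged_at": "2026-02-14T11:00:00Z",  # changes requested, fixed, then approved
     "reviews": [{"user": "bob", "state": "CHANGES_REQUESTED", "at": "2026-02-14T08:00:00Z"},
                 {"user": "bob", "state": "APPROVED", "at": "2026-02-14T10:00:00Z"}]},
]


def ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_pr(pr):
    """Return None if the control operated for this PR, else why it did not."""
    merged = ts(pr["merged_at"])
    last_commit = ts(pr["last_commit_at"])
    approvals = [ts(r["at"]) for r in pr["reviews"]
                 if r["state"] == "APPROVED" and r["user"] != pr["author"]]
    if not approvals:
        return NO_INDEPENDENT_APPROVAL
    before_merge = [a for a in approvals if a <= merged]
    if not before_merge:
        return APPROVED_AFTER_MERGE
    # The approval must cover the code that was actually merged.
    if not any(a >= last_commit for a in before_merge):
        return STALE_APPROVAL
    return None


def evaluate_change_control(prs):
    """Map PR id -> deviation for every PR where the control did not operate."""
    return {pr["id"]: reason for pr in prs if (reason := evaluate_pr(pr)) is not None}


if __name__ == "__main__":
    exceptions = evaluate_change_control(MERGED_PRS)
    print(f"{len(MERGED_PRS)} merges tested, {len(exceptions)} exceptions")
    for pr_id, reason in exceptions.items():
        print(f"EXCEPTION PR #{pr_id}: {reason}")
```

PR 103 is the case to watch for: a merge with no review at all usually means someone with administrator rights bypassed the branch rule, and the audit question becomes who holds that bypass and whether its use is logged and reviewed.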

For periodic controls that operate weekly, monthly, quarterly, or annually, set up auto-reminders for process owners and their teams a few days before the deadline — you'd be surprised how many times I've had to note an audit finding because the Q2 access review occurred during Q3.
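The "Q2 access review performed in Q3" finding above is a timeliness deviation, and it is easy to test for mechanically. The following added example (not code from the original article or from Optro) evaluates a constructed quarterly access-review log against calendar quarters, reporting each period as on time, late by a number of days, or missing, and computes the reminder date for each control owner a few days before the quarter closes; the five-day lead time is an assumption.

```python
"""Timeliness test for a quarterly control (here a user access review): each
quarter must have a completed review dated inside that quarter, and control
owners get a reminder a few days before the quarter closes.

Added example; not code from the original article or from Optro. The review
log and the five-day reminder lead time are constructed.
"""
from datetime import date, timedelta

# Constructed evidence: (control period, date the review was completed)
ACCESS_REVIEWS = [
    ("2025-Q1", date(2025, 3, 28)),
    ("2025-Q2", date(2025, 7, 9)),    # Q2 review actually performed in Q3
    ("2025-Q3", date(2025, 9, 30)),   # last day of the quarter still counts
    # no 2025-Q4 entry at all
]


def quarter_bounds(year, q):
    """First and last calendar day of quarter q (1-4) of the given year."""
    start = date(year, 3 * (q - 1) + 1, 1)
    next_start = date(year + 1, 1, 1) if q == 4 else date(year, 3 * q + 1, 1)
    return start, next_start - timedelta(days=1)


def evaluate_quarterly_control(reviews, year):
    """Map period label -> 'on time', 'missing', or a description of the deviation."""
    completed = {}
    for label, done_on in reviews:
        completed.setdefault(label, []).append(done_on)
    results = {}
    for q in range(1, 5):
        label = f"{year}-Q{q}"
        start, end = quarter_bounds(year, q)
        dates = completed.get(label, [])
        if not dates:
            results[label] = "missing"
        elif any(start <= d <= end for d in dates):
            results[label] = "on time"
        else:
            late = [d for d in dates if d > end]
            if late:
                results[label] = f"late by {(min(late) - end).days} days"
            else:
                # A review dated before the period began cannot cover that period.
                results[label] = "performed before the period began"
    return results


def reminder_dates(year, lead_days=5):
    """Date to nudge each control owner: lead_days before the quarter closes."""
    return {f"{year}-Q{q}": quarter_bounds(year, q)[1] - timedelta(days=lead_days)
            for q in range(1, 5)}


if __name__ == "__main__":
    for period, status in evaluate_quarterly_control(ACCESS_REVIEWS, 2025).items():
        print(f"{period}: {status}")
    for period, remind_on in reminder_dates(2025).items():
        print(f"reminder for {period} goes out {remind_on}")
```

The same structure works for monthly or annual controls by swapping the period function; what matters for the auditor is that "completed" is a dated artifact inside the period, not a ticket closed whenever someone got around to it.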

Use templates heavily. Compliance activities should be easily repeatable and integrated into everyday operations. With templates, employees spend less time thinking about how to document something and instead refer to an existing template for guidance.

If there is no built-in auditing for a critical system or activity like incident response, integrate or migrate to a task or service management solution like Jira, ClickUp, ServiceNow, or Asana to create tickets for compliance activities automatically.

There's a saying in compliance that "if it wasn't documented, it doesn't exist." It's better to have some documentation than no documentation. The business may have thorough review procedures in place, but if there is no documentation of that review, auditors cannot attest to the procedures. As a general rule of thumb: if you are performing any compliance procedures, document them.

The technology shift is measurable: according to PwC's 2025 Global Compliance Survey, 49% of compliance functions now use technology for 11 or more compliance activities, with the heaviest concentration in training, risk assessment, and compliance monitoring.

3. Designate accountability

Whether it's one main point of contact for the whole audit, a formal compliance officer, or a dedicated compliance audit team, the buck must stop somewhere. We have seen entire audits derailed and budgets bloated because no single point of contact was accountable, and busy folks kept playing hot potato. Auditors will rack up hours sending emails trying to reach the right people. A connected platform keeps this from happening by simplifying communications between stakeholders.

Make sure someone is accountable for your compliance audit. That individual doesn't have to know everything — the ideal point person has a good understanding of the organization's operations as a whole and can pull in the right contacts for the right topic.

From a project management perspective, this helps the audit move along more smoothly.

This does not have to be a separate role, though it is a large project. Technology owners, process owners, and team leads should all have an understanding of the work they're involved in. They are ideal personnel to tap for interviews and shadowing during a compliance audit.

4. Use purpose-built technology

Technology and tools have come a long way since we started our careers in audit. Compliance attestations are now accessible to organizations of all sizes, and the tools available to tackle compliance challenges continue to improve and diversify. I still love my spreadsheets and don't see those going away any time soon, but modern organizations need more than a cloud repository, more than spreadsheets, more than dashboards, more than Gantt charts alone — modern organizations need a centralized home base. A compliance solution like Optro is built to facilitate a successful audit process, enabling the execution of core compliance audit steps and best practices.

No matter where you are in your compliance journey — whether it's your first or your hundredth audit — preparedness, using technology effectively, and establishing a culture of risk accountability are the keys to success.

Frequently asked questions

What is the role of a compliance auditor?

A compliance auditor is an independent practitioner who plans the audit, gathers and inspects evidence, conducts interviews and walkthroughs, performs control testing, and issues a formal report or opinion. Sign-off authority is framework-specific: only a licensed CPA firm can issue a SOC report opinion, PCI DSS Level 1 assessments require a Qualified Security Assessor (QSA) or, where the acquirer permits, a certified Internal Security Assessor (ISA), and ISO 27001 certifications must come from an accredited certification body. Many also hold CIA, CISA, or CISSP credentials.

What is an example of a compliance audit?

A SOX internal-control audit is a clear example. Section 302 requires the CEO and CFO to certify that the financial statements are complete and accurate, and auditors test the controls behind the reported numbers to see whether that certification is supportable. For a "cash" balance, auditors request transaction listings, sample material transactions, inspect evidence that each was reviewed and approved by an authorized signer, and re-perform reconciliations. The deliverable is an audit opinion on internal control over financial reporting (ICFR) under SOX Section 404.

How are the IIA's 2024 Global Internal Audit Standards changing compliance audit work?

The IIA's 2024 Global Internal Audit Standards became effective January 9, 2025, raising the bar on internal audit strategy, stakeholder relationships, and performance measurement. The IIA is also rolling out mandatory Topical Requirements — starting with Cybersecurity in February 2025, followed by Third-Party Risk, Culture, and Business Resiliency. Map these requirements to existing compliance audit workpapers to avoid duplicate testing and make internal audit work reliance-ready for external auditors.

What are the consequences of failing a compliance audit?

Consequences scale with the framework. The SEC issued a record $8.2 billion in financial remedies in FY 2024, and noncompliance can trigger loss of certifications (ISO 27001, PCI DSS), contract termination clauses, mandatory breach notification, and reputational damage. EU AI Act penalties apply from August 2, 2025, and DORA enables periodic penalty payments against critical ICT third-party service providers. A qualified SOX opinion or material weakness can also trigger stock price impact and shareholder litigation.

What's the difference between a compliance audit, an internal audit, and a readiness assessment?

A compliance audit is performed by an independent third party against an external framework or regulation and produces a formal report, opinion, or certification. An internal audit is performed by employees, typically assesses performance against internal policies and goals, and reports to the audit committee. A readiness assessment is a non-attestation consulting engagement designed to identify gaps before the formal audit — it can't be relied on for certification, but it de-risks the actual audit.

How should practitioners prepare for U.K. Corporate Governance Code Provision 29?

For financial years beginning on or after January 1, 2026, boards subject to the U.K. Corporate Governance Code must declare in the annual report the effectiveness of their material internal controls (financial, operational, reporting, and compliance). Define what counts as "material" with the audit committee now, establish a continuous monitoring framework with documented evidence trails, align with COSO 2013 and NIST CSF 2.0 to use existing testing, and pilot the board declaration in the FY2025 annual report as a dry run.

How does PCI DSS v4.0.1 change the compliance audit approach?

PCI DSS v4.0.1 is now the only active version of the standard following the retirement of v3.2.1. Key audit changes include the new "Customized Approach" allowing entities to define their own controls (subject to QSA validation and a Targeted Risk Analysis), expanded scoping documentation, mandatory annual scope confirmation, and new requirements around authenticated internal vulnerability scanning, phishing defenses, and e-commerce script integrity. Re-baseline your Report on Compliance (RoC) workpapers and confirm your QSA is current on v4.0.1.

About the authors


Ariba Iqbal is a Senior Implementation Project Lead at Optro and specializes in RiskOversight implementation. Prior to joining Optro, she was a Senior Consultant in the Risk Consulting department at Focal Point Data Risk, a CDW Company. Ariba brings experience working on multiple types of internal audit engagements for clients in various industries, including manufacturing, financial services, cyber security, and real estate. Connect with Ariba on LinkedIn.


Christina Ramos, CPA (inactive), is a Senior Manager of Implementation and Professional Services at Optro. Prior to Optro, Christina spent 10 years at Deloitte as an external auditor focused on PCAOB audits, including two years working as a PCAOB advisor in Tokyo, Japan. Connect with Christina on LinkedIn.
