I’ve looked all over and have yet to find a clear and simplified explanation on this. I see why people are confused. Let’s clear it up.
IT Compliance – Short Answer: What controls should we have in place? Future.
Longer answer: IT Compliance asks bigger questions about what should happen and works to define that and put processes in place to support it.
What makes sense to check, do, look at. IT Compliance acts as management and defines the controls.
“Should we have separation of duties so Rob isn’t an administrator for every single application? Should our Security Groups follow a logical order?”
“What roles should have read only access to an application or systems. What roles should have write/modify (Role Based Access).”
Policies, Procedures and maintenance of them. Governance. IT Compliance should be heavily involved in Governance and be a resource/SME (Subject Matter Expert) that’s tapped when Governance comes into question on any IT system or application.
In most organizations, IT Compliance is a Management function. They carry out the controls that management would.
IT Audit – Short answer: Assurance. Checking everything that’s in place now. Present.
Longer answer: Does the organization follow their controls, documents, are their systems set up the way they say they are?
“Do you do what you say you do? Let’s check”. Verify and make recommendations based on that.
Verifying people do what they say they do. They make recommendations as well, but aren’t the ones carrying out the changes.
IT Audit is checking to see what’s going on in the current environment and scores it (e.g., COBIT 5 and frameworks like it) and reports back.