The auditors are coming! Let’s face it, many organizations dread audit time, but it doesn’t have to be that way. Whether you’re facing your very first audit or preparing for the next recurring one, being audit-ready will save you time and effort, alleviate stress, and facilitate a smooth and successful audit process. As humans, we naturally seek predictability and familiarity, so being unprepared can leave you feeling stressed and uncertain.
By following these audit readiness best practices, you can feel confident to showcase your compliance and security posture and may even, dare I say it, look forward to an audit (gasp!). You can feel proud to demonstrate credibility and reliability of information in meeting user entities’ and other stakeholders’ expectations.
What Is an Audit Readiness Assessment?
An audit readiness assessment is a process an organization performs to determine its current state of compliance before an audit begins. An audit readiness assessment uncovers gaps or weaknesses in controls, documentation, policies, and processes that should be addressed before the audit with recommended remediations to align with requirements. For organizations going through a first-time audit, this process also helps narrow down the scope of the key controls to include during the planning phase and avoids missing coverage or over-implementing, which can be costly.
Audit readiness assessments can vary depending on the type of audit and the industry or regulatory standards involved. See our blog articles on SOC 1 or SOC 2 readiness assessments, HITRUST readiness assessments, and FedRAMP readiness assessments for more information on readiness assessments for those specific audits. After you’ve identified and remediated your readiness assessment gaps, it’s time to prepare for the audit.
Audit Readiness Best Practices
How do you become audit ready? As you’re preparing for an audit, it is important to properly set the stage well before the audit fieldwork. The following audit preparedness items are what I almost always see in place during my most successful audits.
Management’s Support
Management’s commitment to compliance sets the tone for the organization’s approach to audit readiness and fosters a culture of compliance.
Primary Point of Contact (POC)
Like a lighthouse used as a central reference point to guide ships safely to shore, having a primary POC who is the liaison between the organization and the auditor helps facilitate effective communication, improves efficiencies, and avoids duplication in efforts. The primary POC should have the appropriate knowledge, skillset, and authority. In my experience, clients with an effective POC can make a drastic difference in how smoothly an audit will run.
Appropriate Resources Involved
Identify the appropriate resources for each area and involve them from the start. Having the right people lined up and present in the walkthrough meetings for their relevant areas reduces the need for additional meetings, minimizes disruptions to business operations, and reduces the chance of something being stated in error.
Organized Documentation
Establishing and maintaining clear, comprehensive, standardized, and intuitive documentation in a centralized repository allows an organization to easily reference and retrieve information when needed. It also allows the organization to provide requested documentation to the auditor in a timely manner, giving the auditor time to review it before walkthrough meetings, which reduces the need for additional meetings and follow-ups. I find this to be a good indicator of how long an audit will take to complete based on how organized and timely the documentation is.
Trained Employees
Educating and training employees regarding their roles and responsibilities with compliance requirements helps mitigate risks and enables the resilience of the organization. Training employees fosters a culture of integrity and ethics and awareness of potential risks that may harm the organization’s reputation. Additional examples of training may include Security Awareness Training.
Risk Management Process Maintained
In this day and age with evolving cybersecurity threats and emerging security challenges, having and maintaining a proactive risk management process to help anticipate, prevent, monitor, and mitigate risks to the organization is critical. Be prepared for the inevitable dynamics, threats, and challenges within your organization’s business landscape.
Previous Audit Findings Addressed
Seeing the same finding(s) during an audit over and over, to me, can feel like a scene from Groundhog Day. Assess, remediate, and prevent audit deficiencies and any management letter comments from previous audits. Learn from past audit issues and use them as an opportunity to improve internal controls. Using a corrective action plan can help map out the actions needed to address identified audit deficiencies. Addressing previous audit findings also demonstrates accountability and a commitment to compliance.
Communication With the Auditor
It’s the first day of your recurring annual Type II SOC 2 audit fieldwork. You feel confident you’ve followed best practices in preparing for the audit and had a successful audit last year. You’re in your fieldwork kick-off meeting and the auditor asks if there have been any changes to the organization, systems, processes, and/or people. You reply, “Oh yeah, we switched our cloud-based infrastructure services a few months ago and have decommissioned the old system. We can no longer access anything from the old infrastructure to evidence that some of those infrastructure controls were in place during half of the audit period”. Cue record scratch.
Keep your auditor informed of any organizational, system, people, and process changes in a timely manner. Having periodic touch bases with your auditor throughout the year helps prevent surprise changes and allows sufficient time to address them. With timely communication, your auditor can guide you toward the right approach and make sure that transitions do not result in control gaps. Think of auditors as your trusted guides through the weeds of compliance regulations, standards, and audit best practices.
Monitoring Activities
Although the audit fieldwork is an event that typically occurs once a year, it should not be considered a one-and-done event. Organizations should be performing periodic reviews and monitoring activities throughout the year to determine the continued relevance of internal controls and update them when necessary. Create and adhere to an audit plan and stay vigilant throughout the year, while being adaptable for the inevitable changes that will occur in today’s dynamic business landscape.
Common Pitfalls – What NOT to Do
In addition to the absence of the items mentioned above, below are common pitfalls I’ve seen during audits that have either led to exceptions or resulted in unnecessary extra time to resolve or clarify. Being aware of these audit mistakes early on will help you prepare for an audit and set yourself up for success.
Single Point of Failure
Creating a dependency risk by placing the effectiveness of a control in the hands of one person is never a good idea. More than a handful of times, I’ve seen clients where an employee who was in charge of obtaining and maintaining evidence for a specific control was terminated. No one else in the organization knew where to find the documentation evidencing that the control task occurred, but the organization stated it was fairly confident it was done. Relying on inquiry alone is generally not sufficient to provide reasonable assurance about the effectiveness of a control.
Unorganized Documentation
I have sat in numerous meetings where the client relies on their memory and spends time digging through instant message conversations or emails during the meeting to locate control evidence. Employees shouldn’t have to go through archaeological digs to uncover retained audit evidence; keep documentation organized and easily accessible.
Overreliance on Audit Software Tools
While audit software tools are helpful in automating data collection, analysis, and reporting, depending too heavily on these tools without proper oversight or validation creates a false sense of security. The tools are generally designed to perform predefined checks and tasks based on how you configure the tool (i.e., garbage in, garbage out) but the tools cannot assess other qualitative factors that require human judgment and observation. A well-balanced approach using audit software tools with human expertise and judgment is key.
Unaware of Log Retention Policies
The most common pitfall scenario I’ve seen in this area is with clients who use Google Single Sign-On (SSO) to authenticate to sensitive systems. As part of the system access removal control, auditors want to see the timeliness of account deactivations. Google’s data retention policy is only six months for access log events and data.
For audits that cover a period of time (e.g., Type II SOC 1 or SOC 2 reports), typically 12 months, this limits the ability to retrieve the admin log event data for the entire period. Evidence of an account’s timely deactivation will not be available for accounts that were deactivated in the first half of the audit period. Be aware of the audit log data retention policies for the tools you use to support internal controls and consider workarounds where needed.
A recommendation in this scenario is to screenshot the Google access log event data showing the deactivation time stamp when it happens and retain that evidence where it can be retrieved for a longer duration (e.g., an offboarding ticket or a document repository with a sufficient retention period).
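The evidence-retention workaround above can also be automated rather than done by hand. The following is an added example written for this article, not code from the author or from Google: it assumes admin audit events have already been exported as simple dictionaries (the sample events, HR offboarding dates, event names such as SUSPEND_USER, and the 180-day window approximating the six-month retention described above are all constructed for illustration, not real Google log data or API output). It copies deactivation events into a long-retention archive with an integrity hash, shows which events would no longer be retrievable from the source on the audit date, and measures deactivation timeliness against offboarding dates over the audit period, flagging accounts with no evidence.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption: the source log keeps events for about six months (the article's scenario).
SOURCE_RETENTION_DAYS = 180

# Constructed sample of exported admin audit events (not real Google log data).
SAMPLE_EVENTS = [
    {"time": "2023-01-15T09:12:00Z", "actor": "admin@example.com",
     "event": "SUSPEND_USER", "target": "alice@example.com"},
    {"time": "2023-01-20T11:03:00Z", "actor": "admin@example.com",
     "event": "CHANGE_PASSWORD", "target": "bob@example.com"},
    {"time": "2023-07-02T15:45:00Z", "actor": "admin@example.com",
     "event": "DELETE_USER", "target": "carol@example.com"},
]

# Constructed HR offboarding dates used to measure timeliness of deactivation.
SAMPLE_OFFBOARDINGS = {
    "alice@example.com": "2023-01-13",
    "carol@example.com": "2023-07-01",
    "dave@example.com": "2023-09-10",  # no deactivation event archived: a control gap
}

# Hypothetical event names that count as an account deactivation.
DEACTIVATION_EVENTS = {"SUSPEND_USER", "DELETE_USER"}


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp like 2023-01-15T09:12:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_date(d):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(d, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def archive_evidence(events, archive=None):
    """Copy deactivation events into a long-retention archive (a list of records).

    Each record carries a SHA-256 over the canonical JSON of the original event so
    that later tampering or transcription errors in the archive can be detected.
    """
    archive = [] if archive is None else archive
    for e in events:
        if e["event"] not in DEACTIVATION_EVENTS:
            continue
        canonical = json.dumps(e, sort_keys=True).encode()
        archive.append({"event": e, "sha256": hashlib.sha256(canonical).hexdigest()})
    return archive


def verify_record(record):
    """True if the archived event still matches the hash captured at archive time."""
    canonical = json.dumps(record["event"], sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest() == record["sha256"]


def retrievable_from_source(event_time, audit_date, retention_days=SOURCE_RETENTION_DAYS):
    """Would the source log still hold this event on the audit date?"""
    return parse_date(audit_date) - parse_time(event_time) <= timedelta(days=retention_days)


def deactivation_timeliness(archive, offboardings, period_start, period_end):
    """Days from HR offboarding to the first archived deactivation, per account.

    Only records that pass the integrity check and fall inside the audit period
    count. None means no evidence in the period, which an auditor would flag.
    """
    start = parse_date(period_start)
    end = parse_date(period_end) + timedelta(days=1)  # period end is inclusive
    result = {}
    for account, offboarded in offboardings.items():
        candidates = []
        for r in archive:
            if r["event"]["target"] != account or not verify_record(r):
                continue
            t = parse_time(r["event"]["time"])
            if start <= t < end:
                candidates.append(t)
        result[account] = None if not candidates else (min(candidates) - parse_date(offboarded)).days
    return result


if __name__ == "__main__":
    archive = archive_evidence(SAMPLE_EVENTS)
    for r in archive:
        ev = r["event"]
        print(f"{ev['target']}: {ev['event']} at {ev['time']}, "
              f"still in source on 2023-12-15: {retrievable_from_source(ev['time'], '2023-12-15')}")
    print(deactivation_timeliness(archive, SAMPLE_OFFBOARDINGS, "2023-01-01", "2023-12-31"))
```

Running this as written shows that alice's January deactivation is no longer retrievable from the source by the December audit but is still evidenced from the archive, and that dave has no deactivation evidence at all, which is the kind of gap to find and fix before fieldwork rather than during it. In practice the archive would be written to the offboarding ticket or document repository the article recommends, and the export step would be scheduled well inside the source's retention window.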
Complex Policies & Procedures
Complex policies and procedures can lead to non-compliance because employees are likely to ignore them or not read them at all. Keep policies and procedures simple, relevant, and doable to prevent inconsistencies. Review and update them as changes occur throughout the year, or at least annually.
Summary
Achieving audit readiness success requires a disciplined and proactive approach. Audit readiness is not a one-time event in preparation for audit fieldwork; it is an ongoing culture of accountability and compliance. I hope this article provided you with practical guidance when preparing for your next audit.
Linford & Company is an independent CPA firm with a team of experienced external auditors that specialize in a variety of audit services, including SOC 1 and SOC 2 assessments. We include audit readiness assessments for our new clients and touch base meetings for all of our clients throughout the year at no additional charge as we want to see our clients succeed. If you have questions about this article or need assistance with an audit service, please contact us.
Danielle has over 16 years of information systems auditing experience. Prior to starting at Linford & Company, Danielle worked at PricewaterhouseCoopers in their Systems and Process Assurance group followed by the Internal Audit Department of a financial services company and the IT Compliance group for a large healthcare organization. She has experience in IT general control reviews, SOC audits, HIPAA compliance, Sarbanes-Oxley section 404 attestation engagements, and Payment Card Industry Data Security Standards (PCI DSS) compliance. Danielle is a Certified Information Systems Auditor (CISA) and received her Bachelor of Science degree in Management Science & Information Systems from Penn State University.