So, you’ve been tasked with providing evidence for an audit. You may be wondering what your auditor is even looking for. Let’s take a look behind the scenes at why the auditor is asking for certain things, and how you can provide audit evidence to make your life (and your auditor’s life) easier.
Every audit includes the collection of audit evidence. This evidence is used to prove that a control is in place (its design) and to show that the control operated over a specified period (its operating effectiveness). Evidence may come in the form of screenshots, policies, system exports, or meeting minutes. Some information in this blog is specific to risk3sixty, but the principles generally apply to all audits.
Evidence Collection Tools
Each audit firm will collect evidence differently. Some have created their own tool for the task, some use pre-existing tools, and still others manage audit evidence via spreadsheets and emails. Risk3sixty specifically has created Phalanx to facilitate evidence collection; it allows cross-framework mapping, advanced filtering, and quick communication between auditors and auditees.
So, What Does the Auditor Want to See?
We can figure out what audit evidence or evidence attributes your auditor needs to see by answering three questions:
What do they need to see? What will the auditor be asking for in their request list?
Why do they need to see it? What is the overall purpose of the evidence/attribute?
What does it typically look like? What will you practically need to provide to meet the request?
What do they need to see? Timestamps
Why do they need to see it? For every audit, the auditor must obtain reasonable assurance that the provided audit evidence was generated during the examination period.
What does it typically look like? Timestamps may be provided in several ways depending on the evidence:
- Meeting minutes showing the date of the meeting
- Policies that have a “last approved/reviewed” date
- Screenshots that show the date and time from your computer’s taskbar (or the system’s own clock, ideally with the time zone visible, so the auditor can place the screenshot inside the examination period)
What do they need to see? Populations (of new hires, identified vulnerabilities, vendors, etc.)
Why do they need to see it? To decrease the audit burden, auditors will take a sample of large populations instead of looking at every single occurrence of a specific event/item.
What does it typically look like? A system-generated or manually maintained list of items, preferably in an editable format, such as .xlsx or .csv. Ensure the list matches exactly what the auditor asked for (the right record type and only the examination period); if it is broader or narrower than the request, the selected samples may be incorrect and have to be redrawn.
What do they need to see? Samples
Why do they need to see it? To ensure compliance across a period of time, auditors must look at occurrences throughout a period. For example, to ensure employee onboarding follows a consistent process, an auditor will select 10% of new employees stratified throughout the audit period.
What does it typically look like? After a population has been provided and the auditor has requested a sample, provide the appropriate documentation. This may include onboarding checklists for new hires, remediation documentation for vulnerabilities, or due diligence questionnaires for vendors.
What do they need to see? Population Validation
Why do they need to see it? When analyzing a population, an auditor must ensure that the provided population represents the full population.
What does it typically look like? If audit evidence is generated via a query to a system, a screenshot of that query should be submitted, showing the filter criteria (record type, date range) and the resulting record count so the auditor can tie the count to the exported list. This may be an employee list from an HRIS system or change tickets from a change management system, for example. For manually maintained populations, a screenshot of the folder or other storage mechanism should be submitted.
What do they need to see? Non-Occurrence Validation
Why do they need to see it? If no instances of an event take place, the auditor must validate that this is true.
What does it typically look like? For system-maintained populations (e.g., incident tickets in a ticketing system), a screenshot of the system showing no occurrences should be submitted. This may require filtering on the ticketing system (e.g., filtered by ticket type “incident” and by the examination period’s date range), and the screenshot should show the filter criteria along with the empty result. For manually maintained populations, a screenshot of the empty folder or other storage mechanism should be submitted.
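The population, sample, and non-occurrence steps above are easiest to get right when the export is produced by a repeatable query rather than assembled by hand. The following is an added example, not part of the original post and not risk3sixty’s or Phalanx’s code: it filters a constructed ticket export down to one record type inside the examination period, writes the editable .csv the auditor asks for, draws a stratified sample (stratified by quarter here, which is an assumption; the post only says “throughout the audit period”), and shows that the same filter run for a type with no records yields an empty population. The ticket data, field names, and the 10% sample rate are all constructed for illustration.

```python
import csv
import io
import math
import random
from datetime import date

# Constructed example records standing in for a ticketing-system export (not real data).
TICKETS = [
    {"id": "CHG-101", "type": "change",  "created": "2022-12-28"},  # before the period
    {"id": "CHG-102", "type": "change",  "created": "2023-01-09"},
    {"id": "CHG-103", "type": "change",  "created": "2023-02-14"},
    {"id": "CHG-104", "type": "change",  "created": "2023-03-03"},
    {"id": "CHG-105", "type": "change",  "created": "2023-05-21"},
    {"id": "CHG-106", "type": "change",  "created": "2023-06-30"},
    {"id": "CHG-107", "type": "change",  "created": "2023-08-15"},
    {"id": "CHG-108", "type": "change",  "created": "2023-09-01"},
    {"id": "CHG-109", "type": "change",  "created": "2023-11-11"},
    {"id": "CHG-110", "type": "change",  "created": "2023-12-30"},
    {"id": "CHG-111", "type": "change",  "created": "2024-01-02"},  # after the period
    {"id": "REQ-201", "type": "request", "created": "2023-04-04"},  # wrong record type
]

# Assumed examination period for the example.
PERIOD_START = date(2023, 1, 1)
PERIOD_END = date(2023, 12, 31)


def build_population(records, record_type, start, end):
    """Return every record of the requested type created inside [start, end].

    This filter is exactly what the population-validation screenshot has to show:
    the record type and the date range. Records outside it (earlier, later, or of
    another type) are excluded so the sample is drawn from a representative list.
    """
    return sorted(
        (r for r in records
         if r["type"] == record_type
         and start <= date.fromisoformat(r["created"]) <= end),
        key=lambda r: (r["created"], r["id"]),
    )


def stratified_sample(population, fraction, seed=0):
    """Draw ceil(fraction * n) records from each quarter of the period.

    Stratifying by quarter keeps the sample spread across the whole period instead of
    clustering in one month; at least one record per quarter is always selected.
    The RNG is seeded so the selection can be reproduced for the auditor.
    """
    rng = random.Random(seed)
    strata = {}
    for r in population:
        d = date.fromisoformat(r["created"])
        strata.setdefault((d.year, (d.month - 1) // 3 + 1), []).append(r)
    sample = []
    for quarter in sorted(strata):
        items = strata[quarter]
        k = max(1, math.ceil(fraction * len(items)))
        sample.extend(rng.sample(items, k))
    return sorted(sample, key=lambda r: (r["created"], r["id"]))


def to_csv(population):
    """Render the population as the editable .csv the auditor can filter and select from."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "type", "created"])
    writer.writeheader()
    writer.writerows(population)
    return buf.getvalue()


if __name__ == "__main__":
    pop = build_population(TICKETS, "change", PERIOD_START, PERIOD_END)
    print(to_csv(pop))
    for r in stratified_sample(pop, 0.10):
        print("sample:", r["id"], r["created"])
    # Non-occurrence validation: the identical filter for "incident" returns nothing,
    # which is the empty, filtered view the auditor expects to see in the screenshot.
    print("incidents in period:", build_population(TICKETS, "incident", PERIOD_START, PERIOD_END))
```

Run as-is, the population contains the nine change tickets dated inside 2023, the sample holds one ticket from each quarter, and the incident query returns an empty list. The point of keeping the filter in code (or in a saved system query) is that the auditor can re-run it with the same criteria and get the same count and the same sample.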
Behind the Scenes
Audit firms are typically beholden to certain professional organizations. They must follow AICPA guidelines for SOC 2 audits, for example. We are also part of the AICPA peer review network, which means that risk3sixty’s audit processes have and continue to be audited to confirm alignment with AICPA requirements.
After audit evidence has been provided, the audit firm must analyze the evidence, ensure it meets the attributes described above (timestamp, complete population, sample coverage across the period), and test it against the relevant controls. If the audit evidence is missing some of that information, or if it does not demonstrate that the control operated, the auditor will request follow-up evidence.
In some cases, the auditor may work with you to see if you are performing other activities that can meet a certain requirement (a compensating control). If not, the auditor must issue an exception.
Now that you know more about audit evidence than you ever wanted to know, you are ready for your audit!
If you follow all of the above guidelines, your audit should run smoothly. Your auditor will thank you, and your team will appreciate the decreased back-and-forth. And if what you read in the Behind the Scenes section sounds like a compelling way to make a living, connect with us and we’d love to visit!