How can you help ensure the successful and timely completion of your compliance audit? This article describes what we have found successful compliance auditees do during the audit process. Regardless of the company's size or the maturity of its GRC function, a common thread in the on-time completion of their assessments is the four habits listed in this article.
What are the Habits needed for a “Good” Compliance Audit?
First, I want to begin by stating that I don't view any client as "good" or "bad." I approach every engagement with the same vigor and with the successful completion of the project in mind. The question came up during a recent SOC 2 Type 2 assessment kick-off meeting. While I've certainly thought about how some clients ensure the operating effectiveness of their controls and communicate their maturity better than others, I had never thought about it in terms of client habits.
After reflecting, we could quickly outline four habits we’ve seen repeated throughout hundreds of engagements.
Compliance Audit Habit 1: Strict Adherence to Deadlines
During an external audit, you'll be presented with several deadlines. The number of deadlines, the rigidity of the dates, and the work required to meet them vary from auditor to auditor and framework to framework. Examples of deadline drivers include submitting all evidence before the start of fieldwork and reviewing and approving the scope, to name a couple.
We have seen that clients with internal processes for meeting established deadlines are generally doing the more complicated parts of their program well, too. There are exceptions, as many factors can fall outside the auditee's control.
As you’ll see below, adherence to deadlines is a core component for many successful habits.
Compliance Audit Habit 2: Timely Upload of Evidence
Submission of evidence was mentioned in the previous habit, but I want to touch on why this habit is critical to the success of your audit. Providing the requested evidence either before fieldwork (where possible) or well before the end of the assessment improves the audit experience in a few ways.
First, submitting evidence before the start of fieldwork allows the auditor time to review the evidence ahead of time and ask more relevant questions. As someone being audited, it can be frustrating to begin walkthroughs with an auditor with no context or insight into your environment. This can save both you and the auditor substantial time!
Secondly, providing requested evidence promptly gives the auditor time to request clarifying or supporting evidence. Because the auditor is attesting (or certifying, depending on the framework) to the operation of a control during a specific period, many items cannot be collected after the end of your assessment period. Leaving "wiggle room" to provide that clarifying context reduces the risk of control non-conformities.
Compliance Audit Habit 3: Timely Response to Requests
Similarly, just as you should upload your evidence in time for the auditor to review it, you should respond promptly to inquiries and follow-ups from the audit team throughout the assessment.
At risk3sixty, we communicate early and often to ensure we're providing clients with the information they need to be successful. During an audit, that communication generally concerns the clarification or addition of requested evidence. Those who respond promptly give themselves additional time to collect the required evidence, reducing the risk of missing the deadlines discussed above in the final days of the assessment.
Compliance Audit Habit 4: Organization of Audit Artifacts Throughout the Year
The last habit I want to touch on is what's being done during the roughly 95% of the year in which there is no auditor interaction. Having a plan to identify, collect, and manage the audit artifacts that evidence the operation of your controls throughout the year will save you time and frustration when it comes time to submit. While this is not the only solution, our clients have found great success in leveraging Phalanx's Compliance Calendar module. Managing your controls and required audit artifacts from a Compliance Calendar provides you with:
- Reminders to complete upcoming control deadlines (access reviews, security meetings, log reviews, etc.)
- Templated descriptions of the completed artifact requirements (meeting agendas, completed access reviews)
- A central location to store the output of those events. Upon completing a recurring event, you store the artifacts within the applicable calendar event, linked to your control, for easy retrieval.
Our clients come in different sizes, with different security and compliance program maturity levels and varying degrees of experience working with third-party auditors. Regardless of the company's size or the maturity of its GRC function, a common thread in the on-time completion of their assessments is the four habits listed above.