By: Jay Anthony, President of Audit Liaison, PA
Your organization has determined that there is a need for a compliance audit. But you have so many questions or don’t know where to start? A-LIGN has asked us to put together a short guide to help you decide the correct course of action and the steps necessary to execute a successful audit.
Step 1: Pick the correct audit.
At this point, the audit should be determined by the needs of the business. This means that management or contractual requirements specify the audit be performed. In some cases, a specific audit is requested, however it may not be appropriate for your business. One of the reasons that we recommend A-LIGN to our clients is that A-LIGN takes the time to understand our client’s needs. Two primary factors to consider: the audit which would be appropriate based on your business model and the one that can actually further your business strategy.
Step 2: Prepare, prepare, prepare!
Preparation generally takes up to 80% of the overall first year audit time. As a rough guide, for every hour spent auditing, the client can anticipate up to three hours to prepare for it in the first year. Build your project plan around one of the prevailing internal control frameworks (e.g. COSO or COBiT). Again, leverage your auditor’s experience in determining client best practices in getting ready for the audit.
An annual, comprehensive risk assessment is explicitly or implicitly required in nearly every regulatory standard. When you perform the risk assessment, consider threats to achieving your business objectives in addition to risks of significant or “material” internal control failures, including fraud. The risk assessment will drive the specific controls the auditors will review.
Another area deserving of prep work are policies and procedures. If an auditor is performing a SOC 1 (or SSAE 16) engagement, then your policies and procedures are the foundation upon which they compare their evidence. A thorough preparation of the policies and procedures also allows the auditor to perform a better walkthrough of the business as a whole. Ultimately, the policies and procedures should be meaningful and valuable to your employees.
Step 3: Audit Considerations.
Is your organization considering multiple audits? Consider the opportunity to combine them into one engagement. Often times the evidence used in one audit can be used across multiple audits. By combining the audit efforts, your organization can save time (evidence requests come at the same time) and money overall (overlap means less audit effort).
Step 4: Exceptions?
The biggest concerns our clients have revolve around exceptions. These occur typically in a Type 2 engagement (of a SOC 1/SSAE 16 or SOC 2) when the auditor is looking over a period of time. Those controls must be designed appropriately and operating effectively throughout the review period. An exception can be something as minor as badge access not being revoked in a timely manner, or as significant as a programmer having access to source code as well as the production environment. The latter is an example of a significant segregation of duties concern and usually triggers a Qualified Opinion if there are no compensating controls.
Step 5: Business Considerations.
Management should do high-level cost/benefit analysis once they determine which audit(s)-type will be most meaningful. The preparation phase requires substantial resources, and the audits are an annual occurrence, if not semi-annual. There may be sound business reasons to postpone an audit, however you will have to weigh the potential customer and supplier ramifications carefully.
Most first year audits feel like a ton of work. The good news is that subsequent audits should be much smoother as you will have personnel buy-in, understanding of the evidence, and a better feel overall of what the auditor is looking for.
Hopefully these 5 steps help you and your organization feel better prepared to tackle an audit and have a better sense of where you may need assistance. If you have questions about how A-LIGN can provide a SOC 1/SSAE 16 or SOC 2 engagement for your organization, please call: 888-702-5446 or email them at firstname.lastname@example.org.