In today’s world of industry and governmental regulations, I know it seems like there is a revolving door of auditors, assessors and examiners visiting your location. Although we know you love seeing us and can’t wait till the next team of auditors shows up so you can clear your calendar of real work to facilitate another audit, there are ways to minimize the operational impact the audits have on your organization.
Audits have various reporting periods and evidence requirements. Audit evidence for a point-in-time audit, like PCI DSS, can be gathered close to the report date, based on the auditor’s judgment, while a 12-month SSAE 16 engagement requires audit evidence throughout the period. By coordinating the audit schedules with your auditor you can ensure you receive the biggest bang for your evidence-gathering buck; that is, align your audit report and fieldwork dates so that the auditor can use the evidence gathered for multiple engagements. You don’t want to gather audit evidence and then, six months later, be asked for the same information because it needs to be from a different point in time.
I know you just love talking to auditors. You see your audit firm’s name pop up on caller ID and you know your day is going to improve, but there are times it is important to talk to your auditors. I traded emails yesterday with a client who is changing their retention policy on some information. They wanted to make us aware of it and ensure the change would not negatively impact their audit next year. It is so much easier to discuss changes in your environment before the audit period starts rather than try to figure out what to do looking back in time. I have seen the “oh crap” look on my clients’ faces when I ask for supporting evidence for a control and they say “we stopped doing that, we didn’t think it was important”. So when do you call your auditor?
An audit focuses on people, processes and technology. If your organization is going to make a change to any of those three areas, it may warrant a quick email or call to your audit team. If you share the information when a change is happening, or even before the final decision to make the change is made, the auditor can provide insight on how the change may impact your control environment and your audit.
Prepare Prepare Prepare
It is no secret what the auditor is going to request for a particular audit. The authors of the various requirements publish the requirements you will be audited against. If you do not want to search for it yourself, contact your auditor and have them do some work to make your life easier. Read and understand the requirements. Communicate the requirements to the individuals responsible for performing the tasks. I can’t count the times I have had an audit finding and the process owner states “if they told me I was supposed to do that for the audit, I would have”. Ask your auditor for a detailed request list and have the information ready when they arrive. The request list should include specific items such as reports, logs and configuration settings that the auditor will review. In addition, the request list should include the dates selected for their sample. As an example, the visitor log for the months of February and August can be requested and gathered weeks in advance instead of scrambling to gather something so simple while the auditor is on-site.
By implementing these simple techniques you can get the auditors in, out and on their way so you can get back to your real job.