How to Lead the Audit Orchestra: Plan, Execute, Report

Scenario: It’s Friday afternoon, and you just got told that Sarah, who normally handles the audit, is unexpectedly out of the office. The auditors show up Monday at 8:00 AM, and you’re the new quarterback. Good luck!

You Got This!

Like in sports, preparation before game day is the key to winning. So is having a strategy and a plan.

While audit deadlines can sometimes make you feel like a snake eating a watermelon, you’ll be in much better shape if you:

  1. Understand the three phases of audits

  2. Understand auditor and management goals at each phase

  3. Follow the steps below

Planning Phase

Auditors can get an understanding of the business and identify key risk areas by:

  1. Reviewing prior audit reports and workpapers

  2. Asking management about changes to people, processes or technology since the last check-in

  3. Having a pulse on the latest industry threats and opportunities

Management supported by the GRC team should come to the table with:

  1. Transparency and open lines of communication

    • An ounce of prevention here can be worth a pound of cure downstream if an unexpected discovery is made in testing that adds to audit scope

  2. All relevant business updates

Since better planning provides more effective execution, it’s worth the investment to have:

  1. All killer, no filler control narrative documentation (e.g. in a wiki with a page per control)

  2. An audit Gantt chart

  3. A single-song sheet: an up-to-date list of controls with owners

  4. Regular compliance check-ins and/or continuous monitoring of the environment ahead of the audit

Execution Phase

Weeks after the initial kick-off meeting, it’s now control walkthrough time. Because management planned and communicated well, the auditor has the right person in the room at the right time, and it’s planned work, not a disruptive fire drill. But does the control owner understand the business value that justified the auditor booking the meeting? What risk or opportunity does investing this time in an audit control walkthrough help with? Make sure you’ve communicated that before walkthrough day.

Also ideally before this meeting occurred, though it doesn’t always occur in practice:
