How to Lead the Audit Orchestra: Plan, Execute, Report
Scenario: It’s Friday afternoon, and you just got told that Sarah, who normally handles the audit, is unexpectedly out of the office. The auditors show up Monday at 8:00 AM, and you’re the new quarterback. Good luck!
You Got This!
Like in sports, preparation before game day is the key to winning. So is having a strategy and a plan.
While audit deadlines can sometimes make you feel like a snake eating a watermelon, you’ll be in much better shape if you:
Understand the three phases of audits
Understand auditor and management goals at each phase
Follow the steps below
Planning Phase
Auditors can get an understanding of the business and identify key risk areas by:
Reviewing prior audit reports and workpapers
Asking management about changes to people, processes or technology since the last check-in
Having a pulse on the latest industry threats and opportunities
Management, supported by the GRC team, should come to the table with:
Transparency and open lines of communication
An ounce of prevention here can be worth a pound of cure downstream if an unexpected discovery is made in testing that adds to audit scope
All relevant business updates
Since better planning provides more effective execution, it’s worth the investment to have:
All killer, no filler control narrative documentation (e.g. in a wiki with a page per control)
An audit Gantt chart
A single-song sheet: an up-to-date list of controls with owners
Regular compliance check-ins and/or continuous monitoring of the environment ahead of the audit
Execution Phase
Weeks after the initial kick-off meeting, it’s now control walkthrough time. Because management planned and communicated well, the auditor has the right person in the room at the right time, and it’s planned work, not a disruptive fire drill. But does the control owner understand the business value that justified the auditor booking the meeting? What risk or opportunity does investing this time in an audit control walkthrough help with? Make sure you’ve communicated that before walkthrough day.
Also, ideally before this meeting occurs, though it doesn’t always happen in practice: