How to Lead the Audit Orchestra: Plan, Execute, Report

Scenario: It’s Friday afternoon, and you just got told that Sarah, who normally handles the audit, is unexpectedly out of the office. The auditors show up Monday at 8:00 AM, and you’re the new quarterback. Good luck!

You Got This!

Like in sports, preparation before game day is the key to winning. So is having a strategy and a plan.

While audit deadlines can sometimes make you feel like a snake eating a watermelon, you’ll be in much better shape if you:

  1. Understand the three phases of audits

  2. Understand auditor and management goals at each phase

  3. Following the steps below

Planning Phase

Auditors can get an understanding of the business and identify key risk areas by:

  1. Reviewing prior audit reports and workpapers

  2. Asking management about changes to people, processes or technology since last check-in

  3. Having a pulse on the latest industry threats and opportunities

Management supported by the GRC team should come to the table with:

  1. Transparency and open lines of communication

    • An ounce of prevention here can be worth a pound of cure downstream if an unexpected discovery is made in testing that adds to audit scope

  2. All relevant business updates

Since better planning provides more effective execution, it’s worth the investment to have:

  1. All killer, no filler control narrative documentation (e.g. in a wiki with a page per control)

  2. An audit gantt chart

  3. A single-song sheet: up to date list of controls with owners

  4. Regular compliance check-ins and/or continuous monitoring of the environment ahead of the audit

Execution Phase

Weeks after the initial kick-off meeting it’s now control walkthrough time. Because management planned and communicated well, the auditor has the right person in the room, at the right time and it’s planned work, not a disruptive fire drill. But does the control owner understand the business value that justified the auditor booking the meeting? What risk or opportunity does investing this time in an audit control walkthrough help with? Make sure you’ve communicated that before walkthrough day.

Also ideally before this meeting occured, though it doesn’t always occur in practice:

  1. The auditor provided a “PBC” (Provided By Client) request list of artifacts in advance and the client (management) has responded

  2. The auditor had reviewed provided artifacts and prior year audit reports or workpapers, if applicable

Next the auditor uses a combination of inquiry (asking control owners to describe) and verification test procedures (inspect, observe, analytical procedures, re-perform) to document in a workpaper:

  1. What was done?

  2. What was found?

  3. What was concluded?

After the walkthrough, follow up populations and samples are requested. An agreed upon collaboration tool here can drive a lot of efficiency and organization vs flurries of dis-coordinated emails with the same questions asked repeatedly by different people.

Reporting Phase

With an emphasis on achieving the audit objective which is typically to protect and enable the business, the auditor now documents if they found control deficiencies and provide an opinion of the control environment.

It’s critical that findings are socialized with interviewees before a report is sent up the chain to top management or the Board. There won’t be surprises when this happens if open lines of communication have been established and maintained.


As daunting as it may seem, you can lead the orchestra of a large audit involving hundreds of controls and dozens of control owners. Even an elephant can be eaten, one bite at at time. Elevate your control narrative documentation, get organized, understand the three phases of an audit, follow the steps above for each and communicate, communicate, communicate!

Subscribe to keep reading

This content is free, but you must be subscribed to CPA to Cybersecurity to continue reading.

I consent to receive newsletters via email. Terms of Use and Privacy Policy.

Already a subscriber?Sign In.Not now