No, it’s not a joke. Before an audit kickoff meeting, a very frustrated network administrator cornered his IT manager outside the room and nervously asked: “When will you allow us to do the development work? We’ve got lots of projects lined up, but we can’t focus on them because most of the team’s time is spent on audit meetings and looking for audit evidence.”
This anecdote is taken from a real life example illustrating the frustration of multiple audits—each auditor performing his or her own assessment without relying on work done by other auditors or even his or her own past audits. Some of the other most common audit related challenges are delayed audit starts, extended audit projects, audit reworks, and disagreement between the control owners and auditors on the results.
While the reasons for these challenges are many—including control owners who are busy or on holidays during the audit, difficulties in understanding the evidence requirements and providing wrong or old evidences—the bottom line is this: if these challenges are not addressed properly or evidences aren’t maintained or retrieved, the result to your business could be control failures, reduced compliance, reduced productivity and increased cost. And when the audit schedule is extended, the audit fees can also increase.
Post-audit pain points include tracking and follow up for remediation of failed controls and compliance monitoring, and gaining an insight into control weaknesses—activities that consume a lot of time and energy, and have significant cost implications.
An integrated approach to managing the challenges
Addressing the challenges above requires an integrated approach wherein dedicated compliance support expertise is brought in and well-defined processes and tools are implemented to manage evidence. To this end, here are a few things to consider in order to effectively manage your audit challenges:
- Set up a compliance management support team – acting as the single point of contact (SPOC) for both auditors and auditees, a dedicated, knowledgeable and experienced compliance management support team provides the necessary information and most of the evidence to the auditors.
- Adopt a workflow tool – with evidence needing to be very clearly identified, workflow tools such as SharePoint can easily and effectively capture, store, track and retrieve policies, procedures, approval evidence and documents related to periodic reviews.
- Implement an evidence management process – read access provided to the compliance management support team helps them retrieve population lists and screenshots from the application, infrastructure, workflow tools and SharePoint folders. If email approvals are provided, approvers may be required to mark a copy to the compliance management support team, storing it in an orderly manner and retrieving it for audit purposes. This will greatly reduce the involvement of control owners in the audit process.
Improved efficiency and effectiveness in handling audits
The compliance management team is primarily responsible for facing the auditors, handling most of the audit requirements and queries, and providing the necessary clarifications and evidence through a reduced number of communication channels. This team will be well aware of the audit terminology, process and requirements, which greatly reduces the turnaround time, rework and other delays, and will be able to track, monitor and report the status of the audit project and remediation.
On top of this, the compliance management support team can also perform continuous control monitoring—proactively ensuring that reviews are performed on a timely basis—manage the scope of your locations, processes, applications, infrastructure and controls, and schedule and manage your external audits.
Implementing a dedicated compliance support team and structured processes and tools for managing evidence can enhance the efficiency and effectiveness of your audit process. Surely that’s something to be happy about!