Anatomy of Compliance Audits

Compliance audits can be quite intimidating, especially if you’re new to them. For many organizations, it’s something that’s becoming increasingly unavoidable. In this post, we introduce you to the various aspects of an audit, what an auditor expects from you (the complying organization), and what you can do to make the auditing process as smooth as possible.

Lifecycle of an Audit

Depending on your industry or geographical location, your organization could be subject to one or more laws, regulations, and/or standards such as the Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), EU General Data Protection Regulation (GDPR), and others. This means, at some point, your business processes will likely be audited against a certain compliance framework(s). Regardless of which law(s) or regulation(s) govern your business, you will often have to go through the following phases of a compliance auditing process:

Planning

Planning is a very crucial phase in the auditing process. This is where auditors define the scope of their audit as well as other essentials such as timelines, resources to engage with, the specific compliance framework (e.g. PCI DSS, HITRUST) and corresponding requirements to be met, and so on. If it’s for an internal audit, auditors will typically develop a risk/control matrix and testing plan. If it’s for regulatory compliance, they will identify the specific regulatory requirements to explore, evidence, and test.

For the complying organization, on the other hand, “planning” is (ideally) part of a continuous process. Assuming you already know which frameworks you should be complying with and the relevant systems, applications, and processes that make up your in-scope environment, you should have established a set of policies and operating procedures that dictate how your business will run. Once you’ve established adherence to those policies, you can allow an external auditing firm to come in and do its job.

Your planning cycle should include a walkthrough and implementation of known requirements and a continuous compliance program to both monitor for effectiveness and collect needed audit evidence along the way. Scoping is a big part of this phase, as it is what determines how far you need to go when applying all the necessary requirements, not to mention how much your audit will cost to perform. The bigger the footprint, the higher the bill, so take time and carefully consider what is relevant to your business.

Fieldwork

Upon completion of the planning phase, auditors will proceed to specify a Document Request List, or DRL, which is essentially a list of supporting documents (e.g. policies, schedules, duties, approval processes, reports, etc.) and other evidence from your side that they need to review and evaluate. In turn, you’ll provide them with the needed information, through what is known as an IPE (Information Provided by the Entity) or IUC (Information Used in Control execution).

Typically, included in this IPE or IUC is documentation of steps that auditors can follow to gather the evidence themselves. Therefore, it’s important to ensure that your evidence is accurate and complete. This may include any scripts that you use when pulling evidence or criteria you input when running a canned report.

It is also in this phase that auditors will run tests to see if your controls meet compliance requirements. At the end of this phase (and hopefully during testing), auditors will meet with representatives from your organization and discuss test results as well as any relevant observations and recommendations.

They will point out any misalignments from compliance requirements discovered during the audit and may make recommendations on possible corrective measures. Recommendations aren’t always appropriate, as auditors need to maintain a stance of independence. It’s helpful to have an internal GRC team to keep you aligned with requirements and who can guide you more on changes that may be required in your business processes.

Reporting

After your meeting, auditors will set out to write a more comprehensive report detailing their findings (the good, the bad, and the ugly), the salient points of which would already have been taken up in the meeting. Generally, the outline would include the objectives of the audit, the tests carried out, the results, and the corresponding recommendations. An initial draft of the report will be submitted to your team for perusal.

There will often be multiple reviews, clarifications, and revisions (and sometimes even meetings) until you and the auditors agree on the truth and accuracy of the observations. Once both parties are in full agreement, a final report will be drawn out by the auditors and presented to your team.

Before a final report is submitted, you may be asked to submit a written response to the audit findings. This response is often included in the final report. Some findings are bound to be hard to accept and might appear to damage your reputation.

Before you respond, understand that findings are meant to help you identify risks you might have overlooked. Those unmitigated risks are the ones that can harm your organization, not the audit findings. As such, don’t be too defensive. Instead, look at findings more objectively. Acknowledge issues and outline corrective action plans. It is helpful to take a more cooperative stance.

Follow-up

You will be given time to carry out your corrective action plans, and the severity of any offense(s) should help you determine your priorities. After a reasonable time has elapsed, the auditors will then request a status report on the changes that were made to your internal controls and evaluate the effectiveness of those changes. If they find the corrective actions inadequate, the auditors may suggest alternatives. At a minimum, they will help you to understand what may still be lacking.

As with what was done during the planning and fieldwork phases, the auditors will look for documentable evidence to support whatever changes you have implemented and will run tests against them. It’s a good idea to test your remediation activities yourself first so that you can be confident that the issue has been adequately addressed.

What does an auditor expect?

Audits can be extremely disruptive to business operations, so it’s in your best interest to make yours as smooth and quick as possible. One of the major causes of delays in an audit is misalignment between what the auditor expects from your end and what you’ve done to meet those expectations. It would be best if you knew what auditors expect beforehand to ensure a seamless engagement.

Preparation

As soon as your auditors show up, they’ll expect your team to be fully prepared and ready to go. That means you should be way past the stage of setting up controls or assigning people in your organization to respond to audit queries regarding those controls. All controls should have already been up and running for a considerable period of time, and all control owners should know those controls and the policies associated with them like the palm of their hand.

Organization

When auditors start looking for evidence, they expect you to know where to get the needed information. This means being able to quickly point to 1) relevant documentation and 2) people in your organization who are familiar with the controls, policies, and relevant compliance requirements and are able to promptly respond to queries and requests.

Understanding

Usually, auditors need to gain more context (e.g. events, conditions, company activities, etc.) to determine what specific factors may pose significant risks to your company’s processes. Someone from your end will have to help them gain an adequate understanding of your business and its environment for this purpose.

Integrity

It goes without saying, auditors expect the evidence you provide them to be always accurate and complete. These people are trained to spot falsifications, so you would only put your reputation at risk if you resort to dishonesty just to pass an audit.

How to best deliver on those expectations

The ideal approach to compliance and, accordingly, audits, is to adopt a continuous compliance program. This will allow you to be in a state of perpetual readiness for an audit. You won’t need to drop everything to prepare for an approaching audit because you’re always prepared.

When you have a continuous compliance program, you’ll always have a pulse of how your policies, processes, and operations stack up against all of the laws, regulations, and standards that impact your company. It also means your control owners know your controls well and how they map to specific compliance frameworks.

These mappings can be implicitly or explicitly included in your documentation. As a result, when auditors come in, control owners can easily engage them and provide any requested information on the fly.

To achieve this level of readiness, you’ll first need to identify every single regulation or standard that impacts your organization and consolidate your efforts against a single overarching compliance framework. The idea is to eliminate redundancy and simplify your compliance endeavors.

Next, you’ll need to help your control owners understand the wisdom and practicality of adopting a continuous compliance program against the traditional, highly disruptive approach. You’ll also need to help them become knowledgeable with their designated controls, especially how they relate to your chosen compliance framework. Making all of this part of day-to-day operations instead of a seasonal task can make compliance efforts less daunting for you and your control owners.

Learn more about continuous compliance here.

In addition to adopting continuous compliance, you can also make compliance and audit initiatives less burdensome by partnering with reputable vendors who are already compliant.

Most regulations treat security, especially when it involves cloud environments, as a shared responsibility between the cloud service provider (CSP) and the customer (you). Meaning, some security responsibilities rest on you and some on your CSP. By offloading some security responsibilities to an already compliant vendor, you not only reduce regulatory scope in your environment, but also end up minimizing the risk of non-compliance.

Armor’s private cloud, secured with Armor Anywhere, can help you implement that shared responsibility model while ensuring compliance with major security regulations and frameworks such as HIPAA, PCI DSS, GDPR, and HITRUST. In Armor’s private cloud, security controls are conveniently mapped to compliance mandates, thereby simplifying audit processes. You can see which controls map to which specific regulatory requirement in this compliance matrix.

Armor Anywhere includes a cloud security posture management (CSPM) module, a powerful feature that regularly monitors your cloud environment to assess adherence to major compliance frameworks. If issues are found, you will be provided with step-by-step instructions on how to remediate them. This capability fits perfectly in a continuous compliance program.

Behind Armor Anywhere and Armor’s private cloud is a team of individuals with deep experience and expertise in governance, risk, and compliance (GRC). Every day that team ensures Armor products and services meet applicable requirements of several compliance standards. We also have a team of experts who are available to assist customers with any specific compliance questions or concerns.

Audits don’t have to be scary. By adopting a continuous approach to compliance, deploying the right security solutions, and seeking help and guidance from experts in the field, you can eliminate a lot of the difficulties associated with compliance auditing processes and reduce disruptions to business operations.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals