Audit Preparation
Evidence collection, control testing, and not being surprised by findings.
Overview
Auditors are not adversaries, but they are not forgiving of evidence gaps, untested controls, or recurring findings with superficial responses. Answer the five questions below with the preparation discipline of someone who wants no surprises on audit day.
Read before you answer
Audit preparation is the discipline of ensuring that controls are operating effectively and that evidence of their operation is collected, organised, and available before auditors arrive β not in the 48 hours after they send their evidence request list. Audits in the IT governance context include internal audits (conducted by the organisation's own internal audit function), external audits (conducted by independent third parties, typically for certification or regulatory purposes), and customer audits (conducted by enterprise customers exercising their contractual audit rights). Each has different objectives, different evidence standards, and different consequences for findings, but all require the same underlying discipline: controls that are designed, implemented, and operating effectively, with evidence that demonstrates each of these three things.
The audit evidence hierarchy distinguishes between types of evidence by reliability. Direct evidence β system-generated logs, configuration exports, automated alerts β is more reliable than testimonial evidence (what someone tells an auditor) because it is harder to fabricate and is contemporaneous with the control operation. The controls themselves are evaluated against three criteria: design effectiveness (is the control designed to address the risk it is supposed to mitigate?), implementation effectiveness (has the control been implemented as designed?), and operating effectiveness (has the control operated consistently over the audit period?). A control that is well designed and correctly implemented but only operated for two of the twelve months in the audit period will produce an operating effectiveness finding β the most common type of finding in practice, because organisations implement controls correctly but fail to maintain them consistently.
Responding to audit findings is a governance process, not a reactive scramble. Findings are typically classified by severity β critical, high, medium, low β and each requires a management response that specifies the root cause, the remediation action, the owner, and the target completion date. Management responses should be honest about root cause: an auditor who receives a response that attributes a finding to "a one-time process gap" for a control that has failed in three consecutive audit periods will not accept the explanation, and the relationship between the organisation and the audit function will deteriorate. The right response to a recurring finding is a root cause analysis that identifies the systemic cause β inadequate resources, unclear ownership, competing operational priorities β and a remediation plan that addresses the system, not just the symptom. Tracking finding remediation to closure is the final step: open findings that age past their target date without escalation become a governance signal in their own right.