A Guide to Busy Season for Auditors
Many have nicknamed the period from September through the end of December “Busy Season” for lots of fun reasons: the return of school and fall sports, endless football games on almost every night of the week, the busiest holidays of the year, and loads of family time. Perhaps less fun, Busy Season also often includes audits and attestations for many organizations wishing to deliver audit reports by the end of the calendar and fiscal years. With so much to do—not only at work but also at home—it all may seem impossible, but there actually are proven paths to a smooth end-of-year audit process that can help streamline Busy Season in at least this one respect.
Here are a few tips that can help your organization as we all head into this hectic period of the year.
First off, maintaining high levels of communication
Communication with both your team and the external assessors is essential for any successful audit process, and that includes periodic standup meetings with internal personnel to discuss expectations, requirements, and other aspects of the ongoing (or even upcoming) audit. Clear communication is key to efficiency—which itself is crucial to navigating this chaotic time of year—and ensuring your team fully understands exactly what is expected of them and the timetable in which they must deliver their evidence plays a huge part. The importance of communication to efficiency also extends to the third-party audit team: having an open, transparent channel with your assessors keeps them well aware of your concerns or issues, as well as any changes in systems or the control environment since the previous audit. (Or, if it’s your first year, thorough communication helps establish their initial understanding of said systems and environments.) Overall, established lines of communication across the board increase the productivity of both the internal team and the audit team by decreasing confusion surrounding expectations and the number of follow-ups needed to provide adequate evidence for the auditors’ examination. In turn, this also decreases the chance of the project running over time and delaying the delivery of the report, saving everyone time.
Next, let’s talk about process walkthroughs
All compliance personnel likely recognize that these are an essential part of every audit, but if you’re looking to find time during Busy Season, it is also vital to actually prepare staff for these walkthroughs. In doing so, try emulating the popular children’s book figure Goldilocks—she would make a great lead for a walkthrough with her ‘not too much, but not too little’ approach. As information security teams know well, too much information leads to scope creep, but too little leads to time-consuming follow-ups and clarifications from the external assessors in order to obtain what they need to have an adequate understanding of the systems and control environment. Better-prepared personnel can avoid this, creating more effective walkthroughs and process overviews that lead to a more complete set of knowledge for the auditors—by providing ‘just the right amount of information’ from the start, the process is not held up at this step, and usually a higher quality audit report is yielded in the end.
Take good notes
When it comes to streamlining both communication and walkthroughs, I’ve found that notes are a complete lifesaver: in my experience, they serve as my memory bank for client work from prior years and also from meeting to meeting in the present. But notes can also provide great assistance for your internal team, as they can serve as a starting point for discussions that you conduct with auditors that you can take back to your team, or vice versa. Having a concrete and noted reference point saves valuable time spent searching for the necessary answers, and also helps eliminate the need for repeating and rehashing information when you can instead easily reference past discussions with auditors or your internal team.
Utilizing lessons learned from past audits
But while these three elements—communication, walkthroughs, and notes—are part of most every audit, there are always still particulars to each assessment. Every organization and environment is different, meaning they and those involved in those specific processes are all privy to situations unique to those audits. Rather than remaining stagnant over time, actively utilizing lessons learned from past audits—or even previous compliance experiences at other organizations—can also help to smooth out an audit experience during this upcoming year-end. Our team at Schellman regularly provides observations and deviations at the end of the audit process—these observations outline areas where the organization can improve. If you have not already done so, I recommend taking these findings seriously and creating an action plan to address these potential speedbumps before the audit period so they can be resolved by that time.
Provide honest feedback to your auditors
In the same vein, also providing feedback to the auditors is absolutely essential. Some may not like receiving it, but I love it because it helps me to improve audit skills, which in turn will make me a better auditor and person in the long run, hopefully furthering my career as well. But in general, feel free to give auditors feedback, whether positive or negative. No matter how they feel, the information will not only help them glean a clear understanding of your expectations going in, but will lead to a better audit experience for all in the future.
While this upcoming Busy Season promises to make our lives a little more chaotic, just as it always does, at the end of the day, everyone wants to have a low-stress audit experience no matter when it is, and I as an auditor want that same thing. But the good news is, if you follow the above suggestions, you should see helpful payoff immediately. Good luck with the year-end, everyone!
About Eric Aulbach
Eric Aulbach is a Senior Associate with Schellman based in Tampa, Florida. Prior to joining Schellman in 2020, Eric worked as an IT Audit Associate for a Big 4 firm specializing in SOC 1 and SOC 2 audits. Eric has several years of experience serving clients in various industries, including manufacturing, healthcare, and information technology. Eric is now focused primarily on HIPAA, HITRUST, NIST, and SOC attestations for organizations across various industries.