Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Preparing for Your Audit: 3 Mindsets to Have

Compliance and Certification | Assurance / Service Audits

The famous French fashionista Coco Chanel once said, “don’t spend time beating on a wall, hoping to transform it into a door.”

Ms. Chanel couldn’t have known that her influence would extend beyond style into the world of compliance, but it would make sense for those considering these kinds of assessments to also consider her words.

We get it—nobody wants to get audited. The word alone—“audit”—is enough to earn groans and plenty of apprehension from organizations everywhere. After all, you do so much work preparing and securing data only to then have to deal with someone else coming in, asking for your time and resources so they can point out your problems.

There’s no getting around that it’s a bother—it’s extra effort, and you have enough going on with your business. But no amount of “beating on a wall” is going to change the nature of an audit, nor will it likely change your customers’ desires for that independent validation of your product or services.

You may not be able to “transform” your audit process, but one thing you can change—to your benefit—is your approach going in.

Since we are those people everyone dreads coming for a visit—and we’ve been doing this work for 20 years now—we want to offer some tips on that. We can’t change the process or how we evaluate or the wrench it throws into your business operations, but by adopting these strategies, you can make the whole thing easier on yourself.

Not only will you have a more positive experience during the whole thing, but you’ll be better equipped to get even more out of your process.

Let us explain how.

1. Your Audit is an Opportunity—Not an Inconvenience.

 

Whether it comes from your customers asking for one or your internal leadership spearheading an initiative, the purpose for audits can vary. What doesn’t vary is the tension that arises when someone raises the subject.

The word audit may have become synonymous with “inconvenience,” but even if it is one, it’s also more.

Because an audit is an opportunity, and that’s how you should approach yours.

It’s easy to only see an audit as yet another obligation you need to allot time for, but instead, consider how the process to confirm your compliance is a big benefit. Having a third party assess your environment is a wonderful way to build a sense of confidence surrounding the protection of the data in your charge.

Not only will it assuage your customers, but

  • You’ll have another tool to wield in building value for your company with potential new clients. Third-party validation goes a longer way than just a “trust us, we are secure.”
  • You’ll rest easier since you’ll have confirmation your environment was assessed against an established standard of security and found compliant with the requirements.
  • Better yet, your people will rest easier as well. An audit can confirm that your organization has a secure environment, which does contribute to their job security. One breach is all it takes to trigger personnel turnover, client loss, or worse, put a company out of business.

For these reasons, try to flip your perspective on your audit. Use each assessment as a confidence-building event for the security posture of your organization.

 

2. Be Open—Not Guarded—During Your Audit.

 

But for you to maximize what we’re now calling an “opportunity,” you also need to be completely open with your assessors when they come.

In our 20 years of experience, we often see a mixed bag of organizational enthusiasm. Of course, we’re not surprised when places are very protective and more interested in keeping private as much as possible.  

If that sounds familiar, it might help to have your assessor sign a non-disclosure agreement. You might’ve been considering that already, but let us—as said assessor—confirm that such a move can help your assessment in several ways.

Your honesty is key to your audit success. Answering questions with brief or yes/no answers when your auditor is asking questions makes the process painful on both sides, creating a wall between your personnel and your third party.

But as your assessors, we have to obtain a solid understanding of your environment to more accurately perform our evaluations—“yes” and “no” just won’t cut it.

By being open and disclosing your environment to your auditors—including known areas of compliance concern—you can also use your assessment to drive the necessary changes within your organization.   

It doesn’t have to be necessarily devastating for your auditors to turn up a finding. Some of them can be remediated more easily by making adjustments to configurations, making updates to your policies/procedures, or requiring system updates and additions.

We’ve had clients use our findings as evidence with management when communicating the need for technology updates. It worked, and that organization obtained the necessary funding to make the changes that were needed to bring the environment into compliance.  

But they wouldn’t have secured the updates without the combination of the audit process and their candor throughout it.

3. Consider Your Audit Team as Part of Your Own.

 

That need for open cooperation is critical, and it starts with your mindset regarding your chosen audit personnel.

To more easily facilitate the right kind of teamwork, you and your team should approach the audit as if the third-party folks are just an extension of your compliance team rather than visitors.

We’ve already outlined how that cooperation can yield even more success than you anticipate, but what about when things don’t go so right?

In an adversarial environment—without cooperation—the whole experience can stall progress and add unneeded delays. But treating your auditors as just another one of your teams working toward the same goal of completing the assessment helps to streamline the audit while also making it more pleasant for both sides.

Theoretically, this might seem like a given. After all, both the auditor and your personnel must work together to perform the audit due to the nature of the process—your side has the evidence and the auditors have to get it from them to assess it.

But thinking about it like that—in terms of opposite sides—can be detrimental. Instead, set an example for your staff and consider your third-party audit team as part of your own. In our experience, the idea of everyone working side-by-side sets both a positive tone and the conditions for the audit to be performed more efficiently.

Moving Onto Your First Audit

These days, auditing is a necessary practice, but despite the inconvenience you may currently anticipate, your experience does not have to be negative. If you take these three approaches, you’re setting yourself up well to have as pleasant of a process as possible while also maximizing your returns.

Even if your audit is being driven by regulatory requirements or customer demand, remember that you do still have some choice in the matter. You can either go through your assessment with an uncompromising and adversarial attitude, or you can set the stage for an opportunistic event with a cooperative attitude—either way, you are still going to have to perform your audits.

Make compliance assessments that are integral parts of your business even easier by being as prepared as possible. Read our content on different initiatives so that you ensure the right direction for your organization and set the right expectations:

About Todd Busswitz

Todd Busswitz is a Manager with Schellman. Prior to joining Schellman in 2019, Todd worked as a QSA specializing in PCI engagements. As a Manager with Schellman, Todd is focused primarily on PCI assessments for organizations and across various industries.