Auditors. We’re an odd breed. “A necessary pain in the tuchus,” some may say. Admittedly, we’re not everyone’s cup of tea. In fact, in our 20+ years of experience, we’ve seen the word “auditor” invite various visceral responses. To be sure, organizations aren’t always enthusiastic about inviting us assessors in to do the requisite checks, despite the benefits of doing so (and despite being invited guests).
The period of September through the end of December many have nicknamed “Busy Season” for lots of fun reasons: the return of school and fall sports, endless football games on almost every night of the week, the busiest holidays of the year, and loads of family time. Perhaps less fun, Busy Season also often includes audits and attestations for many organizations wishing to deliver audit reports by the end of the calendar and fiscal years. With so much to do—not only at work but also at home—it all may seem impossible, but there actually are proven paths to a smooth end-of-year audit process that can help streamline Busy Season in at least this one respect.
Here are five steps to help successfully prepare: 1. Validate the Nature of the Request. Does your client base understand the various SOC reporting options and what they are asking of your organization from a compliance reporting perspective? Is there a connection to internal controls over financial reporting (ICFR) of the services that you provide to your clients, or are you looking at general controls of a system that are relevant to security, availability, processing integrity, confidentiality, and/or privacy? SOC 1 can oftentimes be misused by the general public as a generic reference to third party examinations. There is misconception in the marketplace; help prevent it.
The audit world isn’t as scary as people make it out to be. But there are things that you can only learn in the audit profession through experience and not in the classroom. Here are some of the biggest takeaways I learned as a first year auditor:
[NOTE: Schellman has since updated this content in a more recent article.] Think of your auditing firm like you would a long-term business partner. They are someone you will work with year after year, and they will be an integral part of setting the stage for your organization’s success. As such, the act of selecting the appropriate assessor shouldn’t be taken lightly. Here are several key qualities your organization should look for when choosing an auditing firm:
The Health Information Trust Alliance is a U.S.-based organization that works with healthcare, technology and information security leaders to establish a Common Security Framework (CSF). A CSF is a body of controls for all organizations to follow to create, access, store and exchange private or regulated data. The Health Information Trust Alliance believes security should be a core pillar of health information systems and exchanges, not an obstacle to be hurtled, hence its mission to normalize security controls via the CSF. The CSF includes:
Effective January 1, 2002, the Institute of Internal Auditors (IIA) released updated standards in the International Professional Practices Framework (IPPF). Internal auditing departments, according to Standard 1312 of the IPPF, must complete an external assessment once every five years from a qualified independent assessor or assessment team. In addition, the chief audit executive (CAE) must discuss the form and frequency of external assessments and the qualifications and independence of the external assessor or assessment team with the board of directors. Standards (unlike practice advisories, practice guides and position papers) are principal focused mandatory requirements consisting of statements for the professional practice of internal auditing and for evaluating the effectiveness of performance which are applicable at the organizational and individual levels.