March 24, 2026 | 5 min read

Compliance Audit Checklist for 2026

The compliance audit checklist that covers what auditors actually look for. Pre-audit, during audit, and post-audit steps that prevent last-minute scrambles.

The Dictiva Team

The Night Before the Audit

If you're reading this the night before your audit, we can't help you. But we can make sure next time is different.

Every compliance audit — whether SOC 2, ISO 27001, HIPAA, or PCI DSS — follows the same basic pattern: the auditor asks "show me," you either can or you can't, and then everyone writes a report about it. The organizations that handle audits well aren't smarter. They're just less surprised.

An audit should confirm what you already know about your governance posture. If it teaches you something new, your monitoring failed.

Pre-Audit Checklist (8-12 Weeks Before)

Documentation

  • Policy inventory is current — every policy reviewed within the last 12 months
  • Governance statements have owners — no orphaned controls or unassigned responsibilities
  • Evidence is pre-collected — don't wait for the auditor to ask; have evidence ready for every control
  • Exception log is documented — every deviation from policy is recorded with justification and approval
  • Previous audit findings are resolved — open findings from last year signal systemic issues

Technical Controls

  • Access reviews completed — quarterly reviews documented with manager sign-off
  • MFA enabled on all critical systems — admin consoles, cloud platforms, email, VPN
  • Encryption at rest and in transit — verified, not assumed
  • Logging enabled and retained — minimum 90 days, accessible for investigation
  • Vulnerability scans current — within 30 days, with remediation evidence for critical/high findings
  • Backup and restore tested — not just "we have backups" but "we proved restore works"

People and Process

  • Security training completed — all employees, within the last 12 months, with completion records
  • Acknowledgments collected — policy acknowledgments from all employees
  • Background checks current — for employees with access to sensitive systems
  • Vendor assessments current — critical vendors assessed within 12 months
  • Incident response plan tested — tabletop exercise within the last 12 months

During the Audit

What Auditors Actually Look For

Auditors aren't trying to catch you. They're trying to answer one question: "Are your controls designed properly and operating effectively?"

They Ask                                       | They're Really Checking
"Show me your access review process"           | Do you actually review access, or just say you do?
"Walk me through an incident response"         | Can your team explain the process, or just point to a document?
"How do you handle change management?"         | Is there a process, or do people just push to prod?
"Who approved this exception?"                 | Is there accountability, or do exceptions happen silently?
"Show me evidence of employee training"        | Did people complete it, or did they click through in 3 minutes?

Audit Survival Rules

  1. Answer the question asked. Auditors don't want a 20-minute explanation. They want a concise answer with supporting evidence.

  2. If you don't know, say so. "Let me check and get back to you" is infinitely better than making something up. Auditors can smell improvisation.

  3. Have a single point of contact. Don't let auditors wander the organization asking random employees about controls. Channel everything through someone who knows the governance program.

  4. Provide evidence proactively. Before each session, share the evidence for that day's topics. Auditors who have to chase evidence get skeptical.

Post-Audit Checklist

  • Review draft findings — negotiate language where appropriate (auditor observations vs. exceptions)
  • Create remediation plan — owner + deadline for every finding
  • Brief leadership — no surprises; communicate results to the board/exec team
  • Update risk assessment — incorporate audit findings into your compliance risk assessment
  • Start evidence collection for next cycle — the best time to prepare for the next audit is the day after this one ends
  • Celebrate — seriously, audits are stressful. Acknowledge the team's work.

The Continuous Audit Mindset

The organizations that breeze through audits aren't doing anything heroic at audit time. They're maintaining governance continuously:

  • Monthly: Access reviews, vulnerability scan remediation, training completion tracking
  • Quarterly: Control effectiveness testing, vendor assessment reviews, policy acknowledgment cycles
  • Annually: Full policy review, risk assessment update, governance maturity evaluation

When governance is continuous, audits become confirmations — not discoveries.

The Bottom Line

An audit checklist isn't a substitute for compliance management. It's a verification tool. If you're using this checklist as your primary governance mechanism, you're doing it backwards.

Build governance statements your team understands. Track maturity continuously. Test comprehension regularly. Then use this checklist to confirm you haven't missed anything.
