How to Pass Every Audit - Soft Skills & Documentation
One of the main keys to a successful audit is proper management of the audit by the team being audited. There are four big ticket items that are essential, and have proven successful for me:
Centralize responses. Funnel all answers through one or two designated contacts to maintain consistent messaging.
Be factual and concise. Never speculate, and don’t speak to future plans. “We’re planning to…” often creates new audit scope you didn’t intend.
Use documentation rather than stream of consciousness. A strong response includes the auditor’s question, your narrative answer, and quantitative evidence (metrics, screenshots, reports).
Leverage automation. Where possible, provide system-generated proof rather than manually collected samples.
Above all: never lie, and never overpromise. A well-written, measured response builds trust, and trust is often the difference between a “note” and a “finding.”
Centralizing response and using documentation to your advantage
There are two aspects to this: verbal and documentation requests.
Verbally, it’s best to designate one primary voice. This person should do 90+% of the talking and should know the program well enough to speak to the vast majority of topics. There may be a few nuanced areas where a deeper dive is required. When this happens, I have had the most success redirecting the auditors to a formal documentation request for the deep dive, and then working with the SMEs to produce a written response.
For documentation, I have generally used a combination of Jira and SharePoint. The best experience is when audit is also using Jira and all requests go through Jira. We still create a formal document containing four main sections for every response, so if audit combines multiple questions into one request, we respond to each question separately.
Restate the audit question exactly
Define or clarify any relevant scope, standards, or exceptions - but only those that are specifically relevant.
Provide the explanation. Write it as if you were explaining it to someone who doesn’t know the system. Educate, define, explain, and if possible provide visuals.
Attach any relevant evidence.
This then gets routed to a program manager for review and approval as well as the primary designated voice. This helps maintain consistency and clarity in what is discussed and reviewed.
Be factual and concise
One reason to choose a single voice is to keep someone from being loquacious or meandering in the conversation. The last thing you want is to expose something irrelevant or unnecessary that then becomes scope for the audit. If you can’t clearly articulate an answer, ask for a formal document request and write it out. Don’t wing the response unless you’re extremely comfortable with the topic.
Don’t talk about things you are planning to do. That does three things: 1) It makes it sound like there is a risk now that you aren’t prepared to handle. 2) It adds new scope to the audit that may result in a finding for something you are already managing. 3) You may extend the audit, trigger a request to review your work in progress, or invite a revisit of the thing you are working on before you are ready to show it.
Leverage automation
If you are properly building your standards and metrics, then you don’t need to gather evidence manually. Build the automation into your metrics so that it produces the evidence for you. Automated, system-generated evidence is always stronger than manually captured evidence, which includes things like screenshots, UI exports, and live demos.
Findings are normal and expected. A single finding rarely results in a failed audit. Similar to your metrics, if an auditor never finds anything, it may appear as if they aren’t digging hard enough. Your goal is to arrive with an overwhelming force of confidence and evidence, but a program is never perfect. It rarely makes sense for a department to mature all of its programs to the highest level, so there will always be gaps. Your role, in that case, becomes that of a risk manager: be able to explain the residual risk of these gaps so you can ensure the findings are right-sized.