So here are our ten top tips:-
1. Audit trail and documentation
As well as having clear, written policies and procedures, ensure that you have a detailed audit trail of all actions and can easily and quickly access the relevant documentation. It is not just about being compliant and adopting best practice, it is also important to document that you are doing so.
2. Joined up processes
If a component of the business function to be audited is outsourced, check there is transparency across both organisations to make sure that the policies and procedures of each organisation support the other’s and that they are joined up. The requirement for joined up working should be specified in the contract for all sub-contracted activities.
3. Latest legislation
Check that your policies and procedures incorporate the most up-to-date legislation and regulatory requirements. These change regularly, so you can never afford to relax and let your guard down. Link this to the document management system that holds all the documents and include review dates so that the document is regularly reviewed and updated with changes.
4. Escalation and emergency procedures
Test the robustness of your escalation and emergency procedures, for example, by having a trial run or a simulation exercise, whichever is more appropriate for the situation.
5. Start planning today
Start planning your audit well in advance. Develop a checklist of all areas that will be audited. Identify where you need to undertake remedial action and put a plan in place to address those. Review any other activity from outside the core area that may impact on your audit.
6. Tell everyone
Brief everyone about what to expect and what is required of them, including your outsource partners.
7. Dress rehearsal
Run internal audits before the big day to check you are ready – if you like, a dress rehearsal.
8. Trained and skilled internal auditor
Make sure that the internal auditor that you use to run that dress rehearsal is properly trained and knows how to run an audit so that the things they pick up on are what an external auditor might have also picked up on. You can use previous external audits for guidance.
9. Complete remedial actions
Once you have had your audit, if there are any remedial actions that are identified, make sure that you complete those before the due date and that you document that completion. Be open and make your internal audit reports available for the auditor.
10. Be prepared
Finally, it is not just about surviving an audit on the day. Your ideal position is to be audit-ready at all times. If you have your systems and processes in place, it is not just in order to satisfy the auditor, but really to help the business mitigate operational risk.
So as the old Army saying goes, proper preparation prevents poor performance! Being audit-ready and managing your operational risk thoroughly will not only enable you to survive audits with minimal pain, but also help the enterprise to function at an enhanced level.