Tips for Leading a More Successful Compliance Audit

Being audited is common company practice, but it’s often met with stress and maybe even resistance. Here at Onspring, we make preparing for audits as easy as possible by automating workflows, building document-supported audit trails, and providing real-time data. This means teams can track findings and connect them to related controls in a snap.

We recently sat down with data experts Melissa Ryan, principal and founder of Asureti, and Brandi Lawson, senior GRC consulting manager, to discuss all things audit. The robust discussion yielded valuable advice on how to specifically use Onspring for internal audit practices. Asureti is an IT services and consulting company with over 60 years of hands-on experience in governance, risk, and compliance.

Melissa Ryan

Principal and Founder – Asureti

Brandi Lawson

Regulatory Compliance Executive – Asureti

Let’s say your organization has an audit planned, scoped, and defined. Roles and responsibilities have been laid out. How can your compliance team make sure the audit itself goes smoothly? Melissa and Brandi share answers to that “what now?” question to ensure your upcoming audit engagements will be successful.

Why is communication so important during an audit? And what tips would you share for effective communication?

Brandi: I’d stress that effective communication is really woven throughout the entire audit engagement, and it happens at every level. Communication really drives the audit experience, whether it will be a good one or a stressful one.

In order to have effective communication, I always emphasize effective listening. Compliance teams should make sure that they fully understand what the auditor is looking for and provide information to complete the audit in an efficient manner. Of course, everyone on your team is going to want to pitch in during the audit, but it’s important to identify those key individuals who will be directly engaged in the audit and educate them on how to effectively help the auditor during the engagement. We really just want to provide the information asked about in an accurate and concise response.

Melissa: Just to add to that, it’s ok for clients to ask the auditors why they’re asking those questions: Why do you need that documentation? Why are you asking me about that process? Can you help me understand why you asked that? I want to make sure I get you a complete answer or that I’m thinking about it in the right way.

The auditor should be able to answer these questions and explain why it’s important and why it’s connected to the defined scope.

I often think of audits as coming together and butting heads, and it doesn’t have to be that way. There really is a common objective. So, keeping that in mind, I’ve found it’s always helpful to remember that the audit engagement should really be a conversation with open communication around a common goal.

How have you worked through a disagreement or diffused a situation during an audit?

Brandi: Firstly, organizations can prep for audits so that there aren’t many disagreements. And to do that, you really want to demonstrate transparency and cooperation as an organization.

Secondly, it’s very helpful if you have a primary person who’s responsible for the line of communication throughout the engagement. This person helps to get things to the correct people, fostering good communication by responding quickly and acknowledging requests.

Having great compliance personnel is really going to help during the engagement. If you can have like-minded individuals who are able to talk through things and see eye-to-eye with the auditor, it’ll help with anything ambiguous. This also helps the auditor stay within the bounds of the audit. A good compliance person will jump in if the auditor asks for things that honestly are not within the scope of the audit.

Those are the things I do to set up my team for success, so that I don’t have a disagreement. If you anticipate a disagreement, plan to have a senior-level person, such as a chief compliance officer or chief security officer, prepped ahead of time to diffuse the situation. These individuals don’t necessarily need to be involved in the core discussions, but they can be “on call” to meet with the auditors and help guide disagreements.

Those folks are good at diffusing situations, but it’s important to respond to that conflict calmly, professionally, and respectfully.

How can compliance teams leverage Onspring during the audit process?

Brandi: Onspring has been a game-changer for us. We developed an audit dashboard inside Onspring that serves as a primary source of truth and a communication hub for both auditors and client executives to review audit details.

We’ve found that you can designate auditor roles or use the portal feature to limit the details that are shared with the auditor vs. the internal executives. For executives, it gives that “executive snapshot” and reduces internal communication and updates. We use this dashboard for audits, and it’s really reduced the number of back-and-forth conversations and emails that project managers had to send and update. Onspring has been fantastic and has improved our efficiency.

Melissa: We can also route all of the auditor’s requests through Onspring, so we have everything in one place serving as one source of truth for data, status updates, etc.

The dashboard is the icing on the cake in some ways. We’re doing the work in the tool, leveraging the automation, the tracking, the interaction capabilities with end users, making it as easy as possible to get all that information, but then we’re also able to pull it together in one place for the executives, and even for the auditors. In some cases, we’ll pull the auditors into the project, so they can see it. We can provision their access and set it up a little differently, so maybe they can’t see everything the internal team sees. It’s something that we can use truly as a one-stop shop for everyone.

This is just the beginning, though. We can’t stress how great this dashboard’s been in real practice.

What are your thoughts on performing an audit through electronic communication, such as Zoom, email, phone, etc.?

Brandi: People had been hesitant to go virtual until they were forced to because of the pandemic. But I’ve seen these tools be really successful, which can be surprising because I think people just assume that you have to be on site to see things. People have been creative, taking pictures or carrying the computer around and showing the auditor.

I think as long as you make it a requirement that everybody is visual on screen, it’s going to be more successful than you might think. Lots of people have been doing audits virtually for quite a while, so there’s a comfort level now in doing them remotely.

Melissa: And you may be able to set up some type of rotational program where you go to on-site locations every two years or every three years for validation.

But there are still ways you can simulate collecting evidence over Zoom. From the auditors’ perspective, they still have the obligation to verify, inspect, and validate. So, we need to be creative and be a little flexible or agile in how we’re working through that audit process. Who knows, maybe virtual will be better than traditional, in-person audit someday.