What’s the No. 1 cause of errors when preparing for an audit? Procrastination.
Rushing to complete an assignment often leads to panic. And when people panic, they tend to miss something important. For an event as significant as an audit, accidentally omitting critical information can be a very costly mistake, resulting in hefty fines and penalties.
After working in a variety of industries that adhere to many regulations – payments, securities, loans, retail – I have discovered organizations of all sizes experience the same pain. I’ve witnessed companies panic as they scramble to gather all the required information, and it’s not a fun environment to be in.
When an audit is scheduled, your company should plan to be prepared with all the evidence in a form that is accessible and that clearly states each requirement and how the evidence meets it.
Here are four steps that I follow to help our clients change their compliance culture from reactive to proactive and incorporate compliance into their everyday processes.
Step 1: Get Everyone on Board and Create a Plan
First, we develop a plan to get ready by gathering the documents and combining them into a condensed version.
During this process, we make sure everyone is in the room so we can speak to the requirements from the same organizational perspective.
Compliance isn’t a job for just one person. It involves the entire team at all levels so everyone involved should be part of the planning process.
Step 2: Identify Risk Areas
We review the systems architecture to identify the risk areas (internal and external) that the auditors will want to check.
After the risk areas are identified, we document the safeguards for those risks and how and when they are tested for accuracy. Then we identify and document all users of the systems and everything they have permission to access.
These reviews provide a good opportunity to write remediation plans so that you have time to address any issues. Presenting remediation plans during the audit will save a lot of time because it means there is less to discuss.
Step 3: Review Monitoring Processes
If you monitor your customers’ activity, you’ll need to provide overviews of the monitoring process, procedures and reporting used to accomplish this objective.
You will also need to provide any procedures regarding reporting of suspicious activity.
Ideally, most of this information should already be documented and will just need to be updated.
You do not want to give your auditors the same documents that you provided during the previous audit because you need to show them that you are constantly reviewing and updating processes and procedures.
Step 4: Conduct Mock Audits
Review the documentation and conduct mock audit reviews if time permits. Practice makes perfect!
How Odyssey can help
According to Verizon’s 2019 PCI DSS Compliance Report, 80 percent of organizations are still non-compliant. If your company needs help navigating the ever-changing compliance landscape, reach out to us. Our team of experts will work with your IT team to identify gaps, organize all documents and create a proactive plan that has you prepared for an audit at any time.