Dave Daulby, NSI Services Auditor, shares his expertise on how best to prepare for a security services audit.
When liaising with companies about their impending audits, I can often detect how the audit will go by how easy it is to communicate with the company and the quality of information provided. Processes embedded within the company make the audit feel like just another day at the office, as opposed to being the exception and a challenge to produce evidence of compliance.
Some companies adopt an attitude of “let’s not prepare and the auditor can let us know where we are”. This is a risky approach and one that could lead to a revisit at an extra charge.
Where records need to be completed, this should be done at the time, because the risk of inaccuracy grows as time passes, and an auditor is likely to identify this and raise a finding.
I would advocate an inclusive, continuous approach to preparation, extended over time, aimed at ongoing checks for sustained effectiveness.
It’s a team effort
Audits can make people nervous or defensive and they may lose the ability to think or act as they would normally. To put an external audit into context, you need to understand that the auditor wants the audit to add value and that any findings raised will improve the business.
The role of the auditee is to demonstrate compliance, and having open conversations is the best option, helping the auditor to provide an assessment that will add value to the outcomes. Treat the audit as a learning curve. You also need to understand that, unless you are the sole manager or director, you need to engage with others to share the workload. Typically, they will be the leads in HR, finance, and operations. The larger companies will also have training and other leads.