How To Prepare for the Audit?

Published by Yana on

I was recently preparing a team for an external on-site audit visit and the basic guiding principle I declared was: “You are going to do all the work and they are going to get paid”.

I meant it.

It sounds a bit odd and potentially provocative, but the truth of the matter is: the more your auditors have to work, the worse your audit outcome is likely going to be.

Most audits are not about learning something new or discovering something you did not know about your business. The majority of the audits are just about getting the most favorable opinion that you can get for a specific pre-defined purpose (e.g. mandatory annual audit, partner due diligence request, listing requirements, licensing requirements or something else that needs external validation).


Here is what (in my opinion) is important to know and to do in order to have a successful audit:

  • Spend a significant amount of time with the leading partner on the phone and over email, defining your audit scope, the methodology they will use, the size of the samples and other parameters of the audit before signing any engagement letter. For example, instead of inviting the team to do an AML audit, you would have to clearly define which specific processes will be audited, which policies will be reviewed, what period is covered and what the opinion should be.
    • Bad audit scope example: AML audit for the year 2018 for company XXX.
    • Good audit scope example: AML audit of the company XXX for the year 2018, covering the following processes:
      • Adequacy of the AML Policy, Transaction Monitoring Policy and Scanning Policy
      • Adequacy of the High Risk Accounts Identification and Approval Processes.
      • Performance testing of the automated onboarding solution used by the company XXX based on 30 sample accounts during the month of October 2018.
    • The audit opinion would normally be a negative confirmation: “We have reviewed the processes XXX and documents XXX, and we found the processes and documents to be generally adequate and of sufficient quality, and nothing came to our attention that would indicate significant deficiencies…”
  • Do not volunteer your team's time to educate the audit team during the audit. That has to be done beforehand and should not count as chargeable hours. Instead of having a 2-hour discussion about the nature of your business and its risks during the audit, send the auditors your latest risk assessment in advance. Actually, it’s way better to communicate with auditors in writing, rather than giving them verbal explanations.
  • Get a clear understanding of who is going to be on the audit team and how many hours they will spend. If you see that the senior manager is going to spend 50 hours doing field work analysis, ask for a more junior person to be assigned to these tasks (because it costs less).
  • Don’t be afraid to be a bit confrontational: for example, if you had sent to the audit team a set of documents in advance to prepare them for the audit, and they turned up and did not read any of them, send them back home, reschedule their visit and complain to the leading partner.
  • Prepare all the samples, all the reports, all the observations, all the evidence, all the copies, and all the explanations about potential deviations or missing elements in advance, so that the audit team does not need to think or get creative – your goal is to make them copy and paste your information as much as possible.
  • Do not be afraid to push back on the first audit opinion draft (e.g. never accept the first offer). In fact, always push back on the first opinion. For example, it is very common for auditors, when they did not really find any deficiencies, to come up with generic improvement ideas, e.g. “the client combined process 1 and process 2 within one policy and we recommend to split it into 2 separate policies” or “the client policy may benefit from some additional details…” Just push back (in writing) and state that these recommendations do not reflect the nature and the level of complexity of your business, and they are optional and subjective and do not represent actual deficiencies or legal requirements, which is why you request these recommendations to be removed from the report.
  • Let auditors find something small and easy quickly (or they will keep digging).
