Preparing for an audit can be daunting, but it doesn’t need to be. This article provides real-life examples and best practices for preparing for an audit. In particular, we’ll focus on a scenario where you’ve just finished your last scheduled ISO 27001 audit (the following tips can also be applied to many other standards) and there are now 12 months to prepare for your next one. I know that social housing is a highly regulated sector, so by undertaking external audits you’re already demonstrating your organisation’s commitment to compliance and data security as well as to its financial wellbeing and reputational standing.
12 months before your audit
When working with an accredited certification body, you will have received feedback from your organisation’s last audit. This offers a springboard to look at the roadmap for the year ahead before your next audit takes place. A good starting point would be to carry out a post-audit review (from your audit report and list of findings) which will explore the independent findings and recommendations that the auditor has given you.
After you’ve managed the associated corrective actions, use the original findings to help define the scope and set the objectives for your next internal audit. And look ahead to the next year – are there any trends or key changes in the social housing or IT landscapes that could have knock-on effects for you? If so, take those into account when defining your scope and objectives.
After that, it’s a great opportunity to review the composition of your current audit team (e.g. new people in your organisation who should be included). Make sure your team comprises a good mix of IT staff, health and safety experts, compliance and regulatory specialists as well as senior leadership. We’d also recommend including someone from your marketing team so they can communicate relevant information to the whole organisation.
Ten months to go
Now you’ve taken those first steps, it’s time to ensure all systems and tools are up to date. This would include your IT policies, disaster recovery plans, any legal and/or housing regulatory requirements and network diagrams.
Being aware of your third-party partners’ policies is also important. From your repairs contractors to your architects, it’s important to know what their procedures are and that they don’t undermine your information security.
It’s also a good time to establish your most current risks and mitigating controls relating to your ICT processes and systems.
Eight months to go
With the compliance officer, extend your view of emerging industry standards, regulations and laws that affect you and the wider housing sector (such as GDPR and ISO 27001). Alongside this, with ‘smart home’ technologies constantly evolving, make sure you’re staying on top of the latest data-sharing and security policies.
Six months to go
Being able to demonstrate effective procurement processes is something that is very important in an audit. Make sure that you’re working with your relevant colleagues to ensure your procurement programmes are as strong as possible and can be clearly communicated to your auditor.
At this halfway mark, it’s also a good time to undertake your latest gap analysis to spot any gaps that might need further exploration before the audit. Prioritise analysing the effectiveness of your management system as a whole as well as its individual processes and sub-site activities. Comparing your current ICT controls and practices against compliance best practice will make these gaps easier to find.
Now is also the time to carry out pre-audit assessments. This could be in the form of undertaking a mock audit to replicate what the processes might look like or carrying out more straightforward internal assessments. Both of these will help you find any weaknesses in your processes and give you the opportunity to rectify them.
To finish off this stage in your audit preparation, make sure you’ve kept detailed documentation of all the changes and updates that you’ve made off the back of the gap analysis and assessments you’ve carried out because your certification body will probably want to review your internal audit reports.
Three months to go
You should now be in a solid position to connect with your relevant stakeholders and start the detailed planning for your audit. Make your stakeholders (incl. your executive groups and leadership teams) aware of any significant system and/or process changes since your last audit.
It’s also a good time to coordinate access to relevant systems, resources and key documentation that all stakeholders might need. When carrying out these specific conversations, it also gives you a good opportunity to share your finalised scope and objectives with the external auditor. These critical interactions between you and the certification body help ensure a smooth audit experience as well as maximising the derived value.
One month to go
As the audit gets close, attention moves to internal communication. Now is the time to prepare your key colleagues/stakeholders and ensure they’re ready to answer questions related to their areas of the business. It’s also a good idea to create a communication plan around this point to ensure all teams are aware of what’s most relevant for them in terms of the audit.
One week to go
You’ve almost made it to the finish line! On the day of the audit, confirm that all necessary documentation and resources are readily available. Make sure your team is well prepared to address questions and provide explanations to the auditors. Remember, there is no such thing as a bad set of audit findings because they will always help identify focus areas and drive continual improvement.
Post-audit
We’re now back to where we started because the best way to close the loop is by carrying out a post-audit review; look at the strengths, opportunities, weaknesses and threats that have arisen from the review.
For any readers who might be carrying out their first audit, many of the above recommendations will hold true; we’d recommend taking a pragmatic view when applying them to best suit your current circumstances.
Whether you’re facing your first audit or your 21st audit, I wish you luck and hope this information proves useful.
Andy Wilson is the UK country manager and director for business assurance at DNV.