Building strong audit management process for frameworks like HIPAA and PCI DSS

Companies need to collaborate with their audit firms, which means they must anticipate the audit firm’s needs. The better you do at that task, the easier (read: less expensive) your audit will be.

Unfortunately, anticipating your audit firm’s needs can be difficult. Some companies may have never undergone an audit and won’t know what to expect. Others might have business processes that have evolved over the years and don’t align with what auditors want for evidence or documentation. All of them will be worried about the cost of the audit, and rightly so.

At the same time, audit firms labor under their own pressures: high standards for objectivity and quality control imposed upon them by regulators and fears of legal liability should they reach an opinion about a client that later turns out to be wrong. 

Businesses need to develop an effective audit management process that defines the company’s policies and procedures for managing audits and spells out best practices for collaborating with your auditor. Let’s unpack what that entails and how you can develop such a process at your organization.

Mastering your PCI DSS and HIPAA audit obligations

Begin by understanding your company’s audit obligations. That, in turn, will help you understand the personnel and tools you’ll need to meet those obligations and to engage with your auditor productively.

Example

For example, publicly traded companies in the United States must undergo an annual audit of their financial statements and internal control over financial reporting. Public, private, and nonprofit groups might need to audit their data security controls to comply with the HIPAA law for personal health information, the PCI-DSS standard for credit card data, or other security standards. 

Some companies might be working under consent decrees with an agency such as the Federal Trade Commission, which can impose requirements for privacy audits. Your business may operate under numerous such laws, regulations, and decrees and have multiple audit obligations simultaneously.

You can only manage those audits efficiently if you know about them. Hence, you need to consult with the corporate finance, legal, IT security, or other teams to understand all the audit obligations your organization has. Keep a master list of those obligations. Once you know those audit obligations, you can piece together who should be involved in your organization’s audit management process.

Designating the right leader for your internal audits

Auditors will place many demands on your organization. The best way to handle those demands is to designate a specific person (or team) to be responsible for working with the auditor:

  • Setting the scope of the audit
  • Outlining which people will do what tasks
  • Developing procedures for settling disputes

Exactly who within your business should manage the audit will depend on the type of audit in question. For example, financial statement compliance audits with the Sarbanes-Oxley Act will typically involve the head of internal audit (or the CFO if you don’t have an internal audit team). HIPAA or PCI-DSS audits usually involve the Chief Information Security Officer or a Chief Privacy Officer.

Another important point is to ensure that the person in charge of working with the auditors has sufficient authority and empowerment. After all, this person might be responsible for working with operating units to collect certain types of evidence or recommending that specific policies, procedures, or internal controls be changed. If that person (head of internal audit, compliance officer, CISO, or anyone else) lacks executive-level support or respect from operating units, those requests from the auditors won’t get done.

Ultimately, that will mean more work for everyone as the external auditors grow more strident and insist on more exacting tests and evidence. Your internal audit leader should also have the necessary support staff and resources to competently fulfill those audit management duties.

Working with external auditors

Once the audit gets underway, the work could last from several weeks to several months. Your audit firm will bill you for every hour of that engagement, and your team will spend valuable corporate resources as you respond to the audit firm’s requests. 

That’s why you want an audit process that promotes efficiency and collaboration and is sustainable year after year and from one audit to the next. Let’s consider some best practices so that your relationship with external auditors runs smoothly.

Five steps for working with external auditors

Establish clear communication

Maintain a clear and open dialogue with your auditors. That means setting up a preliminary meeting to define audit objectives, set timelines, and spell out expectations. Then follow up with periodic meetings after that to be sure everything is still happening according to the audit plan. Also, establish a point of contact to coordinate with the auditors, such as the head of internal audit on your side and the audit engagement partner on the other.

Prepare in advance

Before the audit begins (such as after that preliminary meeting but before the audit staff set up camp in your conference room), gather the documentation you know you’ll need. That can include financial statements, results of internal audit testing, policies, contracts, compliance reports, and the like. Organize those documents logically so auditors can understand them more easily. All these steps will help streamline the audit process and make it easy to maintain audit trails.

This is also when you want to talk with your internal team to identify any special issues that could be exceedingly tricky or problematic. If necessary, brief your audit firm contact about those issues and how you want to address them.

Promote accountability

Audits will require that people within your company take certain actions: gather documentation, test internal controls, run reports, walk auditors through certain processes, and the like. Clearly define who does what to fulfill those tasks and enforce accountability so all that work gets done on time and the audit stays on course.

Likewise, when the audit is complete and the auditor generates a report including recommended corrective actions, assign those corrective actions to specific people. Establish follow-up procedures to ensure the completion of actions, or promptly escalate any incomplete work to the attention of senior management.

Emphasize transparency and collaboration

Be clear to everyone in your organization that the audit is about improving the company’s performance and demonstrating its compliance. That means people should view the auditors as partners to work with, not adversaries to work against. Encourage cooperation, transparency, and honesty.

Improve and repeat

Once the audit is done, ask the audit firm for feedback on improving the audit process and your client-auditor relationship overall. Use that feedback to refine your internal processes for future audits. 

Remember, there will be future audits, potentially with the same auditor team. The more you can foster a long-term, collaborative relationship, the more efficiently those audits will proceed and the more quickly you’ll be able to demonstrate — and maintain — a high degree of compliance.

How technology helps the audit process

Technology also plays a crucial role in modern audits, separate from all the personnel and process best practices we’ve outlined so far. Specifically, companies should embrace audit management software to streamline processes and exert stronger control over audit-related activities.

The exact audit management software you’ll want to use will depend on your company’s unique needs, existing IT infrastructure, and budget. However, we can identify certain capabilities that your chosen audit management tool should be able to deliver.

Six ways technology helps with the audit process

Centralized audit information

Audits depend on accurate, reliable, comprehensive data. Your tool should, therefore, collect and preserve all audit-related data in a single repository — the fabled “single source of truth” — that auditors can access whenever they need. Meanwhile, your team is freed from repeated searches for files, spreadsheets, or other documentation.

Strong document management

Along similar lines, your tool should bring logical order to all that data stored in the repository mentioned above. With properly organized and labeled policies, procedures, and other evidence, auditors will be able to find the evidence they need more efficiently.

Streamlined communication

Audit teams might include specialists working from multiple offices, or the auditors might want to talk with employees at your business working in multiple offices. A good audit management tool will help to coordinate that communication between offices, regions, teams, and time zones, to assure that everyone can follow along and avoid miscommunications.

Automated workflows

Your tool should automate task assignments, reminders, evidence submission, and similar duties. The reduced manual effort helps to keep the audit on track and spares people from flurries of emails asking for missing work.

Consistent procedures

A good audit management tool will come pre-populated with standard templates, checklists, flow charts, forms, audit work plans, and other documents. Be sure the tool you choose has the standard documents you’ll need, such as those for HIPAA, SOX, or ISO standards. When you use those procedures consistently, auditors will have an easier time understanding your workflows and collecting the evidence they need to do their jobs.

Follow-up actions

Your tool should enforce accountability for any corrective actions or other remediation work that your auditor recommends to assure that the work gets done in a timely manner. (If the corrective work doesn’t get done, that failure will look all the worse when the next audit comes — and can be a damning mistake in the event of a data breach or financial failure, when regulators and plaintiff lawyers start circling.)
Overall, a good audit management tool is all about bringing consistency and discipline to the audit management process. That’s true whether we’re talking about gathering evidence, storing evidence, performing tests consistently, communicating with the audit team about problematic issues, or verifying that corrective actions get done promptly.

Investing in a strong audit management process: Preparing for corporate audits

Companies need to invest in a strong audit management process because more and more audits will be coming. Responding to those demands in a manual, piecemeal way is not sustainable.

For example, 30 years ago, most companies only encountered audits if they were publicly traded or government contractors. Those companies tended to be large, stable businesses that knew how to handle audits. 

Today’s situation is completely different. More audits today examine privacy or data security, and even small, young firms encounter demands for those audits because they handle confidential information either for themselves or for customers. In the future, we can expect audits on even more subjects (supply-chain stability, carbon emissions, artificial intelligence), and those audits will keep hitting more companies earlier in their natural corporate lifecycle. 

Responding to those many and diverse audit demands in a one-off fashion does no good; companies need to develop a disciplined approach to cooperating with auditors. One part of that will be strong personnel and leadership, and the other will be skillful use of audit management technology to keep your business running smoothly in a future where everyone needs more assurance.

A SOC 2 Type 2 audit in the Hyperproof platform

Streamline your audit management process with Hyperproof

Invest in a strong audit management process with Hyperproof to seamlessly navigate the increasing demands of corporate audits. Hyperproof’s audit management technology offers the tools needed to ensure your business operates smoothly amid growing compliance requirements. 

Request a demo today and see how Hyperproof can enhance your audit management process and preparation.
