At KirkpatrickPrice, we’re committed to helping our clients get the most out of their information security engagements with us. That’s why we insist that our audits include an onsite visit. It’s part of performing our due diligence and testing. So, what happens during an onsite visit? How can organizations calm their nerves and prepare for an onsite visit?
What Happens During an Onsite Visit?
Once an organization has completed about 80% of their Online Audit Manager responses, we schedule an onsite visit. During this 3- to 4-day visit, an auditor has three tasks: interview, review, and observe. The auditor will interview the personnel responsible for various activities, physically test your networks, systems, and devices, and observe your company culture. While this process may seem straightforward, we understand that having an auditor come onsite can be stressful and nerve-wracking. What exactly are auditors looking for? Who will they talk to? What will they ask? Let’s take a look at how organizations can prepare for an onsite visit.
How Can I Prepare My Organization for an Onsite Visit?
Every organization is different when it comes to onsite visits: levels of preparedness differ, the buy-in from personnel differs, and even the resources needed to get through the onsite differ. Regardless, every organization can proactively set itself up for success by implementing the following five practices to prepare for an onsite visit.
1. Relax! Remind Yourself Why You’re Doing This Audit
The goal of compliance, and especially the onsite visit, is to make your organization stronger. Auditors aren’t there to get you fired. An auditor finding vulnerabilities doesn’t mean you’ve failed – finding vulnerabilities is the only way an auditor can help you! It means that you’re receiving a thorough audit – one that will only strengthen your security in the long run. Before your onsite visit begins, remember to relax and remind your personnel what this audit means to your organization. Does it mean more revenue? Bigger clients? New industries? New locations? To home in on the value of compliance, you might consider sending out a company-wide email prior to the auditor coming onsite, similar to this one our client sent out. This is something that acknowledges how all employees play a role in compliance, explains what compliance means for your organization, and provides reminders of what not to do when an auditor is onsite.
2. Ask Questions, Voice Concerns
At KirkpatrickPrice, we know that undergoing any type of information security audit is difficult and stress-inducing. Oftentimes, clients have questions, concerns, and even fears going into the onsite visit – and we want to reiterate that we are always here to help. So, before the onsite visit, ask your questions and voice your concerns. Our auditors can’t answer questions that never get asked or address concerns that are never shared. This level of transparency builds our relationship and will only help the success of your audit.
3. Review the Agenda
The best auditors will supply you with an agenda of topics prior to the onsite visit, so be sure to work with your auditor to ensure that you have the right personnel lined up to speak to the auditor. This will help prevent any confusion or stress when the auditor comes onsite. If your staff knows when they’ll be interviewed, they’ll be much more prepared.
4. Involve Senior Management
At every stage of an information security engagement, senior management involvement is extremely important, and this is especially true when it comes to the onsite visit. The best auditors will be sure to hold briefings with all involved in the audit at both the start and finish of the onsite engagement. This gives the auditor the opportunity to address questions about the timeline, expectations for the group, any issues in need of attention, as well as any other notable findings. If senior management is not involved during this process, critical information could be missed, which could prolong the engagement or prevent your organization from receiving your report on time.
5. Develop a Method for Tracking Action Items
Whether it’s during the onsite visit or afterwards, there will be a number of items on which the auditor may ask for more information, such as logs, files, reports, etc. Most organizations will utilize Excel or other GRC software, but at KirkpatrickPrice, we’ve developed our own online tool for tracking action items. Using a tool like KirkpatrickPrice’s Online Audit Manager can facilitate the process across various time statuses and compliance frameworks.
Have more questions about our audit process? Want more information on how to prepare for your next onsite visit? We’re here to help! Contact us today to speak to one of our Information Security Specialists.