Audit Readiness Assessment
An audit readiness assessment is a pre-audit self-evaluation in which you systematically examine your controls, review your evidence, identify gaps, and determine what remediation must happen before external auditors arrive. External auditors document the gaps they find as formal findings in audit reports shared with your board, clients, and regulators. Gaps you find and fix first never reach that report: the improvement happens as part of normal operations rather than appearing as a compliance failure in an official document.
Planning Your Readiness Assessment
Your audit readiness assessment scope must mirror your external audit scope. If the upcoming external audit will evaluate SOC 2 Type 2 controls, your readiness assessment covers those same controls. If the external audit covers HIPAA technical safeguards, your assessment covers HIPAA requirements. If the audit covers ISO 27001, you assess against ISO 27001 criteria. Scope alignment ensures you're assessing what will actually be audited, not wasting effort on things auditors won't evaluate.
Conduct the readiness assessment two to three months before your scheduled external audit. This gives you time to identify gaps and remediate them before auditors arrive. If gaps are significant or require substantial work, start earlier. For an April external audit, begin the readiness assessment in January, leaving February and March to remediate issues. For smaller organizations that know their control environment well, the assessment can be completed in weeks. For larger organizations with complex infrastructure or distributed environments, allow longer, but prioritize being systematic over being elaborate.
Reviewing Whether Controls Actually Exist
The first step is control review: confirming that each control required by your framework actually exists in both documented form and in practice. If your compliance framework requires an access control policy, examine whether you have a documented access control policy and whether the policy is actually being followed. If the framework requires encryption, confirm encryption is configured in your systems. If the framework requires incident response procedures, verify procedures are documented and practiced.
Three kinds of control gap show up at this step: a control that is supposed to exist but isn't documented; a control that is documented but not implemented in systems; and a control that exists but isn't actually being followed. Walk through each control required by your framework, examine your documentation, examine system configurations, and talk to the people responsible for the control. Confirm the control exists both in documented form and in actual practice. Mark anything missing or weak.
Assessing Whether You Have Adequate Evidence
Once you've confirmed controls exist, you need evidence that they work. Evidence gaps are common and are often first discovered during the readiness assessment. Typical examples: training is happening, but training records aren't organized and some are missing; access reviews happen quarterly, but documentation of the reviews isn't consistently saved; security testing is performed, but test results aren't collected and organized.
Evidence must be recent and complete. A training record from 2020 doesn't prove current understanding. A system screenshot from six months ago doesn't show current configuration. Evidence must come from the actual audit period you're being assessed on. Go through your evidence repository (or start building one) and, for each control, confirm you have appropriate evidence collected during the period auditors will examine.
Identifying Documentation Gaps
As you review controls and evidence, you'll uncover documentation gaps: policies that need to be written or updated, procedures that should be documented but aren't, evidence that needs to be collected, training records that need to be organized, system configurations that need adjustment. Document these gaps in a structured way so you can prioritize and plan remediation.
Classify gaps by severity. Critical gaps are ones where a control is completely missing or completely broken—a missing access control policy, a control that's not operating at all. Medium gaps are ones where a control exists and is mostly operating, but documentation or evidence is incomplete—access reviews happening but some documentation missing, encryption deployed but configuration evidence not collected. Minor gaps are ones where controls work but organization or documentation could be improved.
Prioritizing Gaps for Remediation
Not all gaps are equally important to fix before the external audit. A missing critical control must be remediated before external auditors arrive. A minor documentation gap can often be addressed during the audit or shortly after.
Prioritization focuses on foundational controls (access control, encryption, incident response), controls that auditors specifically scrutinize in your framework, controls that address your highest-risk areas, and evidence most likely to be requested. A gap in a foundational control gets higher priority than a gap in a peripheral control. A gap in access control, which every audit examines, gets higher priority than a gap in a framework-specific control. A missing encryption control where you're supposed to be encrypting sensitive data is more urgent than incomplete training records. A broken incident response process is more critical than a policy missing version control documentation.
Planning Remediation Work and Allocating Resources
Once you understand what gaps exist and which are most important, plan remediation work. For each gap, determine what needs to be done to fix it, who will do the work, what resources are needed, and what timeline is realistic.
Some gaps can be fixed quickly: a policy can be written in days, documentation can be compiled quickly, evidence that already exists can be organized, a procedure can be updated. Other gaps require substantial work: a missing control needs to be designed, tested, and implemented; a broken process needs to be redesigned; new tools need to be configured; training programs need to be created and delivered.
Remediation work happens on top of normal operations. Your team cannot stop doing their jobs to spend months on audit prep. Create capacity by temporarily reducing other workload, bringing in external help for some elements, or extending your timeline and starting the readiness assessment earlier. Realistic planning around resource constraints produces timelines you can actually meet rather than aggressive deadlines that slip.
Testing Remediation Before the Audit
If you identify gaps and fix them before the external audit, verify the fixes work. If you've updated an access control policy, test that it's being followed. If you've implemented a new monitoring procedure, verify it's actually detecting and alerting on what it should. If you've configured a new system control, test that it produces the expected behavior.
Interim testing prevents the situation where you fix something, feel confident about the fix, and then the external auditor discovers the fix didn't actually work. Testing lets you confirm fixes are effective and adjust them if needed.
Frequently Asked Questions
How far in advance should we start our readiness assessment?
Start two to three months before your external audit. This gives sufficient time to identify gaps, prioritize remediation, complete the work, and verify fixes before auditors arrive. For audits with known large gaps, start four to six months in advance.
What if we discover critical gaps very close to our audit date?
Disclose the gaps to your auditor as soon as they're discovered. Auditors expect organizations to find gaps during readiness assessments. Gaps you've identified and are actively remediating are treated differently from gaps discovered by the auditor. Document your remediation timeline and progress toward closure.
Should our readiness assessment cover the same control objectives as our external audit?
Yes. Your readiness assessment scope must mirror your external audit scope. Assess against the same framework, the same control objectives, and the same evidence requirements. Assessing against a different standard or a broader scope wastes effort; assessing against a narrower scope leaves you vulnerable to audit surprises.
Who should participate in the readiness assessment?
Include people responsible for each control area (access control owner, security owner, operations, training), your compliance or audit coordinator, and ideally someone familiar with your auditor's approach and expectations.
Can we use our previous year's audit report to guide our readiness assessment?
Yes. Previous audit reports show what your auditors look at and what they've historically flagged. Prior findings that haven't been addressed are high-priority items for your readiness assessment. Even closed findings indicate areas where auditors will look closely for evidence of sustained remediation.
What's the difference between audit readiness and ongoing compliance monitoring?
Audit readiness is a concentrated pre-audit assessment conducted a few months before the actual audit. Ongoing compliance monitoring is continuous checking that controls are operating throughout the year. Both are valuable. Ongoing monitoring prevents major gaps from accumulating; audit readiness ensures you find and fix what remains before the formal audit.