Auditing Practices Overview


  • Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    25,391 followers

    Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance

    "Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone."

    I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?” You start with ARC:

    - Audit
    - Risk Management
    - Compliance

    Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience:

    🔍 Audit is your independent lens.
    Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working, not just existing on paper.
    ▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings; it was a control failure caught before it became reputational damage.
    The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice.

    ⚠️ Risk is your radar.
    Risk Management isn’t about stopping risk, it’s about knowing which risks matter, and how much risk you can take to grow. I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like.
    And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks.

    ✅ Compliance is your moral and legal compass.
    Compliance isn’t just about avoiding fines. It’s about building trust internally and externally. A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized.
    What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table.

    Now here’s the key: ARC only works when it's integrated. When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate, sharing insights, aligning priorities, and using common platforms, governance becomes a value driver.

    A recent PwC survey backs this up:

    - 73% of execs say ARC alignment improves decision-making
    - 65% plan to invest in integrated GRC platforms
    - Over half say Internal Audit is now a transformation partner

    If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together.

    Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos?

    #Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture

  • Muhammad Naeem, ACA

    Manager Audit and Assurance at Crowe UAE |10+ Years Financial and Non Financial sector Audit & Assurance Experience | |Big 4| IFRS Expert

    6,067 followers

    Do you know what auditors look for when examining financial statements? Let's dive into the audit assertions!

    Assertions about Classes of Transactions:

    - Occurrence: Ensuring that recorded transactions actually happened and are related to the company. No fictional sales here!
    - Completeness: Checking that all transactions are properly recorded and disclosed. Nothing left out!
    - Accuracy: Making sure there are no errors in recording transactions and that disclosures are correctly measured and described. Accurate numbers matter!
    - Cut-off: Verifying that transactions are recorded in the correct accounting period. No time travel allowed!
    - Classification: Confirming that transactions are posted in the right accounts. Raw materials in repairs and maintenance? We'll catch that!
    - Presentation: Aggregating or disaggregating transactions for clear descriptions and relevant disclosures. Let's make financial statements easy to understand!

    Assertions about Account Balances:

    - Existence: Ensuring assets, liabilities, and equity interests are real and not overstated. No imaginary assets here!
    - Rights and Obligations: Checking legal ownership or control of assets and obligations to repay liabilities. It's all about rights and responsibilities!
    - Completeness: Confirming that all assets, liabilities, and equity interests are properly recorded and disclosed. Nothing missing!
    - Accuracy, Valuation, and Allocation: Verifying appropriate valuation and recording of assets, liabilities, and equity interests. Plus, proper allocation of overhead costs!
    - Classification: Ensuring assets, liabilities, and equity interests are recorded in the correct accounts. Let's organize things properly!
    - Presentation: Presenting assets, liabilities, and equity interests in a clear and understandable manner. Financial statements should tell a compelling story!

    Understanding audit assertions helps auditors ensure the reliability and accuracy of financial statements.

    #AuditAssertions #FinancialStatements #Auditors #audit #accounting #finance

  • Alex Burton

    Microsoft Licensing Jedi | M365 Educator | Public Speaker & Panelist - Helping IT Leaders Make Microsoft Make Sense

    4,512 followers

    Microsoft recently admitted it let engineers in China help maintain its cloud systems for the U.S. Defense Department.

    Why this is important to know: even though American staff oversaw the work, those “digital escorts” often lacked the skill to spot malicious commands. That gap could make secret military data an easy target for cyberattacks. When a mistake like this happens, it shows how a single weak link in a cloud setup can put our national security at risk.

    The way this system worked was simple but dangerous. Microsoft hired U.S.-cleared workers to act as messengers for overseas experts. An engineer abroad would send instructions, and the escort would copy and paste them into the Pentagon’s cloud. On paper, U.S. personnel held the keys. In reality, they sometimes couldn’t tell if the code was safe.

    Lawmakers and the Defense Secretary quickly raised alarms. They demanded stronger rules to keep foreign nationals out of the most sensitive systems. After a ProPublica report exposed the issue, Microsoft said it has stopped using China-based engineers for Defense Department support and expanded its “Lockbox” review process. The company also promises more training and stricter checks on any team working with federal data.

    This change is a step forward, but it reminds us all how vital it is to watch every part of a cloud network. Staying alert and updating security rules can help prevent the next data breach.

    #Cybersecurity #CloudSecurity #DataPrivacy #ChangeYourPassword

    Follow me for regular updates on tech security insights.

  • Chuks Eze, MBA

    Sr Compliance Analyst | Recovering 5x Uncompensated Care with Zero-IT AI | Erasing RCM Red Ink | Agentic AI | Avoiding Revenue Breach | ISO/IEC 27001 • 42001 | HIPAA • SOC 2 • NIST • AI RMF | EU AI Act | GDPR | EPIC |

    1,246 followers

    Compliance isn’t choosing one framework, it’s understanding how they work together.

    Many organizations view SOC 2, ISO 27001, and GDPR as competing obligations, but the reality is far more integrated.

    SOC 2 validates data security controls for US-based service providers, voluntary but expected by enterprise clients.

    ISO 27001 provides a globally recognized ISMS foundation with comprehensive risk management and continuous improvement.

    GDPR legally enforces personal data protection for EU citizens with significant financial penalties for non-compliance.

    The strategic advantage lies in their overlap: access controls, incident response, vendor risk management, encryption, and breach notification requirements align across all three. Organizations that map controls once and satisfy multiple frameworks simultaneously reduce audit fatigue while strengthening their overall security posture.

    Rather than treating compliance as separate silos, mature GRC programs build unified control environments that address shared requirements, turning regulatory burden into operational excellence.

    What’s your approach to managing overlapping compliance frameworks?

    #GRC #SOC2 #ISO27001 #GDPR #Compliance #InformationSecurity #DataProtection

  • Ayoub Fandi

    GRC Engineering Lead @ GitLab | GRC Engineer Podcast and Newsletter | Engineering the Future of GRC

    28,843 followers

    The audit firm that used to send 6 people for 5 weeks now sends 2 for 2 weeks. Not (just) because they're more efficient. Because your GRC platform already did the testing.

    This is the Zillow effect in compliance. Platforms shifted from passive storage to active control testing. They now collect evidence, test controls, and form opinions on effectiveness. The auditor validates the platform's opinion instead of forming their own from scratch.

    This is what we discuss in this week's entry of the GRC Engineer newsletter!

    → Platforms now collect evidence automatically
    → Test controls based on their logic
    → Form opinions on effectiveness
    → Present auditors with pre-assessed landscape

    The auditor validates platform opinions instead of forming their own from scratch.

    This created:

    → Information parity (you see what auditors see in real-time)
    → Audit fees dropping 60-90% (discovery work already done)
    → New business model: checkbox audits at £15k (just trust platform, sign report)
    → Power inversion (platform choice matters more than auditor choice)

    But here's the problem most miss: Your platform is now your compliance brain. It decides control effectiveness using vendor methodology. If that logic is wrong, everyone trusts the wrong assessment.

    Quality auditors question platform logic. Checkbox auditors trust it.

    Full breakdown in this week's newsletter (link in comments).

    Huge shoutout to Tines for being the lead sponsor of this week's entry

    #GRCEngineering

  • Ekaterina Potemkina

    Global Quality Strategy Leader | In-House Quality Teams Capability Upgrade | Coach & Mentor | Author | Enterprise Systems Integration | ISO Governance | Quality Mindset Activator

    19,460 followers

    How to Win Any Audit Conversation
    5P Audit Talk Code

    Ever feel like you're walking into an ISO audit with a target on your back? You know your work is solid — but the moment the auditor walks in, your confidence walks out. One wrong word. One nervous ramble. One offhand comment — and suddenly, the conversation spirals.

    Let’s fix that. Here’s how to talk to any ISO Auditor — without slipping up or sounding unsure.

    🧭 THE 5P Audit Talk Code
    Think of it like your GPS for audit conversations

    1. Polite – But Not Passive
    Tone rule: calm, respectful, not overly eager.
    → Avoid over-explaining or defending.
    → Don’t fill silences — let them ask.
    → Use neutral phrasing:
    “Let me walk you through how we approach that”
    “This is how it’s currently structured”

    2. Precise – No Rambles
    Stick to the question. Answer what was asked. Nothing more. Nothing less.
    Auditor: “Do you monitor this?”
    Wrong: “Well… not really, but we tried to set it up last year…”
    Right: “Yes. We monitor it monthly using [X]. I can show you the last three reports.”
    → Think Twitter, not TED Talk.

    3. Process-Based – Not People-Based
    Talk about the system, not individuals.
    Wrong: “John usually checks it.”
    Right: “The process requires a monthly review by the department lead, documented in [system/tool].”
    Use phrasing like:
    “The process we follow is…”
    “Our current procedure outlines…”

    4. Proof-Backed
    → Don’t explain it — show it.
    → If you say it exists, have it ready.
    → Screenshots, logs, reports, checklists — whatever backs your point.
    Pull up real examples if asked: “Here’s the form we use”
    Don’t explain verbally what you can demonstrate visually.

    5. Professional – Stay in Audit Mode
    No complaints. No sarcasm. No improvisation. And never (!) blame another person or team — even if you really want to.
    If you don’t know, say:
    “That’s outside my scope, but I can connect you with the right owner”
    “Let me confirm that and follow up — would you like that in writing?”

    🔄 Bonus: When You’re Unsure – How to Stay in Control
    Even the best-prepared person hits a moment of doubt. When that happens, don’t guess. Use audit-fluent bridging phrases like:
    → “I want to be accurate on that — let me double-check the current setup”
    → “That’s owned by another team — I’ll loop them in so you get the full picture”
    → “We’ve been updating this area — can I show you where we are with it right now?”
    → “Give me a second — I’ll pull up the latest record so you can see exactly what we’ve got”
    → “That’s a fair question. The way we currently approach it is evolving, but here’s what’s in place today”
    These buy you time, maintain confidence and show that you know your process.

    ***

    Auditors don’t just listen to your words. They read your behavior and mindset. This Code helps you speak with clarity, alignment and credibility.

    Tell me — what do you always use to stay cool during an audit?

    P.S. Want the 5P Audit Talk Code™ as a printable card? Comment “5P” and I’ll send it your way.

    #Auditor #Quality

  • Christian Hyatt

    CEO & Co-Founder @ risk3sixty | Security, Compliance, and AI Built for CISOs

    48,690 followers

    Last week I spoke with a CISO looking for a GRC platform to manage SOC 2, ISO 27001, ISO 9001, CSA Star, and PCI DSS. These are dream projects for me because there is such a huge opportunity for ROI.

    CURRENT PROGRAM & CHALLENGES

    - Today they have 2 audit firms: One for SOC 2/PCI/CSA and one for ISO 27001
    - As a result they have two audit seasons and end up burning a lot of political capital with engineering teams and IT asking for the same audit evidence 2x per year
    - The audits drive all compliance activity and there is no visibility between audits
    - The business has aggressive plans to acquire 1-2 companies a year and they need to be able to inherit and maintain new programs

    WHAT WE ARE GOING TO DO

    1. Harmonize the program in fullCircle
    First we are going to harmonize all the frameworks and audit evidence in our platform fullCircle. This way they can slice and dice by framework, by control, by evidence, by owner, or however else they need to. This will enable gathering evidence once to meet requirements across multiple frameworks. They can also generate "audit packages" of evidence with a click of a button.

    2. Streamline audits
    Next, we need to work with the external auditor to create a single audit season, understand mapped evidence, and buy in on the strategy. The best audit firms we work with are great partners in pulling off this strategy while also doing a thorough high quality audit.

    3. Automate and continuous monitoring
    We also have to get the team to a place where they aren't pulling everything manually and they have some confidence things are running well between audits. First, we did this by automating a few big ticket items - focusing mostly on their AWS and GCP instances (access, secure configs, etc.). Second, we set up a cadence of internal audit spot checks on a monthly basis for high risk items.

    ---

    This will likely save the customer $1M and 1000+ hours a year of largely non-value add work. That's a solid project.

  • Matt Wood

    80,010 followers

    AI Field Note: We just launched the second iteration of PwC's Simplified Audit for Private Business. Here’s what we learned building it.

    There was a piece doing the rounds last week about how AI still can't reliably read a PDF. One researcher put "PDF parsing is solved" on a joke timeline of AI progress, right before AGI. It resonated because it's true.

    In audit, PDFs aren't an academic problem. They're part of the job. Every engagement produces hundreds: invoices, bank statements, contracts, leases, handwritten receipts. Some are clean native files. Many are scanned, formatted inconsistently, or stitched together from multiple sources. Extracting structured, reliable data from these documents into testing workbooks is substantive and necessary audit work.

    We just released Version 2 of Simplified Audit for Private Business. It's an AI-enabled system built for private company audits under AICPA standards. It reads supporting documentation across formats and quality levels, extracts the relevant fields, matches them to testing samples, and produces structured output with source citations for every data point. It covers 25 test types spanning revenue, inventory, fixed assets, accounts receivable, debt, equity, leases, taxes, and operating expenses.

    The system is built around human judgment, not as a substitute for it. Every output requires an independent, unassisted review. The tool cites its sources so the reviewer can trace each data point back to the original document. It changes the mechanics of the work, but not the professional obligations.

    We use AI to shift attention from transcription to evaluation. The signal was always there. It just competed with a lot of noise.

    In high-stakes work, human oversight isn't a temporary control. It's structural. AI changes what professional attention is for (not whether it's needed). Cited, traceable output reviewed by an independent professional is more defensible than either alone.

    The organizations making real progress with AI are the ones starting from specific, unglamorous problems, building systems that work on actual workloads, and designing for the reality that humans stay in the loop.

    Reading PDFs and populating structured workbooks for private company audits will never make a keynote. But it's where a remarkable amount of professional work lives, and getting it right is how we raise the standard for all.

  • Ahmed Marzouk

    Audit Manager at Deloitte UK | CPA | Leading Large & Complex Audits

    29,729 followers

    Frustrated by recurring audit stress? You're not alone!

    Despite years of experience, many of us face the same stressful audit situations: unrealistic deadlines, communication gaps, and high pressure impacting both auditors and management.

    But there's good news! Working across three continents and collaborating with diverse professionals, I've gained valuable insights into the root causes of audit stress. It's true, both auditors and management have key roles to play in creating a smoother, less stressful experience.

    Here are some helpful tips specifically for CFOs, financial control teams, and management personnel:

    - Be proactive: Don't wait for the audit to start! Gather and organize documentation early. Clearly understand the audit scope to anticipate questions and prepare relevant materials. Early communication with auditors sets realistic expectations for both sides.
    - Open communication is key: Be transparent and responsive to auditors' questions. Remember, their goal is to ensure accuracy, not to find fault.
    - Empower your team: Delegate tasks and involve your team in the preparation process. Ensure everyone understands their roles and responsibilities.
    - Practice makes perfect: Consider conducting mock audits with colleagues or internal audit professionals to identify and address potential issues beforehand.
    - Stay calm and organized: Deep breaths! Being organized, prepared, and communicative are key to navigating audits smoothly and minimizing stress.
    - Embrace technology: Leverage accounting software to automate tasks and generate reports, streamlining the audit process.

    Remember, we're all in this together! Share your own audit prep tips in the comments below.

    #accounting #audit #stressfree #preparedness #finance #tips #professionaldevelopment

    By Ahmed Marzouk | CPA | Audit Manager
