Preparing For An Audit


  • Dr. Brindha Jeyaraman

    Founder & CEO, Aethryx | Fractional Leader in Enterprise AI Engineering, Ops & Governance | Doctorate in Temporal Knowledge Graphs | Architecting Production-Grade AI | Ex-Google, MAS, A*STAR | Top 50 Asia Women in Tech

    18,885 followers

    Excited to share my latest dive into the intersection of high-speed data and financial regulation! As digital assets and tokenized securities gain momentum, the critical question is: How do we maintain an unquestionable, tamper-proof audit trail at massive scale? Traditional databases often fall short. My new article explores how Apache Kafka's core architecture, the immutable commit log, serves as the ideal compliance layer for regulated asset transfers. I cover: 1. The power of immutability for audit-readiness. 2. Using Schema Registry to enforce structured compliance events. 3. Enabling real-time AML/KYC checks using stream processing. 4. Strategies for long-term, WORM (Write Once, Read Many) archival. If you are building infrastructure for Fintech, Digital Assets, Trading Systems, or are focused on #RegTech, you need to see how Kafka can move compliance from an "afterthought" to a real-time capability. https://lnkd.in/g_G3myVH #Kafka #DigitalAssets #Fintech #Compliance #RegTech #StreamingData #Auditability

  • Bastian Krapinger-Ruether

    AI in MedTech compliance | Co-Founder of Flinn.ai | Former MedTech Founder & CEO | 🦾 Automating MedTech compliance with AI to make high-quality health products accessible to everyone

    16,634 followers

    Most MedTech companies treat audits as one-off events. (And it costs a lot more than money)

    This mindset costs:
    • Market access
    • Investor trust
    • Years of work product
    • And lots of money

    But the biggest cost isn't financial. It's human lives. The ones that depend on life-saving devices that are getting locked out of the market. Not because their technology wasn’t good enough. But because of preventable mistakes. Because they treated compliance as an event. Not a culture.

    Passing a Notified Body Audit isn’t luck. It’s discipline. It’s daily habits. It’s system-level thinking.

    Here are 4 ways the best MedTech companies prepare (and how you can too):

    1. They build audit-ready systems
    Your documentation must tell a complete story:
    • Align QMS to ISO 13485:2016 and MDR Article 10
    • Justify risk management with defensible rationales
    • Show proactive surveillance in PMS reports
    • Close CAPAs fully with evidence of resolution
    • Validate claims with clinical performance data

    2. They eliminate silent compliance risks
    Fix problems that quietly undermine audits:
    • Complete missing risk–benefit rationales
    • Update and control all key documents
    • Close gaps in complaint and vigilance logs
    • Strengthen post-market surveillance
    • Link CAPAs directly to audit findings

    3. They train for audit readiness every day.
    Turn audit behavior into muscle memory:
    • Run mock audits and rotate team roles
    • Train clear, non-speculative auditor responses
    • Assign scope ownership across all functions
    • Focus answers — no speculation or improvisation

    4. They set up audit execution in advance.
    Plan logistics that create calm, not chaos:
    • Prepare a dedicated audit room with indexed files
    • Assign document fetchers and tech support
    • Track requests and responses live during audits
    • Maintain a calm, professional audit environment

    Here’s the truth: An audit isn’t something you survive. It’s a mirror that reflects how you operate every day.

    What’s the biggest audit challenge your team is facing right now?

    ♻️ Find this valuable? Repost for your network.
    💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM.

  • Alkit Jain

    CA | Internal Auditor | CSOXE | Youtuber | Blogger

    11,156 followers

    Many Auditors face problems in gathering data from the auditee. If someone is not sharing data required for audit purposes, handling the situation diplomatically and professionally is important while ensuring the audit objectives are met. Here are some strategies one can follow.

    1. Clarify the Request
    Please make sure your request is clear, specific, and documented. Misunderstandings can arise if the person does not fully understand what you need or why it’s essential. Specify the format, timeline, and purpose of the data.

    2. Explain the Purpose
    Communicate the importance of the requested data in the context of the audit. Emphasize that the audit process is not punitive but aims to identify risks, improve controls, and enhance operations.

    3. Engage Leadership
    If the person continues to withhold data, escalate the issue to their supervisor or relevant management. Sometimes, a clear directive from leadership can resolve such roadblocks.

    4. Leverage Audit Authority
    Reference the audit charter or mandate that grants you the authority to access necessary information. If applicable, remind them of organizational policies or regulatory requirements mandating cooperation.

    5. Document the Issue
    Record all instances of non-cooperation, including details of the requests, responses received, and any actions taken. This documentation can be included in the audit report or shared with senior management for resolution. It is recommended to have a tracker of all data requirements.

    6. Explore Alternative Sources
    If the primary source is uncooperative, consider obtaining the required information through alternative channels or systems.

    7. Maintain Professionalism
    Avoid confrontations or assigning blame. Maintain a neutral and professional tone in all interactions. Focus on problem-solving and collaboration to achieve your audit objectives.

    8. Leverage Risk Implications
    Highlight how withholding data could negatively impact the organization, such as increased exposure to risks, compliance issues, or inaccurate reporting.

    9. Seek Legal/Compliance Support
    If non-cooperation persists and the data is critical, involve legal or compliance teams to assess the situation and provide guidance.

    10. Report as a Limitation
    If all attempts fail, document the lack of cooperation as a limitation in the audit report. Clearly state the potential impact of the missing data on audit conclusions.

    #Internalaudit #riskmanagement #Auditor

  • Sajeed Mullaji

    Helping organizations eliminate ERP risks, reduce license cost, and build audit-ready Dynamics 365 F&O environments | Security | SoD | Role Engineering

    3,342 followers

    🔐 Providing Audit Evidence for Access & Role Changes in Dynamics 365 F&O

    When external auditors ask:
    “Who has access to this data?”
    “When were security roles changed?”
    The answer should not rely on screenshots or manual explanations. It should come from structured, system-driven evidence.

    🎯 The Challenge
    During compliance audits, organizations need:
    • Clear proof of access history
    • Visibility into role assignments
    • Traceability of security changes
    Without proper reporting, audits become stressful and time-consuming.

    ✅ The Right Reports to Use
    In Microsoft Dynamics 365, two reports are essential for security transparency:

    📊 Role Audit Trail
    • Shows when roles were assigned or removed
    • Tracks historical changes over time
    • Provides clear accountability

    🔎 Security Analysis Report
    • Displays a user’s complete security profile
    • Shows entry points and access details
    • Includes history of changes to duties and privileges

    🛠️ Practical Approach
    1️⃣ Run Role audit trail for assignment history
    2️⃣ Use Security analysis report for full access visibility
    3️⃣ Provide reports as audit evidence
    4️⃣ Validate that access aligns with governance policies

    💡 Business & Consultant Benefits
    ✔ Supports compliance and external audits
    ✔ Creates transparency and accountability
    ✔ Helps internal teams verify access controls
    ✔ Reduces audit preparation stress
    ✔ Strengthens overall security governance

    🧠 Consultant Insight
    Good security design is not only about controlling access — it is about proving that controls work when questioned. Audit-ready reporting transforms security from assumption into measurable governance.

    🤝 Still learning step by step; this post is from my Dynamics 365 Security learning notes, not client delivery. I hope it benefits others too. Always open to feedback and guidance.

    #MicrosoftDynamics365 #D365FO #SecurityGovernance #ERP #Compliance #AuditReadiness #AccessControl #EnterpriseTechnology

  • Nathaniel Alagbe CISA CISM CISSP CRISC CCAK CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | Transforming Risk into Boardroom Intelligence

    22,625 followers

    Dear IT Auditors,

    Auditing IT Change Management

    Change is constant in IT. But uncontrolled change is one of the biggest sources of audit findings. Change management controls protect production environments from errors, downtime, and security exposures. Yet, they often fail in predictable ways. Here are some common gaps to watch out for:

    📌 Missing or Incomplete Change Documentation
    Auditors often find changes made without proper tickets or approvals. If it isn’t documented, it didn’t happen. Lack of traceability weakens assurance.

    📌 Unauthorized Changes
    Developers or administrators sometimes deploy fixes directly to production. Even small “emergency” changes can cause major incidents if not reviewed.

    📌 Inadequate Testing Evidence
    Changes are approved but testing proof is missing or incomplete. Testing must confirm both functionality and security before deployment.

    📌 Segregation of Duties Issues
    Developers who code, test, and deploy changes bypass a critical control layer. Auditors should verify that roles are properly separated to reduce risk of manipulation or error.

    📌 Improper Access to Migration Tools
    Privileged access to deployment tools is often excessive or not reviewed. These permissions should be restricted, logged, and monitored.

    📌 Weak Emergency Change Process
    Emergency changes are necessary but must be controlled. They need a post-implementation review to confirm they didn’t introduce new risk.

    📌 Lack of Post-Change Review
    Auditors should check if teams validate system behavior after deployment. This confirms stability and reduces hidden risk.

    Change management isn’t about slowing progress. It’s about protecting reliability. When controls fail, even a single change can damage systems, trust, and the compliance posture.

    #ITAudit #ChangeManagement #AuditLeadership #InternalAudit #RiskManagement #GRC #ITControls #Assurance #TechGovernance #AuditQuality #CyberVerge #CyberYard

  • Kyle Grobler

    I stop businesses losing money at the border. €60M recovered. 15 years doing it.

    15,254 followers

    If customs walks in today, are you ready? Most aren’t and the penalties prove it.

    What triggers a customs audit?

    1. Random Selection
    Part of risk-based targeting systems to keep audits fair.
    2. Red Flags
    Errors or inconsistencies in import declarations can raise alarms.
    3. Industry Targeting
    Customs focuses on industries with high fraud risks like electronics and pharma.
    4. Prior Non-Compliance
    Past penalties or lack of response can trigger scrutiny.
    5. Related Party Transactions
    Intra-company deals face extra checks for pricing issues.
    6. FTA Claims
    Large claims for Free Trade Agreements may lead to reviews.

    Common Mistakes That Trigger Penalties

    - Misclassification
    Customs uses data analytics to find errors. This can lead to a duty shortfall of up to three times.
    - Undervaluation
    Transfer pricing reports can expose undervalued goods, resulting in fines and interest.
    - FTA Misuse
    Lack of origin support during claims can mean repayment of duties plus penalties.
    - Poor Recordkeeping
    Random audits can catch missing documents, leading to fines.
    - Misdeclared Dual-use Goods
    These can lead to serious legal issues.
    - Inconsistent Broker Instructions
    Discrepancies can cause loss of benefits.

    Preparation Best Practices

    - Assemble a Compliance Task Force
    Include Trade Compliance, Finance, Logistics, and Legal teams.
    - Review Historical Import Data
    Analyze reports from brokers and customs tools for the last 12 to 36 months.
    - Validate HS Classifications
    Cross-check with product specs and rulings.
    - Review Valuation Methodology
    Ensure all dutiable elements are included in declared values.
    - Confirm Origin Documentation
    Match each FTA claim with valid supplier declarations.
    - Check Recordkeeping Protocol
    Keep all documents accessible.
    - Audit FTA Claims
    Randomly select entries to trace back to source.
    - Examine Related Party Transactions
    Ensure customs values are based on fair market pricing.
    - Spot Audit Broker Instructions
    Pull recent declarations to check accuracy.
    - Prepare a Compliance Report
    Summarize risks and actions taken.

    Do's

    ✅ Designate a single point of contact for customs.
    ✅ Be transparent but only provide requested information.
    ✅ Keep an audit log of all communications.
    ✅ Prepare an intro presentation outlining import processes.
    ✅ Provide documents promptly and in order.

    Don'ts

    ❌ Don’t argue or blame other departments.
    ❌ Don’t offer unsolicited documents.
    ❌ Don’t allow unscheduled interviews with untrained staff.
    ❌ Don’t say “we’ve always done it that way.”

    Post-Audit Actions

    Review findings with your broker or legal team.
    Respond within the deadline to correct inaccuracies.
    Implement corrective actions and document them.
    Schedule a follow-up audit within six months.
    Update SOPs and training based on findings.

  • Ben Schormann

    Aviation Operations & Engineering Leadership | Former Director of Maintenance | Reliability, MRO Performance & Operational Systems

    5,719 followers

    50%

    The most dangerous audit findings in aviation aren’t technical. They are systemic and invisible until it’s too late.

    Audit after audit shows the same truth: Approximately 50 percent of findings aren’t caused by people. They’re caused by the systems we ask people to work within. (EASA/FAA/ICAO)

    That’s not a maintenance or engineering issue. That’s an organisational leadership issue.

    System failures are rarely loud. They hide in unclear escalation paths, silent handovers, outdated assumptions and budget cuts that remove safety buffers. And they’re not just operationally risky. They’re financially silent killers.

    One unresolved system gap can quietly cost €15,000 to €50,000 through delays, rework, overtime and lost availability. It doesn’t show up on the balance sheet. But it erodes your margins, control and trust. Multiply that across a fleet, a region, a quarter and you’re no longer leaking money. You’re bleeding structure.

    I’ve led these systems. I’ve seen where they silently fail and how they can be rebuilt to protect aircraft, but also reputation, margin and the people behind both.

    Here’s the uncomfortable truth: Audit findings don’t only show what went wrong. They reveal how leadership thinks. They reflect how risk is absorbed or ignored, how resilience is designed or delegated and whether systems catch failure or people are expected to.

    We don’t need more checklists. We need better designed systems, led by those who understand how operations, finance and safety interconnect. Because systems don’t fail in silence. They fail under leadership that wasn’t listening.

  • Ekaterina Potemkina

    Global Quality Strategy Leader | In-House Quality Teams Capability Upgrade | Coach & Mentor | Author | Enterprise Systems Integration | ISO Governance | Quality Mindset Activator

    19,460 followers

    Your Quality problems have nothing to do with Quality

    It’s time for a reality check. Every broken system has the same pattern. Quality fails not because of lack of knowledge, processes or resources - but because of how people decide, when they decide and why they decide what they do. It starts in meetings, in priorities, in the trade-offs that people make when pressure wins over principle. And that’s how small exceptions grow into systemic cracks. It is all about decision-making behavior.

    These patterns explain why your system breaks because of it:

    1. Biggest risk to quality isn’t non-conformity - it’s uncertainty. People don’t know what matters most, so they make safe choices instead of smart ones
    2. “Lessons learned” are just lessons archived. Majority of so-called lessons are stored in folders no one opens twice
    3. “Management Review” is treated as a meeting, not a mechanism. Leadership only reviews quality instead of using it to steer, and every slide ends with “no actions required”
    4. Improvement plans are written by the same people who fear being blamed if they fail.
    5. Customer complaints are counted, not studied. “Closed” doesn’t mean “understood”.
    6. The word “risk” appears everywhere except in budgeting meetings. If the organization won’t fund prevention, it has chosen reaction.
    7. Organizations measure compliance, not confidence. Most audit findings have zero link to business outcomes.
    8. Root-cause analyses rarely mention behavior. We love tools like 5 Whys, until the fifth “Why” points to leadership.
    9. Non-conformities are reviewed by Quality, not by those who own the process.
    10. Processes are optimized for audits, not for People.
    11. Change control means “fill this form”, not “think this through”.
    12. Internal communication means sending an email, not ensuring a message is understood. The illusion of communication is the biggest non-conformity of all.
    13. And finally: Quality fails most often in the moments between decisions. The space where no one is officially responsible, but everyone assumes someone else is.

    We build systems that manage evidence better than behavior. And yet, behavior is where every real risk starts. Our job isn’t to count non-conformities. It’s to understand what drives them.

    =>> All Quality problems are decision-driven.

    And that’s why the real purpose of Quality isn’t to enforce or control. It’s to enable better decisions. Informed. Data-backed. Timely. That’s the kind of Quality the future needs.

    When you look once again at your “quality issues” - were they truly process gaps or the result of decisions? 📢 ⤵️ (be honest :) with yourself first!) 🤝

  • Tom O'Reilly

    Building the Internal Audit Collective

    37,066 followers

    How can internal audit be more efficient with their time? We can find ways to reduce non-value-added time spent during an #audit project. Here are a few ideas to get you started.

    1. Reduce the amount of testing needed to come to a conclusion. Can you test less and still provide reasonable assurance the process / control is working as is?

    2. Be more strategic with audit meetings. Can your 30 min meeting be cut to 15 min or replaced with a memo? Do you need all attendees? Can you batch audit questions and ask them daily or every other day?

    3. Prepare the audit report during the audit planning and fieldwork, not at the end of fieldwork. Audit scope, objectives, and a draft of the executive summary can be completed and memorialized in the audit report by the end of audit planning. Build consensus on audit’s recommendations and management action plans for observations noted during fieldwork. By the fieldwork close meeting, aim to have 80 - 90% of your report finished.

    4. Document fieldwork in your audit management solution, not in a standalone Excel or Word document. When the audit team shares files via email or a shared repository, version control issues can arise, and time is wasted sending requests via email without automated notifications and reminders. Additionally, uploading fieldwork into an audit management solution after completing the audit adds an unnecessary step to your audit project.

    5. Internal Audit reviews of fieldwork need to be more frequent and timely. Internal Audit Seniors and Managers should review audit scope, individual testing procedures, and identified observations more frequently, daily if possible. More timely reviews will help overcome hurdles sooner and start communication with management regarding identified observations earlier.

    6. Eliminate manual reporting efforts. Purpose-built audit software offers real-time dashboarding and reporting as work is completed. If you're manually collecting feedback on document requests, test steps, hours spent, and project completion, and writing out your audit report manually, purpose-built audit management solutions can save you significant time.

    7. Leverage Generative AI. Use Generative AI as a starting point to create risk and issue statements, control descriptions, test procedures, and audit summaries. With an AI-powered audit management solution, machine learning can link your data (frameworks, risks, controls, past issues) and provide intelligent recommendations, saving your team time from researching this manually.

    What’s missing from this list? If you have a best practice or an internal audit time reducing super-power, share it here.

    AuditBoard #InternalAudit #EnablingPositiveChange
