IT KORR Knowledge Center
Audit Preparation Workbook
A structured workbook for organizing scope, evidence, and internal review ahead of a compliance or security audit.
Step 1 — Define Scope
Before collecting evidence, document exactly what is in scope: which systems, data types, business units, and locations the audit covers. An unclear scope is the most common source of wasted effort and last-minute scrambling during an audit.
- List all systems, applications, and third parties that process, store, or transmit in-scope data.
- Identify the specific framework or standard being audited against (e.g., HIPAA, SOC 2, PCI DSS).
- Confirm the audit period (point-in-time vs. a defined date range) with the auditor.
Step 2 — Collect Evidence by Category
- Policies — current, signed/approved versions of every relevant written policy.
- Technical configuration — screenshots or exports showing MFA enforcement, encryption settings, firewall rules, and logging configuration.
- Access review logs — records of periodic user access reviews and offboarding actions.
- Training records — completion logs for security awareness and role-specific training.
- Incident records — documentation of any incidents during the audit period and how they were handled.
- Vendor due diligence — contracts, security questionnaires, and attestations for in-scope vendors.
Step 3 — Anticipate Common Auditor Questions
- How do you know who has access to this system, and how often is that access reviewed?
- Walk me through what happens when an employee leaves the company.
- Show me evidence that backups are actually tested, not just scheduled.
- How would you detect and respond to unauthorized access to sensitive data?
- Who is responsible for this control, and how do you know it is operating consistently?
Step 4 — Pre-Audit Internal Review
- Walk through the evidence list above and confirm every item is current, not stale from a prior audit cycle.
- Identify any control gaps now, while there is still time to remediate or document a plan.
- Confirm the right people are available and briefed for auditor interviews.
- Do a dry run of any live demonstration the auditor may request (e.g., showing an access review in the actual system).
Related Resources
- Compliance Fundamentals — /knowledge-center/compliance/compliance-governance/compliance-fundamentals
- SOC 2 Explained — /knowledge-center/compliance/compliance-governance/soc-2-explained