To get the best out of the audit process, organizations should implement the following steps.
Be prepared — The end result of the audit process is an audit report, and this is the joint product of the professional audit staff and the auditee. Obtain a copy of the audit guide in advance.
Prepare an area for the audit team — Provide the audit team a work area, phones, network connection, user accounts and coffee. Because of the nature of their work, the area should be secured at the end of the business day.
Train employees to speak to the audit team — It is very important for employees to understand what is expected of them. This includes: tell the truth; do not guess at the question, but ask for clarification; do not guess at the answer, and if you don't know, say so; do not assume that "everybody" knows what is going on; do not volunteer additional information; and never say never and never say always.
Before responding to any finding, research the policy, procedure, standard, law, regulation or other document cited for a perspective on interpretation.
Once you are clear on the audit finding, the actual response process consists of two key elements. First, identify whether you agree or disagree with the finding. Second, if you agree with the finding, draft a response that outlines the steps to be taken to achieve compliance, who is responsible, and what timeframe will be established to comply.
If the only time the information security team and the audit staff get together is during the audit process, then my bet is your working relationship is not as strong as it could be. For years, I have been advocating a quarterly working lunch with both teams.
And finally, view audits as opportunities for objective, skilled and impartial reviews of the program operations that will result in recommendations for improvement. The audit process should bring out the best in both teams.