Befriend Your Auditors

Through my 20+ years I've learned a ton from the auditors I've worked with in my various shops.  Early on they were a major inspiration for how to not only make a program compliant (meeting specs like PCI, SOC 1, SOC 2, etc.) but also to implement, or plan for, security controls that would further reduce risk.

Here are a couple (of the many) tips that I've used to build and maintain strong relationships with my auditors.

  1. Communicate frequently.  I reach out before the audit, make sure I am available and follow up during the audit, and keep communicating with them after the audit until we have the report or other deliverables.
  2. Make their job easy.  I remember the first SOC 1 audit I sat in on.  The auditor and I both showed up on a cold November Monday (it was my first day).  She asked people a bunch of questions and then we built the discussion schedule with the various control owners.  From that point on I always had the meetings set up ahead of time, documentation ready to go (and quality-checked), and anything else that made their visit easier.

There is one auditor friend I talk to from time to time, and he still brings up that he wishes he could audit my environment, since it would be pretty easy for his team.  I guess some companies just don't understand what is needed or are too busy to do it.

Reach out if you'd like to discuss how to reduce your audit overhead.