Salary for audit manager: Auditing Manager Salary | Salary.com

Published: August 19, 2023 at 1:10 pm

Author:

Categories: Miscellaneous

Audit Manager Salary California, United States


Average Base Salary

Average Hourly Rate: $76.39 (USD)/hr

Average Bonus: $14,347 (USD)/yr

Compensation Data Based on Experience

The average audit manager gross salary in California, United States is $158,886 or an equivalent hourly rate of $76. This is 12% higher (+$17,604) than the average audit manager salary in the United States. In addition, they earn an average bonus of $14,347. Salary estimates are based on salary survey data collected directly from employers and anonymous employees in California, United States. An entry-level audit manager (1-3 years of experience) earns an average salary of $110,237. At the other end, a senior-level audit manager (8+ years of experience) earns an average salary of $197,684.



ERI’s compensation data are based on salary surveys conducted and researched by ERI. Cost of labor data in the Assessor Series are based on actual housing sales data from commercially available sources, plus rental rates, gasoline prices, consumables, medical care premium costs, property taxes, effective income tax rates, etc.



Estimated Salary in 2028: $192,567 (USD)

5 Year Change: 21%

Based on our compensation data, the estimated salary potential for Audit Manager will increase 21% over 5 years.

  • Coordinates activities: 91%

  • Reviews records: 81%

  • Establishes systems specifications: 41%

  • Assigns employees: 3%

  • Assigns responsibility: 3%


This chart displays the highest level of education for Audit Manager: the majority, at 55%, hold a bachelor's degree.


Typical Field of Study: Banking and Financial Support Services


California, United States

The cost of living in California, United States is 34% more than the average cost of living in the United States. Cost of living is calculated based on accumulating the cost of food, transportation, health services, rent, utilities, taxes, and miscellaneous.



California is a state in the Western United States, located along the Pacific Coast. With nearly 39.2 million residents across a total area of approximately 163,696 square miles (423,970 km2), it is the most populous U.S. state and the third-largest by area. It is also the most populated subnational entity in North America and the 34th most populous in the world. The Greater Los Angeles and San Francisco Bay areas are the nation’s second and fifth most populous urban regions respectively, with the…

Sourced from Wikipedia



Manages and coordinates activities of auditors conducting independent protective and constructive audits for management to review effectiveness of controls, financial records, and operations. Contributes to the design and implementation of company audit procedures. Establishes systems and standards for conducting audits. Reviews records of functions audited to ensure proper recording of transactions and compliance with applicable laws.


Nextdoor (San Francisco)

Meet Your Future Neighbors Nextdoor is seeking an experienced Technology Internal Audit Manager to join our Internal Audit team and report to the Head of Internal Audit. The ideal candidate will have …

Bright Vision Technologies (Laguna Woods)

Bright Vision Technologies has an immediate fulltime opportunity for a Senior Audit Manager for a remote position. This is a fulltime position looking to hire someone within 2 weeks. Location: Remote …

Scion Staffing (San Francisco)

As the Senior Audit Manager, you will perform audits of nonprofit clients’ financial and information systems, assessing compliance with applicable standards and guidelines and sufficiency of internal …



  • Manager Internal Audit

  • Accounting Auditing Manager

  • Information Systems Auditor Manager

  • Auditing Department Manager

  • Audit Internal Manager

  • Manager Auditing Department

  • Internal Audit Manager









Internal Audit Manager Salaries in Atlanta, Georgia

Randstad, the largest staffing firm in the world, is hiring Staffing Managers to sell our services and recruit candidates for placement with our clients. Did you catch that? We find opportunities to help people thrive and provide for their families. It is a big job! Our Staffing Managers use their technology, personality, and curiosity along with virtual, social, and verbal communication skills to make things happen.

We sell work solutions. What does that mean? We help companies find the best talent for their organizations, impacting their productivity and profitability. We also help people thrive by assisting in finding their way to the right employers. If you want to learn how to have a major impact on the careers of others, then come talk to us. We are investing!

What you get to do:

  • Effectively sell and recruit through modern media connections

  • Identify prospects in need of Randstad’s workforce services & solutions

  • Build strong relationships with hiring managers via phone, text, email, social media, in-person

  • Create partnerships through various channels of communication with key decision-makers

  • Execute the activities that will gain results (lots of calls, virtual, and on-site client meetings)

  • Listen to diagnose the workforce gaps that are limiting a client’s potential

  • Negotiate pricing to ensure maximum return on quality solutions

  • Effectively source, recruit, interview, and select candidates

  • Coach and retain talent via phone, virtually, and in-person

  • Market talent to make certain they land the right job

  • Use a combination of tech and touch approaches that require exceptional documentation

  • Offer innovative and creative employment solutions

  • Provide services that consistently delight our clients and talent

What you need to bring:

  • Bachelor’s degree and/or 1-3 years of professional sales experience

  • Strong history of being the best at whatever you have done in the past

  • Technically adequate and competent

  • Proficiency using Google mail, calendaring and shared drives

  • Ability to connect with others through phone, video, social media, and in-person meetings

  • Prior experience working in a team-oriented and fast-paced organization

  • Track record of delivering results in a metrics-driven or tech-savvy environment

  • Experience or quick adaptability utilizing digital tools and google suite applications

  • Ability to thrive in a hybrid work model including onsite and remote

  • Passion for results, resilience, self-confidence, and the desire to do an exceptional job

  • Possess a natural curiosity and relentless determination to make things happen – you like to WIN!

What’s in it for you:

  • Largest global staffing leader

  • Competitive salary + bonus

  • Excellent benefits package – medical, dental, vision

  • Generous PTO policy earned from day one

  • Education and professional development

  • Rapid career growth

  • Retirement savings and security

  • Employee stock purchase plan

  • Paid parental leave

  • Short and long term disability

  • Employee assistance program and health advocacy

  • Health and dependent care flexible spending account

  • Metlife auto and home insurance

  • Metlife legal plan

  • Referral reward program

  • Exclusive discounts and programs with dozens of nationwide vendors and retailers

For certain positions, Covid-19 vaccination and/or testing may be required by Randstad’s client or applicable state/local mandates, subject to approved medical or religious accommodations. Ask your Randstad representative for more information.

At Randstad, we love to celebrate our hardworking diverse teams demonstrated through our ongoing commitment and diversity awards. Ranked as a 2022 DiversityInc Top 50 company, a Human Rights Campaign 2022 Best Places to Work for LGBTQ+ Equality, a Military Friendly company for Veterans, Military Spouses & Suppliers, and a 2022 Staffing Industry Analyst Top 50 Diversity, Equity & Inclusion Influencer to name a few. We are proud of our collaborative culture which is at the heart of Randstad. When you join Randstad you will receive opportunities for competitive & robust benefits, flexible schedules, and the assurance that everyone can be their authentic selves. We are seeking candidates from all backgrounds and demographics and a variety of industries to join a winning team!

Equal Opportunity Employer: Race, Color, Religion, Sex, Sexual Orientation, Gender Identity, National Origin, Age, Genetic Information, Disability, Protected Veteran Status, or any other legally protected group status. At Randstad, we welcome people of all abilities and want to ensure that our hiring and interview process meets the needs of all applicants. If you require a reasonable accommodation to make your application or interview experience a great one, please contact [email protected].

How to become an audit manager (plus skills and salary)

Adding an audit manager to your accounting and internal audit team can help a company improve financial reporting and compliance. This professional can help plan and review tax filings, secure necessary funds, and implement good accounting practices. Financial professionals who want to advance their careers into a management position in accounting and auditing would benefit from learning more about how to get this job. In this article, we will discuss what an audit manager does, how to become one, what skills are required to be successful in this profession, and what the average salary for this role is.

What does an audit manager do?

An audit manager is a professional who specializes in managing the business processes, operations and controls of an organization. This often includes monitoring and auditing a company’s financial records to determine whether they comply with laws and regulations. They also track data and perform analysis to make sure employees follow compliance protocols and do not introduce risks. The audit manager also leads a group of junior accountants or auditors, gives them direction and reviews their work.

Some other duties of the audit manager include:

  • Appointing and scheduling personnel

  • Documenting evaluation results

  • Providing training

  • Providing positive feedback

  • Implementing different testing methodologies

How to Become an Audit Manager

Here are seven steps you can take to become an Audit Manager:

1. Get an education

Companies are looking for audit managers with a bachelor’s degree in accounting or a related field such as finance or business administration. This degree usually takes four years to complete, depending on how many credit hours you take per semester. Earning a higher degree, such as a Master of Business Administration (MBA), Master of Accounting in Public Accounting, or Master of Accounting (MAcc), can help you in your job search as an audit manager. A master’s degree usually takes one to two years to complete.

2. Gain experience

When hiring an audit manager, a company may be looking for candidates with extensive experience in accounting, auditing, or other professions where you learned to evaluate and review the organization’s financial records. This experience often includes determining the soundness and reliability of an organization’s internal processes and the ability to weigh them against risks, which includes any violation of financial laws and regulations. Having management or leadership experience, even in an unrelated field, can also help you qualify for this position.

3. Certification

The Certified Quality Auditor (CQA) certification is often required for anyone aspiring to become an audit manager. A CQA is a professional in the financial industry who specializes in implementing principles and standards related to auditing an organization’s financial records. Hiring managers may also look for other certifications, such as Chartered Public Accountant, Certified Information Systems Auditor, or Certified Internal Auditor. Earning one of these in addition to the CQA may make you a more attractive candidate.

4. Improve your skills

Analytical thinking and critical analysis skills can help audit managers succeed in their careers. This includes the skills needed to interpret information found during the audit and translate data to help the leaders of the organization understand your findings. It’s important to show potential employers that you’re meticulous, honest, and committed to meeting deadlines. Other skills that should be developed include the ability to solve problems and make decisions.

5. Write a Resume

When you are looking for a job as an audit manager, it is important to have a resume that highlights your relevant skills, experience and education. Your resume can be the hiring manager’s first impression of you, so providing an informative document can improve your chances of being hired. Consider tailoring your resume to the position you are applying for by highlighting previous responsibilities that are relevant to the audit manager role. If your resume includes an objective or professional summary, use it to show how your skills and experience would enable you to excel in this role.

6. Apply for a job

If you want to advance in your finance career to a management position, it is important to apply for a variety of jobs in many industries. Most companies in any industry require their finances to be reviewed by a professional, which can allow you to expand your career opportunities. You can search for jobs on job boards, attend job fairs, or chat with colleagues. It is important to consider all options when looking for a job as an audit manager.

7. Succeed in the interview

Before the interview, read the exact description of the position and the company you are applying for. Showing that you are knowledgeable about the company can make you appear more professional, and being able to relate your experience to the job can improve your chances of being hired. You can also rehearse your answers to common interview questions, which will allow you to give clearer, more complete answers during the interview and remember to mention all the important details about yourself.

Skills for an Audit Manager

Here are some skills you can learn to improve your business processes if you want to advance your career as an Audit Manager:

Communication

Audit managers often transfer technical and sensitive information to clients or organizational leaders, so having strong communication skills will help you succeed in this role. Learning to develop positive relationships with your team and the department heads you report to will help you get better information from them or explain your findings to them more effectively. It can also help build trust, which can help them work better with you and complete tasks more efficiently.

Time management

As an audit manager, it is very important to incorporate time management into your work processes. This includes prioritizing tasks, making good use of technology, and having effective meetings. Another way to manage time is to delegate tasks and encourage the team to complete projects with financial deadlines, such as tax deadlines and fiscal year reporting.

Organization

As an audit manager, it is important to organize your processes carefully while working for a client or within an organization. This can be as simple as organizing paperwork or keeping the financial data obtained during the audit in dedicated folders. You may handle a variety of audits under different laws and regulations, so keep each set of financial documents in its proper place. Good organization will also help you manage your team and track the progress of projects.

Logic and critical thinking

Audit managers often work with numbers and data, so the ability to calculate and interpret them is very important. Since this job often requires drawing conclusions from your research and devising the proper steps to fix any problems or improve the efficiency of financial processes, being able to solve problems and come up with creative solutions can also help you succeed in this role. These skills will also help you overcome any difficulties you may encounter in managing your team members, which will help you maintain a positive work environment for them and keep morale high.

Audit Manager Salary and Career Opportunities

According to Indeed, the average Audit Manager salary nationwide is $97,101 per year. Your salary may depend on where you live, the size of your company, or the experience, education, and certifications you have received. The Bureau of Labor Statistics estimates that all accounting and auditing positions, including audit managers, will grow by 7% through 2030, just below the average for all professions. The agency attributes this demand to the continued need for financial reporting professionals as the economy grows and more companies go public.

Please note that none of the companies mentioned in this article are affiliated with Indeed.

Features of preparing and passing international security audits / Sudo Null IT News

In this article I want to describe the main stages of preparing for a security audit. Most often this is an audit of compliance with the ISO 27*** or PCI DSS security standards, or with GDPR requirements.

My experience in the field of information security is 12 years. During this time I have completed projects with dozens of companies from the USA, Britain, China, Russia, Ukraine and European countries. The clients were large processing centers and banks as well as IT companies of various specializations. The implementation results were evaluated by PWC (Hong Kong), VISA (USA) and Deloitte (UKR) and successfully confirmed compliance with the requirements, which can be seen in the letters of recommendation on the website and in reviews on my LinkedIn profile.

I hope that my experience in conducting audits, consulting and supervising projects to bring companies into compliance with the requirements of the PCI DSS, VISA & MASTERCARD Security standard will help me convey useful information to readers in simple words.

I would like to express the accumulated experience and knowledge, observations and comments in this article using the example of preparing for an audit of compliance with the PCI DSS standard. Everything expressed in this article may differ significantly from the opinions of other auditors and consultants, the official position of the PCI Security Standards Council and other sources. I am not suggesting that you strictly follow everything that will be discussed. This is just information for you to make your own decisions. I hope it will be useful for readers.

So how does an audit start and how does it work?

It all starts not with the signing of an audit contract or a pre-audit, but with the company’s decision (usually by the director or a manager) that an audit is needed.

There are two scenarios here: the audit must be passed at the request of customers or payment systems, which is the more common case; or the audit is initiated and defended before the company director (board chair, parent company) by the head of the information security (IS) department or a manager, which is rarer. In the first case the audit descends like a “punishment from God” on the staff of the IT and IS departments: work is added that may not be in their job descriptions, while salaries stay the same. Much depends on the team, the head of information security and the specific company. If the team can be motivated (how is a management question outside the scope of this article), there will certainly be a result. There will be a result even without motivation, by the whip method, but with more difficulties.

Things are different if the initiator is the head of the information security department. In that case the processes most likely already comply with the standard to some degree: the documentation has been prepared, the architecture does not fundamentally contradict the requirements, and the head of information security understands why this is needed. Since he initiates it, he understands the benefit for himself and his department, and he will be able to convey the need to his subordinates (most likely he already has) and find understanding, ideally support, from the IT department.

If the company that will perform the audit has not been imposed by management, it is worth talking to colleagues who have already dealt with auditors from that company. Choose not only the company but also the auditor who will conduct the audit, because it is this person you will need to prove (and it really is proving) that you meet every point of the standard. It is also advisable to ask the consultant who will implement the processes in the company, if one is involved: he probably has his own view of the auditors and audit firms on the market, and passing the audit after preparation is his share of the responsibility, which is worth sharing with him. Choose the company and the auditor according to your goals, which can range from obtaining a piece of paper on compliance to fully bringing all processes in line with the standard. Bear in mind that the most competent specialists are the most meticulous. They give the best audit advice but require a very high overall level of compliance from you: they are unwilling to “turn a blind eye” to shortcomings and jeopardize their reputation, and they simply will not accept low-quality work. Of course they are under pressure both from you as the customer and from their own management, but this class of expert prefers to do quality work rather than play corporate games.

Also remember that you can prepare for the audit yourself or involve a specialist. This can be either an employee on staff or an external consultant. The advantage of a staff employee is that this person will probably also perform additional security functions outside the active phases of the annual audit and will be fully devoted to the company’s processes and infrastructure.

The advantages of a consultant are specialization in exactly the required standard, cost minimization by paying for specific tasks and hours, and high speed of audit preparation. Each option has its own advantages and important features depending on the company, the required audit timeline, the budget, etc., which should be evaluated before starting the project.

If you need to pass an audit rather than build processes (I will say in advance that some PCI DSS requirements, especially on documenting processes, slow down the business processes themselves), it is better to turn to a small local market player: the auditors of such a company are usually more flexible about the form in which PCI DSS requirements are implemented. If you want not just a thick report but also consulting as part of implementation, there is no unequivocal recommendation: choose an auditor. If you need a beautiful report with the seal of a well-known company, the choice is obviously a well-known international company. The final choice is yours.

This article will not address the issue of which version to audit, as the standard evolves and its versions change. Currently, the current version is PCI DSS 3.2.1, but PCI DSS 4.0 is being prepared for release.

If you do not plan to involve a specialist or consultant at the preparation stage, then you will have to conduct an internal audit on your own. The result of the audit should not be a report, but an agreed schedule for eliminating nonconformities (an example of an audit table, sections of the report and a schedule plan is given in Appendices 1-3).

Annex 1

Annex 2

Annex 3

And in order to obtain this plan, it is necessary to conduct a detailed analysis of the infrastructure, documentation, processes and interview personnel. Completing this task will allow you to understand the level of maturity of the company’s processes and identify the biggest gaps.

The main points to pay attention to as part of the elimination of non-conformities can be divided into the following:

  1. Preparation or amendment of regulatory documents.

  2. Preparation of acts, registers, testing plans and other reporting.

  3. Modernization and changes in the configuration of systems and software.

  4. Conducting internal and external network scans and processing their results.

  5. Penetration testing.

  6. Conducting training and testing response plans.

  7. Analysis of access rights in logical and physical systems.

Just like any change in business processes, changes made as part of bringing a company to PCI DSS compliance can meet fierce resistance from department heads and other staff. To offset this effect, I recommend an integrated approach. Namely:

  • Support for your position from management, and communication of its position to the staff.

  • Allocation of part of staff time to PCI DSS tasks as directed by management.

  • Holding joint meetings with department heads to communicate the essence of the standard and the proposed changes.

  • Introductory mailings for staff.

  • Indirect motivation: information security souvenirs, competitions, posters, screensavers.

I don’t think it needs saying that there is no company in which absolutely everything is free of violations. There are various reasons for this: the cost of fulfilling requirements is too high, fulfilling them would break or destroy real business processes, or processes are historically established. Everything then depends on what is shown to the auditor and what he sees or finds. Again, do not forget the possibility of applying compensating controls.

If a specialized consultant cannot be engaged, audit preparation should of course be led by a person competent in audits and standards, or by someone who can quickly become one (a specialist in a related field), since it is highly desirable that the auditors and the company’s representatives understand each other and that the company side has a high level of competence in the area being audited. When a compliance audit project is run by someone unmotivated and incompetent in project management and information security standards, the probability of successful completion drops sharply, while the project’s time and budget grow. An exception may be the case where everything has been paid in advance, but then it is probably not even worth running the project.

Let’s talk in more detail about the points listed above.

1. When developing and editing documents a very simple principle applies: every process that must be documented under PCI DSS requirements must be documented.

As for the nuances, be aware that this is fraught with most processes remaining only on paper. When writing a process into the documents, think about how the staff will actually perform it. As cliché as it sounds, it really matters.

2. A rather long list of monthly, quarterly and other acts must be prepared by company employees. Add to this the updating of registers and plans, the analysis and processing of scan results and risk treatment, and the incident response documentation, and the stack for a year can be thicker than good brickwork (even if only in electronic form). Understand that it is better to produce it throughout the year, although it is often done immediately before the audit, which raises the question of whether the processes are actually working. In the end, everything is aimed at raising the level of security, and it is more logical to do everything on time; you will have to do it anyway.

3. Systems require constant updates and changes to settings and configuration parameters. This requires competent specialists on staff and monitoring of the frequency and correctness of update installation and of compliance with configuration passports (the baseline configuration record kept for each system). This is a periodic and very time-consuming part of the work. It can, by the way, be automated; I wrote about this when discussing building vulnerability and compliance management processes here.

4. For internal scans it is enough to use any reasonably good network scanner with the latest updates; deploying a whole network vulnerability management suite is not necessary for PCI DSS compliance. What is required is processing of the scan results. Every vulnerability that cannot be fixed must be analyzed, and if the finding is not a false positive, compensating controls must be developed and implemented for it.

As for the quarterly external perimeter scan (ASV), it is enough to buy a license for the required number of IP addresses and run the scan yourself four times a year. Naturally, this applies when you have no vulnerabilities in the scanned infrastructure, and there should not be any.
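The processing of scan results described in point 4 is easier to defend in front of an auditor when every finding is forced into exactly one documented bucket. The script below is an added example, not the article author's code and not the output format of any real scanner: the hosts, plugin names, recorded decisions and the 30/90-day remediation windows are constructed assumptions; the CVSS 4.0 threshold is the cut-off at which an ASV external scan fails. A finding with no patch and no recorded false-positive evidence or compensating control is reported as blocking, which is the gap an auditor would find.

```python
"""Triage of internal scan findings into remediate / false positive /
compensating control / missing decision.

Added example, not the article author's code and not any scanner's real
output format. Hosts, plugin names and decisions are constructed data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample scan results; "fixable" is the administrator's answer
# to whether a patch or configuration change is available for this host.
SAMPLE_FINDINGS = [
    {"host": "10.0.1.10", "plugin": "SSL-WEAK-CIPHERS", "cvss": 5.3, "fixable": True},
    {"host": "10.0.1.11", "plugin": "OLD-SSH-BANNER", "cvss": 7.5, "fixable": False},
    {"host": "10.0.1.12", "plugin": "SMBV1-ENABLED", "cvss": 8.1, "fixable": True},
    {"host": "10.0.1.13", "plugin": "HTTP-TRACE", "cvss": 3.7, "fixable": True},
    {"host": "10.0.1.14", "plugin": "TLS10-ENABLED", "cvss": 6.5, "fixable": False},
    {"host": "10.0.1.15", "plugin": "EOL-JAVA-RUNTIME", "cvss": 9.8, "fixable": False},
]

# Decisions the team has recorded for findings that will not simply be
# patched, keyed by (host, plugin). Constructed for the example; note that
# 10.0.1.15 has no decision at all.
DECISIONS: Dict[Tuple[str, str], dict] = {
    ("10.0.1.11", "OLD-SSH-BANNER"): {
        "kind": "false_positive",
        "evidence": "distro backported the fix; package changelog attached",
    },
    ("10.0.1.14", "TLS10-ENABLED"): {
        "kind": "compensating_control",
        "control": "host isolated in a segmented VLAN; only the legacy "
                   "terminal may connect, traffic logged at the firewall",
    },
}


@dataclass
class TriageItem:
    host: str
    plugin: str
    cvss: float
    action: str  # remediate | false_positive | compensating_control | missing_decision
    due: Optional[date] = None
    note: str = ""


def triage(findings: List[dict], decisions: Dict[Tuple[str, str], dict],
           scan_date: date = date(2023, 8, 1), high_threshold: float = 4.0,
           days_high: int = 30, days_low: int = 90) -> List[TriageItem]:
    """Assign every finding one action and, for remediation, a due date.

    high_threshold is the CVSS 4.0 cut-off at which an ASV scan fails;
    the 30/90-day windows are assumptions chosen for this example."""
    items: List[TriageItem] = []
    for f in findings:
        key = (f["host"], f["plugin"])
        decision = decisions.get(key)
        if decision is not None:
            kind = decision.get("kind")
            # A recorded decision only counts when its justification is present.
            if kind == "false_positive" and decision.get("evidence"):
                items.append(TriageItem(*key, f["cvss"], kind, note=decision["evidence"]))
            elif kind == "compensating_control" and decision.get("control"):
                items.append(TriageItem(*key, f["cvss"], kind, note=decision["control"]))
            else:
                items.append(TriageItem(*key, f["cvss"], "missing_decision",
                                        note="decision recorded without justification"))
        elif f["fixable"]:
            window = days_high if f["cvss"] >= high_threshold else days_low
            items.append(TriageItem(*key, f["cvss"], "remediate",
                                    due=scan_date + timedelta(days=window)))
        else:
            items.append(TriageItem(*key, f["cvss"], "missing_decision",
                                    note="not fixable and no false-positive or "
                                         "compensating-control decision recorded"))
    return items


def summary(items: List[TriageItem]) -> Dict[str, int]:
    """Count findings per action, for the non-conformity schedule."""
    counts: Dict[str, int] = {}
    for it in items:
        counts[it.action] = counts.get(it.action, 0) + 1
    return counts


def open_decisions(items: List[TriageItem]) -> List[Tuple[str, str]]:
    """Findings that block audit readiness until a decision is documented."""
    return [(it.host, it.plugin) for it in items if it.action == "missing_decision"]


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, DECISIONS)
    for it in result:
        due = f" due {it.due.isoformat()}" if it.due else ""
        print(f"{it.host:<10} {it.plugin:<18} CVSS {it.cvss:<4} -> {it.action}{due}")
    print(summary(result))
    print("blocking:", open_decisions(result))
```

The point of the structure is that "analyzed" is not a state: a finding leaves the list only by being fixed on a dated schedule, by false-positive evidence the auditor can read, or by a written compensating control. Run against real scanner exports, the same logic would take the scanner's CVSS and plugin fields instead of the constructed dictionaries.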

5. In preparing for the penetration test, I would give priority to the following:

  • Control of the locations where card data is stored.

  • System updates.

This is the order in which problems usually surface in a penetration test.

6. Employee training is an essential part of improving security. But if not all the processes written on paper work in reality, then this is also simply an opportunity to tell employees who should answer which questions and how, so that the employee interviews do not reveal that not all the processes reflected on paper are actually used.

As regards response plans: if they have been applied during the current reporting period, the records (certificates) must be prepared. Otherwise, test the response plans and draw up acts based on the results.

7. It is also mandatory to control user access to systems. If this is done purely for show, then so be it. But if you want to establish processes and provide real access control, then you must first build the process and only then conduct an audit, not the other way round. With an idle process, everything will quickly return to how it was, and your efforts will have been in vain.

I would like to pay special attention to planning the work and controlling its execution. I think lack of resources is an issue for every project, and an audit is probably the best example: for none of the departments involved (perhaps with the exception of the security department) is the project a priority. And since nobody plans to stop the main projects of the departments involved, expect the corresponding attitude. And if you have not enlisted the support of management in this matter... But let's not talk about sad things.

I am a supporter of project management according to the PMBOK methodology, although I sometimes allow myself to reduce the number of reporting papers. This methodology lets you manage projects correctly, and many of the questions that will arise while running a project are already foreseen in it. But if you are not familiar with it, it will take time to learn and try it out.

Whatever situations you have to resolve within particular projects, there is always a little creativity involved, plus more experience and bits of knowledge, which can be gleaned, for example, from articles in the specialised press. For instance, I took ideas from the SCRUM methodology, which has nothing to do with information security and audits, but it came in handy.

As for non-conformities, I would recommend taking the ones found calmly, unless they are fundamental non-conformities in the system architecture, a lack of equipment or software, or critical company processes that cannot be changed in any way. In all other cases you can get an explanation from the auditor, and often advice on the simplest way to fix them. The catch is that this may require much more time and money than originally planned, so it is better to engage a specialist in advance. But here we should not forget about human qualities and relationships between people.

Immediately before the audit, it is imperative to gather all the employees who will take part in the interviews and hold a meeting to clarify the main points of the upcoming audit, paying particular attention to the nuances. For example, that an administrator must not leave the workplace in front of strangers without locking the computer. At every audit there is an administrator who runs off, leaving the auditor alone with open connections to the critical servers being audited. This remark is not critical and is used only as an example, but quite a lot of such trifles can accumulate. In addition, be sure to agree with colleagues on what information should under no circumstances be disclosed to the auditor (more on that above), because having heard even the slightest discrepancy, the auditor will certainly unravel the whole tangle, you can rest assured.

Before the audit, be prepared for the fact that no matter how well you plan, you will not have time to eliminate all non-conformities and complete all the tasks you wanted by the planned deadlines. The company is constantly changing systems and processes, there are rush jobs (necessarily at the most inopportune moment), and employees need to perform their regular duties in addition to preparing for the audit. When planning, depending on the maturity of the processes, the workload of employees and your sphere of influence, I recommend allocating an additional 10 to 35% of time for risks.

One more thing regarding the solutions that companies recommend based on the audit results. Understand that, as a rule, companies that conduct audits have divisions that implement particular solutions and systems, and you can be sure that these will be recommended for implementation regardless of whether they fully meet your requirements. Just keep this in mind; there is nothing wrong with it. If a division of the company has really completed successful projects, and the solution and the price of the services suit you, feel free to agree. Just remember not to rely blindly on recommendations and implement expensive systems only to pass the audit and then forget about them until next year.

And one more thing. Do not treat the auditor as an enemy; treat him as an ally. Often the audit results can show management that you really do not have enough resources, technology or budget, and that it was not you who invented the need for useless "toys" for IT or information security. Feel free to tell the auditor about this and let him put it in the report. But remember that this can be said during a preliminary or expert audit, and certainly not as a non-conformity during a certification audit; otherwise you may never see the certificate of conformity, and management, instead of giving you additional resources and budget, may reward you with a reprimand or even fire you for poor performance and missed project deadlines.