
Managing Audit Process and External Auditor Collaboration

Collaborate effectively with external auditors, manage audit workflows, and maintain organized communication throughout the certification process.

Written by John Ozdemir
Updated over 2 months ago

Effective auditor collaboration ensures smooth certification audits. DSALTA facilitates secure information sharing and organized audit management.

Selecting an Audit Firm

Choose an audit firm appropriate for your framework:

SOC 2: Select a licensed CPA firm; only a CPA firm can issue a SOC 2 report

ISO 27001: Engage a certification body (CB) accredited for ISO/IEC 27001

HIPAA: There is no official HIPAA certification; use a qualified third-party assessor or an internal risk assessment, depending on what your customers accept

Other Frameworks: Follow framework-specific auditor requirements

Consider:

  • Industry experience and expertise

  • Customer recognition and acceptance

  • Audit timeline and availability

  • Pricing and service level

  • References from similar organizations

Auditor Onboarding

Provide auditors with necessary context:

Company Overview: Business model, size, structure, technology stack

Compliance Scope: Which frameworks, which systems, what boundaries

Previous Certifications: Prior audit experience and reports

Known Issues: Any current gaps or remediation in progress

Timeline Constraints: Business deadlines or customer requirements

Granting Auditor Access

Set up secure auditor access in DSALTA:

  1. Navigate to Personnel > People

  2. Click Invite Auditor or Add Person

  3. Enter auditor email address

  4. Select Auditor role

  5. Configure access permissions:

    • Which frameworks they can view

    • Time-limited access duration

    • Read-only permissions

  6. Send invitation


Auditor Permissions

The Auditor role in DSALTA provides:

Read Access:

  • View all controls and evidence

  • Access policies and documents

  • Review test results and history

  • See framework progress

Restricted Actions:

  • Cannot modify any data

  • Cannot change configurations

  • Cannot add or remove evidence

  • Cannot access organization settings

This lets auditors review everything in scope without being able to alter the evidence they are attesting to. Scope each grant to the frameworks under audit and give it an expiry, so access ends on its own if nobody remembers to revoke it.

Audit Kickoff Meeting

Initial meeting to align expectations:

Agenda Items:

  • Review audit scope and objectives

  • Discuss timeline and key milestones

  • Identify control owners for interviews

  • Establish communication protocols

  • Review evidence organization

  • Address any questions or concerns

Deliverables:

  • Finalized audit schedule

  • List of required interviews

  • Evidence request list

  • Communication plan

Evidence Request Management

Handle auditor evidence requests systematically:

Track Requests: Maintain a list of all auditor questions and evidence requests

Assign Owners: Designate who will provide each piece of evidence

Set Deadlines: Commit to response timeframes (typically 24-48 hours)

Provide Through DSALTA: Share evidence via the platform when possible

Document Responses: Keep records of all information provided

Interview Coordination

Schedule and prepare for auditor interviews:

Who to Interview:

  • Control owners for key controls

  • Security leadership

  • Engineering/IT leadership

  • HR representatives

  • Executives (for governance interviews)

Interview Preparation:

  • Brief interviewees on what to expect

  • Review relevant controls and evidence

  • Prepare examples and context

  • Gather supporting materials

  • Set up meeting logistics

During Interviews:

  • Be honest and direct

  • Provide specific examples

  • Show evidence when relevant

  • Acknowledge gaps if they exist

  • Document key discussion points

Audit Status Tracking

Monitor audit progress throughout the engagement:

Evidence Review Progress: Which controls have been reviewed

Outstanding Requests: What information is still needed

Findings Identified: Any concerns raised by auditors

Completed Sections: Which control areas are finalized

Timeline Status: On schedule or delays

Responding to Auditor Questions

When auditors request clarification:

Understand the Question: Ensure you know exactly what they're asking

Gather Information: Consult with relevant control owners

Provide Complete Answers: Address all aspects of the question

Include Context: Explain organizational decisions and rationale

Reference Evidence: Point to supporting documentation in DSALTA

Follow Up: Confirm the answer satisfied their inquiry

Handling Audit Findings

If auditors identify issues during the audit:

Findings vs. Observations:

Findings: Significant gaps that may affect the outcome. In a SOC 2 report these appear as exceptions against a control; in ISO 27001 they are nonconformities, graded major or minor, and a major nonconformity must be remediated before a certificate is issued.

Observations: Minor issues or improvement opportunities (called opportunities for improvement in ISO 27001) that do not block the report or certificate but should be tracked

Immediate Actions:

  1. Understand the specific concern

  2. Determine severity and impact

  3. Develop remediation plan

  4. Assign responsibility and timeline

  5. Implement fixes if possible during audit

  6. Document corrective actions

Management Representation Letter

Many audits require a management representation letter:

Content Typically Includes:

  • Confirmation of information accuracy

  • Acknowledgment of management responsibilities

  • Disclosure of known issues or incidents

  • Commitment to maintaining controls

Review carefully before signing and ensure all statements are accurate.

Draft Report Review

When auditors provide draft reports:

Review For:

  • Factual accuracy

  • Correct company information

  • Accurate scope description

  • Fair representation of controls

  • Clear description of any exceptions

Respond With:

  • Corrections for factual errors

  • Clarifications on misunderstandings

  • Additional context if needed

  • Management responses to findings

Auditors will consider feedback and issue final reports.

Receiving Final Reports

Once the audit is complete:

SOC 2 Reports: Receive the Type I (point-in-time) or Type II (period-of-time) report

ISO 27001: Receive the certificate, normally valid for three years subject to annual surveillance audits

Other Frameworks: Framework-specific certification documentation

Report Contents:

  • Auditor opinion

  • Scope of examination

  • Control descriptions

  • Testing results

  • Any exceptions or findings

Post-Audit Cleanup

After audit completion:

Update Trust Center: Add certifications; note that SOC 2 reports are usually shared with customers under NDA rather than published publicly, while an ISO 27001 certificate can be posted

Revoke Auditor Access: Remove the auditor's access as soon as the engagement ends (or let the configured expiration take effect); the auditor has had read access to sensitive evidence, so do not leave the account dormant

Address Remaining Observations: Create action items for improvement opportunities

Document Lessons Learned: Record what went well and what to improve

Plan Surveillance: Schedule next year's audit

Continuous Monitoring: Maintain evidence collection for ongoing compliance

Annual Surveillance Audits

Most certifications require ongoing audits: a SOC 2 Type II report is typically renewed each year to keep coverage current, and an ISO 27001 certificate requires annual surveillance audits with a full recertification audit every three years.

Surveillance Audits:

  • Shorter than the initial certification audit

  • Focus on changes since the last audit

  • Verify that controls have operated continuously

  • Check the status of previous findings

Preparation:

  • Maintain continuous evidence collection

  • Address any previous observations

  • Document significant changes

  • Keep integrations healthy

  • Update policies as needed

DSALTA's continuous monitoring makes surveillance audits significantly easier than initial certifications.
