Audit Readiness
Measure how prepared your organization is for compliance audits.
Audit Readiness
The Audit Readiness card shows how prepared you are for a compliance audit. It combines evidence coverage, control implementation, and gap status to give you a single readiness score.
What Audit Readiness Measures
Audit readiness is calculated from:
| Factor | Weight | What It Measures |
|---|---|---|
| Evidence Coverage | 35% | Controls with supporting documentation |
| Gap Resolution | 30% | Percentage of gaps resolved |
| Control Implementation | 25% | Controls marked as implemented |
| Evidence Freshness | 10% | Documents updated within 12 months |
Readiness Score Interpretation
| Score | Status | Meaning |
|---|---|---|
| 90-100% | Audit Ready | Ready to engage auditors |
| 75-89% | Nearly Ready | Minor gaps to close |
| 50-74% | In Progress | Significant prep work needed |
| Below 50% | Not Ready | Major effort required |
Aim for 90%+ before scheduling an audit. Lower scores mean more auditor questions, potential findings, and delays.
Understanding Evidence Coverage
What Auditors Want
Auditors expect evidence for every control claim:
- Policies - Written documents stating what you do
- Procedures - How you actually do it
- Proof - Screenshots, logs, records showing it works
Coverage Calculation
Evidence coverage = (Controls with evidence ÷ Total applicable controls) × 100
A control has evidence if:
- At least one document is linked
- The document addresses the control requirement
- The document is current (not outdated)
Viewing Readiness Details
Click the Audit Readiness Card
Opens the detailed readiness view with breakdowns.
Select a Framework
Choose which framework's audit readiness you want to review.
Review Missing Evidence
See which controls lack sufficient evidence.
Check Open Gaps
View gaps that need resolution before audit.
Generate Readiness Report
Create a PDF or document summarizing your readiness status.
Preparing for Audit
90 Days Before
- Check your readiness score - Know your starting point
- Identify major gaps - Critical/High severity items
- Create remediation plan - Workflows for each gap
- Assign owners - Who will close each gap
60 Days Before
- Execute remediation - Complete workflow tasks
- Gather evidence - Upload supporting documents
- Update stale docs - Refresh outdated policies
- Test controls - Verify implementations work
30 Days Before
- Final gap check - All critical/high resolved
- Evidence audit - Every control has documentation
- Prepare control narratives - Write explanations
- Brief team - Everyone knows their role
Week of Audit
- Final score check - Should be 90%+
- Ready documents - Easy access for auditors
- Designate point person - Who talks to auditors
- Review common questions - Prepare answers
Don't wait until the last minute. Rushing audit preparation leads to findings, exceptions, and potential audit failures.
Framework-Specific Preparation
SOC 2 Audits
Focus areas:
- Type I - Point-in-time design effectiveness
- Type II - Operating effectiveness over period (usually 6+ months)
- All Trust Service Criteria controls
- System description document
ISO 27001 Certification
Focus areas:
- Statement of Applicability (SoA)
- Risk assessment documentation
- Internal audit evidence
- Management review records
HIPAA Compliance
Focus areas:
- Risk assessment (required annually)
- Policies and procedures for all safeguards
- Training records
- Business Associate Agreements
SOX Compliance
Focus areas:
- Financial controls documentation
- IT general controls (ITGCs)
- Access control evidence
- Change management records
Common Audit Gaps
Documentation Issues
- Missing policies for key controls
- Outdated procedures
- Unsigned approvals
- Incomplete records
Implementation Issues
- Controls documented but not operating
- Inconsistent implementation
- Missing monitoring/logging
- No periodic review evidence
Evidence Issues
- Can't locate supporting documents
- Evidence doesn't match timeframe
- Screenshots not dated
- Records not retained long enough
Improving Readiness Score
Quick Improvements
- Upload missing evidence - Biggest impact
- Resolve high-severity gaps - Reduces gap count
- Update stale documents - Improves freshness score
- Mark implemented controls - Accurate status
Systematic Improvements
- Complete remediation workflows - Addresses root causes
- Regular evidence collection - Monthly documentation
- Control testing - Verify implementations
- Gap reviews - Weekly team reviews
Audit Readiness Checklist
Before scheduling an audit, verify:
- Readiness score is 90% or higher
- No critical or high severity gaps open
- All controls have current evidence
- Policies reviewed within 12 months
- Team is prepared and briefed
- Point of contact assigned for auditors
- Document access arranged
Common Questions
When should I schedule an audit?
When your readiness score is consistently above 90% and you've maintained that level for at least 30 days.
What if my score drops during audit period?
- Continue normal operations
- Document any changes
- Inform your auditor if significant
- Evidence collected during audit period is valid
How do I maintain readiness year-round?
- Monthly evidence collection
- Quarterly gap reviews
- Immediate workflow creation for new gaps
- Regular policy reviews
Next Steps
- Workflows In Progress - Check remediation status
- Documents - Upload evidence
- Compliance Gaps - Resolve open gaps