
The Audit Preparation Checklist: 90 Days to Audit-Ready

A structured 90-day checklist for preparing your organization for a SOC 2 or ISO 27001 audit, covering evidence collection, team coordination, and common pitfalls.

Agency Team
·11 min read

The 90 days before your audit observation window opens are the most critical period in your compliance journey. This is when preparation gaps become visible, when evidence collection processes are stress-tested, and when organizational readiness is either confirmed or exposed as incomplete.

After coordinating hundreds of audit engagements, we have distilled the preparation process into a structured 90-day timeline. This is not a generic checklist of compliance requirements. It is an operational playbook focused on the specific activities that determine whether your audit runs smoothly or becomes a scramble of last-minute evidence requests and emergency remediation.

Days 1 through 30: Foundation and Gap Closure

The first 30 days focus on confirming that your control environment is complete and that every gap identified during readiness assessment has been remediated.

Begin with a comprehensive control inventory review. Walk through every control in your GRC platform and verify three things for each one: the control is documented in a current policy, the control is implemented in your environment, and evidence of the control's operation is being collected automatically or on a defined manual schedule. Flag any control that fails any of these three checks.

Policy review should happen in the first two weeks. Every policy referenced in your control environment needs to be current, meaning reviewed and approved within the past twelve months. Check that policies reflect your actual operational practices. A common failure mode is policies written during initial certification that were never updated to reflect organizational changes. If you have migrated cloud providers, changed your deployment process, or significantly restructured your engineering team, your policies likely need updates.

Complete any outstanding remediation items from your gap assessment. Items that commonly linger until this phase include finalizing agreements with appropriate security terms for every vendor that handles sensitive data (Business Associate Agreements where HIPAA applies, data processing or security addenda otherwise), implementing automated evidence collection for controls that were previously tracked manually, completing the annual risk assessment if it has not been conducted in the current period, and confirming that all employees completed security awareness training within the required timeframe.

Conduct a pre-audit evidence dry run during weeks three and four. For each control, pull the evidence that you expect the auditor to request and review it for completeness. This exercise invariably reveals gaps: a quarterly access review that was completed but not documented in the GRC platform, a vendor assessment that was conducted verbally but never formalized, or a change management ticket that was approved after deployment rather than before.
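The dry run is easiest to make repeatable when the checks are scripted against an export from your ticketing or GRC system. The following is an added example, not tooling from the article or its authors: it runs the change-management checks described above (approval present, reviewer identified, reviewer independent of the author, approval before deployment) over a constructed ticket population. The ticket fields and the sample tickets are assumptions; map them to your own export. The same check also surfaces the undocumented-approval case discussed under the common pitfalls later in the article.

```python
"""Evidence dry-run check for change-management tickets.

Added example, not tooling from the article or its authors. It flags the
failure modes a dry run is meant to surface: no approval recorded, no reviewer
identity, a reviewer who is also the author, and an approval stamped after the
deployment it should have gated. The ticket fields and the sample tickets are
constructed; map them to your own ticketing-system export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeTicket:
    """One row of a hypothetical ticketing-system export (field names assumed)."""
    ticket_id: str
    author: str
    deployed_at: datetime
    approved_at: Optional[datetime] = None
    approver: Optional[str] = None


# Constructed sample population: one clean ticket and three with problems.
SAMPLE_TICKETS = [
    ChangeTicket("CHG-101", "alice", datetime(2024, 3, 4, 15, 0),
                 approved_at=datetime(2024, 3, 4, 14, 10), approver="bob"),
    # approval recorded 35 minutes after the deployment
    ChangeTicket("CHG-102", "alice", datetime(2024, 3, 11, 9, 30),
                 approved_at=datetime(2024, 3, 11, 10, 5), approver="bob"),
    # no approval captured at all
    ChangeTicket("CHG-103", "carol", datetime(2024, 3, 18, 16, 45)),
    # approved before deployment, but by the author
    ChangeTicket("CHG-104", "dave", datetime(2024, 3, 25, 11, 0),
                 approved_at=datetime(2024, 3, 25, 10, 0), approver="dave"),
]


def ticket_exceptions(ticket: ChangeTicket) -> list[str]:
    """Return the evidence problems for one ticket; an empty list means clean."""
    problems: list[str] = []
    if ticket.approved_at is None or not ticket.approver:
        # Without a timestamp and a named reviewer the control cannot be
        # verified, so there is nothing further to compare against.
        problems.append("no approval timestamp or reviewer identity recorded")
        return problems
    if ticket.approver == ticket.author:
        problems.append("approver is the change author (no independent review)")
    if ticket.approved_at > ticket.deployed_at:
        lag = ticket.approved_at - ticket.deployed_at
        problems.append(f"approval recorded {lag} after deployment")
    return problems


def dry_run(tickets: list[ChangeTicket]) -> dict[str, list[str]]:
    """Map ticket id to its problems, for every ticket with at least one."""
    findings: dict[str, list[str]] = {}
    for ticket in tickets:
        problems = ticket_exceptions(ticket)
        if problems:
            findings[ticket.ticket_id] = problems
    return findings


def exception_rate(tickets: list[ChangeTicket]) -> float:
    """Share of the population that would draw an auditor exception."""
    if not tickets:
        return 0.0
    return len(dry_run(tickets)) / len(tickets)


if __name__ == "__main__":
    for ticket_id, problems in dry_run(SAMPLE_TICKETS).items():
        print(ticket_id, "->", "; ".join(problems))
    print(f"exception rate: {exception_rate(SAMPLE_TICKETS):.0%}")
```

Run it against the full population for the observation window rather than a hand-picked sample; the point of the dry run is to find the tickets an auditor's sample could land on, not to confirm that the good ones are good.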

Days 31 through 60: Evidence Hardening and Team Preparation

With foundational gaps closed, the middle 30 days focus on evidence quality and team readiness.

Evidence hardening means ensuring that every piece of evidence tells a complete, auditable story. An access review is not just a list of users; it includes the reviewer's name, the date of review, the decisions made for each account, and documentation of any access changes that resulted from the review. A vulnerability scan is not just a report; it includes the scan configuration, the date executed, the findings, and evidence of remediation for critical and high-severity findings within your defined SLA.

Review your evidence against the sampling methodology your auditor will use. Most auditors sample on a risk basis, selecting a subset of each control's population for detailed examination, with the sample size driven by how often the control operates and how large its population is. For process-based controls such as change management, expect them to pull on the order of 25 to 40 samples spread across the observation period. Ensure that your evidence is consistent across the entire population, not just for the first few months when the team was most attentive.

Team preparation is essential and frequently neglected. Identify every person who may interact with the auditor during fieldwork. This typically includes your compliance lead, the engineering manager responsible for infrastructure, the HR representative who manages onboarding and offboarding, the IT administrator who manages access provisioning, and any team lead whose department is within scope.

Schedule 30-minute preparation sessions with each person. Cover what the auditor will ask about their area of responsibility, where evidence is stored and how to retrieve it, what a good response looks like versus what triggers follow-up questions, and the escalation path if they cannot answer a question. The goal is not to rehearse scripted answers but to ensure everyone understands the audit process and can respond confidently and accurately.

Days 61 through 90: Final Readiness and Audit Logistics

The final 30 days are about logistics, communication, and final validation.

Confirm your audit schedule with the audit firm. Establish the exact dates for fieldwork, identify the audit team members and their areas of focus, and agree on the communication protocol for evidence requests. Most audit firms use a secure portal for evidence submission. Ensure your team has access and has tested the upload process before fieldwork begins.

Conduct a final evidence completeness review. This is your last opportunity to identify and close gaps before the auditor arrives. Review the evidence for every control, focusing particularly on the most recent quarter of the observation window. Late-period gaps are the most damaging because they suggest that your controls may not be operating consistently.

Prepare your system description document. For SOC 2, this is a narrative description of your system including infrastructure, software, people, processes, and data. For ISO 27001, this is your ISMS scope statement and the Statement of Applicability. These documents frame the auditor's evaluation and should accurately represent your current environment. Review them for any inaccuracies introduced by recent changes to your infrastructure or organization.

Set up a dedicated communication channel for audit coordination. A Slack channel or Teams group that includes your compliance lead, the key evidence providers, and the audit team enables rapid response to evidence requests and questions. Speed of response during fieldwork directly correlates with audit duration. Auditors who wait days for evidence responses extend their fieldwork timeline, which increases both cost and organizational disruption.

Prepare a management representation letter. Your auditor will provide a template, but reviewing it in advance allows legal counsel to flag any concerns before fieldwork begins. This letter attests to the completeness and accuracy of the information provided to the auditor, so ensure that every claim is supportable.

Common Pitfalls That Derail Audit Preparation

Beyond the structured timeline, there are recurring failure patterns worth highlighting because they consistently catch teams off guard.

Evidence gaps in the middle of the observation window are surprisingly common. Teams maintain strong compliance discipline in the first two months and the final two months but relax during the middle period. Auditors look specifically for consistency across the entire window. If your policy calls for quarterly access reviews and you can produce the January and July reviews but not the April one, the auditor will note an exception regardless of how thorough the other two reviews were.

Informal controls that work in practice but lack documentation are a frequent source of exceptions. Your engineering team might have excellent change management discipline, with every production change going through code review and testing, but if the ticketing system does not capture approval timestamps or reviewer identity, the auditor cannot verify the control operated as documented.

Vendor management gaps appear when new tools are adopted without going through the formal assessment process. Conduct an inventory of all tools and services adopted during the observation window and ensure each one has a completed vendor assessment, a signed agreement with appropriate security terms, and inclusion in your vendor register.

Personnel changes during the observation window require careful handling. When employees join or leave, your access provisioning and deprovisioning controls are tested. Ensure that onboarding and offboarding records are complete for every personnel change during the window, including evidence that access was granted within your defined provisioning SLA and revoked within your defined deprovisioning SLA.
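Both of these consistency problems, a recurring control that silently skipped a period and an offboarding that missed its SLA, are mechanical to detect once the records are exported. The following is an added example, not tooling from the article or its authors: one function reports the calendar quarters of the observation window that have no access review record, covering the mid-window gap described above, and a second reports offboarding records where access was revoked outside the deprovisioning SLA or never recorded as revoked. The window dates, quarterly cadence, 24-hour SLA and the sample records are constructed assumptions; substitute your own GRC and HR exports, and apply the same shape to provisioning by swapping the termination and revocation timestamps for hire and grant timestamps.

```python
"""Observation-window consistency checks: review cadence and offboarding SLA.

Added example, not tooling from the article or its authors. Window, cadence,
SLA and the sample records are constructed assumptions.
"""
from __future__ import annotations

from datetime import date, datetime, timedelta
from typing import Iterable, Iterator, Optional

# Assumed observation window (calendar year 2024).
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2024, 12, 31)


def quarters(start: date, end: date) -> Iterator[tuple[str, date, date]]:
    """Yield (label, first_day, last_day) for each calendar quarter that
    overlaps [start, end], clipped to the window."""
    year, q = start.year, (start.month - 1) // 3 + 1
    while True:
        first = date(year, 3 * (q - 1) + 1, 1)
        if first > end:
            return
        # First day of the following quarter; the day before it ends this one.
        next_first = date(year + 1, 1, 1) if q == 4 else date(year, 3 * q + 1, 1)
        yield f"{year}-Q{q}", max(first, start), min(next_first - timedelta(days=1), end)
        year, q = (year + 1, 1) if q == 4 else (year, q + 1)


def review_coverage_gaps(review_dates: Iterable[date],
                         start: date = WINDOW_START,
                         end: date = WINDOW_END) -> list[str]:
    """Quarters inside the window with no completed review record."""
    dates = list(review_dates)
    return [label for label, first, last in quarters(start, end)
            if not any(first <= d <= last for d in dates)]


# Constructed: reviews documented in Q1, Q2 and Q4; the Q3 review was skipped.
ACCESS_REVIEWS = [date(2024, 1, 15), date(2024, 4, 12), date(2024, 10, 9)]

# Assumed deprovisioning SLA.
DEPROVISIONING_SLA = timedelta(hours=24)

# Constructed offboarding records: (employee, termination, access revoked).
OFFBOARDING: list[tuple[str, datetime, Optional[datetime]]] = [
    ("u1", datetime(2024, 2, 2, 17, 0), datetime(2024, 2, 2, 17, 40)),
    ("u2", datetime(2024, 5, 20, 12, 0), datetime(2024, 5, 23, 9, 0)),   # late
    ("u3", datetime(2024, 8, 30, 9, 0), None),                           # no evidence
]


def deprovisioning_sla_breaches(records, sla: timedelta = DEPROVISIONING_SLA
                                ) -> list[tuple[str, str]]:
    """(employee, reason) for each record outside the SLA or lacking evidence.

    A missing revocation timestamp is reported as its own finding: the
    auditor cannot treat "we revoked it, we just didn't record it" as evidence.
    """
    breaches: list[tuple[str, str]] = []
    for employee, terminated, revoked in records:
        if revoked is None:
            breaches.append((employee, "no revocation evidence"))
        elif revoked - terminated > sla:
            breaches.append((employee,
                             f"revoked {revoked - terminated} after termination"))
    return breaches


if __name__ == "__main__":
    print("quarters without an access review:", review_coverage_gaps(ACCESS_REVIEWS))
    for employee, reason in deprovisioning_sla_breaches(OFFBOARDING):
        print(f"{employee}: {reason}")
```

Run the coverage check for every recurring control in the inventory (access reviews, vulnerability scans, backup restore tests) with the cadence its policy states, since a cadence check that uses a looser period than the policy promises will pass evidence the auditor will fail.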

Key Takeaways

  • Structure your audit preparation as a 90-day sprint with distinct phases: foundation and gap closure, evidence hardening and team preparation, and final readiness and logistics.
  • Conduct a pre-audit evidence dry run in the first 30 days to surface gaps while there is still time to remediate them.
  • Prepare every team member who will interact with the auditor through focused briefing sessions covering their specific areas of responsibility.
  • Monitor evidence consistency across the entire observation window, not just the beginning and end, as mid-period gaps are a common source of exceptions.
  • Establish rapid communication channels with the audit team to minimize fieldwork duration and reduce organizational disruption.

FAQ

What happens if we discover a significant gap during the 90-day preparation period?

The appropriate response depends on the severity and the timing. If the gap is identified in the first 30 days and can be remediated quickly, implement the fix and ensure the control operates through the remainder of the observation window. If the gap is fundamental, such as a missing control that has not been operating at all, you may need to discuss options with your auditor including extending the observation window, accepting an exception on the report, or delaying the audit. An exception on one control is almost always preferable to delaying the entire engagement.

How many hours should our team expect to spend supporting the audit?

For a first-time SOC 2 Type II audit, expect 80 to 150 hours of total team effort during the 90-day preparation period and fieldwork. This breaks down to approximately 40 to 60 hours for the compliance lead, 20 to 40 hours distributed across engineering and IT, 10 to 20 hours for HR and administrative functions, and 10 to 30 hours for management review and sign-off. Subsequent annual audits typically require 40 to 60 percent less effort as processes become routine and evidence collection is further automated.

Should we engage our auditor during the preparation period or wait for fieldwork?

Engage your auditor early. Most audit firms are willing to conduct a pre-fieldwork planning call where you can align on evidence expectations, discuss any areas of concern, and confirm the fieldwork schedule. Some auditors offer interim evidence reviews during the observation window, which can identify issues before they become exceptions. This proactive engagement adds minimal cost and significantly reduces the risk of surprises during formal fieldwork.
