Audit Preparation for In-House Teams

I've sat in more than 50 audits across GCC & Europe (ISO 27001, SOC 2, SAMA etc..) You rarely fail for missing a piece of evidence... You fail because the proof is scattered, outdated, ownerless, or can't be found (while the person providing it swears they submitted already) To avoid this: 1- Pick one system of record for evidence (SharePoint or Google Drive, etc.). No WhatsApp, Teams DMs, or email threads as “evidence.” 2- Create one folder per Framework. Create sub folder per control group. Use a clean name for files, {ControlName}{YY-quarter(e.g. Q1)} 3- Assign one named owner per domain (Access, Assets, Change, Incident). Give each an audit response cheat sheet: what to show, where it lives, who to pull in (good luck with getting other teams doing it!) 4- Run a pre-audit dry run: fresh eyes click every link, open every file, check dates/signatures, and tie each piece of evidence to the control ID. Time-box to 2 hours. Ask the team: “If we were audited tomorrow, where would you point the auditor to?” 5- Automate refresh: exports/screenshots as needed (monthly?), owner sign-offs, and expiry checks so proofs don’t go stale. Simple fix: Make evidence hygiene the product, not an afterthought. Or simply save yourself the headache, at Vamu we automate a large part of this, and map controls to owners and time-stamped proofs so the folder is clean by default. But you can start with the list above this week. Audits are won (or lost) in the evidence folder.

The First Impressions Set the Tone of an Audit—Make Them Count After several onsite and virtual audits, I can tell—almost instantly—whether a manufacturer will glide or grind through the next two days. Yes, there are initial signs and hints and yes, it is possible to prepare for them. Below is a six-point checklist I share with anybody who wants an audit to feel like a strategy review, not a stress test. 1️⃣ Share the Quality Manual in Advance ↳ Send the current PDF at least one week before Day 1. ↳ A healthy manual shows several controlled revisions every year—evidence that procedures evolve, not collect dust. Prep time: 30 min to export + 2 h internal spot-check for outdated links. 2️⃣ Show a Management Review That Tracks New Regulations ↳ Include a table that lists MDR amendments, ISO changes, and MDCG guidance published since the last review. ↳ Define input channels (reg-watch service, NB newsletters, industry forums) so auditors see the radar, not just the blips. Prep time: ½ day to update the table; worth every minute. 3️⃣ Present a One-Page “What Changed” Briefing ↳ Headcount shifts, market feedback, design updates—cover the last 12 months. ↳ This transparency lets the audit focus on facts rather than detective work. Prep time: 1–2 h with your cross-functional leads. 4️⃣ Bring Top Management to the Table ↳ CEO or site lead joins the opening, closing, and management sections. ↳ Ten minutes of visible commitment unlock faster decisions during the audit. Prep time: Calendar invites—send them now, not the night before. 5️⃣ Keep a Single, Complete CAPA List ↳ One spreadsheet (or database view) that merges internal findings, last external audit actions, and significant events. ↳ No hidden tabs, no side lists—one source of truth builds instant trust. Prep time: 1 h to reconcile lists, 15 min to add status notes. 6️⃣ Lay Out PMS Files—Ready to Discuss ↳ PSURs, complaint trend graphs, FSCA log, and summary conclusions within arm’s reach. ↳ When teams know their post-market story, the auditor’s tough questions sound like confirmation, not confrontation. Prep time: ½ day to print or hyperlink the latest versions. Why Invest This Effort Up Front? ✅ Smooth, interruption-free audit flow ✅ Fewer “Please provide…” scramble breaks ✅ A reputation with NBs that provides calmness next year Auditors and manufacturers—what single practice gives you a confident start? ---------------------------------- MedTech regulatory challenges can be complex, but smart strategies, cutting-edge tools, and expert insights can make all the difference. I’m Tibor, passionate about leveraging AI to transform how regulatory processes are automated and managed. Let’s connect and collaborate to streamline regulatory work for everyone! #automation #regulatoryaffairs #medicaldevices

Most MedTech companies treat audits as one-off events. (And it costs a lot more than money) This mindset costs: • Market access • Investor trust • Years of work product • And lots of money    But the biggest cost isn't financial. It's human lives. The ones that depend on life-saving devices that are getting locked out of the market. Not because their technology wasn’t good enough. But because of preventable mistakes. Because they treated compliance as an event. Not a culture. Passing a Notified Body Audit isn’t luck. It’s discipline. It’s daily habits. It’s system-level thinking. Here are 4 ways the best MedTech companies prepare (and how you can too): 1. They build audit-ready systems Your documentation must tell a complete story: • Align QMS to ISO 13485:2016 and MDR Article 10 • Justify risk management with defensible rationales • Show proactive surveillance in PMS reports • Close CAPAs fully with evidence of resolution • Validate claims with clinical performance data 2. They eliminate silent compliance risks Fix problems that quietly undermine audits: • Complete missing risk–benefit rationales • Update and control all key documents • Close gaps in complaint and vigilance logs • Strengthen post-market surveillance • Link CAPAs directly to audit findings 3. They train for audit readiness every day. Turn audit behavior into muscle memory: • Run mock audits and rotate team roles • Train clear, non-speculative auditor responses • Assign scope ownership across all functions • Focus answers — no speculation or improvisation    4. They set up audit execution in advance. Plan logistics that create calm, not chaos: • Prepare a dedicated audit room with indexed files • Assign document fetchers and tech support • Track requests and responses live during audits • Maintain a calm, professional audit environment Here’s the truth: An audit isn’t something you survive. It’s a mirror that reflects how you operate every day. What’s the biggest audit challenge your team is facing right now? ♻️ Find this valuable? Repost for your network. 💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM.

Dear Accountants, External Audits Don’t Have to Be Stressful Let’s be honest, when the message goes out that external auditors are coming, tension rises across the organization. Finance teams get anxious. Management starts to worry. Everyone feels the pressure. But here’s the truth: Auditors aren’t just there to “find faults.” Their mission is to: ✅ Verify that your financial statements present a true and fair view ✅ Ensure compliance with accounting standards (IAS/IFRS) ✅ Assess the strength of internal controls and financial processes With the right mindset and preparation, audits can be smooth, insightful, and even a chance to grow. Here are some practical Tips to Prepare for External Audits (Especially for NGOs) 1.     Start Preparation Early. Don’t wait for the audit notice. Keep documentation and reconciliations up to date year-round. 2.    Ensure Financial Records Are Complete. Record all transactions, update bank reconciliations, and file every receipt and invoice properly. 3.    Review Grant Agreements and Donor Requirements.Understand each donor’s reporting rules and confirm that funds were used as agreed. 4.    Prepare Audit Schedules in Advance. Have schedules for assets, liabilities, income, and expenses ready and ensure they reconcile with your general ledger. 5.    Label and Organize Files Clearly. Whether digital or physical, clear labelling saves time and shows professionalism. 6.    Reconcile Inter-Project and Inter-Fund Balances.For multi-project NGOs, ensure all inter-project transactions are reconciled and supported. 7.    Review Internal Controls. Check that policies like approvals and segregation of duties are being followed and strengthen weak spots early. 8.   Work with Program Teams. Financial accountability isn’t just for finance. Align program reports with financial reports, especially for donor-funded activities. 9.    Hold a Pre-Audit Meeting. Review key audit areas, past findings, and unresolved issues. Preparation builds confidence. 10. Be Transparent and Cooperative. Provide information promptly, answer questions honestly, and avoid being defensive. 11.  Document Learnings and Follow Up. Review findings together, agree on corrective actions, and follow through. 12. Maintain Continuous Communication. Keep lines open between finance, management, and auditors before, during, and after the audit. External audits should not be feared, they are a chance to demonstrate accountability, improve systems, and build donor confidence. With good preparation and teamwork, the process can run smoothly and become a valuable learning experience for everyone involved. How does your organization prepare for external audits? Let’s share best practices and grow together.

How to prepare for an audit as an accountant My first audit, I felt anxious and convinced the auditors were out to “catch me.” I was working in a start-up with no proper systems, processes, or documentation, so I knew things were far from perfect. When the auditor sent over the audit requirements list, nothing was ready. I had to request more time, and that moment taught me one of the most valuable lessons in my accounting journey: audit preparation is not something you do at the last minute. Being organized early saves you stress, builds trust, and boosts your confidence. Over the years, I’ve created a simple routine that keeps me ready for any audit, big or small: Organizing supporting documents chronologically either by name, month, or date, and ensuring documents are digitally stored by Google Drive or OneDrive Keeping all reconciliations updated, for example, bank, tax, AP, AR, and petty cash. Document every process by ensuring I have approvals, contracts, and agreements, and follow the set policies. Preparing key schedules in advance, for example, payroll reports, aging analyses, fixed asset schedules, tax schedules, etc. Communicating early with departments and confirming balances with suppliers, lenders, and other external parties. Performing internal checks days before the audit starts. Ensuring that the company is compliant with the tax laws at all times by filing and paying all returns on time, and updating myself on any changes to the tax laws With time, I realized something important: An audit is not there to catch you; it's there to help you as an accountant, improve accuracy, strengthen controls, ensure compliance, and grow professionally. Today, I approach audits with confidence, not fear, because preparation has become part of my routine. #bookkeeping #audit #auditpreparation #careertips #accounting

Why a Good PBC is the Secret to a Smooth IT Audit Let’s be honest—when it comes to IT audits, especially around ITGC and ITAC, things can get messy if the PBCs aren't right. But what is a PBC, and why is it so important? What is a PBC? PBC stands for "Prepared By Client." It's a fancy name for the documents, reports, or screenshots that the client (you or your team) shares with the auditor to help them test controls. Think of it like this: if the auditor is the chef, the PBCs are the ingredients. No good dish comes out if the ingredients are missing, late, or stale! Why is a Good PBC Important? 1. It Makes the Audit Faster and Easier A clear and complete PBC means the auditor doesn’t have to keep coming back with questions or follow-ups.This saves time for everyone and avoids unnecessary stress near deadlines. 2. It Helps Avoid Errors If the PBC is confusing, missing details, or not in the right format, there's a chance the auditor might test the control incorrectly or miss important information. That could lead to control failures or rework. 3. It Builds Trust and Professionalism Sharing well-prepared PBCs shows that your team knows what it’s doing.It builds confidence between your team and the audit team and sets the tone for a smooth audit. Tips to Create the Perfect PBC Be Clear and Specific Instead of saying: > “Send user list” Say: > “Please share a system-generated, non-editable user access listing from Oracle Cloud ERP as of 31st March, with roles and last login details.” Include Dates and Formats Tell exactly what you want, by when, and in what format (PDF, Excel, screenshot, etc.). For ex: > “PDF screenshot of approval for the system change made in January 2025.” Connect It to the Control If the audit is about access reviews, the PBC should be clearly related. Example: > “Access review file signed by reviewer showing comments, actions, and dates.” Use a PBC Tracker A simple Excel or tool-based tracker with columns like: What was requested When it was sent What’s pending Any comments or issues This keeps everything organized and easy to track. Don’t Wait Too Long Once the controls are identified, raise your PBCs early.Last-minute PBCs often lead to rushed evidence and mistakes. Common Mistakes to Avoid Sending screenshots that are blurry or editable Missing dates, approver names, or comments Uploading files with no context or description Waiting till the last week to send everything at once Real Ex: ITGC PBC Control: Review of user access every quarter Good PBC: > “PDF file of Q3 user access review for Oracle HCM, signed by the reviewer, showing reviewed users, roles, comments, and approval date.” A good PBC is not just a document—it’s the starting point of a successful audit. Whether you’re testing who has access to what (ITGC) or how the system processes data (ITAC), a clear, complete, and timely PBC helps make everything easier, faster, and more accurate. Right PBC = Smooth Audit = Happy Teams

After being in the audit industry for many years, one thing is clear: First impressions matter in the compliance industry……. Having performed many audits, both onsite and virtual, I can quickly tell whether a company will smoothly navigate the process or struggle through it. There are clear signs, and you can absolutely prepare for them. Here’s a simple six-point checklist I share with anyone who wants their audit to feel like a strategic review instead of a stressful test: 1. Share Your Compliance Documents Early Send your latest compliance documents (like QMS, FDA, and ISO certifications) at least one week before the audit. A good QMS should reflect consistent updates, showing that your procedures are evolving and not stagnant. 2. Show How You Track Regulatory Changes Include a list of any important regulatory changes (like FDA or ISO updates) since the last review. Highlight how you stay updated, through newsletters, regulatory bodies, or industry guidelines. 3. Give a "What Changed" Briefing Talk about any major changes like staffing shifts, product updates, or market feedback from the last year. This helps the auditor focus on the key changes, instead of wasting time finding them. 4. Have Top Management Participate Have your CEO or site leader attend the opening, closing, and management review sections. Their involvement demonstrates commitment and helps speed up decision-making during the audit. 5. Keep a Simple CAPA List Maintain a single list or document that includes all internal CAPA actions, past audit findings, and significant events. This single source of truth builds trust and avoids confusion. 6. Have Your Post-Market Files Ready Ensure all relevant post-market documents (PSURs, complaint data, FSCA logs) are organized and easy to access. When your team is prepared, the tough questions from auditors feel more like confirmation rather than confrontation. Why should you invest time upfront? It makes the audit go smoothly with fewer “please provide” moments. It also builds a good reputation with regulators, making future audits easier. Auditors and quality teams: What single practice gives you a confident start?

Audit Checklist Pre-Audit Preparation * Engagement letter signed * Understand client's business & industry * Review prior year's audit files & notes * Check legal & regulatory requirements (Companies Act, Income Tax, GST ,etc.) * Risk assessment plan Financial Records & Books * Trial balance reconciliation * Ledger scrutiny (sales, purchases, expenses, assets, liabilities) * Journal entries review (check unusual entries at year-end) * Cash book &. bank book verification * Compliance with accounting standards (ind AS/AS), Bank & Cash * Bank reconciliations for all accounts * Verify bank statements with books * Cash balance verfication (cash count, petty cash) * Review high -value/unusual cash transactions Fixed Assets * Verify Fixed asset register with books * Check additions/deletions during the year * Physical verification of assets * Depreciation calculation (Companies Act & Income Tax Act) * Review capital work-in-progress Inventory * Physical stock verification / reliance on stock reports * Reconcilation of stock records with financials * Valuation as per AS-2 (cost or NRV) * ldentify obsolete/slow-moving stock Debtors & Creditors * Debtors aging analysis * Balance confirmation from major debtors/creditors * Check doubtful debts & provisions * Review related party transactions *Creditors reconciliation &. overdue payments Revenue & Expenses * Cross-check sales invoices with GST returns * vouching of expenses (rent. salary, utilities, etc. * Verify TDS compliance on expenses * Cut-off testing (recorded in correct period) Statutory Compliance * GST returns vs. books reconcililation * TDS deducted & deposited timely * PF & ESI compliance * Income Tax advance tax/provisions * MCA flings (if applicable) Payroll & HR * Salary sheets & registers verification * Bonus, gratuity, leave encashment provisions * PF, ESI, Professional Tax compliance * Verify appointment letters & contracts Final Reporting * Draft audit report preparation * Notes to accounts & MRL (Management Representation Letter) * Report internal control weaknesses * Final sign-off

Question of the day: How can I address audit fatigue? Audit fatigue is a challenge for organizations that are maintaining multiple certifications including ISO certifications, surveillance audits, customer audits, and regulatory inspection. It is the weariness, stress, decreased effectiveness and loss of productivity experienced by your staff and management as a result of the frequency and intensity of audits. Audit Fatigue: 😒 Teams feel they are constantly preparing for the next audit. 😒 Resources are stretched too thin across the various standards. 😒 Employees see these audits as disruptive, repetitive and do not see the value. 😒 Findings from audits do not result in real improvements, which increases frustration on the part of all participants. Approaches to address Audit Fatigue: 💡 Integrated management systems are one approach to combat audit fatigue. This aligns multiple ISO standards under one set of policies, procedures and controls.  A common audit program is used to cover multiple standards. 💡Adjust your audit schedules and risk management activities so that audits are spread throughout the year rather than clustering them around the same time frame. 💡Focus audits on depth where risk is high instead of auditing everything with the same intensity. 💡Use rotational audits so that not every process is reviewed at the same frequency. 💡Build audit preparation into daily operations. By treating compliance as “business as usual”, teams will always be audit ready. 💡Automate document management, monitoring, alerting and evidence collection by using one of the many available GRC tools (ISMSOnline, Vanta, Drata, etc.) to reduce manual preparation.  If not possible, centralize your evidence collection, assessment reviews, and corrective action tracking. Automate what you can (log collections, etc.) and utilize dashboards to demonstrate compliance progress. 💡Train your internal auditors across multiple standards and rotate them to ensure fresh perspectives and impartiality, ensuring the burden doesn’t always fall on the same people. 💡Leverage audits for improvement–not just to meet “compliance requirements”. This frames the audit as an opportunity to add value and not just a check-box exercise.  💡Work with your certification authority to coordinate external audits across multiple standards. You can negotiate combined certification, surveillance or re-certification audits to reduce repetition. 💡When communicating with your subject matter experts about audit requirements, emphasize learning and continuous improvement over “catching mistakes” or problems. Recognize and reward your teams for maintaining audit readiness and their individual contributions to successful audits.   Audit fatigue can happen when audits are seen as a burden rather than a tool for improvement. Combat this with integrated systems, balanced workloads, automation and a mindset shift towards value creation.  #ISO27001 #EmagineIT

Finance leaders, Q4 isn’t “reporting season.” It’s reset season. If you want Q1 2026 to hit different, clean up the fundamentals now. Not when you’re staring down an audit request. This Q4 Checklist includes five essential clean-ups every finance team should lock in before year-end: 1. Partner Up — Internal + External Auditors, regulators, bankers, tax pros, and attorneys aren’t just for issues. They are strategic partners. Use Q4 to align early, clear disclosures, close information gaps, and eliminate the surprises that stall momentum. 2. Review Key GL Accounts Most teams wait too long. Q4 is a chance to locate errors, eliminate clutter, and tighten compliance. Q1 moves faster when your GL isn’t a minefield. 3. Assess Your Assets 66% of CFOs plan new investments next year, but you can’t allocate well if your balance sheet is outdated. Test for impairment. Revalue long-term and short-term assets. Enter 2026 knowing exactly what you’re working with. 4. Analyze Accruals Large projects that straddle year-end is where leakage happens. Validate estimates. Confirm vendor support. Make sure 2025 expenses don’t sneak into 2026. 5. Audit Internal Controls Control effectiveness was a top CFO priority in both 2024 and 2025. Q4 isn’t when you discover gaps, and when you eliminate them. Here’s the real issue: Most finance teams don’t struggle because of strategy. They struggle because of: • Weak processes • Outdated accounts • Untested controls • Inconsistent communication Clean up Q4 with intention, and Q1 becomes your most confident, predictable, and strategically aligned quarter yet. Full checklist is in the graphic below. _____ Please share your thoughts in the comments. Repost if this will help someone in your network. Follow me, Beverly Davis, for more strategic finance insights.