
How to Prepare for a Compliance Audit: The 60-Day Countdown
The worst time to prepare for a compliance audit is the week before it starts.
Yet that's exactly when most teams kick into gear. The Slack messages start flying — "Where's the latest access review?" "Did anyone update the risk register?" — and compliance prep becomes a fire drill that eats nights and weekends.
Whether you're preparing for SOC 2, ISO 27001, HIPAA, or any other framework, the playbook is the same: start early, work in phases, and eliminate surprises before the auditor arrives. Sixty days is the sweet spot — thorough without losing momentum.
Here's your countdown.
🏁 Before the Clock Starts: Choosing Your Auditor
Before day 60 begins, you need an auditor on the calendar. This decision shapes everything — scope discussions, evidence expectations, and timeline.
What to Look For
- Framework expertise — Have they done this specific audit type dozens of times?
- Industry experience — An auditor who understands SaaS asks different questions than one used to manufacturing.
- Communication style — Do they share evidence expectations upfront, or leave you guessing?
- Timeline flexibility — Can they fit your 60-day window?
Questions to Ask
- "Walk me through your typical evidence request list for this framework."
- "How do you handle minor exceptions during the audit?"
- "What's your turnaround time on the final report after fieldwork?"
Red Flags 🚩
- They can't explain what "audit-ready" looks like for your framework
- No references from companies your size and industry
- Pricing dramatically lower than competitors (usually means junior staff)
One more thing: get the engagement letter signed early. It documents the framework, scope boundaries, and timeline expectations. Waiting until week one to finalize it eats into your prep window.
Once the auditor is locked in, the clock starts.
📋 Days 60–45: Scoping and Inventory
The first two weeks are about sharp boundaries. What's in? What's out? What changed since last time?
Confirm Scope and Framework Version
Scope creep is one of the most common reasons audits run late. Nail down the framework version, which controls are included, the reporting period, and what's explicitly excluded. Write it down, get sign-off.
If you're pursuing SOC 2 for the first time, our SOC 2 readiness roadmap covers scoping in detail — including choosing between Type I and Type II.
Inventory Everything In Scope
Build a complete inventory of what falls inside your audit boundary:
- Systems: Production infrastructure, SaaS tools, identity providers, CI/CD pipelines, monitoring platforms
- Processes: Change management, access provisioning, incident response, vendor management, backup and recovery
- People: Control owners, system admins, department heads — anyone who'll provide evidence or sit for interviews
This inventory becomes your master checklist for the rest of the countdown. Every control, every evidence artifact, and every interview traces back to it.
Review Previous Findings
If this isn't your first audit, pull out the last report. Have prior exceptions been remediated? Did you deliver on management responses? Auditors love checking follow-through. Unresolved findings from the last cycle are a bad look.
Days 60–45 Deliverables
- Audit scope documented and signed off
- Systems, processes, and people inventory complete
- Previous findings reviewed and remediation confirmed
- Auditor engagement confirmed with fieldwork dates
🔍 Days 44–30: Evidence Review Sprint
You've defined what you're auditing. Now confirm you can prove it.
Walk Through Every Control
For each control, ask three questions:
- Does evidence exist?
- Is it fresh? A quarterly access review from nine months ago is a gap, not evidence.
- Is it clear? Could someone unfamiliar with your environment understand what it proves?
Most "audit surprises" trace back to evidence that was assumed to exist but didn't. For a deeper dive, check our guide on building an evidence library that scales.
Identify Gaps and Assign Owners
Every gap gets three things: a description, an owner, and a deadline. Common categories:
- Missing evidence — the control exists but nobody collected the artifact
- Stale evidence — the artifact exists but it's from a prior period
- Missing controls — the process isn't formalized
- Documentation gaps — no written policy describing the control
Prioritize ruthlessly. A missing access review for a critical system trumps an outdated acceptable use policy.
Test Critical Controls Yourself
Pick your highest-risk controls — access management, change management, incident response — and test them internally. Pull a sample of recent changes: did they all go through the approval process? Pull a list of user accounts: are terminated employees removed within the required timeframe? Check incident tickets: were they handled according to your documented procedure?
If you find exceptions in your own testing, the auditor will find them too. Better to catch and remediate now than to discover them during fieldwork when they become formal findings.
Days 44–30 Deliverables
- Full evidence walkthrough completed
- Gaps documented with owner, description, and deadline
- Internal testing completed on critical controls
🔧 Days 29–15: Gap Remediation
Two weeks to close everything. This is the sprint.
Close Evidence Gaps
Owners collect missing artifacts, re-run exports, pull fresh screenshots. Set a hard cutoff: gaps close by day 15 or become known exceptions you'll discuss with the auditor.
episki helps here by tracking evidence freshness and sending reminders when artifacts are due — so remediation doesn't depend on someone remembering to check a spreadsheet.
Update Stale Policies
Review your core policies — Information Security, Access Control, Incident Response, Change Management, Vendor Management, BC/DR. For each: does it reflect what you actually do? Is the approval current?
Pro tip: Update the "last reviewed" date only if someone actually reviewed the content. Auditors check version history.
Access Reviews and Config Checks
These two areas produce more audit findings than almost anything else:
- Access reviews — Pull user lists from every in-scope system. Remove stale accounts, especially former employees and contractors.
- Configuration checks — Verify MFA enforcement, encryption settings, logging, and backup schedules match what your policies claim.
Days 29–15 Deliverables
- All evidence gaps closed or escalated
- Policies reviewed, updated, and approved
- Access reviews and configuration checks complete
👥 Days 14–7: Stakeholder Preparation
Controls are tight. Evidence is collected. Now make sure the humans are ready.
Brief Control Owners
Everyone who might be interviewed needs a 30-minute prep. Cover which control(s) they own, what evidence supports them, what the auditor might ask, and how to respond. The golden rule: answer what's asked, don't volunteer extra.
Build the Evidence Package
Organize all evidence into a single, navigable structure the auditor can work through without hunting across five different systems. Your package should include:
- A control matrix mapping each control to its evidence artifact(s)
- All artifacts organized by control area with consistent naming
- Policies and procedures in a dedicated section
- Previous findings with remediation proof
Whether this lives in a shared folder or a platform like episki, the goal is the same: one place, clearly organized, nothing missing.
Run a Mock Walkthrough
Grab someone who hasn't been involved in prep and have them play auditor. Give them 10–15 controls and ask them to find the evidence, verify freshness, and ask a clarifying question. If they struggle to locate things, the organization of your evidence package needs work. If they find inconsistencies between policy and evidence, fix them now.
Days 14–7 Deliverables
- Control owners briefed and prepared
- Evidence package organized and accessible
- Mock walkthrough completed
🎯 Audit Week: What to Expect
You've done the work. Now it's execution and composure.
The Daily Rhythm
- Morning: Auditor reviews evidence, prepares questions
- Midday: Evidence requests arrive; your team responds
- Afternoon: Interviews with control owners
- End of day: Quick sync on status and tomorrow's focus
Designate a single point of contact. All requests flow through one person who logs, assigns, and tracks everything.
Handling "I Don't Know"
- Never make something up. "I'll get you an answer by end of day" beats a guess that becomes a finding.
- Track every open item. Forgotten follow-ups erode auditor trust fast.
- Don't argue during fieldwork. Disagree with a finding? Note it for the management response.
Keep It Moving
Turn requests around in 24 hours max — same day is even better. Answer what's asked and nothing more. Extra context opens new inquiry lines you didn't plan for. Be accurate, be concise, be responsive.
And keep morale up. Audit week is stressful for everyone involved, especially control owners who are juggling interviews alongside their normal work. Acknowledge the team's effort. Bring snacks. Seriously — it matters more than you'd think.
🔄 Post-Audit: Remediation and Continuous Improvement
The report arrives. Now what?
Address Findings
A report with one or two minor findings and thoughtful management responses is still a strong report. Write honest responses — what happened, what you fixed, and how you're preventing it next time. Remediate before the next cycle. Auditors absolutely check.
For guidance on framing audit results for leadership, see our guide on GRC metrics execs actually care about.
Build the Cadence
The best thing you can do post-audit is build compliance into your operating rhythm so the next countdown feels like a light refresh:
- Monthly: Collect recurring evidence. Review freshness. Close overdue items.
- Quarterly: Internal control testing. Risk register updates. Access reviews.
- Annually: Full policy review. Penetration test. BC/DR test. Lessons learned.
If you're layering on ISO 27001 alongside SOC 2, our ISO 27001 implementation guide covers how to add a second framework without doubling your workload.
The goal: when day 60 of the next cycle arrives, you're already at day 30.
✅ Key Takeaways
- Start 60 days out — not 60 hours. The runway lets you remediate gaps without panic.
- Scope first, collect second. Tight scope prevents audit creep.
- Every gap needs an owner and a deadline. Orphan gaps don't close themselves.
- Test your own controls. Find exceptions before the auditor does.
- Prepare the humans. Evidence is half the audit. People confidently explaining what they do is the other half.
- Treat post-audit as the start of the next cycle. Continuous beats annual every time.
Audit prep doesn't have to be a scramble. Sixty days, a clear plan, and no surprises — that's the formula.
Ready to make your next audit the smoothest one yet? episki gives you a structured evidence library, automated freshness tracking, and a real-time compliance dashboard so you always know where you stand — year-round, not just audit season.