5 Ways to Prepare for Your Onsite Visit
by Abigail Raley / May 24th, 2024

At KirkpatrickPrice, we’re committed to helping our clients get the most out of their information security engagements with us. That’s why we insist that our audits include an onsite visit. It’s part of performing our due diligence and testing.

While this process may seem straightforward, we understand that an onsite visit may be stressful and nerve-wracking. Let’s discuss how organizations can prepare for an onsite visit.

What Happens During an Onsite Visit?

Once an organization has completed about 80% of its Online Audit Manager responses, we schedule an onsite visit. During this 3- to 4-day visit, an auditor has three tasks: interview, review, and observe. The auditor will interview the personnel responsible for various activities, physically test your networks, systems, and devices, and observe your company culture.

How Can I Prepare My Organization for an Onsite Audit Visit?

Every organization is different when it comes to onsite visits: levels of preparedness differ, the buy-in from personnel differs, and even the resources needed to get through the onsite differ. Regardless of this, though, every organization can proactively set itself up for success by implementing the following five practices to prepare for an onsite visit.

1. Remember Your Audit’s Purpose

The goal of compliance, and especially of the onsite visit, is to make your organization stronger. Auditors aren’t there to get you fired. An auditor finding vulnerabilities doesn’t mean you’ve failed – finding vulnerabilities is the only way an auditor can help you! It means that you’re receiving a thorough audit – one that will only strengthen your security in the long run.

Before your onsite visit begins, remember to relax and remind your personnel what this audit means to your organization. Does it mean more revenue, bigger clients, new industries, or new locations?

To home in on the value of compliance, consider sending out a company-wide email before the auditor comes onsite, similar to the one our client sent out. Such an email acknowledges that all employees play a role in compliance, explains what compliance means for your organization, and reminds staff of what not to do while an auditor is onsite.

2. Ask Questions, Voice Concerns

At KirkpatrickPrice, we know that undergoing any type of information security audit is difficult and stress-inducing. Often, clients have questions, concerns, and even fears going into the onsite visit – and we want to reiterate that we are always here to help.

Before the onsite visit, prepare your questions and voice your concerns. Our auditors can’t answer questions that are never asked or address concerns that are never shared. This level of transparency builds our relationship and will only help the success of your audit.

3. Review the Agenda

The best auditors will supply you with an agenda of topics prior to the onsite visit, so be sure to work with your auditor to ensure that you have the right personnel lined up to speak to an auditor. This will prevent any confusion or stress when the auditor comes onsite. If your staff knows when they’ll be interviewed, they’ll be much more prepared.

4. Involve Senior Management

At every stage of an information security engagement, senior management involvement is extremely important, and this is especially true when it comes to the onsite visit. The best auditors will hold briefings with everyone involved in the audit at both the start and the finish of the onsite engagement. This gives the auditor the opportunity to address questions about the timeline, expectations for the group, any issues in need of attention, and any other notable findings.

If senior management is not involved during this process, critical information could be missed, which could prolong the engagement or prevent your organization from receiving your report on time.

5. Develop a Method for Tracking Action Items

Whether it’s during the onsite visit or afterward, there will be a number of items that the auditor may ask for more information on, such as logs, files, reports, etc. Most organizations will utilize Excel or other GRC software, but at KirkpatrickPrice, we’ve developed our own online tool for tracking action items.

Using a tool like KirkpatrickPrice’s Online Audit Manager can simplify the process by tracking each action item’s status and mapping it to the relevant compliance frameworks.

Onsite Audit Visit FAQs

What happens during an onsite audit, including Entrance Conference, Onsite Work, and Exit Conference?

During an onsite audit, the audit team starts with an Entrance Conference on the first day. In this meeting, they introduce themselves, explain the audit process, provide billing instructions, and discuss relevant regulations. Providers are expected to introduce key personnel and offer a tour of their facility.

The audit team then proceeds with the Onsite Work, which involves making copies of necessary documents, interviewing key staff members, and reviewing office procedures.

The audit concludes with an Exit Conference, usually held on the last day. In some cases, this conference might be scheduled a few weeks after the onsite audit. During the Exit Conference, the audit lead meets with the provider and their key staff to address any remaining questions and discuss the next steps in the audit process.

What is the process for providing any missing records after an onsite audit?

After the onsite visit, if any records are found to be missing, the provider must anticipate that the financial records review could take 2-6 months, depending on the scope and extent of the review/audit conducted. Subsequently, a post-audit follow-up letter will be sent requesting the missing records.

The provider is then obligated to send any remaining missing records to the Division of Program Integrity by mail within 30 days of receiving the follow-up letter.

What information should providers deliver to assist auditors in understanding their administrative structure and operations?

To help auditors understand their administrative structure and operations, deliver a current organization chart of each provider’s area of responsibility. This chart should showcase the hierarchy of positions within the organization, including titles and reporting relationships.

Additionally, providers can offer context concerning the nature of their operations, such as the services they offer, their target audience, and any unique aspects of their business model. Familiarity with employees is also important for auditors to gain insights into the workforce composition, roles, and responsibilities within the organization.

By offering these key pieces of information, providers can assist auditors in developing a comprehensive understanding of their administrative structure and operations.

Have more questions about our audit process? Want more information on how to prepare for your next onsite visit? We’re here to help! Contact us today to speak to one of our Information Security Specialists.

More Onsite Visit Resources

Remote Auditing vs. Onsite Assessments: What Do I Want?

Why Quality Audits Will Always Pay Off: You Get What You Pay For

Was the Gap Analysis Worth It?

Was the Audit Worth It?

About the Author

Abigail Raley

Abigail Raley has two degrees in creative writing. She enjoys writing poetry almost as much as she loves cybersecurity compliance. Abigail has earned her Certificate in Cybersecurity (CC) from (ISC)2 and has worked for KirkpatrickPrice since June 2023. She looks forward to creating more engaging and helpful content that will guide both compliance newcomers and veterans through the ever-changing threat landscape.