Why the final page of an audit report is usually the start of the work, not the end.
We delivered the report in March. Eighty-six pages, structured findings, a remediation plan with owners and dates. The client’s operations director thanked us at the closing call, said the board would receive it the following week, and we shook hands (virtually, it was a Teams call) and the engagement closed.
Then in May, an email. “Quick one, finance found a contract during a year-end clean that wasn’t in your audit. Should it have been? Does it change anything?”
In July, another. The marketing team had spun up a new SaaS tool (software-as-a-service, cloud software you pay for monthly rather than install). Was it in scope?
In October, a third. A small acquisition had completed; the acquired company’s IT was going to be folded in over the next six months. Could we update the audit?
By March of the following year, twelve months after the report, about forty per cent of what we’d written was already out of date, not wrong exactly, just superseded. The estate had moved, the audit had been a snapshot, and the thing it had snapshotted had kept moving.
Why audits look like they finish
Most audit engagements are scoped to look like discrete projects. There’s a kick-off. There’s a fieldwork phase. There’s a draft report. There’s a closing meeting. There’s a final report. There’s an invoice. Both sides treat it as a project with a beginning and an end, because that’s how projects work and that’s how budgets work and that’s how audit firms train their teams.
The trouble is that the underlying thing (the estate, the supplier relationships, the data flows, the controls, whatever the audit was actually looking at) doesn’t have beginnings and ends. It has a continuous flow of small changes. New tools. Departed staff. New contracts. Renewed contracts. A reorganisation. A change of bank. A new piece of regulation. The shape on the day you took the snapshot is not the shape on the day you delivered the report, and it’s certainly not the shape three months later.
That doesn’t make audits useless. A good audit on day one is a much better starting point than no audit. But the framing matters: the report isn’t the deliverable but a starting position from which you maintain a current picture. The deliverable is the maintained picture, which only exists if somebody keeps maintaining it.
What “maintained” actually means
Most clients don’t want us to repeat the full audit every year. It’s expensive, it’s intrusive, and a lot of the eighty-six pages don’t materially change. What they want is a way of keeping the parts that change up to date without redoing the parts that don’t.
We’ve ended up with a rhythm that works for most.
Quarterly: a 90-minute review call with whoever owns the audit findings on the client side. Walk the action plan. Check what’s been done, what’s slipped, what’s been deprioritised. Update the document. Cost: small. Value: high, because it forces the action plan to be a live document rather than a PDF in a folder.
Annually: a half-day refresh. We don’t redo fieldwork. We ask three questions: What’s changed since last year that wasn’t in the report? What’s still in the report but no longer accurate? What’s still in the report but no longer relevant? We update the report, mark the changes, and reissue. Cost: maybe one to three days of our time. Value: a report that’s still defensible to the board.
Every three to five years: a full re-audit. Fresh fieldwork, fresh scope, fresh perspective. We tend to bring in a different lead on our side for these, because familiarity with the previous report makes you blind to things you wrote three years ago and stopped noticing.
That rhythm doesn’t suit every engagement, but the principle generalises. Some maintenance is much cheaper than redoing the whole, and much more valuable than letting it rot.
What changes between audits
The things that change most between audits, across years of running them:
- The supplier landscape. Renewals, new contracts, retired contracts. Every audit has a supplier list; every supplier list is out of date within a quarter.
- The shadow IT. Tools spun up by individual teams without coming through IT. Sometimes useful. Sometimes a data-protection grenade. Always present.
- The staff topology. People joining and leaving change who has access to what, who owns what process, who maintains which document. The audit’s RACI chart (the grid that maps who’s responsible, accountable, consulted and informed for each task) is the first thing to go stale.
- The regulatory ground. ICO guidance shifts. FCA, SRA, CQC, whichever applies, issues something. A new piece of EU or UK legislation hits. The control framework you built on stops being quite the same framework.
The things that change less:
- The estate of physical kit. Three-to-five-year refresh cycles mean the hardware moves slowly.
- The core network topology. Once built, slow to change.
- The high-level governance structure. Boards and committees move slowly.
Knowing which is which lets you build a maintenance schedule that’s proportionate. Frequent and light on the fast-moving stuff, occasional and deep on the slow.
Where this lands with us
This is something our Consulting Services practice spends a lot of time on. Not the headline audit, we do those, but the ongoing work that keeps the audit honest after the report has been signed off. The quarterly review call, the annual refresh, the periodic reality-check.
It’s not the most glamorous work, and it’s not the most expensive, but it’s the work that makes the audit actually pay back what it cost, because an audit you don’t maintain is a sunk cost; an audit you do maintain is a working document.
A short close
If your last audit has been sitting on the shelf for a year and you can’t remember the last time you opened it, the cost is already accruing. The next bad surprise (a failed Cyber Essentials renewal, a board question you can’t answer, a regulator’s letter asking about a control you no longer have evidence for) lands at the worst possible moment, and the gap between what the report says and what’s actually true gets harder to close every quarter. Audits aren’t projects but starting positions, and the work is keeping the position current; the longer that work goes undone, the more it costs to catch back up.
Got an audit report on the shelf that’s gone a bit dusty? Drop us a note at info@jmopartners.co.uk. One of us will read it.
JMO|Partners · Enterprise IT, sized for SMEs.