If you are:
- a company, or corporate group;
- subject to a UK audit;
- with turnover between GBP 10m and 100m;
- whose auditor recognises that "artificial intelligence" audit is a non-starter;
- whose auditor performs mainly substantive audit testing (an intrinsically manual process); and
- a nearly-paperless enterprise;
Q1: How do you publish your initial audit packs to your auditor (for audit planning, i.e. weeks before the onsite audit)?
a. print everything out to paper, post it to the auditor?
b. burn a DVD, post it to the auditor?
c. download the data to your workstation from your server(s), then upload the data into a portal (either your own portal or your auditor's portal)?
d. wait until the onsite phase happens, then download the data to your workstation from your server(s), save it onto a USB stick and hand it to the onsite audit senior/junior/whoever?
e. give your auditor a login to your server(s) and give them rights to a dedicated, read-only part of the server where the auditor can download the initial packs, plus any additional data sought during the onsite audit?
f. give your auditor a login to your server(s) and give them rights to the same online services that you use daily?
g. email the data as a single, massive encrypted ZIP file?
h. email the data as a series of encrypted ZIP files?
i. email the data as a series of unencrypted files, unzipped?
Q2: How do you publish data to your onsite auditors while they are onsite?
a. print to paper, hand it to the auditor?
b. burn another DVD (twice a day?), hand it to the auditor?
c. upload the data into a portal (either your own portal or your auditor's portal) (twice a day?)?
d. save it onto a USB stick, hand it to the onsite auditor? (bonus Q3 below!)
e. remind the auditor of the online credentials they already have?
f. email answers to queries in batches?
g. email the answer to a query one-for-one (audit-by-email, i.e. why is the auditor bothering to be onsite?!)?
Q3: bonus question if you use USB sticks. Do you:
a. re-use the same USB stick, poking into your auditors' laptops and your own workstations as if nothing matters?
b. if a = yes, then does your IT department agree with such practice?
c. if a = yes, what controls do you perform on the USB stick before re-inserting it into your workstation?