
Audit Preparation — Evidence and Mock Review

You have the compliance map. You know which obligations are CURRENT and which are not. Six weeks from now, the FCA supervisory team arrives. The question is not whether you have done the work — it is whether you can demonstrate it.

This is the distinction most organisations miss. Evidence existence is not the same as evidence availability. The ISO 27001 surveillance auditor does not accept "we have a risk assessment" — they ask to see it, dated, signed, and reviewed by the named owner in the previous 12 months. The FCA reviewer does not accept "we take client suitability seriously" — they ask to see a suitability assessment for a specific client, the complaint log for the past year, and the training records showing every relevant staff member completed the required training. Evidence that exists in a folder nobody can locate on audit day is, for practical purposes, absent.

The second failure is unpreparedness for the questions auditors actually ask. Internal audit teams often brief only the team lead. Nobody else knows what scope the auditor has declared, what questions to expect, or how to answer without accidentally creating new findings. The result is a three-hour audit that produces six findings, four of which were caused not by genuine control gaps but by unprepared team members giving incomplete or inconsistent answers.

This lesson teaches structured audit preparation: using the compliance map from Lesson 7 as the foundation, building a week-by-week preparation plan, running a mock audit before the real one, and learning to respond to findings in a way that demonstrates governance maturity rather than defensiveness.

Plugin Setup Reminder

This exercise requires the Operations plugin (official) and the Operations Intelligence plugin (custom). If you have not installed them, follow the instructions in the Chapter 38 prerequisites before continuing.

The Five Audit Types

Different audits have different preparation requirements. Knowing which type you are preparing for shapes everything that follows.

| Audit Type | Who Conducts It | Primary Focus | Preparation Priority |
| --- | --- | --- | --- |
| Internal | Your own audit function | Control effectiveness; process compliance | Evidence that controls work; not just that they exist |
| External | Third-party auditor | Financial accuracy; material misstatement | Reconciliations; supporting schedules; audit trail |
| Regulatory | FCA, ICO, HMRC, HSE | Statutory compliance; consumer protection; market integrity | Regulatory obligation evidence; audit log of decisions |
| Customer | Your client reviewing your controls | Information security; data handling; SLA performance | SLA data; security attestations; data flow maps |
| Certification | BSI (ISO 27001), QSA (PCI), SOC auditor | Conformance with standard | Evidence pack aligned to standard controls; NC history |

A regulatory audit (FCA supervisory visit) has the highest stakes — enforcement action, fines, and licence conditions are potential outcomes. A certification audit (ISO 27001 surveillance) has moderate stakes but failure means losing the certification. Customer audits have commercial stakes — a poor result can trigger contract suspension or renegotiation. Preparation depth should reflect these stakes.

From Compliance Map to Preparation Plan

The compliance map from Lesson 7 is the foundation for audit preparation. Every obligation in the map corresponds to a potential audit area. The preparation plan converts "obligation with status" into "evidence ready by date."

Worked example. Your firm has an FCA supervisory visit in 6 weeks. The FCA has indicated they will review: client suitability procedures, complaint handling, and SM&CR governance. You type:

/audit
Prepare for our FCA supervisory visit in 6 weeks.
The FCA has indicated they will review:
- Client suitability (COBS)
- Complaint handling
- SM&CR governance (annual certification)

Using the compliance map I built in Lesson 7:
- OBL-REG-001 (COBS): CURRENT — evidence assembled
- OBL-REG-002 (SM&CR): REVIEW NEEDED — certification cycle due
- Client SLAs (OBL-CTR-001/002): CURRENT / PARTIAL

Generate: a week-by-week 6-week preparation plan, an evidence
inventory for each focus area, the top 3 gaps to close before
audit day, and a briefing plan for staff who may be interviewed.

What to expect: A structured preparation plan with a week-by-week timeline, evidence inventory by focus area, gap closure actions ranked by priority, and briefing requirements for staff.

A well-formed preparation plan looks like this:

AUDIT PREPARATION PLAN: FCA Supervisory Visit
════════════════════════════════════════════════════════════
Audit type: Regulatory
Auditor: Financial Conduct Authority
Date: [Date — 6 weeks from today]
Focus areas: Client suitability; complaint handling; SM&CR governance
Time to prepare: 6 weeks

WEEK-BY-WEEK PREPARATION TIMELINE:

Weeks 1–2: Evidence gathering and gap assessment
— Collect all suitability assessments from past 12 months (CCO)
— Pull complaint log, response times, and outcome analysis (Operations)
— Initiate SM&CR annual certification process (CEO/HR)
— Verify AML PEP screening status — this is NOT in scope but
auditors have discretion to expand; resolve before visit (MLRO)

Week 3: Evidence review and gap closure
— Review suitability assessment quality; identify any
assessments that would not withstand scrutiny (CCO review)
— Complaint log: verify all responses meet required timelines;
investigate any outliers (Operations)
— SM&CR: complete certification; update FCA register (CCO/HR)

Week 4: Mock audit — client suitability
— Run mock audit: simulated FCA questions on suitability
process, documentation standard, and outlier cases (CCO)
— Close any gaps identified in mock

Week 5: Mock audit — complaints and SM&CR; staff briefing
— Run mock audit: complaint handling and SM&CR governance
— Brief all staff who may be interviewed: scope, their role,
what to say when asked about their area

Final week: Final checks and logistics
— Confirm evidence pack is complete and accessible
— Rehearse opening statement: our approach, what we have prepared
— Confirm logistics (meeting room, document access, attendees)

EVIDENCE INVENTORY (by focus area):

| Area | Evidence Required | Location | Age | Status |
| --------------------- | ---------------------------------- | ---------------- | ------ | ------- |
| Client suitability | 12 months of suitability assessments| SharePoint/CRM | Current| Ready |
| Suitability — training| Staff training records | HR system | Current| Ready |
| Complaint handling | Complaint log + response records | CRM | Current| Ready |
| Complaint — outcomes | Root cause analysis for complaints | CCO folder | [date] | Verify |
| SM&CR — register | FCA approved persons register | FCA Portal | N/A | In progress|
| SM&CR — certification | Annual certification records | HR system | Overdue| Gap |

GAPS TO CLOSE BEFORE AUDIT:
Priority 1 (close by Week 3):
SM&CR annual certification — initiate immediately; overdue
Owner: CEO/HR | Deadline: Week 3
Priority 2 (close by Week 4):
Complaint root cause analysis documentation — ensure all
complaints have documented outcomes and root cause analysis
Owner: Operations Manager | Deadline: Week 4

BRIEFING REQUIRED:
— CCO: scope, suitability process, complaint handling approach
— HR: SM&CR certification process and record location
— Operations Manager: complaint log, SLA performance data
— All Directors: their specific SM&CR responsibilities and statements
════════════════════════════════════════════════════════════

The Mock Audit

A mock audit simulates the auditor's approach before the real review. Its purpose is to find the gaps between knowing a control exists and being able to demonstrate it to a sceptical reviewer.

Worked example. You have 3 weeks before the FCA visit. You want to simulate the client suitability review. You type:

/audit
Run a mock FCA review of our client suitability process.
Simulate 5 questions an FCA reviewer would ask about:
1. How we assess client suitability before making recommendations
2. How we document the assessment
3. How we handle cases where the client disagrees with our assessment
4. How we train staff on suitability requirements
5. What we do when COBS requirements change

For each question, provide:
- The question as the FCA reviewer would phrase it
- The ideal answer (what we should say)
- The evidence we would present
- Any gap between the ideal answer and our current reality

A well-formed mock audit output looks like this:

MOCK FCA AUDIT: Client Suitability (COBS)
─────────────────────────────────────────────────────────

Q1: "Walk me through your suitability assessment process for a
new client seeking investment advice."

Ideal answer: "We conduct a fact-find covering [objectives, risk
tolerance, financial situation, knowledge and experience, time
horizon]. We document this in our suitability report, cross-
referenced to the COBS 9 requirements. The adviser signs the
assessment and it is stored in the client record."

Evidence: Suitability report template; sample completed reports
(with client consent); adviser sign-off procedure

Gap: Current template was last reviewed before the Consumer Duty
implementation (July 2023). Need to confirm it covers the
Consumer Duty requirements added post-implementation.

Action: CCO to review template against Consumer Duty requirements
by Week 3. Owner: CCO. Deadline: [date]

─────────────────────────────────────────────────────────

Q2: "Show me three suitability assessments from the past 6 months."

Ideal answer: Present three assessments from CRM with required
fields completed, adviser signature, and outcome documentation.

Evidence: CRM records — 3 sample assessments

Gap: Two of the 12 assessments reviewed show incomplete outcome
documentation (no written rationale for the recommendation).

Action: Remediate the 2 affected records; add mandatory fields
to template to prevent future omissions.
Owner: Operations Manager. Deadline: Week 2.

─────────────────────────────────────────────────────────
[Continue for remaining questions]

Mock Findings Are Real Findings

Any gap identified in the mock audit that is not closed before the actual audit is a real finding. The mock audit's value is only realised if the gaps it surfaces are acted on. A mock audit that produces findings that are then filed and ignored is worse than no mock audit — it creates a paper trail showing the organisation was aware of the gap.

Writing Audit Responses

When audit findings arrive, your response is being read as evidence of governance maturity. Two organisations can receive identical findings and produce very different responses.

| Defensive Response (damaging) | Mature Response (demonstrates governance) |
| --- | --- |
| "We disagree with this finding." | Acknowledges the finding factually without argument |
| "This has never caused a problem in practice." | Identifies the root cause — why did this gap exist? |
| "We will address this in our next review cycle." | States the specific corrective action, named owner, and target date |
| "Our team is highly experienced in this area." | Describes what evidence of completion will be provided |

Worked example. The FCA has issued a finding: "The firm's SM&CR annual certification records were not current at the time of the supervisory visit. Certification was due [date] and had not been completed. Finding classification: MAJOR." You type:

/audit
Draft an audit response for this FCA finding:

Finding: SM&CR annual certification records were not current at
the time of the supervisory visit. Certification was due [date]
and had not been completed.
Classification: MAJOR

Draft a response using the structure: finding (acknowledge),
our response, root cause, action taken/planned, owner, target
completion date, evidence of completion.

What to expect: A structured response that acknowledges the finding without argument, explains root cause honestly, and commits to a specific corrective action with a named owner and date.

AUDIT RESPONSE: SM&CR Annual Certification — MAJOR Finding
════════════════════════════════════════════════════════════

Finding: SM&CR annual certification records were not current at
the time of the supervisory visit. Certification due [date] was
not completed.

Our response: We acknowledge this finding. The SM&CR annual
certification cycle was not completed within the required
timeframe.

Root cause: The certification calendar reminder was set in the
previous compliance officer's calendar and was not transferred
when they left the firm in [month]. The oversight was identified
during our pre-audit compliance review but could not be remediated
before the supervisory visit date.

Action taken: Certification process initiated [date — within week
of identification]. All Certified Persons have been contacted and
are completing the process. CEO has signed the Statements of
Responsibilities update.

Action planned: Certification to be fully completed and records
updated by [date]. A recurring calendar reminder has been
established in the compliance system (not individual calendars)
to trigger the process 8 weeks before the annual deadline.

Owner: CCO
Target completion: [date]
Evidence of completion: Completed certification records for all
Certified Persons, signed and dated. Updated FCA register entries.
Confirmation letter to FCA upon completion.
════════════════════════════════════════════════════════════

What makes this response mature: It acknowledges the finding without argument. It identifies the specific root cause (calendar not transferred after personnel change). It describes both immediate action (already taken) and systemic remediation (calendar now in system, not individual). The root cause explanation is plausible and demonstrates the organisation understood why it happened.

Exercise: Prepare for the FCA Supervisory Visit (Exercise 4 — Part 2)

Type: Audit preparation
Time: 40 minutes
Plugin command: Custom /audit
Goal: A six-week audit preparation plan with evidence inventory, a mock audit on the highest-risk area, and a draft audit response for a hypothetical finding

Input Required from Lesson 7

This exercise uses the compliance obligation map from Lesson 7 as its foundation. If you have not completed Lesson 7, complete it before continuing — the preparation plan is built from the compliance map, not from scratch.

Step 1 — Define the Audit Scope

Use the following scenario. The FCA has notified your firm of a supervisory visit in 6 weeks. Focus areas declared: client suitability procedures, complaint handling, and SM&CR governance. Your compliance map from Lesson 7 shows:

  • COBS suitability (OBL-REG-001): CURRENT
  • SM&CR certification (OBL-REG-002): REVIEW NEEDED (certification overdue)
  • AML PEP screening (OBL-AML-001): URGENT (resolved or in progress from Lesson 7)
  • Client incident notification (OBL-CTR-002): PARTIAL

Step 2 — Generate the Preparation Plan

/audit
Prepare for our FCA supervisory visit in 6 weeks.
Focus areas declared: client suitability (COBS), complaint
handling, and SM&CR governance.

Key compliance map status:
- COBS suitability: CURRENT (evidence assembled)
- SM&CR certification: REVIEW NEEDED (overdue by 3 weeks)
- AML PEP screening: URGENT (resolving — new provider contracted)
- Client incident notification SLA: PARTIAL (1 breach last quarter)

Generate a week-by-week 6-week preparation plan with:
1. Evidence inventory for each declared focus area
2. Top gaps to close before audit day (with Priority 1 / Priority 2)
3. Staff briefing plan (who needs to be briefed; on what; by when)
4. Pre-visit logistics checklist

Step 3 — Run the Mock Audit

Using the highest-risk area from your preparation plan (likely SM&CR or complaint handling), run a mock audit:

/audit
Run a mock FCA review of [your highest-risk area — SM&CR or
complaint handling].

Simulate 4 questions an FCA reviewer would ask, covering:
- Process design and documentation
- Evidence and record-keeping
- Staff training and awareness
- How you handle exceptions or near-misses

For each question, provide:
- The question as the FCA reviewer would phrase it
- The ideal answer
- The evidence to present
- Any gap between the ideal answer and our current reality
- Corrective action if a gap exists

Step 4 — Draft an Audit Response

The following hypothetical finding has been issued:

"The firm's complaint handling procedure requires documented root cause analysis for all complaints. Review of 12 complaint records found 3 records with no root cause analysis documented. Finding: MINOR."

Run:

/audit
Draft an audit response for this finding:

Finding: Three of twelve complaint records reviewed showed no
documented root cause analysis. The firm's procedure requires
root cause analysis for all complaints.
Classification: MINOR

Use the structure: acknowledge finding, our response, root cause,
action taken, action planned, owner, target date, evidence of
completion.

What to evaluate:

  • Does the preparation plan cover all three declared focus areas with an evidence inventory for each?
  • Are the mock audit questions realistic for an FCA review of complaint handling or SM&CR governance?
  • Does the mock audit identify at least one gap between the ideal answer and the firm's current reality?
  • Does the audit response acknowledge the finding without arguing?
  • Is the root cause specific (not "process failure" but why the specific process failed)?
  • Is every action in the response owned by a named role with a target date?
  • Would an FCA reviewer reading this response conclude that the firm understands the finding and has taken governance-mature steps to close it?

Deliverable: A six-week preparation plan with evidence inventory, mock audit output with identified gaps and corrective actions, and a draft audit response demonstrating governance maturity.

Try With AI

Reproduce: Apply what you just learned to a simple case.

Prepare for a BSI ISO 27001 surveillance audit in 4 weeks.
The auditor will review: risk assessment (Clause 6.1), incident
management (Clause 10), and internal audit programme (Clause 9.2).

Key status:
- Risk assessment: completed 14 months ago (slightly overdue)
- Last internal audit: 8 months ago (within cycle)
- Incident log: maintained; no major incidents this year

Generate a 4-week preparation plan with evidence inventory,
top two gaps to close before the audit, and a staff briefing plan
for the CISO and operations team who may be interviewed.

What you are learning: The ISO 27001 surveillance audit is a certification audit — structurally different from a regulatory audit, but the preparation logic is identical: know the focus areas, confirm evidence is current and locatable, run a mock, brief the team. Applying the preparation framework to a different audit type builds transfer.

Adapt: Modify the scenario to match your organisation.

I have an upcoming [audit type] in [N] weeks.
The auditor or reviewing body is [name].
Declared focus areas: [list].

Using my compliance map (key statuses below), generate a
week-by-week preparation plan, evidence inventory, and top
gaps to close before the review.

My compliance map status:
[Paste or describe the relevant obligations and their statuses]

Also generate a mock audit for my highest-risk area with
4 questions the auditor would likely ask.

What you are learning: Applying the /audit command to your own firm's compliance map moves this from a classroom exercise to a real operational capability. The preparation plan it generates is one you can actually use.

Apply: Extend to a new situation the lesson didn't cover directly.

We have just received audit findings from our annual ISO 27001
surveillance audit. The auditor has issued:
- 1 MAJOR non-conformance: our change management procedure does
not include a documented impact assessment step
- 2 MINOR non-conformances:
(1) 3 access reviews were not completed on schedule
(2) Training records for 2 new starters are incomplete

Draft three audit responses — one for the MAJOR and one for each
MINOR. For the MAJOR, the root cause is genuine: the procedure was
written before we implemented our current ERP and the change
management workflow changed. For the MINORs, the access review
delay was caused by a resourcing gap during annual leave season;
the training gap was caused by an onboarding checklist oversight.

Each response should demonstrate governance maturity: acknowledge,
root cause, action taken, action planned, owner, date, evidence.

What you are learning: Writing responses for different finding classifications — MAJOR vs MINOR — requires calibrating the response depth. A MAJOR finding requires a systemic corrective action (not just fixing the instance); a MINOR requires fixing the instance and explaining why it will not recur. This prompt also tests root cause identification: specific, honest root causes produce better responses than generic ones.
