Good Practices for Participation in Audits

November 7, 2022

São Paulo/SP – November 7, 2022. The employees who will be audited play a fundamental role in the audit process, as their day-to-day procedures and knowledge about the business will be evaluated and judged, having a direct relationship with the result of the audit.

By João Victor Santos

Given the moment we live in, accountability and data security are of the utmost importance and relevance, and compliance is a goal sought by many companies. The essential controls are implemented, and internal and external audits are carried out to evaluate them; in these audits, the behavior and involvement of the auditees have a great influence on the result. Accordingly, there are several good practices that must be followed and actions that must be avoided in order to achieve success.


The word “audit” comes from judging/evaluating. Its purpose is to work through a checklist and evaluate whether the controls and requirements set out in good practices, standards and even regulations are mapped and being executed correctly and properly. An accounting audit, for example, aims to ensure the accuracy of the accounting records and financial statements of a particular institution, while an IT control audit, or an audit based on a standard such as ISO 27001, aims to demonstrate the correct design and effectiveness of the controls that make up the SGSI (Information Security Management System, ISMS).


In organizations, three types of audit are usually performed with different applications and purposes:

Internal Audit: the set of procedures for evaluating a company's internal controls, verifying the quality of its records and their security. It is an activity designed to observe, inquire, question, check, and propose changes and procedures. It is the preparation for the External Audit: at this point it serves as a thermometer of how the environment is doing, and of whether there are Non-Conformities (NC) and/or Improvement Opportunities (OM).

External Audit: an activity carried out by an independent company that is accredited to issue a certain certification and that attests to the correct design and effectiveness of controls. The purpose of this type of audit is to achieve certification/recertification of the organization's management system, as well as to ensure compliance with requirements in laws and regulations (e.g., the Sarbanes-Oxley Act). The certifying company will analyze the organization's management system to verify whether it meets all the requirements of the standard against which it is to be certified.

Internal Audit is an ally that brings maturity to our environment. We should view it favorably and see in it rich opportunities to further develop our processes and, as a consequence, to achieve a better result in External Audits.

Supplier Audit: also called a second-party audit, these are assessments carried out in person in the supplier's environments. Their purpose is to ensure that suppliers are capable of, and suited to, carrying out the activities and operations required of them.


The auditor is one of the main pillars of an audit, as it is their role to carry out the evaluations and deliver the judged results.

As a good practice, the auditor should:

  • Avoid leading the auditees into error;
  • Ask open rather than closed questions, avoiding answers like “yes” and “no”;
  • Always be as clear as possible, and do not conceal from the auditees that an NC (nonconformity) has been found;
  • Be upstanding, performing their tasks with honesty, diligence, responsibility and impartiality;
  • Base findings only on verifiable audit evidence: inference and “guessing” cannot in any way serve as the basis for an audit finding.


The employees who will be audited play a fundamental role in the audit process, as their day-to-day procedures and knowledge about the business will be evaluated and judged, having a direct relationship with the audit result.

Good practices that auditees should follow include:

  • Study the business processes in their area and the requirements of the standard or regulation;
  • Not respond beyond what was asked by the auditor;
  • Answer questions calmly, demonstrating confidence in the subject addressed;
  • Keep documents and evidence organized for requests during the audit;
  • Be transparent, avoiding hiding evidence, omitting information, or stalling to buy more time;
  • Be open to suggestions for improvement.

— João Victor Santos is a GRC Trainee at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, for the certification of operations, services or companies against the ISO 27001, ISO 20000 or ISO 22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy measures implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, the information security and privacy risks associated with internal processes and activities are identified, and existing and new controls are evaluated, in proportion to the size of your organization, to raise the level of maturity and compliance in accordance with good information security practices. If you would like more information, contact one of our experts!