The quality of an external audit is largely decided in the 90 days before the auditor shows up. Programs that use those 90 days to run a tight readiness exercise have quiet fieldwork and short reports. Programs that use those 90 days the same way they used the nine months before usually end up writing remediation plans at 11pm during fieldwork week. This article is a milestone-by-milestone guide to what the last 90 days should look like: what to freeze, what to document, what to rehearse, and the five things that go wrong most often when the auditor actually arrives.
Day 90: scope confirmation and population pull
The first task of readiness is not remediation. It is confirming what is actually in scope. Pull the population of in-scope systems, accounts, vendors, change events, incidents, and access reviews. Reconcile that population to the scope statement your auditor has in hand. The single most common reason readiness goes off the rails is that the population the organization has in mind is not the population the auditor thinks they are testing. Reconcile early. If the auditor's understanding has drifted from yours, fix it in a scoping call, not in the middle of fieldwork.
Day 75: control walkthrough dry run
Before the auditor walks through each control, you should walk through each control yourself. Sit with the control owner, read the control statement out loud, and ask them to explain — in their own words — what they do, when they do it, who reviews it, and where the evidence lives. If the owner's explanation does not match the control statement, one of two things is wrong: either the statement is stale, or the owner is not actually running the control. Both problems are fixable eleven weeks out. Neither is fixable in week one of fieldwork.
Day 60: evidence sampling rehearsal
Pretend you are the auditor. Pull a sample of the population for each control — the same kind of sample the auditor will pull — and check whether the evidence is in place, complete (every required artifact exists), attributable (it shows who performed the control and who reviewed it), and contemporaneous (it was produced when the control ran, not reconstructed afterwards). Record your findings on a simple sheet: control, sample size, pass, fail, reason. Every 'fail' is something to fix before fieldwork. Most programs discover three to five systemic gaps in this exercise. The programs that discover none have usually not sampled rigorously enough.
Day 45: readiness assessment report
Formalize what the dry runs surfaced into a readiness report. Each finding has an owner, a remediation plan, and a target close date. Every target close date sits before the start of fieldwork. The readiness report is the single most important artifact of the 90-day window. It is also the artifact most organizations skip. Do not skip it. It converts readiness from a feeling into a schedule.
Day 30: freeze window and change control
Thirty days out, freeze the controls that will be tested. This does not mean you stop running them — you run them harder. It means no changes to control definitions, owners, systems, or evidence patterns unless the change is an emergency or goes through an explicit exception: logged, deliberately approved, and communicated to the auditor ahead of time. The freeze window is how you prevent the thing that goes wrong most often in the last month: a well-intentioned process improvement that happens to break the evidence trail the auditor was planning to test.
Day 14: request list rehearsal
Most external auditors send an initial request list 10-14 days before fieldwork begins. Treat it as a rehearsal. Every item on the list should either be ready to hand over — literally ready, not 'I know where it is' — or have a short explanation of why it is not ready and when it will be. If you cannot answer each line of the request list in an hour, you are not ready. Use the remaining two weeks to close the gap.
Fieldwork week: the five things that go wrong most often
First, sample gaps in on-cadence controls — the quarterly access review that happened three times instead of four. Second, missing terminated-user cleanups — a departing employee whose access was revoked fourteen days late. Third, change management documentation — a change that happened but was not logged in the change system, so there is no pre-change review artifact. Fourth, vendor risk — a new vendor that was onboarded without the standard security review. Fifth, scope surprises — a system that everyone agreed was out of scope six months ago but has been handling in-scope data for the last quarter and nobody noticed. None of these are new categories of failure. They are the same five every time. A readiness exercise is a 90-day effort to make sure none of them are on your report.
Key takeaways
- The quality of an external audit is largely decided in the 90 days before fieldwork begins.
- Start with scope reconciliation, not remediation. Drifted scope is the single most common reason readiness goes wrong.
- Run a control walkthrough dry run and an evidence sampling rehearsal. Most programs find three to five systemic gaps.
- Produce a formal readiness assessment with owners and target close dates. Skipping this is the most common readiness mistake.
- Freeze control definitions, owners, and evidence patterns thirty days out. Log any exceptions deliberately.
- Fieldwork failures fall into the same five buckets every time. A 90-day readiness plan is how you keep them off your report.