Stressed man being investigated by penguins in office, finding a turtle bug in computer server with graphs on laptop screen

The 6 Questions I Always Asked Before an Audit (And Exactly How to Grade the Answers)

July 13, 2026

The 6 Questions I Always Asked Before an Audit (And Exactly How to Grade the Answers)

I remember a night I checked our backup logs twice before bed.

Not because something failed.
Because I didn't trust the answer I got earlier.

If you own audit outcomes for a community bank, you know that feeling.

Here's the real issue:

Most providers don't fail by doing nothing.
They fail by giving answers that sound fine—but won't hold up under scrutiny.

So let's fix that.

The 6 Questions That Actually Matter

  1. What risks would fail an audit today?
  2. When was the last full recovery test—and what broke?
  3. Where is our environment slowing people down?
  4. Where have we drifted out of compliance?
  5. What's going to fail or expire next quarter?
  6. Where are we behind peers our size?

Anyone can ask these.

Very few can grade the answers.

How to Grade Their Answers (Don't Just Ask the Questions)

Bad answers feel reassuring.

Good answers feel specific—and a little uncomfortable.

Security Risk

  • Weak: "We haven't seen any major issues."
  • Strong: "You have three privileged accounts without enforced MFA. That creates audit exposure under identity control expectations."

Backups

  • Weak: "Backups are running successfully."
  • Strong: "Last full restore took 9 hours against a 4-hour RTO. Two systems failed due to dependency gaps."

Compliance

  • Weak: "You're compliant."
  • Strong: "Access review documentation hasn't been updated in two quarters. That creates audit trail exposure."

If you don't hear specifics, you're not hearing the truth.

What a "2" Actually Looks Like (And When to Push Back)

This is the missing piece most teams never define.

Recovery

  • Acceptable (Score = 2):
    Restore tested in under 6 hours, with full dependency validation, documented results
  • Risk (Score ≤1):
    Restore exceeds RTO or hasn't been tested in 90+ days

Risk / Identity

  • Acceptable:
    All privileged accounts protected with MFA, zero undocumented exceptions
  • Risk:
    Any MFA exception without written justification and approval

Documentation

  • Acceptable:
    Policies updated within last quarter, mapped to controls, version-controlled
  • Risk:
    "We have policies" with no update history or mapping

If you can't clearly say what "passing" looks like, everything looks acceptable.

Quick Scorecard: Is Your Provider Actually Audit-Ready?

Score each question:

  • 0 = no clarity
  • 1 = partial answer
  • 2 = specific, documented, validated

Total Score

  • 0-5 → High audit risk
  • 6-9 → Unstable
  • 10-12 → Audit-ready

This gives you a decision tool—not just insight.

How This Maps to What Auditors Actually Check

This is where most providers fall apart.

Your questions should map directly to control expectations:

  • MFA gaps → Identity and access control expectations
  • Recovery testing → Business continuity and disaster recovery validation
  • Documentation gaps → Audit trail and governance failure
  • Patch delays → Vulnerability management exposure

Auditors aren't asking if things exist.

They're asking if they're validated, documented, and repeatable.

Benchmarks We See Repeatedly

Across environments like yours:

  • Recovery tests often exceed stated RTO by 2-3x
  • Most environments have 1-3 undocumented access exceptions
  • Documentation is frequently one audit cycle behind reality

None of these cause immediate failure.

They create compounding exposure.

What This Looks Like in a Real Bank

Before

  • No full recovery test history
  • "Backups are fine" as the only answer
  • No documented dependency mapping

What happened

An examiner asked for recovery validation.

No data. No timeline. No consistency.

What should have taken 15 minutes turned into a multi-day scramble.

After

  • Quarterly recovery tests documented
  • Restore time reduced dramatically
  • Failures tracked and corrected
  • Audit passed with evidence—not explanation

The difference wasn't tools.

It was discipline.

What a Real Audit-Ready Report Looks Like

If your provider is operating at the right level, you should be receiving:

  • A risk register mapped to regulatory controls
  • A recovery test report (date, duration, failures, resolution)
  • A quarterly risk summary showing drift, exposure, and progress
  • A forward risk roadmap (what breaks next if nothing changes)

If you're not seeing these, you're not getting full coverage.

Turn This Into a Tool You Can Use

Bring this worksheet into your next meeting.

Quarterly Audit Readiness Worksheet

Risk

  • What vulnerabilities exist today—and how are they mapped?

Recovery

  • Last full restore date?
  • Actual restore time?
  • What failed?

Performance

  • What systems generate repeat complaints?
  • Where are users creating workarounds?

Compliance

  • What documentation is outdated?
  • Where has drift occurred?

Forward Risk

  • What fails next quarter if nothing changes?

This isn't a checklist.

It's your visibility layer.

If They Can't Answer These… Here's What To Do

Step 1: Ask for written answers
Step 2: Ask for supporting artifacts
Step 3: Watch how they respond

Strong providers will welcome this.

Weak ones will redirect, soften, or generalize.

That pattern tells you everything.

What I'd Do Next Week

Send the six questions ahead of your next IT check-in.

Attach the scoring model.

Tell your provider you want documented answers.

You'll know very quickly whether you have control—or just assumption.

Next Step

Schedule your 10 minute discovery call with 911 IT. We'll walk through your current answers against this scorecard and show you exactly where you're exposed or drifting. In ten minutes, you'll know whether your environment passes—or just sounds like it does.