The 6 Questions I Always Asked Before an Audit (And Exactly How to Grade the Answers)
I remember a night I checked our backup logs twice before bed.
Not because something failed.
Because I didn't trust the answer I got earlier.
If you own audit outcomes for a community bank, you know that feeling.
Here's the real issue:
Most providers don't fail by doing nothing.
They fail by giving answers that sound fine—but won't hold up under scrutiny.
So let's fix that.
The 6 Questions That Actually Matter
- What risks
would fail an audit today?
- When was the
last full recovery test—and what broke?
- Where is our
environment slowing people down?
- Where have we
drifted out of compliance?
- What's going to
fail or expire next quarter?
- Where are we
behind peers our size?
Anyone can ask these.
Very few can grade the answers.
How to Grade Their Answers (Don't Just Ask the Questions)
Bad answers feel reassuring.
Good answers feel specific—and a little uncomfortable.
Security Risk
- Weak: "We
haven't seen any major issues."
- Strong: "You
have three privileged accounts without enforced MFA. That creates audit
exposure under identity control expectations."
Backups
- Weak: "Backups
are running successfully."
- Strong: "Last
full restore took 9 hours against a 4-hour RTO. Two systems failed due to
dependency gaps."
Compliance
- Weak: "You're
compliant."
- Strong: "Access
review documentation hasn't been updated in two quarters. That creates
audit trail exposure."
If you don't hear specifics, you're not hearing the truth.
What a "2" Actually Looks Like (And When to Push Back)
This is the missing piece most teams never define.
Recovery
- Acceptable
(Score = 2):
Restore tested in under 6 hours, with full dependency validation, documented results - Risk (Score
≤1):
Restore exceeds RTO or hasn't been tested in 90+ days
Risk / Identity
- Acceptable:
All privileged accounts protected with MFA, zero undocumented exceptions - Risk:
Any MFA exception without written justification and approval
Documentation
- Acceptable:
Policies updated within last quarter, mapped to controls, version-controlled - Risk:
"We have policies" with no update history or mapping
If you can't clearly say what "passing" looks like, everything looks
acceptable.
Quick Scorecard: Is Your Provider Actually Audit-Ready?
Score each question:
- 0 = no clarity
- 1 = partial
answer
- 2 = specific,
documented, validated
Total Score
- 0-5 → High
audit risk
- 6-9 → Unstable
- 10-12 →
Audit-ready
This gives you a decision tool—not just insight.
How This Maps to What Auditors Actually Check
This is where most providers fall apart.
Your questions should map directly to control expectations:
- MFA gaps →
Identity and access control expectations
- Recovery
testing → Business continuity and disaster recovery validation
- Documentation
gaps → Audit trail and governance failure
- Patch delays →
Vulnerability management exposure
Auditors aren't asking if things exist.
They're asking if they're validated, documented, and repeatable.
Benchmarks We See Repeatedly
Across environments like yours:
- Recovery tests
often exceed stated RTO by 2-3x
- Most
environments have 1-3 undocumented access exceptions
- Documentation
is frequently one audit cycle behind reality
None of these cause immediate failure.
They create compounding exposure.
What This Looks Like in a Real Bank
Before
- No full
recovery test history
- "Backups are
fine" as the only answer
- No documented
dependency mapping
What happened
An examiner asked for recovery validation.
No data. No timeline. No consistency.
What should have taken 15 minutes turned into a multi-day scramble.
After
- Quarterly
recovery tests documented
- Restore time
reduced dramatically
- Failures
tracked and corrected
- Audit passed
with evidence—not explanation
The difference wasn't tools.
It was discipline.
What a Real Audit-Ready Report Looks Like
If your provider is operating at the right level, you should be
receiving:
- A risk
register mapped to regulatory controls
- A recovery
test report (date, duration, failures, resolution)
- A quarterly
risk summary showing drift, exposure, and progress
- A forward
risk roadmap (what breaks next if nothing changes)
If you're not seeing these, you're not getting full coverage.
Turn This Into a Tool You Can Use
Bring this worksheet into your next meeting.
Quarterly Audit Readiness Worksheet
Risk
- What
vulnerabilities exist today—and how are they mapped?
Recovery
- Last full
restore date?
- Actual restore
time?
- What failed?
Performance
- What systems
generate repeat complaints?
- Where are users
creating workarounds?
Compliance
- What
documentation is outdated?
- Where has drift
occurred?
Forward Risk
- What fails next
quarter if nothing changes?
This isn't a checklist.
It's your visibility layer.
If They Can't Answer These… Here's What To Do
Step 1: Ask for written answers
Step 2: Ask for supporting artifacts
Step 3: Watch how they respond
Strong providers will welcome this.
Weak ones will redirect, soften, or generalize.
That pattern tells you everything.
What I'd Do Next Week
Send the six questions ahead of your next IT check-in.
Attach the scoring model.
Tell your provider you want documented answers.
You'll know very quickly whether you have control—or just assumption.
Next Step
Schedule your 10 minute discovery call with 911 IT. We'll walk through
your current answers against this scorecard and show you exactly where you're
exposed or drifting. In ten minutes, you'll know whether your environment
passes—or just sounds like it does.
