
6 Things I Wish I Knew on My First Foray into Auditing

1. Audits are more than just a checklist

When I started with PCI DSS auditing in finance, I thought that was the full extent of what audits entailed. But I quickly learned that audits vary widely, especially when moving from a technology supplier to a regulated entity. Each environment brings its own complexities, particularly when it is tied to compliance and the ability to move money. The shift from clear, strict standards like PCI DSS to risk-based regulatory approaches can be a challenging adjustment for engineers and other professionals alike.

2. The Three Lines of Defense (3LoD) make everything click

One of the core concepts I wish I understood earlier is the 3LoD model. It's simple yet foundational for most regulatory frameworks:

  • First Line: These are the people and teams responsible for delivering the work. As part of their delivery, they implement controls (such as quality controls). For example, the 'four-eyes principle' is often applied when making software changes.

  • Second Line: This layer monitors the controls performed by the first line, aiming to identify and help correct any significant defects. It's important to note that actual changes must still occur within the first line.

  • Third Line: This is the Internal Audit (IA) function. IA operates on a 3-5 year audit plan, auditing both the first and second lines according to the defined scope. Typically, IA reports directly to the Board, providing an independent perspective to help balance the risks taken by the rest of the business.

Understanding this structure clarified why roles are segmented and helped me see how the pieces fit together.

3. Certification audits are (usually) the easier part

Certifications like ISO 27001, SOC 2, or PCI DSS often come with predictable, stable yearly audits. These processes are easier to manage because the scope evolves slowly, and teams quickly become familiar with the requirements. In contrast, internal audits often involve more fluid scopes and higher expectations, requiring a broader understanding of risks and mitigation strategies.

4. An internal audit will identify gaps, and that is OK (as long as you are managing them)

I used to think the aim was to show there were no gaps, but the reality is different. Auditors expect to find gaps; that’s their job! What matters is demonstrating that you’re aware of the risks, that you’re actively managing them, and that you have a plan to resolve or mitigate them. This mindset shift made audits feel less daunting and more like a collaboration.

5. External audits are your PR for investors and regulators

Investors and regulators are external to your organization and rely on independent assessments to gauge whether the business is being managed properly. Having your financial statements audited on schedule by a reputable auditor can significantly strengthen these relationships. External audits are also a great opportunity to showcase your compliance program, demonstrating that you’re building a healthy, scalable business while adhering to regulations and best practices.

6. Companies in general and Corporations in particular take auditing seriously

Whether it’s a simple questionnaire or a detailed inspection, customers want to know that your organization complies with regulations and best practices. Large corporations often have the resources to conduct rigorous audits, and working with them means being prepared for a deep dive into your processes. This level of scrutiny can feel overwhelming, but it’s an opportunity to showcase your organization’s strengths and build trust.

Conclusion: what I’ve learned along the way

Auditing can feel complex and overwhelming at first, but with experience, patterns emerge, and the process becomes more manageable. From understanding the Three Lines of Defense to shifting your mindset about gaps, each lesson I’ve learned has helped me navigate the challenges of compliance with more confidence.

Audits are not just a regulatory checkbox—they’re a chance to build trust, improve processes, and strengthen your organization in a rapidly evolving financial landscape.