866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Do You Need A Readiness Assessment? Blog Feature
JORDAN HICKS

By: JORDAN HICKS

Print/Save as PDF

Do You Need A Readiness Assessment?

Compliance and Certification

If you’re a parent, you’ve likely had the debate in the car with your young kids—they want to stop for McDonalds and you tell them, “we’ve got food at home.” From their perspective, they want what they want, but from yours, you understand you’ve already made an investment in perfectly good food at the grocery store, and you’re not about to spend any more money that you don’t have to.

While we totally understand about the fast food, we think you should hear us out on a different kind of investment—one that may also be seen as unnecessary—the readiness assessment (RA).

You can opt for a readiness assessment ahead of several different compliance assessments—SOC, ISO, PCI DSS, FedRAMP. But many organizations, having been pushed by market demands or their customers to invest in compliance, believe they can jump right in, and that’s not always the best move.

Maybe you’re ready, maybe you’re not, but it could help to know for sure. As providers of a suite of compliance services for over two decades now—including readiness assessments—we’ve seen firsthand how our clients have benefited from doing an RA ahead of their audit.

We know that it potentially means paying more for this pre-assessment, but there’s more value in these than you might think. That’s why, in this article, we are going to lay out the four big benefits you can gain from investing in a readiness assessment, as well as what will happen during one and how you can prepare.

Maybe you really can “skip the stop at McDonald’s and just go home,” but after reading this, you’ll understand better if this investment is right for your organization.

What Is a Readiness Assessment?

 

For the uninitiated, you might be wondering what a readiness assessment even is. What happens during one?

Unlike the audit you will eventually undergo which has the objective of reporting on existing your controls, readiness assessments are designed to identify those controls that should be implemented or improved before an actual audit, as well as any gaps within your current control environment. Essentially, they’re available to you if you’d like to assess your preparedness and if you’d like to understand any shortcomings before they show up in your final audit report.

Performed well in advance of the audit, an RA typically involves conversations between your selected auditor with relevant personnel within your organization. There’s a mutual sharing of information before your auditors will then go on to test the controls you have in place.

Similar to the one you’ll get at the end of the service assessment, you’ll also get a report after the RA process is complete—it will contain a complete review of which controls would pass and which ones would fail.

4 Benefits of a Readiness Assessment

1. You’ll Establish Early Rapport Between Your Auditors and Your Team.

You can’t overstate the advantage of this. We understand the negative stereotypes surrounding audits and the burden they place on your internal personnel. That can often lead to more confrontation between organization and auditor, rather than collaboration.

A readiness assessment can provide a valuable opportunity to not only allow everyone to get into a more beneficial audit mindset but also for the two teams to gel their working styles better together before the heightened stress of the audit.

2. You and Your Auditor Gain Better Understanding.

In establishing that rapport during the readiness assessment, the conversations between your team and the auditors will also prove advantageous themselves. You’ll get to learn more about the standards and requirements you’re aiming to achieve and your assessors will gain an even better knowledge base of your environment, system, or services.

Plus, you’ll get everyone on the same page. If you work in an organization where some may not be fully bought into the idea of putting their time and effort into compliance, a readiness assessment can be useful in getting all your ducks in a row.

3. There’s an Opportunity to Review Gaps and Implement Controls.

Though a readiness assessment is not meant to provide the final results, it can still provide assurance to your organization internally. Given the significantly lower stakes, you shouldn’t hold back on pulling back the curtain, so to speak—take advantage of this less-pressurized situation and have candid discussions with your audit team regarding where your compliance stands.

If you feel like there are areas where the controls are insufficient, don’t hold back. One of the core objectives of the readiness assessment is to identify areas for improvement so that gaps are closed before your actual examination—if you know specifically where to look, you can implement any additional preventative security measures immediately (or at least, get the gears moving in the budget to accommodate this).

Better for a finding to turn up during an RA than during your audit where it will be officially noted and may require costly remediation that’s more of a surprise. Plus, it increases your chance of a favorable audit outcome when all is said and done. Consider it a trial run.

There’s also an added advantage in that your assessors—and their knowledge—will be in-house already. You’ll be able to leverage their experience and expertise as you fill in or strengthen any controls.

4. You’ll Get More Out of Your Audit.

To recap: though it is a less rigorous review, the RA provides an opportunity to align your teams, lay a solid foundation, and get pre-assessed means that when it comes time to pivot to your assessment, you’re already looking at a serious value-add.

That’s because you’ll spend less time:

  • Worrying about any potential surprises that could erode the trust of your customers
  • Chasing down evidence
  • Squeezing in calendar time for your resources to be interviewed and recreating timelines when things need to be rearranged 

We’re not saying that readiness guarantees audit success because things can and will happen, but getting audit ready sets you up well for two things:

 

  • The Future:
    • Having already been through a trial run, things in your assessment should progress at least a little more smoothly than had you not undergone an RA before, and that will give you more time to explore other options with your assessor.
    • Maybe you only need the one assessment now, but you may need to expand beyond and with your process that much more streamlined, you’ll have more time to pick the brains of your audit team to see where your compliance journey might need to go next.
  • Saving Audit Fees:
    • Now we’ve likely got your attention, no? And it’s true—becoming assessment “ready” through an RA can help you avoid one of the biggest causes of audit overrun: insufficient documentation.
    • When that happens, your assessors will be forced to either alter their methodology or delay timelines, both of which result in not only more fees but also a continued burden on your internal team. You’ll better avoid this possibility by investing in an RA. 

How to Prepare for a Compliance Readiness Assessment

 

Knowing all that, you may be thinking that this strategic step is the right move for your organization. If that’s the case, there are a few things you should do. Even though a readiness assessment functions as a kind of preparatory period, you should still organize a few things before your assessors commence work:

  • A brief knowledge of the standard you’re working towards: We mentioned how your conversations during the RA would involve this, but if you have at least a basic understanding, those discussions with your assessors will be more fruitful than if you came in cold.
  • Documented policies, procedures, and processes: It may be that the RA reveals you have gaps in this area, but you should already have recordings of your cornerstones down, e.g., your information security policies and procedures, software development lifecycle (SDLC), etc.

Do You Need a Readiness Assessment?

Though mistakenly considered by many to be an optional first step, a readiness assessment can help you identify weaknesses in your processes and find gaps in your internal controls, among other things. Now you understand that this type of assessment is more valuable than you might’ve thought with four big advantages. It might even be healthy for your objectives, and that’s more than we can say for the cheeseburger and fries.

To learn more specifically about RAs as specific to different services, check out our other content here that can shed further light on the particulars:

About JORDAN HICKS

Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.