After finding out the Government Accountability Office (GAO) was coming to pay our program a visit, I was also told to work with a small cross-functional team to collect all of the data to meet their requests. There was a list of recommended executive actions and we had to prove how we were satisfying those recommendations. To visualize our progress in collecting the data, I used a physical task board and sticky notes. I would call it a Kanban, but we really didn't have any work in progress (WIP) limitations. The board was composed of 4 columns: Backlog, WIP, Blocked, Done.
As of last night, everything was in the Done column and I even had one team member come up and shake my hand. For some reason, I think there may have been a lack of confidence that we could identify and collect the data requested. With some leadership, inspiration and clear goals, we got it done. Though I'm not at liberty to say exactly what we supplied them, the requests they made were not unreasonable.
I've been through a SOX audit before so I understood how an audit works. Provide proof that you do what you say you do. Be able to explain why you do it. Now, what you do and how it aligns with how others think you should do it is another story. But, if the auditor is not satisfied with how you do it, they will make a recommendation on how you can meet their expectations. Here is the important thing. An auditor does not care what you say you are going to do. They care what you say you've done or do.