Run an internal pre-audit drill against your own narrative
Run a 30-minute internal exercise where one teammate plays auditor and another defends the audit narrative under live questioning. It surfaces gaps before the real audit window opens, doubles as an onboarding test for a new compliance lead, and produces a dated fix list.
Plus: three Admin-Agent passes — generate the questions a real auditor would ask from your existing narrative, stress-test specific paragraphs against current evidence, and produce a fix list with owners and dates before the real walkthrough.
| Audience | Admins · Executives |
|---|---|
| Time | ~30 min (the exercise itself; ~10 min to prep) |
| Prerequisites | Existing audit narrative ([Build an audit narrative from your logs](/tutorials/build-an-audit-narrative-from-your-logs)) and SOC 2 mapping ([Build a SOC 2 control mapping for your Auxot deployment](/tutorials/build-a-soc-2-control-mapping-for-your-auxot-deployment)). Comfort opening Audit Logs ([View your audit logs](/tutorials/view-your-audit-logs)). Helpful: live walkthrough choreography ([Walk your auditor through the logs in 30 minutes](/tutorials/walk-your-auditor-through-the-logs-in-30-minutes)) — same script with the auditor role played internally. |
| You'll end up with | A dated drill report — the auditor-role questions, the presenter-role answers, the gaps surfaced, and a fix list with owners and dates — filed beside the audit narrative as evidence the program rehearses itself before the real review. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.
Why this matters
The first time someone challenges your audit narrative under live questioning should not be the auditor or the buyer. By that point the stakes are external: a contested control row drags the audit window; a vague paragraph extends the sales cycle. A 30-minute internal exercise surfaces the same gaps when fixing them is still cheap.
The drill is not a performance review of the narrative’s author. It is a rehearsal of the conversation that happens when an external reviewer asks “show me how you know that.” The team that runs this exercise quarterly walks into real audits and buyer security reviews with the answers already practiced and the weak spots already named.
This is also the first owned exercise for a new compliance lead who just inherited the program (Hand off the audit narrative when your compliance lead changes). The drill structures their first defense of the artifacts in a low-stakes setting; they leave knowing where the gaps are and which paragraphs need their own rewrite before the next renewal.
Nothing rehearses itself — you book the room, you assign the four roles, you capture the gaps in the report.
Quick start
- Pick the narrative version — the audit narrative you would currently send to a buyer or hand to an auditor. Not a draft; the live version. Note the last-reviewed date inside the file.
- Assemble four roles — Presenter (defends the narrative paragraph by paragraph), Auditor (asks the hard questions, plays the external reviewer), Observer (silent, takes notes for the report), Facilitator (keeps time, calls scope, plays neither side). Different people in each seat.
- Run the 30-minute structure — 5 minutes orient, 20 minutes question-and-defend on the actual narrative, 5 minutes gap capture. The Auditor role drives the middle 20; the Presenter answers without rehearsed lines.
- Capture the gaps in the report — Admin Agent power move 3 turns the Observer’s notes into a fix list with owners and dates. Each gap becomes a row: which paragraph, what the Auditor questioned, what the Presenter could not defend, who fixes it, by when.
- Schedule the fixes before the next real review — the drill is only useful if the fixes ship. Book the work on the calendar against the next real milestone (next questionnaire, audit window, renewal date) so the gaps close before the external version of this conversation happens.
Done? A dated drill report — the question list, the gap list, the fix list with owners and dates — filed beside the audit narrative. Next drill scheduled on the calendar (quarterly minimum).
The agent can do that?
1. Generate the questions a real auditor would ask
Chat → Admin Agent:
Audit narrative pasted: [paste current narrative]. Generate the 15 questions an experienced SOC 2 Type II auditor would most likely ask while reviewing this narrative. For each question: (1) which paragraph it targets, (2) what evidence the auditor will expect, (3) what failure mode is exposed if the answer is weak. Be specific. Skip generic questions; favor the ones tied to claims in this exact narrative.
Why it’s non-obvious: Generic auditor-question lists are not useful; they produce generic rehearsal. Forcing the question generator to read the actual narrative and target specific paragraphs produces questions the Presenter has not pre-scripted. The Auditor role uses the list as a starting point and asks harder follow-ups when the Presenter’s answer is weak.
2. Stress-test a specific claim
When the Auditor role finds a specific paragraph that needs harder pressure:
Narrative paragraph: [paste the specific paragraph]. List three ways this paragraph could be challenged: (1) the claim is true but the evidence is hard to surface in 90 seconds, (2) the claim is partially overstated and a careful reader will notice, (3) the claim was true six months ago but no one verified it recently. Suggest one specific question that probes each.
Why it’s non-obvious: The most dangerous paragraphs are not the obviously vague ones; they are the confident ones where the evidence has gone stale. This prompt forces the team to challenge their own writing the way an external reviewer would.
3. Produce the fix list with owners and dates
After the drill:
Observer notes pasted: [paste raw notes from the drill]. Next external compliance milestone: [date and type — e.g., "SOC 2 Type II window closes 2026-09-30" or "largest customer's renewal questionnaire due 2026-08-15"]. Turn the notes into a fix list — Gap | Paragraph | Owner placeholder | Suggested due date (working backward from the milestone) | Source of fix (which existing artifact carries the answer, or which is missing). Mark anything that requires a policy change vs a wording change vs a new evidence collection.
Why it’s non-obvious: Drill notes without dated fix lists become institutional shrug. Tying the fix dates to a real milestone makes the work concrete. Tagging by fix type (policy vs wording vs evidence) tells the team how to staff each gap.
Go deeper
The four roles, in detail
- Presenter: defends the narrative paragraph by paragraph. Answers without prepared lines; the point of the drill is to see what the answers actually sound like under pressure. Usually the current compliance lead, or a new lead testing their own understanding.
- Auditor: plays the external reviewer. Asks the hardest questions, follows up when answers are weak, does not let vague responses pass. Best chosen from outside compliance (engineering lead, finance partner, an external consultant if available); insiders soften the pressure unintentionally.
- Observer: silent. Takes notes on what the Presenter could not defend, where the Auditor pushed and got stuck answers, which paragraphs need rewriting. Reads the report back at the 5-minute close.
- Facilitator: keeps time, calls scope when the drill drifts, plays neither side. Often the program manager or a peer compliance person. If only three people are available, the Facilitator and the Observer can be the same person, but the Auditor and Presenter must stay separate.
What to rehearse, beyond the narrative paragraphs
- Filter sequences in Audit Logs. The Presenter should be able to surface a specific Job, Thread, or Event under live questioning. Pair with Walk your auditor through the logs in 30 minutes for the filter-sequence choreography.
- The frequency table. The Auditor asks about a buyer-frequent control; the Presenter knows it is buyer-frequent because the questionnaire log says so (Track which audit fields each questionnaire asks about).
- The trust packet’s current version. The Auditor asks “which version did this buyer get?” The Presenter does not improvise the answer; they open the packet log and read it.
- The “what is not in the packet” line. The Presenter should be able to name the gaps the trust packet acknowledges out loud, calmly, without sounding defensive.
Drill cadence
Quarterly minimum. Plus one extra drill in the quarter after a new compliance lead starts (the new lead plays Presenter). Plus one extra in the month before any major external milestone (SOC 2 Type II window, largest customer’s renewal questionnaire, cyber insurance renewal). The cadence is the discipline; one drill a year is theater.
Pairs with the new-lead handoff
If the drill is the new compliance lead’s first defense of the artifacts (Hand off the audit narrative when your compliance lead changes), the bus-factor backup attends as Observer. The departing lead, if still around, plays Auditor; their question depth is the closest internal proxy for an external reviewer. The fix list from the drill becomes the new lead’s first 60-day work plan.
Troubleshooting
- The Presenter answers every question perfectly. Either the questions were too easy or the Auditor is pulling punches. Run again with a harder Auditor.
- The Auditor asks questions the narrative does not even address. That is a finding. Add the scope to the next narrative refresh, do not improvise an answer in the room.
- The fix list balloons past 20 items. Triage. The 5 highest-stakes gaps get owners and dates; the rest go to a backlog for the next quarterly narrative refresh. A 20-item list that ships nothing is worse than a 5-item list that ships everything.
- No one wants to play Auditor. That is a culture signal worth reading. Compliance functions that treat internal questioning as adversarial produce thin narratives. Rotate the Auditor role each drill.
Variations and edge cases
- First-ever drill: budget 45 minutes. The team needs longer for the structure to land. The first one is also mostly about establishing that internal questioning is normal, not a critique of the author.
- Remote team: run by video. Add 10 minutes for screen-sharing transitions. The Observer types notes into a shared doc throughout the drill instead of reading them back at the end.
- Distributed compliance function: if compliance is shared across multiple teams, run separate drills per team scope, then a fifth roll-up drill that focuses on cross-team handoffs.
- External consultant available: they make the best Auditor for the first few drills. Their job is to model the questioning depth; the team takes over after two or three rounds.
Walkthrough
Step 1: Prepare the materials
Open the audit narrative, the SOC 2 mapping, the trust packet’s current version, and the questionnaire log. The Presenter should be able to surface any of these in under 30 seconds during the drill.
Step 2: Run power move 1 to seed the Auditor’s questions
Use the prompt above to generate 15 candidate questions targeting specific paragraphs in the current narrative. The Auditor role reviews the list, picks the 8 to 10 they will lead with, and writes down 3 to 4 follow-up questions for each in case the Presenter’s first answer is weak.
Step 3: Run the 30-minute drill
- Minute 0–5: Orient. Facilitator opens with scope (“we are rehearsing the audit narrative as if a SOC 2 Type II reviewer were here”). Presenter opens the narrative on screen. Observer confirms they have a shared notes doc open.
- Minute 5–25: Question and defend. The Auditor asks the seeded questions and the follow-ups. The Presenter answers without prepared lines, surfacing evidence from Audit Logs, the mapping, or the questionnaire log as needed. The Facilitator calls scope if the Auditor drifts into adjacent topics.
- Minute 25–30: Gap capture. The Observer reads back what the Presenter could not defend cleanly. The Presenter does not push back; the report captures the surface impression, not the underlying truth. Underlying truth gets handled in the fix-list work.
Step 4: Write the report within 48 hours
Power move 3 produces the structure. The Observer’s notes become the source. The report needs: date, participants, scope, list of questions asked, list of gaps surfaced, fix list with owners and dates, next-drill date.
Step 5: Schedule the fixes
Each gap gets a calendar entry on the owner’s calendar. Each fix-list row has a due date tied to the next external milestone. The Facilitator (or the program manager) verifies the schedule at the 30-day check-in.
Step 6: File the report as evidence
The dated drill report goes in the same folder as the audit narrative. SOC 2 walkthroughs can cite it as CC4 / CC7 monitoring evidence. Buyer security reviews that ask “how do you stress-test your own claims” get the report as the answer.
What’s next
- → Walk your auditor through the logs in 30 minutes. The live external walkthrough this drill rehearses for. Same structure, real auditor.
- → Build an audit narrative from your logs. The artifact the drill defends; fixes land here.
- → Bundle a customer trust packet from your audit evidence. The buyer-facing version the Presenter must be able to surface during the drill.
- → Track which audit fields each questionnaire asks about. The frequency table that tells the Auditor role which paragraphs deserve the hardest pressure.
- → Build a SOC 2 control mapping for your Auxot deployment. The control-by-control evidence map the Presenter cross-references during the drill.
- → Hand off the audit narrative when your compliance lead changes. When a new lead starts, the drill is their first owned defense of the artifacts.
- → Run a post-mortem that leads to action. Same shape as the drill’s gap-capture step, applied to a real incident.
Reference
- Four roles (different people): Presenter (defends narrative), Auditor (plays external reviewer), Observer (silent, captures notes), Facilitator (keeps time, calls scope). Facilitator and Observer can collapse to one person at three-person headcount; Auditor and Presenter must stay separate.
- 30-minute structure: 5 orient + 20 question-and-defend + 5 gap capture.
- Drill cadence: quarterly minimum, plus a new-lead drill, plus a pre-milestone drill.
- Report fields: date, participants, scope, question list, gap list, fix list with owners and dates, next-drill date.
- Fix-list discipline: the 5 highest-stakes gaps get owners and dates; the rest go to a backlog. Due dates work backward from a real external milestone.
- First-drill budget: 45 minutes, not 30. The structure needs ramp time.
- See also: Hand off the audit narrative when your compliance lead changes, Walk your auditor through the logs in 30 minutes, Build an audit narrative from your logs, Run a post-mortem that leads to action