Audit Readiness in 30 Days
A four-week plan to go from scattered records to a clean audit binder — including the controls auditors actually test.
Most organisations only think about audit readiness three weeks before the auditor arrives. Papyrus is designed so you can think about it on the day the auditor arrives — and still pass.
Here is the four-week sprint we walk customers through.
Week 1 — Inventory and classification
Before you fix anything, know what you have. Run a content inventory query in Papyrus filtered by:
- Document type (contract, invoice, employee record, board minute, etc.)
- Classification (Public, Internal, Confidential, Restricted)
- Last touch date (when was this last viewed or modified?)
- Owner (which department or user holds it?)
If your classification coverage is below 90%, the AI Classification Review queue (/admin/classification-review) is where you spend Week 1. Confirm or correct AI-suggested classifications until coverage is complete.
Week 2 — Retention and disposition
Auditors do not just want to see records — they want to see you intentionally manage their lifecycle. Spend Week 2 establishing retention policies per document type.
For Kenyan organisations, the baseline is:
| Document Type | Minimum Retention |
|---|---|
| Tax and KRA records | 5 years |
| Employee records | 7 years post-termination |
| Contracts | 6 years post-expiry |
| Board minutes | Permanent |
| Customer communications | 3 years |
| Procurement and tender records | 6 years |
Configure these as Retention Policies in Papyrus. Any document covered by a Litigation Hold is automatically excluded from disposition.
Resist the urge to start deleting on Day 1. Apply retention policies in Week 2, but defer the actual disposition actions until after Week 4 when you've verified that nothing under hold is queued for deletion.
Auditors test three controls at minimum:
- Segregation of duties — Can the same person create, approve, and pay an invoice? (Should be: no.)
- Privileged access review — Who has TenantAdmin? When were the assignments last reviewed?
- Audit log integrity — Can the log be altered? (In Papyrus: no, it's hash-chained.)
Run the audit log export from /compliance/audit-logs for the audit period. Filter by privileged actions: role assignments, permission changes, document deletions, retention policy edits, classification overrides.
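A hash-chained log can be re-verified offline by whoever reviews the export. The sketch below is an added example, not Papyrus code: the entry fields (ts, actor, action, target, prev_hash, hash), the SHA-256 chaining scheme, the all-zero genesis value and the action names are all assumptions made for illustration, and the sample log is constructed.

```python
import hashlib
import json

# Assumed action names for the privileged categories listed above (hypothetical).
PRIVILEGED = {"role.assign", "permission.change", "document.delete",
              "retention_policy.edit", "classification.override"}
GENESIS = "0" * 64  # assumed prev_hash of the very first entry

def entry_hash(prev_hash, entry):
    """SHA-256 over the previous hash plus the entry's canonical JSON body."""
    body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def verify_chain(entries):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("prev_hash") != prev or e.get("hash") != entry_hash(prev, e):
            return i
        prev = e["hash"]
    return None

def privileged_actions(entries, start, end):
    """Privileged entries whose ISO-8601 UTC timestamp falls in [start, end]."""
    return [e for e in entries
            if e["action"] in PRIVILEGED and start <= e["ts"] <= end]

def build_sample():
    """Constructed sample export: four entries chained from GENESIS."""
    rows = [
        {"ts": "2024-01-05T09:12:00Z", "actor": "alice", "action": "document.view", "target": "doc-101"},
        {"ts": "2024-02-11T14:03:00Z", "actor": "bob", "action": "role.assign", "target": "carol:TenantAdmin"},
        {"ts": "2024-03-02T08:45:00Z", "actor": "carol", "action": "retention_policy.edit", "target": "contracts"},
        {"ts": "2024-03-20T16:30:00Z", "actor": "carol", "action": "document.delete", "target": "doc-207"},
    ]
    prev = GENESIS
    for r in rows:
        r["prev_hash"] = prev
        r["hash"] = prev = entry_hash(prev, r)
    return rows

if __name__ == "__main__":
    log = build_sample()
    print("chain break at:", verify_chain(log))
    for e in privileged_actions(log, "2024-01-01T00:00:00Z", "2024-03-31T23:59:59Z"):
        print(e["ts"], e["actor"], e["action"], e["target"])
```

A passing check shows the export is internally consistent; it does not detect entries truncated from the end unless the final hash is compared against a value held outside the export.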
Week 4 — The walkthrough rehearsal
In Week 4, run a dry-run audit interview. Pick three sample documents and trace:
- Who uploaded it, when, from where (IP, device)
- What classification was assigned, by whom, with what confidence
- Which workflow it traversed, who approved, with what comment
- Who has accessed it since, and what changes were made
- What retention policy governs it and when it will be reviewed
If you can do this in under 90 seconds per document on Papyrus, you are audit-ready.
What changes on the day
When the auditor arrives, the work is already done. You:
- Grant the auditor an Auditor role (read-only access to documents and full read access to the audit log)
- Hand them the saved searches you built in Week 1
- Stay available for clarifying questions — they will rarely find anything you haven't already seen