How can IT leaders work smarter, not harder, when it comes to the various compliance frameworks required for audits?

VP, Chief Security & Compliance Officer in Software, 4 years ago

One thing that we’ve learned is that the TISAX audit is very different from the others in that they want to hear the practice from someone in-country. We started our audit with our evidence ready and had these nice S-expert packages and video recordings of our SMEs, etc. I started off with an overview of our program—governance, structure, control, and so on—and the auditor looked like he was having an absolute conniption because I was coming at it from a US-centric oversight rather than country-specific. 

So, if you're starting to frame key resources in the design of your audit response programs outside of the US, start grooming a person in each who would be the voice of the program for that country so they understand the protocols. The TISAX auditor will want to hear from the practice in that country to confirm the in-country resources in relation to the work that site does. So if it’s an engineering site, or a support site, whatever it is, they want to hear from a person at that site. And they want to hear how the practice is executed in that site, from that in-country resource.

Executive Coach / Global Chief Information Officer & CISO in Education, 4 years ago

Right now, we've got the major compliance and TISAX things all bundled together as the top priorities. I'm looking at TISAX more as my ultimate goal because the other one just focuses on finances and our financial process, but it is as important. So to me, it's those two compliance frameworks first, and then when I have time I'll work on NIST, CIS, etc., because I know that as I'm going through TISAX, most of the other stuff will cross over anyway.
