The audit is scheduled. The auditors arrive. And within the first hour, the engagement shifts from a planned assessment into an uncomfortable excavation of gaps nobody knew existed.
Across East Africa, a predictable pattern is emerging: businesses that genuinely want to be secure are failing their security audits — not because of malice or negligence, but because of a structural gap between what compliance frameworks demand and what most SMEs can realistically deliver.
The compliance landscape has shifted
Kenya's Data Protection Act (DPA) came into full force with the 2022 Regulations. SASRA, which regulates Kenya's 176+ Deposit Taking SACCOs, has moved from guidelines to enforcement. The Financial Reporting Centre (FRC) now requires all regulated financial institutions — including SACCOs — to register via the goAML portal as part of Kenya's response to FATF grey-listing in 2024.
The fundamental problem: Most SMEs do not fail audits because they are insecure. They fail because they cannot demonstrate their security posture in the structured, documented way that auditors require.
The five most common failure points
1. No asset inventory
Every major compliance framework — ISO 27001, NIST CSF, CIS Controls — begins with asset identification. Yet most SMEs operate without a maintained inventory of their hardware, software, user accounts, or data stores. Auditors will ask: "Show me your asset register." The answer most organisations give is verbal.
2. Policies that exist only on paper — or not at all
Information security policies are evidence that your organisation has thought through its security obligations. An acceptable use policy, access control policy, incident response procedure, and data classification standard are the minimum for any meaningful audit. Many organisations have templates downloaded from the internet — with another company's name still in the header.
3. Unmanaged access and privilege creep
Former employees with active accounts. Administrative privileges granted to users who don't need them. Shared passwords on critical systems. No multi-factor authentication on email or financial platforms. Each of these is both a genuine security risk and a clear audit finding.
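An access review that turns the four findings above into dated evidence, as an added example (not RETACH's tooling); the account export, the system names and the 90-day inactivity threshold are constructed assumptions:

```python
"""Access review over a constructed account export (added example, not RETACH's tooling).

It flags leavers still holding accounts, stale logins, admin rights without a
recorded justification, shared accounts, and critical systems reached without
MFA. The returned record is the kind of evidence an auditor asks to see.
"""
from datetime import date

CRITICAL_SYSTEMS = {"email", "core-banking"}  # assumption: systems that must enforce MFA
STALE_DAYS = 90                                # assumption: inactivity threshold for review
REVIEW_DATE = date(2026, 2, 1)                 # constructed review date

def account(name, last_login, systems, mfa=(), left=None, admin=False,
            admin_justified=False, shared=False):
    """One enabled account as it would appear in an IAM or directory export."""
    return dict(name=name, last_login=last_login, systems=set(systems), mfa=set(mfa),
                left=left, admin=admin, admin_justified=admin_justified, shared=shared)

# Constructed sample export; names and field layout are assumptions, not a vendor schema.
EXPORT = [
    account("amina", date(2026, 1, 20), ["email"], mfa=["email"]),
    account("ben", date(2025, 8, 1), ["email", "core-banking"], left=date(2025, 9, 30), admin=True),
    account("finance-shared", date(2026, 1, 30), ["core-banking"], shared=True),
    account("sysadmin", date(2026, 1, 31), ["email"], mfa=["email"], admin=True, admin_justified=True),
]

def review_access(accounts, today, critical=CRITICAL_SYSTEMS, stale_days=STALE_DAYS):
    """Return sorted (account, finding) pairs; an empty list means no findings."""
    findings = []
    for a in accounts:
        if a["left"] is not None:                      # leaver whose account is still enabled
            findings.append((a["name"], "leaver-still-active"))
        if (today - a["last_login"]).days > stale_days:
            findings.append((a["name"], "stale-account"))
        if a["admin"] and not a["admin_justified"]:    # privilege with no recorded need
            findings.append((a["name"], "unjustified-admin"))
        if a["shared"]:
            findings.append((a["name"], "shared-account"))
        for system in sorted(critical & (a["systems"] - a["mfa"])):
            findings.append((a["name"], f"no-mfa:{system}"))
    return sorted(findings)

def review_record(accounts, today):
    """Dated summary that can be filed as evidence the review was actually performed."""
    findings = review_access(accounts, today)
    return {"reviewed_on": today.isoformat(), "accounts_reviewed": len(accounts),
            "findings": findings, "clean": not findings}
```

Re-running the review on a schedule and keeping each record is what turns a one-off clean-up into the ongoing evidence auditors look for.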
4. No evidence of monitoring or incident response
Auditors want to see evidence that controls are working and being tested. For most SMEs, the honest answer to "how would you know if you had been breached?" is: "We probably wouldn't."
5. Backup with no tested recovery
A backup that has never been restored is a hypothesis, not a control. Recovery time objectives (RTOs) are rarely defined, let alone tested against actual recovery capability.
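A restore test that produces the evidence auditors want, as an added example (not RETACH's procedure or tooling): it backs up constructed sample files, restores them to a clean directory, verifies every file against a hash manifest, and times the restore against an assumed four-hour RTO.

```python
# Restore test that produces evidence (added example, not RETACH's procedure or tooling).
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

RTO_SECONDS = 4 * 3600    # assumption: a four-hour recovery time objective
TEST_DATE = "2026-02-01"  # constructed date for the evidence record

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src, archive):
    """Archive the files in src and write a manifest of their hashes beside it."""
    manifest = {p.name: sha256(p) for p in sorted(src.iterdir()) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for name in manifest:
            tar.add(src / name, arcname=name)
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest))

def restore_and_verify(archive, dest, rto_seconds=RTO_SECONDS, tested_on=TEST_DATE):
    """Restore into dest, verify every file against the manifest, time it against the RTO."""
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        # Extract only plain files with bare names, so a crafted member cannot
        # write outside dest even on Python versions without extraction filters.
        safe = [m for m in tar.getmembers()
                if m.isfile() and m.name == Path(m.name).name and m.name not in (".", "..")]
        tar.extractall(dest, members=safe)
    elapsed = time.monotonic() - start
    mismatched = [n for n, h in manifest.items()
                  if not (dest / n).is_file() or sha256(dest / n) != h]
    return {"tested_on": tested_on, "files_expected": len(manifest), "mismatched": mismatched,
            "files_verified": len(manifest) - len(mismatched), "restore_seconds": round(elapsed, 3),
            "within_rto": elapsed <= rto_seconds, "passed": not mismatched and elapsed <= rto_seconds}

def demo_restore_test(corrupt=False):
    """Constructed run: sample files -> backup -> restore -> evidence record."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, archive = Path(tmp, "live"), Path(tmp, "restore"), Path(tmp, "backup.tar.gz")
        src.mkdir()
        dest.mkdir()
        (src / "members.csv").write_text("id,name\n1,Amina\n2,Ben\n")
        (src / "ledger.csv").write_text("date,amount\n2026-01-05,1500\n")
        make_backup(src, archive)
        if corrupt:  # simulate a backup whose stored copy no longer matches its manifest
            manifest_path = Path(f"{archive}.manifest.json")
            manifest = json.loads(manifest_path.read_text())
            manifest["ledger.csv"] = "0" * 64
            manifest_path.write_text(json.dumps(manifest))
        return restore_and_verify(archive, dest)
```

A failed record (a hash mismatch or a restore slower than the RTO) is still useful evidence: it shows the control was tested and tells you what to fix before the auditor asks.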
SACCOs specifically: SASRA's 2026 framework now requires mandatory goAML registration, AML/CTF programme implementation, and Fit and Proper vetting for senior management. A cybersecurity audit in this context is about organisational governance, not just technology.
What auditors are actually looking for
A well-conducted security audit evaluates your security posture across predictable control domains. The goal is to verify that you have implemented appropriate controls and can demonstrate they are working. Demonstrating security is a communication and documentation task as much as a technical one.
| Audit area | What's typically found | Minimum remediation |
|---|---|---|
| Asset management | No register | Documented inventory of all hardware, software, data |
| Access control | Shared accounts, no MFA | IAM review + MFA on critical systems |
| Policy framework | No policies or stale templates | Core policies reviewed and communicated |
| Incident response | No documented procedure | IR plan with defined roles and tested procedure |
| Backup and DR | Never tested restore | Documented RTO/RPO + evidence of test restore |
| Risk management | No risk register | Risk register with treatment decisions documented |
The S.I.N.S. Framework™ approach to audit preparation
RETACH uses the S.I.N.S. Framework™ to structure audit preparation in a way that addresses both technical controls and the governance evidence auditors require.
Endpoint and identity control
Asset inventory, user account management, endpoint configuration standards, MFA deployment.
Backup and availability
Documented backup procedures, tested recovery, server hardening, cloud posture management.
Perimeter and monitoring
Firewall policy documentation, network segmentation, log collection, anomaly detection.
Governance evidence
Policy framework, risk register, incident response plan, staff awareness training records.
A practical 90-day audit readiness path
Days 1–30: Conduct a gap assessment. Build the asset inventory. Begin policy development starting with the four core policies: acceptable use, access control, incident response, and data protection.
Days 31–60: Address highest-risk findings. Remediate access control (stale accounts, MFA, admin privileges). Test and document backups. Begin collecting evidence of control operation.
Days 61–90: Complete the risk register. Conduct a tabletop incident response exercise. Finalise documentation. Run an internal pre-audit. Brief staff on their roles.
Important: Many organisations begin audit preparation four to six weeks out. This is rarely enough time. Start earlier than you think you need to.
The goal is not audit preparation as a one-time event — it is the establishment of a security management system that is audit-ready as a natural consequence of how the organisation operates.
Ready to prepare for your audit?
RETACH's S.I.N.S. Framework™ Health Scan gives you a clear gap assessment and prioritised remediation roadmap — starting at KES 32,500.
Talk to RETACH →