OK, no one jumps for joy when the subject of IT security compliance comes up. But there are ways you can change the regulatory process from being an annoying, and expensive, distraction into a relatively painless, short exercise. As one credit union CIO told us recently, "the exam is not just about being in compliance. It's about being in business." In other words, passing or failing is not the main issue (80% of credit unions make 1s or 2s); it's how much work you'll have to do once the exam is over. The worse you perform, the closer you'll be watched ... and the more work you'll have to do after the regulators leave.

Here are some tips we can share with you, based on our experience in providing IT security services to more than 300 credit unions.

Before the examiners arrive:

Be ready in season and out. That means before the request letter arrives. The government says they give 21 days' notice, but we've talked with credit unions who've received as little as one week, and as many as six. Small to mid-sized credit unions are examined every year and a half, while large credit unions can expect to be examined once every 12 months.

Be prepared for the first question: "What's changed since your last exam?" Regulators know that any time you introduce greater complexity or change into your system, you've created a new level of risk. Have you:

Added new services?
Changed core processors?
Brought on new vendors?
Changed hardware or software?
Grown significantly (over 30%)?
Experienced turnover in the management team?

If any of these apply, document the steps you've taken to mitigate the risks.

Provide written proof. Examiners will ask to see documentation of actions taken to address weaknesses identified in previous audits, and they'll review your security policies and business continuity plan. They're looking for a top-down approach to security, with board awareness and senior management involvement.

Avoid boxes overflowing with paperwork. As an examiner in Texas told us, "the more organized the documentation is, the more it says about the credit union." One credit union that has never scored below a 1 shared that they post a pre-exam questionnaire on a shared directory on the server, have employees answer applicable sections, and then burn the completed files on a CD to present to examiners on the day they arrive. Consider printing and binding a compliance notebook, as well.

Get vendors to do their part. Ask for electronic copies of current SAS 70 information, financial statements and network penetration results, and include them on the CD.

Now, during the exam:

Showcase your good judgment. Instead of hoping the examiner doesn't find anything, show off those things you've done well. Keep regulators from having to look by making visible those best practices and controls you already have in place. Ultimately, making their job easier makes your job easier, too.

Be available. The exam will be an interruption to your normal work schedule. Regulators will be packed in your office for up to two weeks, and they'll be coming back and forth to ask questions several times a day. Be prepared to devote 50% of your time to their needs, and don't schedule meetings or off-days. Attitude counts, too. Begrudging, irritable, or inaccessible staff will damage your rating as definitively as poor paperwork.

Answer the question. No more, no less. Your scores reflect three variables: the quality of your documentation, the results of your procedural tests, and the responses to questions asked during the exam. A common error is to focus only on the first two. Much of the substance of the exam, however, is face-to-face. Counsel your staff to listen more, and talk less. Don't go into any more detail than requested; inevitably you'll open a can of worms. Finally, there's always a surprise question. Expect it.

And, after the exam:

Ask to see results. If the examiner doesn't arrange an exit meeting, initiate one. Read a draft of the report before it's filed, and point out legitimate areas of disagreement at the meeting. Be prepared to challenge examiners' findings. Most credit unions aren't ready with the documentation they need at this stage.

In the end, applying a few common sense tips before, during, and after the exam can save you and your staff a lot of effort. And it can make all the difference between having a relatively short post-audit process and an extensive one.
