
When the customer security audit visit lands, a manufacturer's prep playbook

What changes when an enterprise customer's security team books an on-site or remote audit visit at a mid-market manufacturer, and how to be ready before the calendar invite arrives.

Jake Schaaf, Founder of Atticus Rowan

The customer security audit visit is the second-stage event that follows the questionnaire. The questionnaire is paper. The visit is people. Mid-market manufacturers selling into automotive, aerospace, defense supply chain, industrial OEMs or large healthcare systems are increasingly the target of these visits, and the bar for showing up prepared has moved.

A 2020-vintage customer audit was rare and informal. A 2026-vintage customer audit is a 6-hour to 2-day engagement run by the customer’s information-security team, sometimes with the customer’s external auditor in the room, against a documented scope that maps to NIST CSF 2.0 or the customer’s own control set. The output is either a clean continuation of the relationship or a written remediation timeline with consequences for missing it.

Here is how to be ready before the calendar invite shows up, and how to run the visit when it does.

Why customer audit visits got serious

Three forces compressed the timeline.

  • Regulatory scrutiny on the customer. When the customer is a defense prime, an automotive Tier 1 or a hospital system, their own examiners require documented evidence that critical suppliers meet specific controls. The audit visit is the artifact that satisfies that obligation.
  • Cyber insurance renewal questions. Customer-side carriers ask whether the customer can attest to vendor security posture. The audit visit is how attestation gets produced for the suppliers that matter.
  • Recent third-party incidents. Several high-visibility incidents in 2024 and 2025 were traced to compromised mid-market suppliers and damaged the upstream customer's brand. Customers responded by tightening supplier oversight, and visits replaced or supplemented the questionnaire-only approach for tier-1 vendors.

Treat the visit as an examination of your control environment by an informed adversary. Firms that rehearse tend to pass cleanly. Firms that wing it tend to take findings.

What the visit actually looks like

A typical visit is structured around 4 or 5 review sessions, each 60 to 90 minutes, with a named subject-matter expert from your team. The auditor walks in with a scope document, a list of controls they want evidence on and a follow-up request template. Common session structure:

  • Session 1, governance and program. Your written information security program, framework alignment, executive oversight cadence, named roles. Led by the security lead or vCISO.
  • Session 2, identity, endpoint and network. MFA coverage, EDR coverage, patch management, segmentation, remote access. Led by the IT operations lead or the MSP operations lead.
  • Session 3, data, backup and recovery. Data classification, encryption posture, backup architecture, last tested restore, recovery objectives. Led by the IT operations lead.
  • Session 4, third-party and incident response. Vendor inventory, due-diligence records, IR plan, last tabletop, incident history. Led by the security lead.
  • Session 5 (optional), site walk. Physical security, server room (if on-prem), production-floor IT exposure, OT segmentation if relevant.

Auditors take notes throughout. The follow-up request list is the output that matters. Items closed cleanly within 2 weeks of the visit return the customer relationship to normal ongoing status. Items left open past 30 days escalate.

60 days out, the prep window opens

The audit invite typically lands 30 to 90 days before the visit. Use the window.

Confirm the scope in writing with the customer’s security team. Specifically:

  • Frameworks referenced (NIST CSF 2.0, ISO 27001, the customer’s own control set or a hybrid)
  • Document review depth (control narratives only, or evidence samples)
  • On-site versus remote (most are now hybrid, with the bulk done remotely)
  • Named participants from the customer’s side (security lead, IT auditor, external auditor)
  • Expected sessions and durations

Begin assembling the evidence binder against that scope. The binder is the artifact the auditor will work from. Aim for a structured PDF with control narratives, attestations and recent test results, organized by the auditor’s likely framework. Every section should have a named owner and a recency date.

30 days out, close the gaps that close

Run the auditor’s likely scope against your control environment honestly. The four gaps that most often surface and close cleanly inside a month:

  • Phishing-resistant MFA on privileged and executive accounts. If you are at standard MFA on these accounts, upgrade to FIDO2 or hardware keys before the visit.
  • EDR coverage attestation. If your EDR coverage is below 100% on managed endpoints, close the remaining endpoints or document the deliberate exclusions with reasoning.
  • A fresh tested-restore date. If your last tested restore is more than 90 days old, run one. The auditor will ask for a date, not a policy.
  • Updated vendor inventory with critical-tier due diligence. Pull the inventory, classify, document due diligence on the top tier.

Gaps you cannot close in the window get documented as known with a remediation date. Auditors accept honest in-progress answers more readily than vague “we are working toward it” answers.

Week of, room and materials prep

The week of the visit is logistics, not surprise control work. Confirm:

  • The conference room (on-site) or video bridge (remote) and the recording posture
  • The order of sessions and the SME for each
  • The printed or shared evidence binder, accessible in real time during sessions
  • The follow-up request capture process. A shared spreadsheet with owner, date, status columns is the modern norm.

Brief every participant on the scope they own and which questions to defer to the security lead. The most common visit-day failure is an SME getting boxed into answering a question outside their lane and creating a finding that did not need to exist.

Day of, controlled cadence

Open the visit with a 15-minute company and program overview from the security lead. Cover:

  • Company size, industries served, regulatory posture
  • Cybersecurity program ownership and framework alignment
  • The MSP relationship, if applicable, and what the MSP owns versus what is internal
  • The agenda for the day, with named SMEs

Walk the auditor through the evidence binder section by section, with the SME for each section in the room. Let the auditor lead the question flow inside each session. Capture every follow-up request in writing in real time, with an owner and a date.

Where you do not know an answer, say so and capture it as a follow-up. Inventing an answer is the second most common visit-day failure.

Day after, follow-up disposition

Within 48 hours, return the follow-up request list with completion dates, owners and any supporting evidence the auditor asked for. The auditor’s report typically goes to the customer’s security leadership within 1 to 2 weeks. Audit visits that close cleanly within 2 weeks of the visit tend to result in the customer relationship continuing without escalation.

Items that slip past 30 days move from “supplier in good standing” to “supplier under review.” That is a longer conversation than anyone wants.
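The two timing rules above (closed within 2 weeks of the visit counts as clean, still open past 30 days moves the supplier under review) are easy to lose track of in a shared spreadsheet once a dozen items are in flight. The following script is an added example, not part of the original post or of Atticus Rowan's tooling; it applies those rules to a constructed follow-up tracker. The column names (item, owner, due, status, closed), the sample rows and the dates are all assumptions for illustration.

```python
"""Follow-up request tracker disposition (added example, not the post's own code).

Applies the post's two timing rules to a small follow-up tracker:
  - items closed within 14 days of the visit count as closed cleanly
  - items still open past 30 days escalate to "supplier under review"
Column names and sample rows below are constructed assumptions.
"""
import csv
import io
from datetime import date

CLEAN_CLOSE_DAYS = 14   # "within 2 weeks of the visit"
ESCALATION_DAYS = 30    # "past 30 days escalate"

# Constructed sample of the shared tracker the post describes
# (owner, committed date, status; closed date blank while open).
SAMPLE_TRACKER = """item,owner,due,status,closed
Tested-restore evidence for file server,IT ops lead,2026-04-10,closed,2026-04-08
EDR exclusion list with reasoning,MSP ops lead,2026-04-14,closed,2026-04-20
Vendor due-diligence records for top tier,Security lead,2026-04-21,open,
FIDO2 rollout to privileged accounts,IT ops lead,2026-05-15,open,
"""


def parse_tracker(text):
    """Parse the tracker CSV; 'due' and 'closed' become date objects (None if blank)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["due"] = date.fromisoformat(row["due"]) if row["due"] else None
        row["closed"] = date.fromisoformat(row["closed"]) if row["closed"] else None
        rows.append(row)
    return rows


def disposition(rows, visit_date, today):
    """Classify each item relative to the visit date.

    Each result carries:
      state   'clean' (closed within CLEAN_CLOSE_DAYS), 'closed-late',
              'open', or 'escalated' (still open past ESCALATION_DAYS)
      days    days from the visit to closure, or to today while open
      overdue whether the item missed its own committed 'due' date
    """
    results = []
    for r in rows:
        if r["closed"] is not None:
            days = (r["closed"] - visit_date).days
            state = "clean" if days <= CLEAN_CLOSE_DAYS else "closed-late"
            overdue = r["due"] is not None and r["closed"] > r["due"]
        else:
            days = (today - visit_date).days
            state = "escalated" if days > ESCALATION_DAYS else "open"
            overdue = r["due"] is not None and today > r["due"]
        results.append({"item": r["item"], "owner": r["owner"],
                        "state": state, "days": days, "overdue": overdue})
    return results


def supplier_standing(results):
    """The post's relationship outcome: any escalated item moves the
    supplier from 'good standing' to 'under review'."""
    if any(r["state"] == "escalated" for r in results):
        return "under review"
    return "good standing"


def days_until_escalation(visit_date, today):
    """Days left in the 30-day window for items that are still open."""
    return max(0, ESCALATION_DAYS - (today - visit_date).days)


if __name__ == "__main__":
    visit, today = date(2026, 4, 1), date(2026, 5, 5)
    results = disposition(parse_tracker(SAMPLE_TRACKER), visit, today)
    for r in results:
        flag = " (missed own due date)" if r["overdue"] else ""
        print(f"{r['state']:12} {r['days']:3}d  {r['owner']:15} {r['item']}{flag}")
    print("Standing:", supplier_standing(results))
    print("Days left before escalation:", days_until_escalation(visit, today))
```

Run it as-is to see the constructed tracker evaluated 34 days after the visit (two items escalated, standing "under review"); change `today` to a date inside the window to see the same open items reported as merely open with the days remaining.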

What does not work

A few patterns we see fail in customer audit visits.

  • Treating it as a sales meeting. Auditors are not the customer’s procurement team. Pitching capabilities they did not ask about wastes their time and signals that the program does not have substance behind the slogans.
  • Letting the IT manager run the program session. Governance and program is a security-leadership session. If the IT manager runs it because there is no security lead in the org, the program reads as IT-driven rather than security-driven, and that is a finding.
  • Showing up without an evidence binder. An auditor who finds no organized evidence to work from takes that absence as the answer to “is there a documented program.”

What manufacturers in our practice get from us

Atticus Rowan’s manufacturing practice is built around the customer-audit reality. We design and operate the IT-OT boundary, the cybersecurity program governance, the evidence binder and the audit-visit prep cadence. Manufacturing OT in particular is a discipline of its own. We run the cybersecurity program. The integrator runs the controls engineering. That separation is healthy and we make it explicit in customer conversations.

Our Manufacturing Cybersecurity Guide maps the IT-OT boundary, the customer-audit response cadence and the OEM remote-access governance pattern.

If your team is staring down a customer audit visit this quarter, start a conversation before the prep window closes. The 30-day-out remediation window is the highest-leverage moment.