Version: 1.0.0

Audit Playbooks

Use these playbooks when working inside the Audit Management module. They explain how audits, findings, verification, assessment controls, issues, and risks connect.

Run an Audit Linked to an Assessment

  1. Open Audit Management.
  2. Create or select an audit program.
  3. Create the audit with scope, period, audit manager, team, and planned dates.
  4. Link the audit to the assessment being tested.
  5. Review assessment controls, responses, evidence, comments, and approval history.
  6. Record observations.
  7. Create findings for failed controls, missing evidence, weak evidence, or unsupported responses.
  8. Link each finding to the exact failed assessment control where applicable.
  9. Assign finding owner, severity, due date, root cause, recommendation, and evidence expectation.
  10. Monitor remediation and evidence upload.
  11. Verify findings when owners submit remediation evidence.
  12. Close the audit only after findings, verifications, and required approvals are complete.

Verify and Close a Finding

The owner cannot close a finding directly. The owner's close action only submits the finding for auditor verification.

  1. Owner completes remediation.
  2. Owner uploads remediation evidence.
  3. Material finding is linked to an issue or risk.
  4. Owner uses the close action.
  5. The action submits the finding for verification.
  6. Auditor reviews the evidence.
  7. Auditor verifies or sends it back.
  8. Verified findings can be closed or accepted with rationale.

Trigger Targeted Assessment Reassessment

Use this when the finding is linked to a failed assessment control.

  1. Auditor verifies the finding.
  2. The linked assessment control is marked Requires Reassessment.
  3. The control compliance status resets to Not Assessed.
  4. A targeted reassessment due date is set.
  5. If the assessment was Completed or Closed, it reopens to In Progress.
  6. Control owner reassesses only that control.
  7. Control owner uploads updated evidence.
  8. Saving the control response clears the reassessment flag.
  9. Linked issue, treatment, or risk closure can proceed based on the corrected control state.
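The closure gate and the targeted reassessment above, modelled as a small state machine. This is an added example, not the product's own code. The class and function names, the finding status names ("Open", "Pending Verification", "Verified"), the starting control state, and the 30-day reassessment window are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Control:
    compliance_status: str = "Non-Compliant"   # constructed starting state
    requires_reassessment: bool = False
    reassessment_due: Optional[date] = None

@dataclass
class Finding:
    material: bool
    control: Optional[Control] = None          # the exact failed control, if linked
    evidence: list = field(default_factory=list)
    issue_or_risk: Optional[str] = None
    status: str = "Open"                       # assumed status names

def owner_close(f: Finding) -> None:
    """Owner's close action: never a direct close, only a submission."""
    if not f.evidence:
        raise ValueError("remediation evidence is required")
    if f.material and not f.issue_or_risk:
        raise ValueError("material finding needs a linked issue or risk")
    f.status = "Pending Verification"

def auditor_verify(f: Finding, assessment: dict, today: date,
                   accept: bool = True, due_days: int = 30) -> None:
    """Auditor verifies or sends back; verifying triggers targeted reassessment."""
    if f.status != "Pending Verification":
        raise ValueError("finding was not submitted for verification")
    if not accept:
        f.status = "Open"                      # sent back to the owner
        return
    f.status = "Verified"
    if f.control is not None:                  # only the linked control is touched
        f.control.requires_reassessment = True
        f.control.compliance_status = "Not Assessed"
        f.control.reassessment_due = today + timedelta(days=due_days)  # assumed window
        if assessment["status"] in ("Completed", "Closed"):
            assessment["status"] = "In Progress"

def save_control_response(c: Control, status: str) -> None:
    """Saving the reassessed response clears the reassessment flag."""
    c.compliance_status = status
    c.requires_reassessment = False

def close_finding(f: Finding) -> None:
    if f.status != "Verified":
        raise ValueError("only verified findings can be closed")
    f.status = "Closed"
```
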

FAQ

| Question | Answer |
| --- | --- |
| Can a finding close without evidence? | No. Remediation evidence is required. |
| Can a material finding close without issue or risk linkage? | No. Material findings need governed remediation or exposure tracking. |
| What does the close action do on a finding? | It submits the finding for auditor verification. |
| Does audit verification create a full reassessment? | No. It triggers targeted reassessment for the exact failed assessment control. |
| Who updates risk after verification? | The risk owner reviews residual exposure after reassessment evidence is available. |