Audit Process
Providing evidence does not always mean that the evidence is sufficient or relevant. It's possible the objective was misunderstood, or that the evidence is no longer applicable. To truly ensure that all evidence satisfies the requirements of the compliance objective, an audit is required.
Audits can be performed internally or externally. An internal audit would normally be performed under the supervision of the Chief Compliance Officer. Often internal audits will be performed to prepare for an external audit, so corrections can be made and evidence collected.
External audits are usually performed either to obtain certification (for example, SOC2 or ISO certification) or to satisfy regulatory requirements set by law. They can also be performed at the request of clients as part of contractual obligations.
Our platform's Compliance Module helps automate the audit process and records the outcome of each audit. To start an audit, you must first have a user defined who has the "Auditor" flag checked, in addition to the Risk Analyst flag. This gives them access to the Compliance tab, as well as special access that lets them dig deeper into the evidence. For example, they will be able to view all tasks in the system.
To start an audit, go back to the framework's main dashboard screen, and click Start Audit:
This will pop up a form where you can select an auditor and the date the audit started. Once you click OK, the system will assign all objectives in that framework to that auditor. This means they will all show as red in the system, and a reminder email can be configured to remind the auditor of those outstanding objectives each day.
Once the auditor logs in, and goes to the appropriate framework, they would see the assignments as follows:
They would then click on each objective that is assigned to them to review the objective and the supplied evidence.
Once they are finished reviewing, they would click the Audit button:
And fill in the details of whether it was satisfactory, with notes if appropriate:
It will then mark the objective as audited, remove the assignment, and let the auditor move on to the next item, showing how much of the audit is complete:
The audit can be performed in any order; it does not have to be sequential. Remember that you can use the navigator icon (the gray folder icon at the end of the title) to switch between objectives.
In some cases the auditor will decide to add sub-objectives that are specific to your organization. For example, while the objective may say to perform an information audit, the auditor may add sub-objectives detailing which departments in that specific organization need to supply that information.
They may also add tasks to evidence, which is discussed next.