Audit Engagements

Manage compliance audits from preparation to completion.

Overview

Audit Engagements helps you:

Plan and track audit activities
Manage auditor access and requests
Collect and organize evidence
Track audit findings and remediation
Generate audit-ready reports

Navigate to Audits in the sidebar.

Audit Types

Internal Audits

Self-assessments and internal reviews:

Security assessments
Policy compliance checks
Control effectiveness testing
Gap analysis

External Audits

Third-party auditor engagements:

SOC 2 Type I/II
ISO 27001 certification
PCI-DSS assessment
HIPAA audits
Regulatory examinations

Creating an Audit

New Audit Engagement

Go to Audits → Create Engagement
Enter audit details:
- Audit name
- Type (Internal/External)
- Framework (SOC 2, ISO, etc.)
- Audit period start/end
- Auditor/firm name
Set key milestones
Click Create

Audit Details

Field	Description
Name	Audit engagement name
Type	Internal or External
Framework	Compliance framework
Period	Audit period dates
Status	Planning, In Progress, Complete
Lead	Internal audit lead
Auditor	External auditor/firm

Audit Workflow

Phases

Planning → Fieldwork → Reporting → Remediation → Close

1. Planning Phase

Prepare for the audit:

Define scope and objectives
Identify key controls
Gather preliminary evidence
Schedule auditor meetings
Assign internal resources

Checklist:

[ ] Confirm audit scope
[ ] Identify in-scope systems
[ ] Assign control owners
[ ] Prepare evidence inventory
[ ] Schedule kickoff meeting

2. Fieldwork Phase

Active audit period:

Respond to auditor requests
Provide evidence
Facilitate testing
Address preliminary findings

Auditor Activities:

Control testing
Evidence review
Walkthroughs
Interviews

3. Reporting Phase

Receive and review results:

Draft report review
Management response preparation
Final report delivery

4. Remediation Phase

Address audit findings:

Create remediation tasks
Assign owners
Track progress
Provide evidence of remediation

5. Close Phase

Complete the engagement:

Final report accepted
Remediation verified
Lessons learned documented
Archive engagement

Evidence Requests

Managing Requests

When auditors request evidence:

Go to Audits → [Engagement] → Requests
View pending requests
Click request to see details
Upload or link evidence
Submit for auditor review

Request Status

Status	Description
Pending	Awaiting response
Submitted	Evidence provided
Accepted	Auditor approved
Rejected	Auditor needs more info
Closed	Request complete

Request List

Open Requests: 8

Due Today (2):
- CC6.1: Access control policy
- CC6.3: User access review

Due This Week (4):
- CC7.1: Vulnerability scan results
- CC7.2: Incident response plan
- CC8.1: Change management process
- CC9.1: Risk assessment

Due Later (2):
- CC1.1: Board meeting minutes
- CC2.1: Communication policy

Bulk Response

Respond to multiple requests:

Select related requests
Click Bulk Response
Upload evidence covering multiple requests
Map evidence to requests
Submit all

Auditor Portal

Professional Feature

Auditor Portal requires Professional or Enterprise plan.

Portal Access

Grant auditors read-only access:

Go to Audits → [Engagement] → Access
Click Invite Auditor
Enter auditor email
Set permissions
Send invitation

Portal Features

Auditors can:

View assigned controls
Submit evidence requests
Review submitted evidence
Add comments/questions
Mark requests complete

Access Levels

Level	Capabilities
Viewer	View evidence only
Reviewer	View + comment
Requester	View + comment + request

Audit Findings

Finding Types

Type	Description
Observation	Minor issue, informational
Finding	Control deficiency
Exception	Instance of non-compliance
Material Weakness	Significant control failure

Tracking Findings

Go to Audits → [Engagement] → Findings
View all identified findings
Click finding for details
Assign remediation owner
Track to resolution

Management Response

Document your response to findings:

Open finding
Click Management Response
Add response:
- Root cause
- Remediation plan
- Target date
- Responsible party
Submit response

Remediation Tracking

Finding: Access Review Frequency

Status: In Remediation
Owner: Jane Smith
Target: Feb 15, 2026

Progress:
[✓] Root cause identified
[✓] Remediation plan approved
[ ] Technical implementation
[ ] Documentation update
[ ] Verification testing

Reporting

Audit Dashboard

View audit status at a glance:

SOC 2 Type II Audit 2026

Status: Fieldwork (65% complete)
████████████████████████░░░░░░░░░░░░░░ 65%

Timeline:
Jan 15 - Kickoff ✓
Feb 1  - Fieldwork Start ✓
Mar 1  - Fieldwork End (in progress)
Mar 15 - Draft Report
Apr 1  - Final Report

Requests: 45 total
├── Accepted: 30 (67%)
├── Submitted: 10 (22%)
└── Pending: 5 (11%)

Status Report

Generate status report:

Click Reports → Audit Status
Select engagement
Choose sections
Generate PDF

Evidence Package

Create comprehensive evidence package:

Go to Audits → [Engagement] → Package
Select controls and evidence
Add table of contents
Include metadata
Generate package

Package includes:

Cover page
Control matrix
Evidence documents
Collection metadata
Chain of custody

Audit Calendar

Timeline View

View all audit activities:

January 2026
─────────────────────────────────────────────────
Week 1: SOC 2 - Kickoff meeting
Week 2: SOC 2 - Control testing begins
Week 3: ISO 27001 - Pre-assessment
Week 4: PCI-DSS - SAQ completion due

Milestones

Track key dates:

Milestone	Date	Status
Audit Kickoff	Jan 15	Complete
Evidence Request Deadline	Feb 15	Pending
Fieldwork Complete	Mar 1	Upcoming
Draft Report	Mar 15	Upcoming
Final Report	Apr 1	Upcoming

Reminders

Receive notifications for:

Upcoming milestones
Overdue requests
Response deadlines
Finding due dates

Multi-Framework Audits

Combined Audits

Manage audits covering multiple frameworks:

Create engagement
Select multiple frameworks
Map shared controls
Evidence used for all frameworks

Efficiency Benefits

Control: Access Reviews

Maps to:
- SOC 2 CC6.2 ✓
- ISO 27001 A.9.2.5 ✓
- PCI-DSS 8.1.4 ✓

One evidence set, three frameworks!

API Access

bash

# List audit engagements
GET /api/v1/audits?status=in_progress

# Get engagement details
GET /api/v1/audits/{audit_id}

# Create engagement
POST /api/v1/audits
{
  "name": "SOC 2 Type II 2026",
  "type": "external",
  "framework": "soc2",
  "period_start": "2025-01-01",
  "period_end": "2025-12-31",
  "auditor": "Example CPA Firm"
}

# List evidence requests
GET /api/v1/audits/{audit_id}/requests

# Respond to request
POST /api/v1/audits/{audit_id}/requests/{request_id}/respond
{
  "evidence_ids": ["evidence_123", "evidence_456"],
  "notes": "Please see attached documents"
}

See API Reference for full documentation.

Best Practices

Start Early: Begin preparation 2-3 months ahead
Assign Owners: Each control needs an owner
Organize Evidence: Keep evidence organized year-round
Communicate Clearly: Regular updates to auditors
Track Everything: Document all interactions
Learn from Findings: Address root causes
Automate Collection: Use automated evidence where possible

Audit Engagements ​

Overview ​

Audit Types ​

Internal Audits ​

External Audits ​

Creating an Audit ​

New Audit Engagement ​

Audit Details ​

Audit Workflow ​

Phases ​

1. Planning Phase ​

2. Fieldwork Phase ​

3. Reporting Phase ​

4. Remediation Phase ​

5. Close Phase ​

Evidence Requests ​

Managing Requests ​

Request Status ​

Request List ​

Bulk Response ​

Auditor Portal ​

Portal Access ​

Portal Features ​

Access Levels ​

Audit Findings ​

Finding Types ​

Tracking Findings ​

Management Response ​

Remediation Tracking ​

Reporting ​

Audit Dashboard ​

Status Report ​

Evidence Package ​

Audit Calendar ​

Timeline View ​

Milestones ​

Reminders ​

Multi-Framework Audits ​

Combined Audits ​

Efficiency Benefits ​

API Access ​

Best Practices ​