The Audits feature has been refreshed to include a useful workflow for performing internal or 3rd party audits. ControlMap has always supported auditing by evidence request list, but you can now also audit by Framework or Control Set in addition to Request List (named 3rd party audit).
Internal Audit vs 3rd Party Audit:
The audit function is designed to be used for either an internal audit, performed by an internal Super User / Compliance Manager, or an external 3rd Party Audit, performed with an external auditor or assessor who has either Compliance Manager or Auditor permissions.
For 3rd Party audits specifically, an audit workflow is designed to support evidence approvals and an assignment process, outlined below, for Frameworks, Control Sets or Audit Request Lists (named 3rd party audit).
Once you start an audit, you can invite Auditors to work directly within ControlMap from any of the Audit types and then work through the audit with the auditor by assigning exactly what you want the auditor to have access to. See the 3rd Party Audit Workflow below for more information.
TABLE OF CONTENTS
- View Audits
- Create Audit
- Create a Data Request for an existing Audit
- Review Framework Objectives within Audit
- Export Audit Data
- 3rd Party Audit Workflow
View Audits
- Go to Audits
- All the Regulatory Frameworks ready for Audit are visible, along with their status.
Create Audit
Click on the Create an Audit button and choose to audit by Framework, by Control Set, or by Third Party Audit, where an Evidence Request List would be uploaded.
Name your Audit + Select Framework / Dates / Owner (optional: Auditor):
- The following details can be entered:
- Name - Provide an appropriate name for the audit program.
- Framework / Control Set - Choose the regulatory framework that is ready for audit.
- Start date and End date - Enter a start date and end date for the audit.
- Owner - Please choose an appropriate owner for the audit program.
- Auditor - Optional: Please choose an appropriate auditor for the audit program.
Audit a Framework:
- This will likely be the most common type of audit you will use. Select this option and fill in the info above: select the Framework you wish to start an audit for and click "Create Program".
- Once started, the framework will load into an audit view. The ability to perform an audit by framework objective and evidence is outlined below:
Audit a Control Set:
- Similar to auditing a Framework, you will fill in the info above from step 1: select the Control Set you wish to audit and click "Create Program" (select a Control Set to audit --> set the dates and start the audit). You will then be provided with the control set to manage for audit, where all controls are loaded for audit.
Third Party Audit (Evidence Request List)
- This audit workflow is slightly different from the others in that you will need to create and upload a data request CSV file for this audit. You can create this audit blank or upload the file within the setup workflow. Either way, you will need to provide a CSV of evidence requests and map the audit requests in order to upload a data request file for the Audit.
- Click on "Click here for download Sample File" for a template
- Note that the header row of the CSV file contains additional data for each column of data.
- A sample data file is available for download.
- Click next and map the fields from uploaded data to relevant data request attributes.
- Click on Start Import. The created program, along with the data requests, can be reviewed on the Audit Programs screen.
Create a Data Request for an existing Audit
- Go to Audits.
- Choose the audit program from the existing list for which you intend to create the data request.
- Click on Create Data Request.
- Enter relevant details to create a data request.
- Description - Provide a relevant description.
- Owner - Please choose an appropriate owner for the data request.
- Auditor - Select an auditor for the data request. The Auditor search will only show users with Auditor Role.
- Map Requirements - Search and select the appropriate requirement to map to this data request. Mapping the data request to the right requirement will allow the users to attach pre-collected and existing evidence to the data request.
- Click Create. The created data request can be reviewed on the Audit report screen. Click on the Data Request to Edit/View.
Review Framework Objectives within Audit
As your business is getting ready to answer audit data requests, ControlMap provides a convenient dashboard where you can review frameworks from within the Audit feature. This is helpful for the auditor, who can reference evidence directly within the framework objectives.
- Go to Audit.
- Choose an Audit Program and click on it, then click on the Framework button to change views.
Export Audit Data
- Go to Audit.
- Choose an audit program and click on it, then click on the Export button next to the Request button.
- ControlMap will send you an email when the report is ready for download.
3rd Party Audit Workflow
When working with a 3rd party auditor or assessor, ControlMap includes additional steps necessary to Assign an Auditor + Confirm Completion Status + Submit to auditor for each piece of evidence, to ensure the appropriate evidence is submitted and controlled.
- Open an audit program and click on it and then click on any Evidence.
- Assign evidence to an auditor in the above screen by clicking "Assign" or within the evidence itself (Bulk select and assign is available in list view)
- Confirm Completion Status of the evidence, then Submit the evidence to the Auditor. (Note: the evidence below is neither assigned nor submitted, so the Auditor cannot view it yet.)
- Click on "Submit to auditor" to submit to the auditor to view
- Auditor status will update to "With Auditor" and a "Withdraw" option is now available
- Evidence Approvals are necessary to specify what evidence you want the auditor to have access to within "Evidence Documents Selected for audit" or "Evidence directly attached to the request"
- Once clicked you can select exactly what evidence you wish to approve for the auditor to view: