An audit definition establishes a set process for validating controls and control tests.
From the definition, audit instances can be generated as tasks that drive the audit. During the
audit process, the auditor can record audit observations to track the gathered
information. Auditors can use these observations to create remediation tasks.
Once generated, audit instances can reference any existing evidence of compliance by
associating previously executed control tests with the control test definitions that have been
established in the audit.
During the audit process, an administrator can create and assign remediation tasks that need
to be performed before and during an audit. In addition, audit requirements associate citations
with the audit, allowing auditors to track compliance or non-compliance with the original
If the latest evidence is not recent enough, click Execute Now in the
Control Test Definition form to execute a control test instance. This action creates the control
test instance and automatically associates it with the audit. The control test instance record
also has the Generate from audit field populated with the audit number,
so that it is clear that the test was created from an audit and not manually.
The following diagram illustrates the process of managing an audit with IT Governance, Risk