What you can do
- Create audit periods — Define an audit window (start/end date), framework scope, and audit type (Type 1 or Type 2)
- Record auditor information — Capture the external auditor’s name and email for coordination
- Respond to information requests — Manage audit requests (IRLs) from auditors with a NOT_READY → INTERNAL_REVIEW → AUDIT_READY → APPROVED / FLAGGED workflow
- Log findings and issues — Issues can be sourced from the audit, Control Tests, Access Reviews, or manual entry
- Track issue status — Move issues from Open → In Progress → Resolved as your team remediates
- Assign and monitor — Assign owners, set due dates, and see progress in dashboards
Plan an audit period
Open Audit Periods
In the Compliance module sidebar, click Audit Periods (sits under the small EVIDENCE & REPORTING caption).
Click New Audit Period
Fill in the audit name (e.g. “Q1 2026 SOC 2”), choose your Framework, select report type, and set start/end dates.
Add auditor details (optional)
Enter the external auditor’s name and email so coordination is logged in one place.
Audit period statuses and types
| Status | Meaning |
|---|---|
| Active | Audit is currently underway or scheduled to start soon |
| Completed | Audit has finished; findings are documented |
| Cancelled | Audit was postponed or abandoned |
- Type 1 — snapshot audit of controls at a point in time
- Type 2 — audit of controls over a period of time (more common for SOC 2, ISO 27001)
Log and track compliance issues
Open Compliance Issues
In the Compliance module sidebar, click Issues (under the EVIDENCE & REPORTING caption).
Click New Issue (or generate from findings)
Choose title, description, severity (Critical / High / Medium / Low), and source (Audit, Test Failure, Access Review, or Manual).
Link to control and audit period
Select the control and audit period the issue relates to. This ties the issue to your audit scope.
Issue status lifecycle
| Status | Meaning | Next step |
|---|---|---|
| Open | Issue is new or not yet addressed | Assign and begin work |
| In Progress | Remediation is underway | Complete work and gather evidence |
| Resolved | Issue is fixed; evidence is collected | Share with auditor for verification |
| Accepted | Auditor acknowledges the fix | Verify closure in audit report |
| Closed | Issue is officially resolved and documented | Archive; reference for future audits |
Linking issues to controls and evidence
Each issue can reference:
- Control — the specific control being tested
- Audit Period — which audit uncovered the issue
- Evidence — links to Evidence Collection items (test results, attestations, logs) that support closure
Compliance issues created from failed Control Tests automatically link to the control and test. Issues from Access Reviews findings also auto-link to the review evidence.
Integration with audit reports
Issues, findings, and their closure status flow into Reports under the audit period. Auditors can review:
- Total issues vs. resolved
- Severity distribution
- Remediation timeline and evidence
- Sign-off on closed issues
Frequently asked questions
Can I create audit periods for multiple frameworks?
Yes. Each audit period is tied to one framework. If you’re audited against SOC 2 and ISO 27001 simultaneously, create two separate audit periods.
How do I know which issues must be closed before the audit ends?
Review the issue due date alongside the audit period end date. The audit report flags any unresolved critical/high-severity issues that fall within the audit window.
Can I link an issue to multiple controls?
Each issue links to one control. If the issue affects multiple controls, create separate issues or a summary issue and link the others as related.
What evidence proves an issue is resolved?
Test results, attestations, policy documents, configuration screenshots, or audit logs — whatever demonstrates the control now works. See Evidence Collection.