
End-to-End Audit Example

This walkthrough demonstrates the complete audit process in SecureHive using a realistic scenario: Acme Corporation conducting a Q1 2026 ISO 27001 internal audit focused on IT access controls.

This example uses all major audit components — frameworks, programs, cycles, instances, control tests, workflows, templates, workload management, and reporting. Each step references the relevant documentation page for deeper detail.


Phase 1: Setup and configuration

License the framework

Navigate to Assurance Reviews → Audit Frameworks, browse the marketplace, and license ISO 27001. The framework is copied to your tenant with all control groups and controls.

Create the audit program

Go to Audit Programs → Create Program and configure:

| Field | Value |
| --- | --- |
| Name | 2026 ISO 27001 Compliance Program |
| Framework | ISO 27001 |
| Audit Type | Internal |
| Start Date | January 1, 2026 |
| End Date | December 31, 2026 |
| Lead Auditor | John Smith |

Create the audit cycle

Within the program, create a cycle:

| Field | Value |
| --- | --- |
| Name | Q1 2026 Internal Audit |
| Start Date | January 1, 2026 |
| End Date | March 31, 2026 |

Create the audit instance

Within the cycle, create an instance:

| Field | Value |
| --- | --- |
| Name | IT Access Controls Audit |
| Scope | IT Department — Access Management |
| Objective | Verify access control policies are implemented and effective |
| Lead Auditor | John Smith |
| Team | Sarah Johnson, Mike Davis |

Configure workflows and templates

Set up an IT Control Template with default role Executor, priority Medium, and 14-day due period. Create a Standard Control Test Workflow with three steps: Assign Executor → Assign Reviewer → Assign Approver.

Verify team workload

Check the workload dashboard to confirm Sarah and Mike have capacity for new assignments. Adjust max concurrent limits if needed.


Phase 2: Control testing

Select controls

In the instance’s Controls tab, add three controls from ISO 27001:

| Control ID | Control Name |
| --- | --- |
| A.9.1.1 | Access control policy |
| A.9.2.1 | User registration and de-registration |
| A.9.2.3 | Management of privileged access rights |

Control tests are auto-created for each.

Configure a control test

Open the A.9.1.1 control test and configure: risk level High, planned dates January 20 – February 5, 2026. The IT Control Template applies default settings.

Create the initial assignment

Assign Sarah Johnson as Executor. The workflow triggers automatically — the system schedules a Reviewer assignment (auto-assigned to Mike Davis based on workload) and an Approver assignment (John Smith).

Executor performs the test

Sarah reviews the test procedure, performs the test, documents her findings, uploads evidence (access control policy document, system screenshots, user access review records), and marks the assignment as Submitted for Review. The workflow advances to Step 2.

Reviewer reviews the work

Mike Davis (auto-assigned) reviews Sarah’s evidence for quality and completeness, verifies the procedure was followed, and marks his review as Approved. The workflow advances to Step 3.

Approver approves the test

John Smith reviews the complete package, sets the test result to Pass, and marks the test as Completed. All workflow steps are complete and workload counters are updated.


Phase 3: Findings and remediation

During testing, control A.9.2.3 reveals an issue: privileged access reviews are not performed quarterly as required.

Documenting the finding:

| Field | Value |
| --- | --- |
| Title | Privileged Access Review Not Performed Quarterly |
| Severity | Medium |
| Status | Open |
| Linked Control | A.9.2.3 — Management of privileged access rights |

Creating a remediation action:

| Field | Value |
| --- | --- |
| Title | Implement Quarterly Privileged Access Reviews |
| Assigned To | IT Security Team |
| Due Date | March 31, 2026 |
| Priority | High |
| Status | In Progress |

Phase 4: Reporting

Generate the audit report

Navigate to the instance’s Reports tab, click Generate Report, and select Executive Summary. Title it “Q1 2026 IT Access Controls Audit — Executive Summary.”

Review and approve

Review the generated report for accuracy and completeness. Click Approve Report to finalize. The report is ready for distribution as a PDF.


Final metrics

| Category | Metric |
| --- | --- |
| Control tests | 3 total, 3 completed, 2 passed, 1 failed (with finding) |
| Assignments | 9 total created, 9 completed, 12 days average completion |
| Findings | 1 documented, 1 remediation action in progress |

Key takeaways

Workflows automate the process — assignments flow from executor to reviewer to approver without manual coordination.

Templates ensure consistency — the same roles, priorities, and due dates are applied every time.

Workload balancing distributes work fairly — auto-assignment selects the most available team member.

All components integrate seamlessly — frameworks, programs, cycles, instances, tests, findings, and reports work together as a unified system.
