Audit Instances
An audit instance is where audit work happens — team assignment, control selection, test execution, evidence collection, and findings documentation. Each instance represents a specific audit execution within an audit cycle.
Audit Instance (IT Access Controls Audit)
├── Control Tests (test individual controls)
│   ├── Assignments (user assignments)
│   ├── Evidence (supporting documents)
│   └── Findings (issues discovered)
├── Team Members (assigned users)
└── Audit Report (final deliverable)
Creating an instance
Open a cycle
Navigate to your program, select a cycle, and click Create Instance.
Configure instance details
Provide a name (e.g., “IT Access Controls Audit”), description, scope (areas being audited), objectives (what you’re trying to achieve), and methodology (how the audit will be conducted).
Set the timeline
Set Planned Start Date and Planned End Date for the audit. Actual start and end dates are updated automatically as work progresses.
Assign the lead auditor
Select a Lead Auditor who will be responsible for overseeing this audit instance.
Add the audit team
Add team members who will participate in the audit. These users can be assigned to control tests as executors, reviewers, or approvers.
Save the instance
Review all information and click Save. The instance is created with status Planning.
Instance tabs
Each audit instance provides six management tabs:
| Tab | Purpose |
|---|---|
| Controls | Select and manage controls from the framework for testing |
| Control Tests | View test status, results, and assignments for each control |
| Findings | Document and track issues discovered during testing |
| Evidence | Upload and manage supporting documents linked to tests |
| Team | Manage members, view workload, configure workflows and templates |
| Activity | View the full audit trail of actions and status changes |
Instance lifecycle
Instances progress through five statuses:
Planning — Create the instance, assign the team, select controls, and configure workflows and templates.
Fieldwork — Execute control tests, collect evidence, and document findings. Team members work on their assignments.
Review — Review test results, findings, and evidence. Approve work or request changes.
Reporting — Generate audit reports (Executive Summary, Detailed Report, or Compliance Report).
Completed — All tests are completed, reports are generated, and findings are documented. The instance is closed.
Best practices
Define a clear, focused scope for each instance — don’t try to audit everything at once. Select team members with relevant expertise for the controls being tested. Plan sufficient time for testing, evidence collection, review, and reporting. Set up workflows and templates before creating control test assignments to automate the process.
Next steps
After creating an instance, add controls and create control tests to begin audit execution.