Audit Programs

An audit program is an implementation plan that defines how a compliance framework will be used within your organization. Programs represent multi-year audit strategies with defined scope, duration, objectives, and team assignments.

Audit Program (3-Year ISO 27001 Program)
├── Audit Cycle (Year 1: Internal Audit)
│   └── Audit Instance (Q1 2026 Internal Audit)
├── Audit Cycle (Year 2: External Audit)
│   └── Audit Instance (Q1 2027 External Audit)
└── Audit Cycle (Year 3: Certification Audit)
    └── Audit Instance (Q1 2028 Certification Audit)

Programs contain cycles, which contain instances, which contain control tests. This hierarchical structure supports organized, multi-year audit planning.

Creating a program

Go to Assurance Reviews → Audit Programs and click Create Program.

Select a framework

Choose the compliance framework this program will be based on. The framework must be licensed first — see Frameworks.

Configure program details

| Field | Description |
| --- | --- |
| Name | Descriptive name (e.g., “2026 ISO 27001 Compliance Program”) |
| Description | Program objectives and scope |
| Audit Type | Internal, External, Compliance, or Operational |
| Start Date | Program start date |
| End Date | Program end date (typically 1–3 years) |

Assign the team

Set a Lead Auditor (required) and optionally assign the program to a specific user for management.

Save the program

Review all information and click Save. The program is created with status Planning and is ready for cycles.

Program lifecycle

Programs progress through four statuses:

Planning — Program is being planned, scope and team are defined, cycles are being structured.

In Progress — Program is active. Cycles and instances are created and executed.

Review — Program progress, findings, and remediation actions are reviewed.

Completed — All cycles are completed, final reports are generated, and the program is closed.

Programs can also be Cancelled.

Best practices

Plan programs for 2–3 years to align with certification cycles. Use descriptive names that include the year and framework (e.g., “2026 ISO 27001 Compliance Program”). Always assign a lead auditor who will be responsible for oversight and coordination. Include detailed descriptions and objectives to guide the team and stakeholders.

Next steps

Once your program is created, add audit cycles to organize when audit work happens.
