Audit Management
Plan, execute, and track audits from a single workspace. SecureHive supports both internal assessments and external audit coordination through a structured hierarchy: programs contain cycles, cycles contain instances, and instances contain control tests.
For a complete walkthrough of the audit process from framework setup to final report, see the end-to-end example.
Audit hierarchy
```text
Audit Program (3-Year ISO 27001 Program)
└── Audit Cycle (Q1 2026 Internal Audit)
    └── Audit Instance (IT Access Controls Audit)
        ├── Control Tests
        ├── Findings & Evidence
        └── Audit Report
```

Programs define your multi-year strategy. Cycles organize audits into time-bound periods (quarterly, semi-annual, annual). Instances represent actual audit executions with teams, control testing, and deliverables.
Compliance frameworks
Frameworks provide the control structure that audit programs test against. SecureHive supports both platform frameworks (pre-built standards available in the marketplace) and custom frameworks you create yourself.
Licensing a framework
Browse the marketplace
Navigate to Audit Management → Frameworks and browse available frameworks including ISO 27001, SOC 2, PCI-DSS, and NIST CSF.
License the framework
Click License Framework on your chosen standard. The framework is copied to your tenant with all its control groups and individual controls.
Verify in My Frameworks
The licensed framework appears in the My Frameworks section, ready to use in audit programs.
Each framework is organized into control groups (logical groupings like “Access Control” or “Cryptography”) containing individual controls with IDs, names, descriptions, and assessment questions.
Audit programs
An audit program links a licensed framework to a multi-year audit strategy with defined scope, team, and objectives.
Creating a program
Select a framework
Navigate to Audit Management → Programs → Create Program and select a licensed framework.
Configure program details
| Field | Description |
|---|---|
| Name | Descriptive name (e.g., “2026 ISO 27001 Compliance Program”) |
| Description | Program objectives and scope |
| Audit Type | Internal, External, Compliance, or Operational |
| Start / End Date | Program duration (typically 1–3 years) |
Assign the team
Set a Lead Auditor (required) and optionally assign the program to a specific user for management.
Save the program
The program is created with status Planning and is ready for cycles.
Program statuses progress through Planning → In Progress → Review → Completed (or Cancelled).
Audit cycles
Cycles are time-bound periods within a program that organize when audit work happens.
Creating a cycle
From your program, click Create Cycle and configure the name, description, and start/end dates. Common patterns include quarterly (3 months), semi-annual (6 months), and annual (12 months) cycles.
| Pattern | Frequency | Best for |
|---|---|---|
| Quarterly | 4 per year | Regular focused audits with different areas each quarter |
| Semi-Annual | 2 per year | Comprehensive audits requiring more time |
| Annual | 1 per year | Full certification cycles |
Cycle statuses follow the same progression as programs: Planning → In Progress → Review → Completed.
Audit instances
An instance is where audit work happens — team assignment, control selection, test execution, evidence collection, and findings documentation.
Creating an instance
Open a cycle
Navigate to your program, select a cycle, and click Create Instance.
Configure instance details
Provide a name (e.g., “IT Access Controls Audit”), description, scope, objectives, and planned start/end dates.
Assign the team
Set a Lead Auditor and add team members who will be assigned to control tests.
Select controls
In the Controls tab, click Add Controls and select controls from the framework. Control tests are automatically created for each selected control.
Instance tabs
Each instance provides six management tabs:

| Tab | Purpose |
|---|---|
| Controls | Select and manage controls for testing |
| Control Tests | View test status, results, and assignments |
| Findings | Document issues discovered during testing |
| Evidence | Upload and manage supporting documents |
| Team | Manage members, workload, workflows, and templates |
| Activity | View the full audit trail of actions and status changes |
Instance statuses progress through Planning → Fieldwork → Review → Reporting → Completed.
Evidence collection
Evidence can be collected through manual upload (documents, screenshots, attestations), automated collection from integrated tools, and scheduled snapshots on a defined cadence. Each piece of evidence links to specific control tests and is preserved for audit reporting.
Findings management
Each finding includes a severity rating, root cause analysis, remediation owner, target date, and links to the control tests and risks involved. Findings automatically update the risk register and compliance status when resolved.
Reporting
SecureHive generates three types of audit reports from your instance data.
| Report type | Audience | Includes |
|---|---|---|
| Executive Summary | Leadership and stakeholders | Key metrics, findings summary, risk assessment, recommendations |
| Detailed Report | Audit teams | Complete control test results, evidence review, all findings, full audit trail |
| Compliance Report | Regulators and auditors | Control coverage analysis, gap analysis, remediation roadmap, certification readiness |
Generating a report
Navigate to your audit instance’s Reports tab, click Generate Report, select the type, and configure the title and included sections. Reports move through Draft → Approved → Published status. Download as PDF for distribution.
Workflow automation
Workflows automate the assignment process for control tests. Define sequential steps that auto-assign users, send notifications, and manage the executor → reviewer → approver flow.
A typical three-step workflow assigns an Executor (performs the test, auto-assigned based on workload), then a Reviewer (reviews work after executor completes), then an Approver (gives final sign-off). See Control Tests for details on roles and the testing workflow.
Workload management
SecureHive tracks each team member’s active assignments, capacity, completion rate, and average completion time. The auto-assignment engine uses this data to select the most available, highest-performing user.
Workload status indicators show capacity at a glance: Available (0–50% utilization), Busy (50–70%), Optimal (70–90%), and Overloaded (90–100%). Configure per-user limits under the workload dashboard — recommended ranges are 5–7 for junior auditors, 10–15 for senior, and 15–20 for leads.
Assignment templates
Templates standardize the assignment process by providing default roles, priorities, due dates, and auto-assignment rules for common scenarios. Create templates for different control types (IT, financial, high-risk) and the system selects the best match based on control type and risk level, falling back to a default template.
Templates support JSON-based auto-assignment rules that filter users by department, expertise, role, and workload utilization.
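The following is an added illustration, not SecureHive's own code: it models the utilization bands from the workload section and a JSON auto-assignment rule that filters users by department, expertise, role, and utilization, then picks the most available, highest-performing match. The rule schema, the team data, and the treatment of band edges as exclusive upper bounds are assumptions made for the example.

```python
import json

# Added illustration of the page's workload bands and JSON rule filtering. The rule
# schema and team data are constructed for this example, not SecureHive's own format.
RULE_JSON = '{"department": "IT", "expertise": ["access-control"], "role": ["auditor", "senior_auditor"], "max_utilization": 70}'
TEAM = [  # constructed sample team: active assignments against each user's limit
    {"name": "ana", "department": "IT", "expertise": ["access-control"], "role": "senior_auditor", "active": 6, "limit": 12, "completion_rate": 0.95},
    {"name": "ben", "department": "IT", "expertise": ["access-control"], "role": "auditor", "active": 2, "limit": 6, "completion_rate": 0.88},
    {"name": "cara", "department": "Finance", "expertise": ["access-control"], "role": "auditor", "active": 0, "limit": 6, "completion_rate": 0.99},
    {"name": "dev", "department": "IT", "expertise": ["access-control"], "role": "lead", "active": 15, "limit": 18, "completion_rate": 0.97},
]
BANDS = [(50, "Available"), (70, "Busy"), (90, "Optimal"), (float("inf"), "Overloaded")]

def utilization(user):
    """Percent of the configured per-user limit currently in use."""
    if user["limit"] <= 0:
        raise ValueError("per-user limit must be positive")
    return 100.0 * user["active"] / user["limit"]

def workload_status(active, limit):
    """Map utilization to the page's bands; a band's upper edge is exclusive (assumption)."""
    pct = utilization({"active": active, "limit": limit})
    return next(label for upper, label in BANDS if pct < upper)

def parse_rule(text):
    """Load a JSON rule; unknown keys are rejected so a typo cannot silently widen the pool."""
    rule = json.loads(text)
    unknown = set(rule) - {"department", "expertise", "role", "max_utilization"}
    if unknown:
        raise ValueError(f"unknown rule keys: {sorted(unknown)}")
    return rule

def eligible_users(team, rule):
    """Apply each rule clause that is present; an absent clause is no constraint (over-limit users never match)."""
    def ok(u):
        return (u["department"] == rule.get("department", u["department"])
                and (not rule.get("expertise") or set(rule["expertise"]) & set(u["expertise"]))
                and u["role"] in rule.get("role", [u["role"]])
                and utilization(u) <= rule.get("max_utilization", 100))
    return [u for u in team if ok(u)]

def assign_control_test(team, rule):
    """Pick the least-loaded eligible user (ties go to the higher completion rate) and book the assignment."""
    pool = eligible_users(team, rule)
    if not pool:
        return None  # nobody matches: fall back to the default template or manual assignment
    chosen = min(pool, key=lambda u: (utilization(u), -u["completion_rate"]))
    chosen["active"] += 1
    return chosen["name"]
```

Calling `assign_control_test` repeatedly on the same team shows the balancing effect: once the first pick reaches the same utilization as the next candidate, the tie is broken by completion rate.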
Best practices
Plan programs for 2–3 years to align with certification cycles. Use consistent naming conventions that include the year and framework. Set realistic timelines that account for testing, evidence collection, review, and reporting. Configure workflows and templates before creating control test assignments. Monitor the workload dashboard weekly to identify overloaded team members.