Conduct an Audit

Conduct an Audit to review compliance related to an industry standard or key Configuration Items.

To conduct an Audit:

  1. On the CSM Desktop Client or the CSM Browser Client toolbar, select New > New GRC Audit.
  2. Select a source and type.
  3. Select a priority and level of effort.
  4. Select a lead auditor.
    1. Select the Next: Assigned link under Status in the Default form.
    2. In the Audit Participants tab of the form arrangement, define stakeholders for the Audit. Use Table Management to populate this table or select New GRC Participant.

      You must have at least one participant with a role of Approver to move the audit to the Approving phase.

  5. In the Audit Scope and Schedule section (in the Overview tab of the form arrangement), provide the Audit scope and criteria.
    For the Audit scope, provide information related to the extent and boundaries of the Audit (example: Audit affects all laptops, but focuses on remote employee laptops). The Audit criteria will be used as a reference for analyzing evidence found during the Audit.
    1. Select the proposed start and end dates. These dates are populated and represented on the audit calendar.
    2. Select the Recurring Audit check box, if appropriate. If selected, choose the following:
      • Review Frequency
      • Future Start Date
      • Future End Date
  6. Under Status, select the Next: Approving link.
    1. The Audit automatically enters the Approving phase. An Approval record displays in the Approvals tab of the form arrangement. The Approver reviews the Audit record details and validates the dates, scope, and criteria.
    2. After the Audit is approved, the status changes to Active.
  7. (Optional) On the Risk Assessments tab, select the Link button.
    The GRC Risk Assessment Selector window opens.
    1. Select one or more risk assessments from the list, and then select OK.
  8. In the Overview tab of the form arrangement, provide objective evidence.
    This information is related to evidence found during the course of the Audit (example: Discovered that two employees downloaded unauthorized programs on their computers).
  9. Provide an overall conclusion (example: Provided two employees with additional security training).
  10. Select the actual start and end dates.
  11. Select an Audit response (example: Corrective Actions Created).
  12. Under Status, select the Next: Complete link.
    The status changes to Completed. This indicates that the core auditor activities have been completed. Active compliance activities may still occur.
  13. Under Status, select the Next: Closed link to close the audit once all activities are completed.

(Optional) Select the Create Preventative Action or Create Corrective Action link in the Actions list and complete the form.