Audit Programs
Plan and manage multi-year audit strategies based on compliance frameworks
An Audit Program is an implementation plan that defines how a compliance framework will be used within your organization. It represents a multi-year audit strategy with defined scope, duration, objectives, and team assignments.
Framework-Based
Programs are based on specific compliance frameworks (ISO 27001, SOC 2, PCI-DSS, etc.).
Multi-Year Strategy
Programs typically span multiple years and contain multiple audit cycles for structured planning.
Program Structure
Programs contain cycles, which contain instances, which contain control tests. This hierarchical structure allows for organized, multi-year audit planning.
Creating an Audit Program
Navigate to Programs
Go to Audit Management → Programs in the sidebar.
Click "Create Program"
Click the "Create Program" button to start creating a new program.
Select Framework
Choose the compliance framework this program will be based on (must be licensed first).
Fill in Program Details
Enter the following information:
- Name: Descriptive name (e.g., "2026 ISO 27001 Compliance Program")
- Description: What this program aims to achieve
- Audit Type: Internal, External, Compliance, or Operational
- Start Date: Program start date
- End Date: Program end date (typically 1-3 years)
- Status: Planning, In Progress, Review, Completed, or Cancelled
Assign Team
Assign a Lead Auditor and optionally assign the program to a specific user.
Save Program
Review all information and click "Save" to create the program.
Program Fields Explained
Name
Descriptive name that identifies the program (e.g., "2026 ISO 27001 Compliance Program").
Description
Detailed description of the program's objectives and scope.
Audit Type
Internal, External, Compliance, or Operational audit type.
Start Date
When the program begins. Used for planning and scheduling.
End Date
When the program ends. Typically 1-3 years from start date.
Duration
Automatically calculated in days from start to end date.
Status
Program status options:
- Planning: Program is being planned
- In Progress: Program is active
- Review: Program is under review
- Completed: Program is finished
- Cancelled: Program was cancelled
Lead Auditor
Primary person responsible for the program. Required field.
Assigned To
Optional assignment to a specific user for program management.
Example Program
Program Details
Name: 2026 ISO 27001 Compliance Program
Framework: ISO 27001 Information Security Management
Type: Compliance
Duration: January 1, 2026 - December 31, 2026 (3 years)
Status: In Progress
Lead Auditor: John Smith
Planned Cycles
• Year 1: Internal Audit (Q1-Q4 2026)
• Year 2: External Audit (Q1-Q4 2025)
• Year 3: Certification Audit (Q1-Q4 2026)
Program Lifecycle
Planning
Create program, define scope, assign team, and plan cycles.
In Progress
Program is active. Create cycles and instances, execute control tests.
Review
Review program progress, findings, and remediation actions.
Completed
All cycles completed, final reports generated, program closed.
Best Practices
Create programs that span 2-3 years to align with certification cycles and allow for comprehensive coverage of all controls.
Use descriptive names that include year and framework (e.g., "2026 ISO 27001 Compliance Program").
Always assign a lead auditor who will be responsible for program oversight and coordination.
Include detailed descriptions and objectives to guide the team and stakeholders.