Evidence request workflow and users

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Evidence Request Workflow and Users

    The Evidence Request Workflow allows customers to electronically request necessary information from audit subjects, expediting the collection process. This system enables individuals being audited to upload documents directly, minimizing manual processing time.

    Show full answer Show less

    Key Features

    • Requesting Evidence: Audit users with the snaudit.user role can request evidence and assign it to others, either for themselves or on behalf of other users.
    • Cancellation: Evidence requests can be canceled while in Draft state, and until they reach the Review state, ensuring flexibility if tasks are created in error.
    • Evidence Collection Records: These records outline collection instructions and are essential for generating evidence request tasks assigned to specific users or groups.
    • Confidentiality: Only the assigned user can view the request, maintaining privacy throughout the process.
    • Approvals: Assignees can add approvers for sensitive evidence, allowing for thorough review and approval processes.

    Key Outcomes

    • Streamlined evidence collection leads to faster audit processes.
    • Enhanced oversight and tracking of compliance and audit activities through job queues.
    • Clear roles and responsibilities ensure efficient task management and accountability for auditors, compliance managers, and control owners.

    Evidence request helps customers to electronically request the information that they need from the first and second line of defense. The individuals being audited can then immediately upload their documents to the system, significantly reducing manual processing time.

    The evidence request workflow is as follows:
    1. An audit user with the sn_audit.user role requests evidence and assigns the request to another user. This requester can either request the evidence for themselves or raise a request on behalf of another audit user or GRC user. If the requester determines that an evidence task has been created erroneously, then the requester can cancel that particular evidence task. The ability to cancel the evidence request is available when the request is in Draft state. A requester can cancel the evidence request tasks any time until the tasks reach the Review state.
    2. After you create an evidence request, you must create evidence collection records and then the requester must request evidence. Evidence Collection records contain the evidence collection instructions, assigned to, and assignment group. On clicking Request Evidence, evidence request tasks are generated and they are assigned to a group or user.
    3. The assignee then receives an email with the link to provide the requested evidence.
      Note:
      If the requester changes the assignee after requesting evidence, then the original assignee can no longer view the request. Only the person who is assigned the request can view the request. This feature ensures confidentiality.
    4. The assignee can either attach the requested evidence or provide a URL or location that contains the required evidence.
    5. The assignee can also add an approver for verifying and approving the evidence. Adding approvers is necessary if the evidence is sensitive and confidential in nature.
    6. The approver can then review the evidence and either approve it, request revision, or request further details about the evidence.
    7. If the approver approves the evidence, the requester receives the evidence and can process it further.
    8. The requester can then review the evidence and do one of the following:
      • accept the evidence.
      • request for its review.
      • request further details about the evidence.
      • cancel the evidence request if it is not required anymore.
      • delete the request.
    9. If the requester accepts all the evidence tasks, the request is closed.
    The evidence request workflow is shown in the following figure:Workflow of evidence request
    The following table describes the roles and their responsibilities during the evidence request workflow:
    Table 1. Evidence request users, responsibilities, and requirements
    User Responsibilities Requirements
    Internal auditor
    • Perform audit testing.
    • Request audit testing.
    • Review all audit findings and the evidence collected.
    • Visibility into compliance and risk activity.
    • A job queue (pending, current, upcoming) to plan their team efforts.
    • Track and monitor audit findings.
    • Track and monitor audit activities.
    Compliance manager, Audit manager
    • Can request evidence.
    • Request compliance test evidence.
    • Review all findings and evidence collected.
    • Visibility into compliance activities.
    • A job queue (pending, current, upcoming) to plan their team efforts.
    • Track and monitor compliance findings.
    Compliance user, Control owner
    • Ensure that the controls are implemented.
    • Attest to the controls.
    • Test the controls.
    • Provide audit evidence requested by the auditor.
    • A job queue to direct their day-to-day activities.
    • Track the time spent and performance of activities and tasks they own.
    • Ensures the task they own and additional request from the auditor is fulfilled.