Audits Module

Secureframe’s Audits Module gives customers a single place to manage and run audits end-to-end. Company admins can create audits for any framework that’s ready for assessment, define the observation window, and collaborate with auditors as they review evidence directly in the platform.

Adding an Audit

To create an audit, a company admin selects Add audit in the Audits Module. During setup, the admin is prompted to provide:

  • Framework: Select the framework being assessed.

  • Observation window: Set the date range that determines which evidence is in scope.

Observation Window & Evidence Visibility (Important Note)

  • Evidence visibility in Audit Mode is strictly controlled by the observation window. Only evidence with a completion date that falls within the selected observation window will be considered in audit and visible to auditors.
  • If evidence was uploaded outside of this date range, it will appear as Out of Audit until the completion date is updated or the observation window is expanded.

Selecting your auditor

  • When adding an audit, begin typing the legal name of the audit firm in the Audit firm field. You must enter at least 4 characters for audit firms to appear in the search results.
  • Once a firm is selected, if the audit firm has an Audit Partner Console (APC), the audit will automatically be linked to their APC instance.
  • Audit window start date: Set when auditors gain access to your instance.

    Notes

    • A minimum of 4 characters is required for the audit firm search to populate results.
    • If your audit firm does not appear after entering 4 or more characters, you can select Other and enter the audit firm details manually.
    • After selecting Other, reach out to Support or your CSM to have the audit firm and APC linked if applicable.

Secureframe then pulls in all related requirements, controls, tests, and in-scope evidence.

Active Audits

Once created, the audit becomes a workspace where auditors can review evidence and run their assessment.

Active audits include three main tabs:

  • Framework: Shows all framework requirements with their mapped controls and tests.
  • Controls: Lists all in-scope controls and the tests mapped to each.
  • Testing: Displays all in-scope tests, their response statuses, and any related evidence.

Tests in an Active Audit

When an audit is created, Secureframe automatically pulls in all relevant tests and determines which evidence falls in scope based on the framework and the observation window. Everything appears in the Testing tab.

In the core Secureframe platform, tests use automated health statuses (passing, at risk, or failing). In an audit, tests use Responses instead, allowing admins and auditors to manually move items through review.

How Test Responses Work

Responses help both sides move through review, feedback, and approval in a clear, structured way.

Admin responses:

  • Submitted: Test is ready for auditor review
  • Not Ready: Test is not ready for auditor review

Auditor responses:

  • Accepted: Auditor reviewed and accepted the evidence
  • Action Required: Auditor reviewed the test and is requesting additional information or evidence

Note: Users with a Custom Access role do not have permission to update test responses to Submitted or Not Ready in the Audit module. These actions are currently restricted to Admins and Super Admins only.

Automatic Test Response Updates

At audit creation, Secureframe automatically updates any test that is already passing and has in-scope evidence to Submitted. Admins can still review and adjust these responses as needed.

Adding New Tests During an Audit

Sometimes an auditor may request additional evidence that goes beyond the existing tests. Instead of using spreadsheets or external tools, these requests can be added directly within the audit.

  • Both company admins and auditors can create new tests
  • When an auditor adds a test, admins are notified by email and the test appears in the audit’s test list
  • New tests sync back to the main Tests module, allowing teams to retain them and reuse them in future assessments.

Upload Tests

Upload tests in the audit module mirror the tests in the main Tests module. All evidence for each test is shown, but each item appears as either In Audit or Out of Audit.

In Audit means the evidence is visible to the auditor because it has been marked as in scope. Out of Audit means the evidence exists on the company side but is not included for this audit.

At audit creation, Secureframe evaluates each evidence item and marks it In Audit if:

  • It is linked to an active test in the main Tests module, and
  • Its completion date (Completed at) falls within the audit’s observation window.

Admins can move evidence between In Audit and Out of Audit at any time if they choose to include or exclude it from the audit.

Auditor Access

The Auditor access tab allows you to control what auditors can see across different areas of the platform. This page is used to grant or restrict read-only access by module.

Each module includes two access options:

  • No access

  • Read access

Select the appropriate option for each module to determine whether auditors can view that area of the platform. Modules listed include Company onboarding, Company settings, Dashboard, Integrations, System Security Plan, and Compliance.

Note: The Tests, Frameworks, and Controls modules are hidden by default for auditors. Auditors are encouraged to use the Audits Module to review evidence and complete their assessment. If an auditor requires access to these modules, a company admin can grant it through the Auditor Access tab within the Audits Module.

Auditor Communication

Each test in the Audits module includes two comment threads:

Auditor comments: Shared between company admins and the auditors for questions, clarifications, or requests.

  • Admins are emailed when an auditor adds a new comment
  • Auditors are emailed when an admin adds a new comment

Internal comments: Visible only to company admins.

  • Ideal for internal discussion and coordination
  • Auditors cannot view this thread

Note: User mentions are not supported yet. The ability to tag a specific user and notify only them is coming soon.

Email Notifications

Secureframe sends email notifications to keep both sides aligned throughout the audit. Notifications are generated by key events:

Auditors receive emails when:

  • A test is marked Submitted
  • A company admin adds a comment in the Auditor comments tab

Admins receive emails when:

  • A test is marked Action required
  • An auditor adds a comment in the Auditor comments tab
  • An auditor adds a new test requesting additional evidence

These notifications make it easy for both teams to stay updated and move the audit forward.

Note: Email notifications for auditor comments in the Audit module are sent only to Admins and Super Admins. Users with the Custom Access role do not receive Audit module related notifications.

Completed Audits

Once your auditor has finished their review, you can complete your audit using the audit completion workflow. This workflow allows you and your auditor to upload reports, exchange comments, and confirm the final report before closing out the audit.

How to complete an audit

  1. Navigate to Audits and select the audit you want to complete.
  2. Select Complete audit in the top right corner to open the completion modal.

Upload reports

Both admins and auditors can upload reports directly to the audit. You can upload as many reports as needed throughout the review process, such as draft reports, revised versions, and the final report.

To upload a report, click or drag and drop your file into the upload area. The max file size is 25MB. Uploaded reports will display the file name, upload date, and the name of the person who uploaded it.

We recommend uploading your final report to Secureframe so you have a centralized record of all audit documentation for future reference.

Leave comments

Use the comments section to share feedback, ask questions, or flag issues related to the uploaded reports. When a comment is left, an email notification is sent to the auditor or admin so they can review and respond.

You can mention specific people using @mentions to direct comments to the right person.

Note: Comments are intended for asynchronous communication and require a page refresh to see new updates.

Confirm the final report and complete the audit

Uploading a report is not required to complete an audit, but we strongly recommend it so you have a centralized record of all audit documentation in one place.

Whether or not a report has been uploaded, the admin must toggle on Final report received to confirm the final report has been delivered. The Complete audit button remains disabled until this toggle is turned on. This gives you full control over when the audit can be closed.

This toggle is only visible to admins. Auditors do not see or control it.

Once the toggle is on, you or your auditor can select Complete audit to close out the audit. The audit status will update accordingly across your account.

Frequently Asked Questions (FAQ)

Audit Setup

Can I create multiple audits?

  • Yes. Each audit is managed independently.

Can I start an audit before inviting my auditor?

  • Yes. This lets you prepare before granting access.

How does Secureframe determine whether evidence is In Audit or Out of Audit?

  • Secureframe automatically reevaluates all evidence and updates its audit visibility:
    • Within the observation window → marked In Audit
    • Outside the observation window → marked Out of Audit

Can auditors control their email notifications?

  • Yes, auditors can enable or disable notifications by going to their customer’s Secureframe tenant. From there, navigate to My Settings → Notifications, where they will see a toggle for audit emails.

Audit Workflow

Why does my auditor see tests as “Not Ready” when they pass for me?

  • This typically means the evidence is outside the observation window or has not been explicitly marked as in audit from Audit Mode.

How does Secureframe determine which tests are automatically marked Submitted at audit creation?

  • Passing tests with in-scope evidence are set to Submitted.

Will evidence uploaded in an audit appear in the Tests module?

  • Yes.

What’s the difference between Submitted and Accepted?

  • Submitted = ready for auditor review
  • Accepted = auditor approved the evidence

What does Action required mean?

  • The auditor needs more information or updates.

What if my auditor requests a new test?

  • You or the auditor can add the test in the Audits module. These tests sync back to the main Tests module.

How do I get notified about updates or comments?

  • Secureframe sends automated notifications for test responses, new tests, and new comments. See the Email Notifications section for a more in-depth breakdown.

What evidence can auditors see in Secureframe?

  • Auditors can only see evidence that is labeled as In Audit. Evidence that is not labeled as In Audit will not be visible to them.

Why is my evidence marked as “Out of Audit” even though it was uploaded within the observation window?

Evidence can appear as “Out of Audit” even if it was uploaded within the audit’s observation window due to the status of the test at the time the evidence was evaluated, not just the upload date.

Here’s how this can happen:

  • Each test has a due date that determines whether uploaded evidence is considered valid for the current audit.

  • If a test is past due at the time an automated test run occurs, any uploaded evidence for that test may be archived.

  • Archived evidence is automatically marked as “Out of Audit,” even if the upload date falls within the observation window.

In these cases:

  • Hovering over the “Out of Audit” badge will show the specific reason the evidence was excluded.

  • The test itself may be flagged as at risk, indicating that updated or re-submitted evidence is required.

If your evidence was uploaded recently and unexpectedly marked as out of audit, this can occur when:

  • The test transitioned from passing to failing due to a missed due date.

  • The evidence was uploaded before the test’s due date was automatically advanced during the next evaluation cycle.

What to do next:

  • Review the test’s current due date and status.

  • Re-upload evidence if needed after confirming the test is no longer past due.

  • If the behavior seems incorrect, contact Support so we can review the test evaluation timing and ensure everything is aligned correctly.
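The scoping rules from the Upload Tests section and this FAQ entry (In Audit only when the evidence is linked to an active test and its completion date falls inside the observation window; archived evidence always Out of Audit, with a reason; passing tests with at least one In Audit item set to Submitted at creation), written out as an added Python model. This is not Secureframe's own code: the Test and Evidence classes, their field names, and the sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Test:
    test_id: str
    active: bool   # still an active test in the main Tests module
    passing: bool  # automated health status at audit creation

@dataclass
class Evidence:
    name: str
    test_id: str
    completed_at: date
    archived: bool = False  # archived by an automated run while the test was past due

def audit_visibility(ev, test, start, end):
    # Returns (label, reason); the reason is what the Out of Audit badge would explain.
    if test is None or not test.active:
        return "Out of Audit", "not linked to an active test"
    if ev.archived:  # checked before the window: archived items are excluded regardless
        return "Out of Audit", "evidence archived (test past due at evaluation)"
    if not (start <= ev.completed_at <= end):
        return "Out of Audit", "completion date outside observation window"
    return "In Audit", "active test, completion date inside window"

def scope_audit(tests, evidence, start, end):
    # Label every evidence item, then derive the automatic admin response per test.
    by_id = {t.test_id: t for t in tests}
    labels, in_scope = {}, {t.test_id: 0 for t in tests}
    for ev in evidence:
        labels[ev.name] = audit_visibility(ev, by_id.get(ev.test_id), start, end)
        if labels[ev.name][0] == "In Audit":
            in_scope[ev.test_id] += 1
    # Only passing tests with at least one In Audit item become Submitted; the others
    # get no automatic response here (assumed: left for the admin to set).
    responses = {t.test_id: ("Submitted" if t.passing and in_scope[t.test_id] else None)
                 for t in tests}
    return labels, responses

# Constructed sample data, not real Secureframe records.
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 6, 30)
SAMPLE_TESTS = [Test("mfa-enforced", True, True), Test("access-review", True, True),
                Test("legacy-policy", False, True)]
SAMPLE_EVIDENCE = [
    Evidence("mfa-report.pdf", "mfa-enforced", date(2024, 3, 15)),        # inside window
    Evidence("mfa-report-2023.pdf", "mfa-enforced", date(2023, 11, 1)),   # before window
    Evidence("access-review-q1.csv", "access-review", date(2024, 4, 1), archived=True),
    Evidence("policy-v1.pdf", "legacy-policy", date(2024, 2, 1)),         # inactive test
]
```

Calling `scope_audit(SAMPLE_TESTS, SAMPLE_EVIDENCE, WINDOW_START, WINDOW_END)` shows the case this FAQ describes: access-review-q1.csv is dated inside the window yet lands Out of Audit because it was archived, and its test therefore gets no automatic Submitted response.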

Who receives email notifications when an auditor adds a comment in the Audit module?

  • When an auditor adds a comment in the Audit module, email notifications are sent only to Admins and Super Admins. Users with the Custom Access role do not receive Audit module related notifications.

What do the Audit Module test status labels mean?

  • What does “Met” mean?

    • Met indicates that the requirements for the test have been satisfied.

  • What does “Not met” mean?

    • Not met indicates that one or more requirements for the test have not been satisfied.

  • What does “In review” mean?

    • In review indicates that the auditor is actively reviewing the submitted evidence for the test. This status helps signal that the test is currently under evaluation.

  • What does “Submitted” mean?

    • Submitted indicates that the test has been completed by the organization and is ready for auditor review.

Why is the "Enter Audit" button greyed out?

  • If the "Enter Audit" button appears greyed out and you're unable to access an audit in the Audits module, this is typically a temporary state that resolves automatically. The button may be disabled while the system is processing your audit setup or applying permissions. In most cases, refreshing your browser after a few minutes will resolve the issue and the button will become available.

Can auditors see all active audit projects, or only the ones they're assigned to?

  • Auditors can currently see all active audit projects — there is no restriction limiting their view to only the projects they've been assigned to. That said, audits are separated by firm, so auditors should only be accessing the projects relevant to them.

Why am I unable to tag evidence as 'Met' or 'Action required' in an audit?

  • To update responses in an audit, including tagging evidence as Met or Action required, your user must have the Auditor access role. If your current role is Admin, it needs to be changed to Auditor to enable these updates. After the role change, log out and log back in so the new permissions apply.

Post-Audit

Can I reopen a completed audit?

  • No. Completed audits are locked.

Is the audit report stored in Secureframe?

  • Yes. It’s available in the Completed tab.
