1. Introduction
The Audits feature in redOrange.ai provides organizations with a structured way to evaluate the effectiveness of compliance controls and ensure readiness for internal or external audits. It allows administrators, owners, and auditors to track audit progress, review evidence, flag issues, and generate reports.
This guide explains how to create and manage audits, mark controls as "Ready for Audit," assign auditors, and review audit findings.
2. Permissions
To access and manage the Audits section:
Users must have either Owner access or the Can Access Audits permission.
To mark a control as Ready for Audit, the user must:
Be the Owner of that control.
Have the control approved by the designated approver.
3. Accessing Audits
Log in to redOrange.ai.
Navigate to Audits from the side menu.
Use the Add Audits option to begin the audit creation process.
4. Creating an Audit
Step 1: Add Audit
Click on Add Audit.
A pop-up will appear to guide you through the setup.
Step 2: Select Framework
Choose the relevant Framework you want to audit from the dropdown list.
Step 3: Choose Audit Type
You need to choose Audit Type as either Internal or External based on your requirement
Procedure for Type: Internal Audit
Internal Audit:
Assign any user within redOrange.ai as an Internal Auditor.
Procedure for Type: External Audit
External Audit:
Select audit type as External.
Enter the following details of the external auditor:
Name
Email
Company Name
Save the details.
A Set Up Password email invitation is sent to the external auditor, granting them restricted access to the Audits module only.
Step 4: Define Timeline
Choose the Start Date and End Date for the audit.
Step 5: Create Audit
Click Create to finalize.
The audit will now be visible in the Audits section.
5. Filters and Sorting
Within the Audits section, you can:
Filter by Framework Type
Filter by Auditor
Sort audits by Date
This helps streamline access to relevant audits when managing multiple frameworks.
6. Marking Controls as Ready for Audit
Prerequisites
The control must be approved by the assigned approver.
The user marking the control must be its Owner.
To know about managing framework controls through task management refer this following documentation.
Steps
Navigate to the control within its framework.
Open the Control Sidebar.
Locate the Ready for Audit option (indicated by a thumb icon).
Add an Audit Note (optional).
Mark the control as Ready for Audit.
Behavior
The control immediately appears under the Audit section of its respective framework.
If no audit exists for that framework, the control remains flagged until an audit is created. Once created, the control automatically links to it.
7. Performing an Audit
Audit Framework View
When you open a framework under Audits, you will see a table of all controls marked as Ready for Audit, with the following columns:
Control ID
Control Name
Control Description
Owner
Audit Status:
Audit in Progress (default when first marked ready)
Audited (once reviewed)
Submitted Response (assigned response to the control)
Audit Note (notes added during readiness stage)
Evidence (files uploaded manually or auto-collected for automated controls)
Audit Review Options:
Flag (to mark issues with audit)
Accept or Reject Evidence
Comment (add, view, edit, or delete reviewer comments)
Important Notes
If an audit review is Flagged, evidence cannot be accepted until it is unflagged.
Evidence may include manually uploaded documents or automatically captured logs for automated controls.
Auditors can filter controls based on Audit Status or by Evidence availability.
8. Reports
Summary Reports
At the bottom of the Audit Page, use the Download Report option.
Reports are generated in XLSX format.
Reports contain comprehensive details of all controls, their audit statuses, responses, evidence, and reviewer comments for the selected framework.
9. Best Practices
Ensure all controls are approved by approvers before marking them ready.
Assign clear timelines to avoid overdue audits.
Use Audit Notes for context when marking readiness.
Always flag questionable controls to ensure auditors investigate further.
Regularly download and archive audit reports for record-keeping.
10. Troubleshooting
Issue | Solution |
Unable to mark control as Ready for Audit | Ensure you are the owner and the control is approved. |
External auditor not receiving invitation | Check email spelling, confirm external mail server not blocking notifications. |
Evidence not visible | Verify that assignee or owner uploaded correctly (supported formats: docx, pdf and png) |
Audit review stuck at "Flagged" | Unflag the control before accepting or rejecting evidence. |
11. Frequently Asked Questions (FAQs)
Q1: Can I mark any control as “Ready for Audit”?
A: No. To mark a control as Ready for Audit, you must:
Be the Owner of that control.
Ensure the control has already been approved by the assigned approver.
Q2: What happens if a control is marked Ready for Audit but no audit exists yet for that framework?
A: The control will remain flagged as ready. Once an audit is created for the framework, the control will automatically appear under that audit.
Q3: Can we assign external auditors?
A: Yes. When creating an audit, choose External Audit and provide the auditor’s name, email, and company. An invitation email will be sent to the external auditor with restricted access limited to the Audits module.
Q4: What’s the difference between Internal and External audits?
Internal Audit: Performed by internal users of redOrange.ai assigned as auditors.
External Audit: Performed by outside auditors who are invited and given access only to the audits section.
Q5: Can flagged controls be audited?
A: Yes, but when a control is flagged, evidence cannot be accepted or rejected until it is unflagged. This ensures issues are resolved before finalizing review.
11. Contact Support
For help with audits sections, contact:
Email: support@redorange.ai