Audit Hub

Helping you understand what information, evidence, and data auditors see during an audit.

Written by Faraz Yaghouti
Updated this week

HERE’S WHY

Conducting an audit (or starting one) can be nerve-racking. We want to ensure that what you see is also what your auditors see, with no discrepancies or misaligned views of the data the auditor can access while performing the audit.

BEFORE DIVING IN

  • You must have an active audit within Drata

  • You cannot have the Risk Manager or Workspace Manager role within Drata

  • Drata maintains a high level of data transparency between our customers and the auditors invited to perform audits. Control evidence, audit pre-packages, evidence requests, and request details therefore always remain the same for both parties

  • Auditors do have some additional functionality (e.g. the ability to change statuses to ‘Completed’, request evidence, delete requests, etc.) that differs from the customer experience

  • You cannot invite an auditor with a personal email, or an email that matches your Drata tenant domain

HERE’S HOW

The Auditor View is almost identical to the customer view. Below you will see side-by-side comparisons of your view and the auditor view, along with the subtle differences in relevant functionality.

Main Page

Customer View: Main Audit Framework Page

You can see the following information:

  • Audit Name, Audit Period, Ability to Complete an Audit.

  • Assigned Auditors

  • Request Summary

  • Request Pane with associated statuses and messages

Auditor View: Main Audit Framework page

The auditor sees the same information:

  • Audit Name, Audit Period, Ability to Complete an Audit.

  • Assigned Auditors

  • Request Summary

  • Request Pane with associated statuses and messages

The auditor also has additional functionality that allows them to:

  • Request Evidence - this allows the auditor to manually ask for pieces of evidence as part of the audit; you will receive the request

  • Change Evidence Sample - this allows the auditor to change the audit sample period in case the auditor needs new evidence or there is a personnel change that is relevant to the audit

    • NOTE 1: If you upload additional evidence after the auditor has already set their audit samples, this new evidence will not appear in the Control Evidence package for you or the auditor. This is because the Control Evidence package is generated as a snapshot of all mapped evidence at the time the sample is set. For you and your auditor to see new evidence, instruct the auditor to set new audit samples. The auditor does this as follows:

      1. Click the small three dot icon in the upper right of the Audit Resources card

      2. Click "Change evidence sample"

      3. The "Set audit samples" modal will appear - this is the same modal the auditor saw when they set their first samples for this audit

    • NOTE 2: If your auditor is conducting a SOC 2 Type 1 audit, the auditor will only be able to select one personnel record during sample setting. This is typically sufficient for an audit of this type. The auditor can always set a new audit sample if they want to inspect another personnel record.

Audit Resources

One of the main features that maintain complete transparency is the downloadable evidence and audit packages. This ensures that the evidence under review can be accessed by both the auditor and by you in exactly the same state.

Customer View: Pre-audit package.

The Pre-audit package is generated for you when the auditor opens the audit, and is pulled from the same data source for both you as the customer and the auditor.

  • NOTE: The Pre-audit package does not update the way the Control Evidence package does when the auditor sets new samples. At this time, the only way to see updates in the Pre-audit package is for you as the customer to complete the audit and open a new one.

Auditor View: Pre-audit package

The auditor’s Pre-audit package is exactly the same, as mentioned above. There should be no difference in the downloaded ZIP file.

Customer View: Control Evidence.

As with the Pre-audit package behavior noted above, the control evidence download is pulled from the same data source for both you and the auditor.

IMPORTANT: When an auditor first sets the sample, that auditor receives an email with the download link. If you are not the person who set the sample, select “Resend email” to receive the email with the download link. Both of you receive the same ZIP file.

Auditor View: Control Evidence

The ZIP file for control evidence for the auditor is exactly the same as yours.

NOTE: As mentioned above, the Control Evidence package is generated as a snapshot of mapped control evidence at the time your auditor set samples. If you have mapped new evidence since then, you must instruct your auditor to set new samples.

Request Page

The request page shows details about the selected request. You can view basic details about the request, see and download related controls, and view messages related to the request.

Customer View: Request Page

As a Drata user, you can open the control drawer by selecting a related control, which auditors cannot do directly. The drawer lets you create and view ticket-management items and control tasks, and upload control evidence, without ever leaving Audit Hub or the request page.

Customer View: Request Page

The information displayed within the request page remains the same for both parties. This includes any downloadable controls mapped to that request. Auditors and Drata users can download controls individually, or select which controls they want to download.

Limitation: For both the auditor and the Drata user, the ability to download evidence from the request page is only available during the selected audit period. Once the audit period has expired, an error is shown. This limitation does not apply to the Control Evidence download under Audit Resources.

Auditor View: Request Page

One notable difference for the auditor is that the auditor can map controls to a request; if they do so, the change is reflected in your view.

On a request, an auditor can not only mark the request as ‘Completed’ but can also ‘Delete’ it. Both actions are reflected in real time so that the data viewed by both parties remains consistent.

Auditor View: Request Page

Auditors can move requests into a ‘Completed’ state as they review materials and evidence. They can also delete the request in the same dropdown.

System Message

When a Drata customer uploads evidence within the control drawer from the request page, a system message is generated in the ‘Messages about this request’ section. The system message notifies the auditor and Drata users that new evidence is attached to a control, and includes a download link or URL to fetch the evidence.

Customer View: System Message

Auditor View: System Message
