Audit Workflow
Complete end-to-end process from artifact submission through final approval, including human validation, decision gates, and audit trail recording.
Audit Lifecycle Overview
A compliance audit moves through six distinct phases, each with defined responsibilities, gates, and audit trail recording:
| Phase | Duration | Owner | Key Decision |
|---|---|---|---|
| 1. Setup | 30 min | Audit Sponsor | Define scope, applicable rules, required documents |
| 2. Artifact Submission | 1-2 days | Project Team | Complete artifact collection before analysis can begin |
| 3. AI Analysis | 30 min - 2 hours | Autonomous Assistant | Generate findings with evidence citations |
| 4. Finding Validation | 2-4 hours | Compliance Officer | Review and validate each finding for accuracy |
| 5. Approval Routing | 1-2 days | Governance Chain | Approve audit findings and decisions |
| 6. Archive & Reporting | 1 hour | QMS System | Finalize audit record and generate reports |
Phase 1: Audit Setup
Owner: Audit Sponsor (Compliance Officer or Manager)
Duration: 30 minutes
Goal: Define audit scope and compliance rules
Step-by-Step Process
- Create Audit Record: Audit sponsor navigates to "New Audit" in compliance portal
  - Enter audit name/ID, project name, business unit
  - Select audit type (routine, risk-based, regulatory-triggered)
  - Assign primary compliance officer
- Define Scope: Specify what documents must be submitted
  - Select applicable artifact types (test strategy, implementation plan, business case, etc.)
  - Set optional minimum requirements (e.g., "must include stakeholder list")
  - Set submission deadline
- Configure Rules: Select which compliance rules apply to this audit
  - Default rule set suggested based on audit type
  - Audit sponsor can add/remove rules for specific project context
  - Rule versions frozen at audit creation (ensures consistency if rules are updated later)
- Approve & Activate: Review setup, approve; audit status moves to "Active - Awaiting Artifacts"
  - Email notification sent to audit sponsor and project team with submission link
  - Audit trail records setup action
Audit Trail Recording
✓ Audit created (timestamp, creator ID, configuration)
✓ Rules selected (rule names, versions, effective date)
✓ Scope defined (artifact types, submission deadline)
✓ Audit activated (status changed to Active)
Phase 2: Artifact Submission
Owner: Project Team
Duration: 1-2 days
Goal: Collect all required compliance documentation
Step-by-Step Process
- Receive Submission Link: Project team receives email with audit ID and submission portal link
  - Portal displays required artifact types with descriptions
  - Displays submission deadline and SLA
- Upload Artifacts: Team uploads required documents via drag-and-drop interface
  - Support for: PDF, Word, Excel, images, ZIP archives
  - Auto-classification: system identifies artifact type from filename or content
  - Version tracking: if the same artifact is uploaded twice, the system treats it as an update
  - Progress indicator: "3 of 5 required artifacts uploaded"
- Validate Completeness: System checks that all required artifacts are present
  - Red flag if required artifacts are missing at deadline
  - Project team receives alert: "Missing test strategy — please upload before EOD"
- Submit for Analysis: Once complete, team clicks "Submit Audit" (or submission is auto-triggered at deadline)
  - Artifacts locked (no further edits possible)
  - Status changes to "In Progress - Analysis Running"
  - Compliance officer notified that analysis is starting
Audit Trail Recording
✓ Each artifact upload (timestamp, uploader ID, document hash, file size)
✓ Document classification (auto-detected type)
✓ Artifact version history (if document re-uploaded)
✓ Audit submission (timestamp, status change to "In Progress")
✓ Document integrity hashes recorded on blockchain
Phase 3: AI Analysis
Owner: Autonomous Compliance Assistant
Duration: 30 minutes to 2 hours (depends on document volume)
Goal: Analyze artifacts and generate findings
Step-by-Step Process
- Document Processing: System parses each artifact
  - Extract text from PDFs (including OCR for scanned docs)
  - Identify document structure (sections, tables, lists)
  - Extract metadata (title, author, dates)
  - Generate document embeddings for semantic search
- Rule Execution: For each compliance rule, execute analysis
  - Check for required content presence
  - Analyze content against regulatory requirements
  - Cross-reference multiple documents for consistency
  - Generate confidence score (how certain is the AI about this finding?)
- Finding Generation: Create structured findings from analysis results
  - Each finding includes: title, description, severity, evidence quotes, regulatory citations, confidence score
  - Group related findings together
  - Sort by severity (critical first)
- Progress Notification: Audit sponsor receives real-time updates
  - Dashboard shows: "Analyzing document 3 of 7... 15 findings generated so far"
  - Email notification when analysis complete: "Analysis complete - 23 findings for review"
- Analysis Complete: Status changes to "Findings Ready - Awaiting Validation"
  - Compliance officer can now begin finding review
Audit Trail Recording
✓ Analysis started (timestamp, AI model version, rules version)
✓ Each document processed (timestamp, text length, embeddings generated)
✓ Each rule executed (rule ID, documents evaluated, outcomes)
✓ Each finding generated (finding ID, severity, evidence, confidence, timestamp)
✓ Analysis completed (timestamp, total findings, analysis duration)
Phase 4: Finding Validation
Owner: Compliance Officer (Subject Matter Expert)
Duration: 2-4 hours (for 20-30 findings)
Goal: Review, validate, and dispute findings as needed
Step-by-Step Process
- Review Finding: Compliance officer opens finding card
  - Displays: title, description, severity level, confidence score
  - Shows evidence: quoted text from artifact with document context
  - Displays regulatory citation: which requirement is violated?
  - Links to full document for additional context if needed
- Validate Accuracy: Officer assesses whether the finding is correct
  - Accept: Click "Validate" — finding is accurate
  - Dispute: Click "Dispute" — finding is incorrect or not applicable
  - Request Analysis: Ask Assistant to provide more detail on a specific aspect
- Add Context (Optional): Officer can add comments or notes
  - "This was addressed in email with project manager — may not be critical"
  - "Similar finding in last audit — remediation in progress"
  - Comments attached to audit trail for next review
- Assess Severity (If Needed): For borderline findings, officer can adjust severity
  - AI suggested "Medium" but officer believes "Low" given business context
  - Change recorded in audit trail with justification
- Move to Next Finding: Batch or one-by-one review
  - Dashboard shows: "15 of 23 findings reviewed (65%)"
  - Findings sorted by severity; officer can filter by type if desired
- Complete Validation: Once all findings are reviewed, officer clicks "Validation Complete"
  - Status changes to "Findings Validated - Pending Approval"
  - System calculates: 18 accepted, 5 disputed (disputed findings escalated for review)
Finding Validation Workflow
Decision Flow:
Finding → Accept? → Proceed to next
Finding → Dispute? → Route to secondary reviewer or subject matter expert
Finding → Request more analysis? → Queue analysis request; finding paused
Disputed Finding Escalation
- If the officer disputes a finding, the system routes it to a secondary reviewer (another compliance team member or subject matter expert)
- Secondary reviewer reviews with the context of the original dispute
- If still disputed after secondary review, the finding escalates to the Compliance Manager for final determination
- All dispute decisions recorded in audit trail with justification
Audit Trail Recording
✓ Finding review started (timestamp, reviewer ID)
✓ Each finding decision (accept/dispute, timestamp, reviewer ID)
✓ Comments added (comment text, timestamp)
✓ Severity adjustments (original/adjusted, justification, timestamp)
✓ Dispute escalations (escalated to, timestamp)
✓ Validation complete (timestamp, accept count, dispute count)
Phase 5: Approval Routing
Owner: Governance Chain (Compliance Officer → Manager → Executive as needed)
Duration: 1-2 days
Goal: Obtain required approvals through governance chain
Step-by-Step Process
- Determine Routing: System identifies required approvers based on rules
  - Rules define: "Critical findings require Manager and Chief Compliance approval"
  - High findings require Manager approval
  - Medium/Low findings approved by Compliance Officer
  - Rules may also trigger: "If >10 findings, must go to Audit Committee"
- Initial Approval Gate: Compliance Officer signs off on validation and findings
  - Option to add final comments before routing
  - Click "Approve for Management Review"
  - Timestamp and digital signature recorded
  - Status changes to "Pending Manager Approval"
- Manager Review: If required, audit routes to manager
  - Manager can: approve, request changes (send back to compliance officer), or escalate
  - Manager adds comments if needed
  - SLA: 1 business day for approval
  - If SLA breached, escalate automatically
- Executive Review (If Critical): Critical findings routed to Chief Compliance Officer or CFO
  - Executive summary provided highlighting critical/high findings
  - Executive can approve or request remediation before approval
  - SLA: 2 business days
- Final Approval: Once all required approvals obtained, audit status changes to "Approved"
  - Completion notification sent to all stakeholders
  - Audit results published to stakeholders (based on role-based access)
Approval Rules Configuration
| Finding Severity | Required Approver(s) | SLA |
|---|---|---|
| Critical | Compliance Officer → Manager → Chief Compliance Officer | 2 business days total |
| High | Compliance Officer → Manager | 1 business day total |
| Medium | Compliance Officer | Auto-approved after validation |
| Low | Compliance Officer | Auto-approved after validation |
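The routing rules above, worked as an added example that is not the portal's own code: `determine_routing` picks the approver chain and SLA from the most severe accepted finding and appends the Audit Committee when the ">10 findings" rule fires. The `Finding` dataclass, the severity ranking and the choice to count only accepted findings are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Approver chain and SLA (business days) per severity, from the Approval Rules
# Configuration table. Medium/Low stop at the Compliance Officer and are
# auto-approved after validation, so their SLA is 0.
APPROVAL_CHAIN = {
    "critical": (("Compliance Officer", "Manager", "Chief Compliance Officer"), 2),
    "high": (("Compliance Officer", "Manager"), 1),
    "medium": (("Compliance Officer",), 0),
    "low": (("Compliance Officer",), 0),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
COMMITTEE_THRESHOLD = 10  # "If >10 findings, must go to Audit Committee"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str   # "critical" | "high" | "medium" | "low"
    accepted: bool  # Phase 4 decision; disputed findings follow the escalation path instead


def determine_routing(findings):
    """Return (ordered approver chain, SLA in business days) for a validated audit.

    Assumption (not stated on the page): routing follows the most severe
    *accepted* finding, and the ">10 findings" committee rule counts accepted
    findings only.
    """
    accepted = [f for f in findings if f.accepted]
    if not accepted:
        return ["Compliance Officer"], 0
    worst = max(accepted, key=lambda f: SEVERITY_RANK[f.severity])
    chain, sla_days = APPROVAL_CHAIN[worst.severity]
    chain = list(chain)
    if len(accepted) > COMMITTEE_THRESHOLD:
        chain.append("Audit Committee")
    return chain, sla_days
```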
Audit Trail Recording
✓ Approval routing determined (rules applied, approvers identified)
✓ Each approval gate passed (timestamp, approver ID, digital signature)
✓ Approval changes requested (requester, change details, timestamp)
✓ SLA tracked (deadline, actual completion, on-time indicator)
✓ Final approval completed (timestamp, approver ID, status changed to Approved)
Phase 6: Archive & Reporting
Owner: QMS System & Compliance Office
Duration: 1 hour
Goal: Archive audit records and generate compliance reports
Step-by-Step Process
- Archive Audit Record: Completed audit moved to immutable archive
  - All documents, findings, approval records bundled together
  - Archive hash recorded on blockchain (immutable proof of record)
  - Audit marked as "Archived" — no further changes possible
- Generate Audit Report: System automatically generates summary report
  - Executive summary: project, dates, total findings, status
  - Finding breakdown: # critical/high/medium/low findings
  - Remediation summary: decisions made, timelines assigned
  - Audit trail summary: key dates, approvers, SLAs
- Distribute Report: Report distributed to stakeholders based on access permissions
  - Project team: sees their findings and remediation tasks
  - Compliance Officer: sees full report and audit trail
  - Manager: sees findings summary and approval status
  - External Auditors: can verify audit trail using cryptographic proofs (no sensitive data)
- Track Remediation: System monitors remediation progress
  - Findings with remediation deadlines tracked in QMS
  - Regular status checks: "Remediation 60% complete, on track for deadline"
  - Escalate if remediation delayed
- Close Audit: Once all remediation tasks completed (or deferred to next cycle), audit closed
  - Status changes to "Closed"
  - Final closeout approval from Compliance Officer
Compliance Reporting Outputs
- Audit Summary Report (PDF): For executives and regulators
- Finding Detail Report (Excel): For compliance team tracking
- Audit Trail Extract (JSON): For external audit verification
- Trend Report: Compare current audit to previous cycles (same project, same type)
- Portfolio Dashboard: Aggregate compliance posture across all audits
Audit Trail Recording
✓ Audit archived (timestamp, archive hash, blockchain record)
✓ Report generated (timestamp, report type, recipients)
✓ Report distributed (recipient, delivery method, timestamp)
✓ Remediation tracking started (finding ID, deadline, assigned party)
✓ Audit closed (timestamp, closeout approval, final status)
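How the document hashes recorded in Phase 2, the archive hash anchored in Phase 6 and the external auditor's verification fit together, as an added example rather than the QMS's own implementation: each trail entry's hash covers the previous entry's hash, so the single archive hash commits to the whole sequence, and a verifier holding only identifiers and hashes can detect edited, reordered or truncated entries. The event field names and the sample events are constructed for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first trail entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(event: dict) -> bytes:
    # Deterministic encoding so every verifier recomputes the identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_event(trail: list, event: dict) -> str:
    """Append an event whose hash covers the previous entry hash plus the event.
    Editing, deleting or reordering an earlier entry changes every later hash."""
    prev_hash = trail[-1]["entry_hash"] if trail else GENESIS
    entry_hash = sha256_hex(prev_hash.encode() + _canonical(event))
    trail.append({"event": event, "prev_hash": prev_hash, "entry_hash": entry_hash})
    return entry_hash

def archive_hash(trail: list) -> str:
    """Head of the chain: the value that would be recorded on the blockchain at archival."""
    return trail[-1]["entry_hash"] if trail else GENESIS

def verify_trail(trail: list, expected_archive_hash: str):
    """Recompute the chain against the anchored archive hash. Returns (True, None) or
    (False, index of the first failing entry); a trail cut short fails at len(trail)."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        expected = sha256_hex(prev_hash.encode() + _canonical(entry["event"]))
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return False, i
        prev_hash = entry["entry_hash"]
    if prev_hash != expected_archive_hash:
        return False, len(trail)
    return True, None

def build_sample_trail() -> list:
    """Constructed sample trail: identifiers and hashes only, no document content."""
    doc = b"Test strategy v1 (constructed sample document)"
    trail = []
    append_event(trail, {"type": "artifact_uploaded", "artifact": "test_strategy",
                         "uploader": "U-42", "doc_hash": sha256_hex(doc),
                         "size": len(doc), "ts": "2024-05-01T09:00:00Z"})
    append_event(trail, {"type": "finding_decision", "finding": "F-7", "decision": "dispute",
                         "reviewer": "U-17", "ts": "2024-05-02T14:30:00Z"})
    append_event(trail, {"type": "approval_gate", "gate": "Compliance Officer",
                         "approver": "U-17", "ts": "2024-05-03T10:05:00Z"})
    return trail
```

Note that the chain proves integrity and ordering relative to the anchored hash, not authorship: the per-gate digital signatures the page records are what bind an approval to a specific approver.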
Audit Workflow Rules & Decisions
The system enforces defined rules and decision gates throughout the audit:
| Decision Point | Rule / Gate | Enforcement |
|---|---|---|
| Analysis Trigger | Cannot start analysis until all required artifacts submitted | Block "Submit for Analysis" button if incomplete |
| Finding Validation | All findings must be reviewed before routing | Block "Approve for Routing" if findings pending validation |
| Disputed Findings | If disputed count > threshold, escalate to manager before approval | Auto-escalate if >20% of findings disputed |
| Critical Findings | Critical findings block full approval until addressed | Must approve critical findings separately before Medium/Low approval |
| Approval SLA | Each approval gate has max time (1-2 days depending on severity) | Auto-escalate if SLA breached |
| Audit Archive | Audit must be fully approved before archival | Block archival if pending approvals |
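The gate table above as an enforceable status model, added here as an illustration and not the portal's own code: every transition checks its precondition and refuses to move the audit forward otherwise, which is what makes "block the button" a server-side guarantee rather than a UI convenience. The `Audit` class, its method names and the `GateError` exception are assumptions; the status strings are the ones this page uses.

```python
class GateError(Exception):
    pass

class Audit:
    """Status model enforcing the decision gates above (constructed illustration)."""
    DISPUTE_ESCALATION_RATIO = 0.20  # auto-escalate if >20% of findings disputed

    def __init__(self, required_artifacts):
        self.required = set(required_artifacts)
        self.artifacts = {}           # artifact type -> document hash
        self.pending_approvers = []   # approvers who have not yet signed
        self.status = "Active - Awaiting Artifacts"

    def upload(self, artifact_type, doc_hash):
        self.artifacts[artifact_type] = doc_hash  # a re-upload is treated as an update

    def submit_for_analysis(self):
        """Gate: analysis cannot start until every required artifact is present."""
        missing = self.required - set(self.artifacts)
        if missing:
            raise GateError(f"missing required artifacts: {sorted(missing)}")
        self.status = "In Progress - Analysis Running"

    def approve_for_routing(self, decisions, approver_chain):
        """Gate: every finding reviewed; auto-escalate to Manager if >20% disputed.
        decisions maps finding id -> "pending" | "accept" | "dispute" (Phase 4 output)."""
        pending = sorted(f for f, d in decisions.items() if d == "pending")
        if pending:
            raise GateError(f"findings pending validation: {pending}")
        chain = list(approver_chain)
        disputed = sum(d == "dispute" for d in decisions.values())
        if disputed > self.DISPUTE_ESCALATION_RATIO * len(decisions) and "Manager" not in chain:
            chain.append("Manager")
        self.pending_approvers = chain
        self.status = "Findings Validated - Pending Approval"
        return chain

    def sign(self, approver):
        """Approvers sign in chain order; status becomes Approved when the chain is empty."""
        if not self.pending_approvers or self.pending_approvers[0] != approver:
            raise GateError(f"{approver} is not the next required approver")
        self.pending_approvers.pop(0)
        if not self.pending_approvers:
            self.status = "Approved"

    def archive(self):
        """Gate: archival is blocked while any approval is pending."""
        if self.status != "Approved":
            raise GateError(f"cannot archive in status {self.status!r}")
        self.status = "Archived"
```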
Human Validation Touch Points
The system enforces human validation at critical decision gates. The AI never:
- ✓ Approves findings without human review
- ✓ Routes findings without compliance officer validation
- ✓ Escalates critical findings without management awareness
- ✓ Archives audits without final approval
- ✓ Makes remediation decisions (humans decide remediation path)
AI Role: Analyze, identify gaps, generate findings
Human Role: Validate accuracy, make decisions, approve, govern