Assurance
The Assurance module is where audit-grade work happens: internal audit engagements, third-party assessments, certification cycles, accreditation reviews, attestations, and management reviews. Each engagement has scope, a plan, an independence posture, workpapers, observations, and conclusions. Each lives inside one assurance program, and each connects to the controls, risks, obligations, evidence claims, and assessments it touches.
This module is the home of the assurance activity, distinct from Assessments (which is the generic evaluation activity any team can run) and Audit Packages (which is the export artifact). Assurance owns the engagement; assessments are what the engagement uses; audit packages are what the engagement produces.
When you would reach for this
You set up assurance when:
- Internal audit is launching a cycle and you want their plan, workpapers, observations, and conclusions to live where the rest of governance lives, not in a parallel spreadsheet.
- An external auditor or certifier is performing an engagement and you want their work captured inside the workspace.
- A regulator-mandated assurance cycle (a periodic certification, an accreditation maintenance review) needs an auditable footprint.
- A management review of a program needs scope, inputs, decisions, and outcomes recorded with full traceability.
- A board needs visibility into “what assurance activity has been performed on this part of the organization in the last year?”
You don’t reach for this when capturing individual control evaluations (those are Assessments) or when producing the export artifact the assurance generates (that’s Audit Packages). Assurance is the engagement activity itself.
What lives in assurance
Three record types:
Assurance program is the umbrella: a recurring assurance theme like “Annual internal audit cycle,” “External SOC 2 readiness program,” “Quarterly compliance attestation.” It carries an assurance kind, a charter snapshot, and an owner.
Assurance engagement is one execution of a program (or a one-off engagement). It carries:
- A title and key.
- Scope (which controls, risks, obligations, scope nodes are in scope).
- Criteria (the standards, frameworks, internal policies the engagement is testing against).
- A plan (timing, sampling approach, resources).
- An independence posture (who runs the engagement, whether they’re independent of the work being assessed, recusals).
- Linked assessment instances that the engagement uses or supersedes.
- Workpapers (the engagement’s working records).
- Observations (preliminary findings noted during the engagement).
- Conclusions (the engagement’s signed-off outcome).
- A status walking through `planned`, `in-progress`, `concluded`, `superseded`, etc.
Management review is a specialized engagement: a documented review of a program’s posture by accountable leadership, with inputs (assessment results, indicator measurements, findings, exceptions), discussion, decisions, and actions.
Assurance program kinds
Common kinds (free text):
| Kind | Meaning |
|---|---|
| internal-audit | Internal audit’s recurring cycle of engagements. |
| external-audit | Third-party financial or compliance audit. |
| certification | An externally-issued certification’s recurring assessment cycle. |
| accreditation | An accreditation body’s recurring review cycle. |
| attestation | A periodic management or third-party attestation cycle. |
| management-review | Leadership’s structured review of a program. |
| independent-assurance | An independent assurance engagement (e.g., a board-directed special review). |
A worked example: a retail bank runs its annual internal audit cycle
A retail bank operates branches, an online channel, and a mobile app. Internal audit runs an annual cycle covering operational controls, fraud detection, customer onboarding, and the bank’s compliance program. The chief audit executive, Karoliina, wants the full cycle captured in the workspace so observations and conclusions flow into the same governance program everyone else uses.
She sets up Assurance like this.
Step 1: define the program. Karoliina creates an assurance program annual-internal-audit, kind internal-audit. The program charter snapshot captures the audit committee’s mandate, the cycle cadence, the resourcing model, and the scope universe (the full set of areas eligible for engagements over the year).
Step 2: plan the year’s engagements. Internal audit’s annual plan breaks the cycle into eight engagements: branch operations, online channel, mobile app, fraud detection, customer onboarding, compliance program, third-party risk, and IT general controls. For each, Karoliina creates an assurance engagement:
- Scope: the relevant controls and scope nodes.
- Criteria: the bank’s internal control framework plus relevant external standards.
- Plan: estimated start and end dates, lead auditor, team, sampling approach.
- Independence: the lead auditor and team are not the owners of what’s being assessed; recusals are recorded explicitly.
Step 3: conduct each engagement. As each engagement runs:
- The audit team creates assessments through Assessments and links them to the engagement. The audit’s test work happens in assessments; the engagement is the container.
- Workpapers are recorded in the engagement (digital trail of test work, supporting evidence, discussion notes).
- Observations are noted as the engagement progresses. Some observations harden into formal findings (Findings).
- The lead auditor’s running view of “what we’ve found” lives in the observations tab.
Step 4: conclude. When the engagement completes, the lead auditor:
- Writes the engagement conclusion.
- Marks observations as either confirmed (becomes a finding) or not material.
- Captures management’s response to each finding.
- Transitions the engagement to `concluded` with sign-off from the responsible authority.
Step 5: program-level review. Quarterly, Karoliina reviews the program’s progress: completed engagements vs planned, observations and findings produced, themes across engagements, plan adjustments. The audit committee sees a unified view: every engagement in the cycle, their scope, their conclusions, the findings produced, and the remediation status of each finding.
Step 6: management reviews. Separately, the bank runs annual management reviews of each management system (ISMS, privacy program, vendor risk program). Each management review is its own assurance record: inputs (assessments, indicators, findings, exceptions), discussion summary, decisions, actions, sign-off by the program’s accountable owner.
After a year:
- The assurance register shows the full annual cycle.
- Every engagement’s conclusion, workpapers, observations, and findings are reachable in one place.
- The audit committee can answer “show me everything we audited this year, and the open findings from each.”
- Auditors can demonstrate their independence posture from the same record they conducted the work in.
What you’ll see in the product
Assurance lives under Governance → Assurance in the workspace.
Two top-level tabs: Programs and Engagements.
The Programs list shows every assurance program, with its kind, owner, current cycle status, and engagement counts.
Inside a program, you see all engagements that are part of the program, their statuses, and the program-level activity history.
The Engagements list shows every engagement across programs, filterable by status, lead, scope, criteria, and period.
Inside an engagement, you see:
- The scope, criteria, plan, independence posture.
- Linked assessments (with deep links).
- Workpapers (the engagement’s working records).
- Observations (the running list with status: noted / confirmed / not-material).
- Conclusions (the signed-off outcome).
- Linked findings produced.
- Linked audit package (the export artifact, once generated).
- Activity history.
Management reviews are a specialized view inside the program where you can browse the management-review records separately.
Every change is captured in the workspace Audit Log.
Workpapers, observations, and findings
The distinction matters for audit fidelity:
- Workpapers are the auditor’s working records: test schedules, sampling worksheets, supporting evidence, notes from interviews. Workpapers are the trail of how the work was done.
- Observations are preliminary noted issues that the auditor identifies during the engagement. Observations may or may not become findings; sometimes management’s response satisfies the observation in-flight and it doesn’t harden.
- Findings are confirmed issues that need remediation. Findings live in their own module (Findings) so the remediation lifecycle is shared across all sources of finding (audit, assessment, monitor, manual).
Independence posture
An engagement’s independence posture captures the audit team’s relationship to the work being assessed. For external auditors, independence is usually structural (they’re a separate organization). For internal audit, independence is structured by the organization’s audit charter and recorded engagement-by-engagement: who’s the lead, who’s the team, what conflicts have been declared and recused.
Independence isn’t a free pass; it’s a recorded posture that an auditor of auditors can later examine.
Common workflows
Setting up an assurance program
- Assurance → Programs → New program. Kind, name, charter snapshot, owner.
- The program is the umbrella; engagements are added as the cycle plans them.
Planning and running an engagement
- Engagements → New engagement. Link to the program, pick the scope, capture the criteria, write the plan, set the independence posture.
- As the engagement runs, create assessments and link them to the engagement.
- Record workpapers and observations as work progresses.
- Convert confirmed observations into findings (the link is preserved).
- Write conclusions, route for sign-off, transition to `concluded`.
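The engagement lifecycle above, and the independence posture described earlier, can be modelled as a small state machine. The following is an added illustration written for this page, not the product’s own code or API; the class, field and status names are assumptions, the bank data is constructed, and the rule that an engagement cannot start while an undeclared conflict exists is an assumed policy, not something the product is documented to enforce.

```python
from dataclasses import dataclass, field

# Allowed status transitions, following the statuses the page lists (constructed model).
VALID_NEXT = {"planned": {"in-progress", "superseded"}, "in-progress": {"concluded", "superseded"},
              "concluded": set(), "superseded": set()}

@dataclass
class Engagement:
    key: str
    scope: dict                 # control id -> control owner
    team: set                   # auditor ids, lead included
    recusals: set = field(default_factory=set)
    observations: dict = field(default_factory=dict)  # id -> noted|confirmed|not-material
    findings: dict = field(default_factory=dict)      # finding id -> source observation
    status: str = "planned"
    signed_off_by: str = ""

    def independence_conflicts(self):
        """Team members who own an in-scope control and have not recused."""
        return sorted((self.team & set(self.scope.values())) - self.recusals)

    def transition(self, new):
        if new not in VALID_NEXT[self.status]:
            raise ValueError(f"{self.status} -> {new} not allowed")
        if new == "in-progress" and self.independence_conflicts():
            raise ValueError("undeclared conflict: record a recusal first")
        if new == "concluded" and not self.signed_off_by:
            raise ValueError("conclusion needs sign-off")
        if new == "concluded" and "noted" in self.observations.values():
            raise ValueError("every observation must be confirmed or not-material")
        self.status = new

    def confirm(self, obs_id):
        """A confirmed observation hardens into a finding; the link back is kept."""
        if self.observations.get(obs_id) != "noted":
            raise ValueError("only a noted observation can be confirmed")
        self.observations[obs_id] = "confirmed"
        fid = f"F-{len(self.findings) + 1}"
        self.findings[fid] = obs_id
        return fid

def run_branch_ops_example():
    """Walks the worked example's branch-operations engagement (constructed sample data)."""
    e = Engagement("branch-ops", scope={"CTL-1": "ops-lead", "CTL-2": "branch-mgr"},
                   team={"karoliina", "auditor-a", "branch-mgr"})
    e.recusals.add("branch-mgr")        # branch-mgr owns CTL-2: recuse before starting
    e.transition("in-progress")
    e.observations.update({"O-1": "noted", "O-2": "noted"})
    fid = e.confirm("O-1")
    e.observations["O-2"] = "not-material"
    e.signed_off_by = "audit-committee"
    e.transition("concluded")
    return e, fid
```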
Running a management review
- Assurance → Management reviews → New. Link to the management system being reviewed.
- Pull in inputs (recent assessment results, indicator measurements, open findings, exceptions).
- Document the discussion, decisions, and actions.
- Capture sign-off from the accountable program owner.
Annual reporting
- Filter Engagements by the year and program.
- Export the cycle view for the audit committee.
- For each engagement, drill into conclusions and linked findings.
Related
- Assessments - the assessment work an engagement contains.
- Findings - confirmed observations become findings.
- Evidence - evidence claims feed engagements and are reviewed in workpapers.
- Audit Packages - the export artifact an engagement may produce.
- Management Systems - programs subject to management review.
- Controls - what engagements assess.