Create an auditable unit

  • Release version: Australia
  • Updated March 12, 2026

  Create auditable units with entities such as business units, departments, vendors, products, business processes, business applications, locations, authority documents, and policies to perform risk assessments on the auditable units.

    Before you begin

    Role required: sn_audit.user or sn_audit.manager

    Activate the GRC Advanced Audit plugin (com.sn_audit_advanced).

    About this task

    You can create an auditable unit and decide the type of risk assessment you want to perform on the auditable unit. After the risk assessment is done, based on the risk ratings, the audit managers can decide if they want to audit the entities. You can scope an auditable unit as an entity on an engagement.

    Procedure

    1. Navigate to All > Audit Universe > All Auditable Units.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Auditable Unit form
      Field: Description
      Number: Unique number of the auditable unit.
      Name: Name of the auditable unit. For example, Accounts Payable - Finance.
      Owning group: Group that owns the auditable unit.
      Owner: Owner of the auditable unit.
      State: State of the auditable unit. The default state is Draft.
      Priority: Priority of the auditable unit.
      Description: Brief description of the auditable unit.
      Risk Assessment
      Method: Type of risk assessment used to obtain the risk rating of the auditable unit. The choices are:
      • Basic Risk Assessment. This option allows you to manually enter a value for the risk rating.
      • Detailed Risk Assessment. This option appears when the Advanced Audit plugin is activated. When you select this option, the Risk Assessments related list appears.
      Risk rating: Risk rating of the auditable unit obtained from a basic risk assessment. This field appears if the Method field is set to Basic Risk Assessment.
      Inherent risk rating: Inherent risk score. The value in this field is derived from the advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
      Control effectiveness: Control effectiveness score. The value in this field is derived from the advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
      Residual risk rating: Residual risk score. The value in this field is derived from the advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
    4. If you have selected Basic Risk Assessment in the Method field, click Submit.
    5. If you have selected Detailed Risk Assessment in the Method field, click Assess Risk.
      1. In the Assessor field, select an assessor for the risk assessment.
      2. In the Approver field, select an approver for the assessment.
      3. Click Submit.
      A risk assessment instance link is created at the top left and the assessor gets a notification to perform the risk assessment. After the detailed risk assessment is performed, the Risk Assessments related list shows the assessment.
    6. Click the following available related lists, and add entities to them as required.
      • Business Units
      • Departments
      • Vendors
      • Products
      • Business Processes
      • Business Applications
      • Locations
      • Authority Documents
      • Policies