Create an auditable unit and scope entities at risk

  • Release version: Australia
  • Updated March 12, 2026
  Create auditable units to identify business entities that might be at risk and scope them into audits.

    Before you begin

    Role required: sn_audit.manager, sn_audit_ws.supervisor, sn_audit.user, sn_audit_ws.auditor

    About this task

    Auditable units are a combination of different entities such as business units, products or services, legal entities, regulatory required audits, processes, programs, systems, policies, regulations, financial statements, and others.

    After you determine the nature and scope of the auditable units, your goal is to perform risk assessments, and scope auditable units and entities based on the risk rating.

    See also Perform advanced risk assessment in the Risk workspace.

    Procedure

    1. Navigate to All > Audit > Audit Workspace.
    2. Click Create and select Auditable unit from the Home page.
      You can also create an auditable unit by navigating to the Audit workspace List page.
      1. Click the lists icon.
      2. Click All auditable units or My auditable units in the Scoping list.
      3. Click New.
    3. On the form, fill in the fields.
      Table 1. Create New Auditable Unit form

      Field: Description

      Number: Unique number of the auditable unit.
      Name: Name of the auditable unit. For example, Accounts Payable – Finance.
      State: State of the auditable unit. The default state is Draft.
      Priority: Priority of the auditable unit.
      Description: Brief description of the auditable unit.

      Assignment
      Owning group: Group that owns the auditable unit.
      Owner: Owner of the auditable unit.

      Risk assessment
      Method: Type of risk assessment to obtain the risk rating of the auditable unit. The choices are:
      • Basic Risk Assessment: Allows you to manually enter a value for the risk rating.
      • Detailed Risk Assessment: Appears when the Advanced Audit plugin is activated. When you select this option, the Risk Assessments related list appears.
      Risk rating: Risk rating of the auditable unit obtained from a basic risk assessment.
      Inherent risk rating: Inherent risk score. The value in this field is derived from advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
      Control effectiveness: Control effectiveness score. The value in this field is derived from advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
      Residual risk rating: Residual risk score. The value in this field is derived from advanced risk assessment. This field appears if the Method field is set to Detailed Risk Assessment.
    4. Click Save.
    5. To add entities such as business units, departments, vendors, products, business processes, and others to the auditable unit, click the respective related list on the Details page.
    6. Select the records from the respective pop-up.
    7. Click Add.
    8. Click Activate.
      The state of the auditable unit becomes Active.
    9. To retire the auditable unit, click the Retire button under the more actions icon.
    10. If you have the GRC: Advanced Risk application installed and have selected Detailed Risk Assessment as the risk assessment method, you can assess risk by clicking the Assess risk button.
      For more information, see risk assessment method in Create an auditable unit.