Create an issue for an engagement

  • Release version: Australia
  • Updated March 12, 2026
  • 4 minutes to read

    • Create an issue to document policy, risk, or audit observations, or to accept any GRC problems. You can also identify the source of the issue to help analyze and classify the issues.

    Before you begin

    Role required: sn_audit.manager, sn_audit_ws.supervisor

    Procedure

    1. Navigate to All > Audit > Audit Workspace.
    2. Click the lists icon (List icon.).
    3. Click All engagements or My engagements in the Execution list.
    4. Click the link to the engagement record in the Name column.
      The engagement record details open in the Overview tab.
    5. Click the Other issues related list.
    6. Click New.
    7. On the form, fill in the fields.
      Table 1. Create New Issue form
      Field Description
      Number Unique identification number.
      Name Name of the issue.
      Issue source Source from where the issue was created. This field is auto-populated with one of the following options based on how the issue is created:
      • Indicator Failure: Issue is created by a failure of the indicator.
      • Risk Assessment: Issue is created in a risk.
      • Risk Event: Issue is created in a risk event.
      • Control Attestation Failure: Issue is created due to a non-compliant control.
      • Control Test Failure: Issue is created when a control is ineffective and the control test is marked as closed and complete.
      • Ad-hoc: Issue is manually created.
      Issue type Type of issue.
      Classification Classification of the issue as a risk, compliance, or audit, based on the issue type.
      State
      • New
      • Analyze
      • Respond
      • Review
      • Closed Complete
      • Closed Incomplete
      Substate Substate and applicable details for the substate.
      Priority Sequence in which an issue needs to be resolved, based on its impact and urgency:
      • 1 — Critical
      • 2 — High
      • 3 — Moderate
      • 4 — Low
      • 5 — Planning
      Issue rating Issue manager can assign a issue rating to the issue. Based on the issue rating, the Due date in the Dates tab is calculated as follows and displayed:
      • Very high (2 days)
      • High (4 days)
      • Moderate (8 days)
      • Low (10 days)
      • Very Low (15 days)
      You can manually override the Due date.
      Description Comprehensive description of the issue.
      Assignment
      Assignment group Group to which the issue is assigned. Each member receives a notification when an activity occurs on this issue.
      Assigned to Member of the group assigned to resolve the issue.
      Issue manager group Group responsible for managing and reviewing the issue.
      Issue manager User responsible for managing and reviewing the issue.
      Watch list Users added to view the issue.
      Schedule
      Due date Due date is auto-populated based on a GRC property, Auto populate due date based on issue rating. If it is set to Yes, the field is auto-populated based on the predefined remediation time frame for the issue's risk rating. Otherwise, you can manually enter a due date.

      When an issue transitions to the Respond state, an entry in this field is mandatory.
      Confirmed date Date on which the issue is confirmed. This field is read-only, and displays the current date when the issue is moved from New to any of the following states:
      • Analyze
      • Review
      • Respond
      Note:
      If a triage issue is converted to an actual issue, this field displays the date it was converted.
      Created Date and time the issue was created.
      Closed Date and time the issue was closed.
      Planned start date Date and time when the work on the issue is expected to begin.
      Planned end date Date and time when the work on the issue is expected to end.
      Planned duration Estimated duration of work time. Calculated using the Planned start date and Planned end date.
      Actual start date Time when work began on the issue.
      Actual end date Time when work on the issue was completed.
      Actual duration Duration of work time. Calculated using the Actual start date and Actual end date.
      Details
      Control/Risk Control or risk associated with the issue.
      Control Objective/Risk statement Control objective or risk statement related to this issue.
      Entity Related entity.
      Configuration item Item associated with the issue. If all child issues have the same configuration item, it gets copied over to the parent issue.
      Location Location where the issue occurred.
      Risk event Related risk event.
      Engagement Related engagement.
      Policy Policy associated with the issue.
      Authority document Authority document associated with the issue.
      Issue grouping
      Parent issue Parent issue to which the issue belongs.
      Issue group rule Group rule assigned to the issue.

      Issue group rule is used to group similar issues together into a parent issue based on conditions defined in the rule. This allows you to work on similar issues simultaneously and close out the parent issue after all issues are resolved. This closes out all the child issues.
      Action plan
      Recommendation Resolution actions recommended by the risk, compliance, or audit teams.
      Action plan Plan for remediating the issue.
      Confidentiality
      Confidential Option to enable confidentiality of the record. Only the assigned confidential users or confidential groups of users can access the record.

      For more information on confidential option, see Confidentiality flag for audit and compliance records.
      Activity
      Work notes (Private) Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
      Additional comments Public information about the issue.
    8. Click Save.