🚧 Early alpha — building the foundation. See the roadmap →
For internal audit
What you own in the model
Section titled “What you own in the model”| Entity | Your role |
|---|---|
| Assessment (audit) | ◎ own |
| Finding / Issue (+ remediation) | ◎ own |
| Control | ● test (GRC/ISRM owns the library) |
| Risk / Risk Scenario | ● use for risk-based planning |
| Requirement / Framework | ○ reference |
How you get into it
Section titled “How you get into it”- Reuse the shared control library. Your audit programs reference the same control objects GRC/ISRM maintains — no parallel control universe to keep in sync.
- Map tests to controls. An audit test points at a control (which already hangs off the relevant CRI / framework requirements via the crosswalk), so a passed/failed test rolls up to framework coverage automatically.
- Write findings to the shared register. A finding records against the control/requirement that failed — visible to GRC and compliance, who own remediation alongside you.
- Plan risk-based. Use the shared risk scenarios (tagged to CRI functions) to scope the audit universe.
Why this beats a siloed audit tool
Section titled “Why this beats a siloed audit tool”A standalone audit workpaper engine (Pentana / Ideagen, AuditBoard) keeps its own objectives-risks-controls-tests library. That’s fine — but if it doesn’t share the control objects with GRC, you get drift: audit tests one control definition, GRC manages another. In the unified model, the control is one object; audit tests it, GRC maintains it, compliance maps obligations to it. Crosswalker can hold that shared control + crosswalk layer your audit tool points at.
Related
Section titled “Related”- Unified risk model — the shared model
- For GRC / ISRM — who owns the control library you test
- Related tooling — audit engines (Pentana, AuditBoard) + where they connect