
April 8, 2026

Why Smart Audit Scoping Changes Everything in Compliance

The way an audit is set up determines how useful it is. WhizzC's Audit Module is built around a simple idea: define the scope precisely, and let everything else follow automatically.


The Problem with Audit Prep

Most of the pain in a compliance audit doesn't happen during the review itself; it happens before it: hunting down the right documents, figuring out which evidence maps to which control, chasing approvals across teams, and then doing it all over again when something has expired. By the time the auditor arrives, the team is already exhausted.

WhizzC's Audit Module is designed to absorb that overhead. The core idea is straightforward: if your evidence is already organised and mapped in one place, your audit should almost set itself up. The work you've done maintaining your compliance programme becomes the foundation of the audit, not something you have to reconstruct from scratch each time.

The result is an audit process that feels less like a fire drill and more like a structured, repeatable review.


Scoping as the Foundation

Every audit in WhizzC starts with a scoping exercise, and it's worth understanding why that matters, not just what fields to fill in.

When you define an audit's scope, you're making a series of decisions that shape everything downstream: which frameworks are being assessed, which part of the business is in scope, who is responsible for the review, and, critically, what time window the evidence needs to cover. These aren't administrative details. They're the parameters the system uses to intelligently surface the right evidence and flag gaps.

One distinction that often gets overlooked is the difference between when the audit runs and how fresh the evidence needs to be. These are separate concepts, and treating them as such gives organisations a more honest picture of their compliance posture. Evidence that was valid twelve months ago may not reflect how controls are operating today, and the audit setup is where you define exactly what "current" means for this review.

Once the scope is set, WhizzC draws from the Artefact Module to populate the audit with evidence already mapped to the relevant standard controls. There's no manual linking step. The audit begins with a complete, accurate picture of where things stand, and the team can focus on addressing gaps rather than assembling them.


⚠️ A note on auditor access: Auditor assignment is controlled: only users with the appropriate access level can be designated as the auditor for a given audit. This ensures accountability and keeps the reviewer role distinct from the rest of the team.



Evidence That Speaks for Itself

One of the more nuanced challenges in compliance is that "evidence exists" and "evidence is sufficient" are not the same thing. A document might be present but expired. It might be uploaded but only partially reviewed. It might relate to a control that simply doesn't apply to your organisation. WhizzC's evidence display logic handles all of these cases and makes the distinction visible at a glance.

WhizzC evaluates the state of your evidence and gives each control a clear status reflecting whether it's fully covered, has a gap, sits outside your audit scope, or is somewhere in between. That last category is often the most valuable: rather than collapsing everything into a simple pass or fail, the system recognises that compliance is frequently a work in progress and surfaces controls that are close but not yet complete.

The Partial status reflects something important about how compliance actually works: progress is rarely binary. Teams working towards certification or remediation often have evidence that's mostly there but not quite complete. Rather than forcing everything into a pass/fail bucket, WhizzC surfaces these in-between states so they can be addressed before they become findings.

This classification also shifts the conversation in audits. Instead of spending time establishing what evidence exists, the auditor can start from a clear baseline and focus their attention on the controls that genuinely need scrutiny.


Where Human Judgement Still Matters

Automation can surface evidence and classify it, but it can't assess intent. A policy document might be technically valid and within the validity period, yet still fail to address the spirit of a control. That's where the auditor comes in.

Auditors in WhizzC have a dedicated set of capabilities that are separate from the rest of the team. This isn't just a permissions distinction; it reflects a deliberate design choice that keeps the review function independent and authoritative.

◆  Annotate individual controls

Auditors can leave structured comments against each control, capturing their reasoning, concerns, or observations in a way that becomes part of the permanent audit record.

◆  Override system classifications

When the automated status doesn't reflect the auditor's professional assessment, they can reclassify a control. Evidence that looks valid on paper but doesn't adequately address the control can be moved to Non-Conformance, with the auditor's reasoning documented alongside.

◆  Request updated evidence

Rather than simply flagging a gap, auditors can formally request new or supplementary documentation from the audit owner, keeping the process moving without leaving loose ends.


The override capability is worth emphasising because it addresses a real tension in automated compliance tooling. Systems are good at checking whether evidence exists and whether it's current. They're not good at judging whether the right people signed off, whether the procedure described actually reflects what happens in practice, or whether the evidence was produced specifically for the audit rather than through normal operations. Auditors are. The override gives them the authority to act on that judgement without being constrained by what the system inferred.


✅  Concluding the review: When the auditor is satisfied that all controls have been assessed, they can formally close the audit. This triggers automatic generation of the audit report, capturing every status, comment, and override in a structured, shareable format.


Keeping Everyone in the Loop

Audits often create information asymmetry. The auditor is deep in the detail; the audit owner is waiting to hear how it's going. In traditional processes, that gap gets filled by status meetings, email threads, and spreadsheet exports, none of which are particularly efficient or reliable.

WhizzC's Summary Page addresses this directly. Throughout the audit period, the audit owner has a real-time view of where things stand: which controls are conformant, which are flagged, and what the auditor has commented. Evidence requests land in a trackable workflow rather than an inbox.

This transparency matters because it allows the audit owner to respond to issues proactively. If additional evidence is needed for three controls, they can begin gathering it immediately rather than waiting for a formal finding. The audit becomes a collaborative process rather than a one-way assessment.

Once the audit concludes, the generated report captures the complete record (statuses, overrides, comments, and evidence decisions) in a form that can be shared with stakeholders, stored for future reference, or used as a baseline for the next audit cycle.