The impact of dates set for audit windows within the Trustero app, and what happens when the state of the audit instance is Closed
Audit Periods: End Date vs Closed State
Most audits have a start and end date (some audits, e.g., SOC 2 type 1, are just a point in time). In Trustero, they also have a state of either Open or Closed.
Start and End Date
Although preparation is key before the start date of an audit, evidence from before the start date is not typically necessary or relevant.
For example, if you have a control requiring that Engineering run a security check every week, you won’t need proof that the check ran until the start date. From the start date to the end date, you’ll need to show that check ran. Again, after the end date, you won’t need to show any evidence that it kept running.
When an audit period closes, then, in theory, no new evidence should be added to the audit.
The exception to this rule is evidence added post-audit which describes events that happened during the audit. For this evidence to pull in, change the Relevant Dates to a date within the audit window.
Additionally, requests from auditors are often responded to after the end date of an audit has passed.
More information about setting Relevant Dates for manually added evidence can be found in this article.
Open and Closed
Audits default to Open, though they won’t include evidence from before their Start Date.
When the audit’s End Date arrives, automatic evidence will stop posting to the audit instance. Although it's not being updated, it's likely the audit instance will still be in use while the auditors wrap up their review and collect responses to documents requests.
We recommended using the option to Close your audit only after you have your report or certificate in hand.
To Close an audit, navigate to the audit listing page by clicking the icon in the top left of your screen (at the top of the leftnav).
Use the triple dot icon for a specific audit and select Close.
When the audit closes, no new evidence can be added and a snapshot of all your documents will be saved for you. This lets you modify policies, controls, and other documents for future compliance efforts, without changing records for a finished, past, audit.
End Date has Passed, but Audit Remains Open
It is possible to creep into a twilight state where your audit is open, but its end date has passed. This is a confusing situation for various reasons.
Automated evidence won’t be included in the audit, because it samples from a date outside the audit period range.
If you change the wording of your controls or policies, this will change them for all Open audits, even if the End Date has passed. This means you may want to change your compliance processes for the next audit period but accidentally modify them retroactively for your previous audit period.
You can also get into trouble with audit scans, which are calibrated to rescan under certain conditions that may no longer make sense for an Open audit that has passed its End Date.