Track every request with the same fields
| Field | Purpose |
|---|---|
| Request ID | Unique reference |
| Control or topic | What the auditor is asking about |
| Owner | Who responds |
| Due date | When the response is needed |
| Evidence link | Where the proof lives |
| Status | Open, in progress, submitted, closed |
| Priority | Helps sequence urgent fieldwork requests |
| Reviewer | Person who confirms the response is complete |
| Submitted date | When the item was sent to the auditor |
| Follow-up notes | Clarifications, exceptions, or auditor comments |
Why this matters
Audit work gets chaotic when requests are tracked in inboxes. A simple intake structure keeps fieldwork organized and visible.
Auditor requests often arrive in waves. One request may ask for a policy, another for a sample population, another for screenshots, and another for evidence tied to a specific control. If each request is handled in a separate email thread, the team quickly loses track of ownership and status.
The intake table should become the single source of truth for fieldwork. It does not need to replace the auditor's portal, but it should give your internal team a clear operating view.
Recommended status flow
Use a small status set:
- New: request has arrived but has not been triaged.
- Assigned: owner has been named.
- In progress: evidence is being gathered or reviewed.
- Needs clarification: request is blocked on auditor or internal context.
- Ready for review: evidence is prepared and needs final check.
- Submitted: response has been sent.
- Closed: auditor accepted the response or no further action is expected.
Owner rules
Assign one accountable owner per request. Contributors can help, but the owner is responsible for driving the response to completion.
Good owner examples:
- Access review evidence: IT or identity owner
- Change management samples: engineering manager or release owner
- Vendor review evidence: procurement or security owner
- Policy approvals: compliance or policy owner
- Incident response samples: security lead
Review before submission
Before sending evidence to the auditor, confirm:
- The evidence matches the request.
- The sample period is correct.
- Screenshots or exports show dates where needed.
- Redactions are appropriate.
- Exceptions are explained.
- Links are accessible.
- The response does not include unrelated sensitive material.
Template usage tip
At the start of fieldwork, load every auditor request into the intake table and review it daily. During calmer periods, twice a week may be enough. Keep the table visible to leadership so blockers are surfaced before due dates slip.