Audit Workspace

The Audit Workspace is your central hub for evidence management, control readiness tracking, and auditor collaboration. Admins, Auditors, and Employees all work from the same workspace — each seeing only what their role permits.

Audit Workspace Overview

The Audit Workspace provides a real-time view of your compliance posture across all active frameworks. It is the primary workspace for your internal GRC team to manage controls and evidence during an audit engagement.

Summary Cards

The top of the Audit Workspace shows five key metrics, updated in real time (sample values shown):

  • Control Readiness: 78%
  • Evidence Coverage: 91%
  • Approved Evidence Items: 142
  • In Review: 23
  • Rejected / Failed: 7

Control List

Below the summary cards, every control in your active frameworks is listed. You can:

  • Filter by framework, category, status, or owner
  • Search by control code or title
  • Sort by priority, due date, or status
  • Expand any control row to see its full details inline

Evidence File Uploads

Each expanded control shows its evidence checklist. For each checklist item:

  1. Click the Upload button next to the checklist item
  2. Select a file (PDF, PNG, JPG, XLSX, CSV, DOCX, or TXT)
  3. The file is uploaded and linked to the control
  4. The checklist item status changes to PENDING
  5. An auditor (ADMIN or AUDITOR role) can then approve or reject it

Note (file upload API pattern): evidence files are uploaded using multipart/form-data, not JSON. Do not set Content-Type: application/json for file uploads. See the API Reference for the correct upload pattern.
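The following is an added example, not zGovern's own client code, showing what a correct multipart/form-data evidence upload looks like and the client-side checks worth doing before sending it: the file name is reduced to a bare name (no path components, no CR/LF or quotes that could corrupt the part headers), the extension is checked against the allowed list above, and the Content-Type is set to multipart with a random boundary rather than application/json. The form field name "file", the bearer-token header and the upload path argument are assumptions; the real field name and endpoint are in the API Reference.

```python
import http.client
import re
import secrets
from pathlib import PurePosixPath, PureWindowsPath

# Allowed upload types, as listed in the checklist upload steps above.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".xlsx", ".csv", ".docx", ".txt"}

# Assumed name of the multipart file field; confirm against the API Reference.
FILE_FIELD = "file"


def safe_filename(name: str) -> str:
    """Reduce a client-supplied path to a bare file name.

    Strips directory components written with either separator and removes
    CR, LF and double quotes, which would otherwise break the
    Content-Disposition header of the multipart part.
    """
    base = PureWindowsPath(PurePosixPath(name).name).name
    base = re.sub(r'[\r\n"]', "", base).strip()
    if not base or base in {".", ".."}:
        raise ValueError("empty or invalid filename")
    return base


def is_allowed_upload(filename: str) -> bool:
    """True when the (sanitised) file name has an allowed extension."""
    return PurePosixPath(safe_filename(filename)).suffix.lower() in ALLOWED_EXTENSIONS


def build_evidence_upload(filename: str, content: bytes,
                          content_type: str = "application/octet-stream"):
    """Return (headers, body) for a multipart/form-data evidence upload.

    The body is built by hand so the structure is visible: one part carrying
    the file, delimited by a random boundary that cannot collide with the
    file content by accident.
    """
    name = safe_filename(filename)
    if not is_allowed_upload(name):
        raise ValueError(f"file type not allowed for evidence upload: {name}")
    boundary = "----zgovern-" + secrets.token_hex(16)
    part_header = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{FILE_FIELD}"; filename="{name}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode("utf-8")
    body = part_header + content + f"\r\n--{boundary}--\r\n".encode("utf-8")
    headers = {
        # multipart with the boundary, never application/json
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def post_upload(host: str, path: str, token: str, filename: str, content: bytes):
    """Send the upload over HTTPS. `path` is the upload endpoint from the API
    Reference and the bearer token scheme is an assumption of this example."""
    headers, body = build_evidence_upload(filename, content)
    headers["Authorization"] = f"Bearer {token}"
    conn = http.client.HTTPSConnection(host, timeout=30)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample input: a tiny stand-in for a PDF export.
    hdrs, payload = build_evidence_upload("../../exports/mfa-enrollment.pdf", b"%PDF-1.4 sample")
    print(hdrs["Content-Type"])
    print(payload.decode("utf-8", errors="replace"))
```

The sanitisation matters on the client only as hygiene; the server must still treat the received file name as untrusted. What the example mainly shows is the shape of the request: a boundary in the Content-Type header, a Content-Disposition line naming the field and file, then the raw bytes.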

Auto-Collected Evidence

When an integration check passes, zGovern automatically creates an evidence entry tagged with [Auto]. These entries appear at the top of the evidence list with a blue banner, distinguishing them from manually uploaded files.

Auto-evidence items are pre-approved: they do not require an auditor's manual review unless your organization's policy requires it. You can switch auto-evidence to manual review mode in organization settings.

Comment Threads

Each control has a comment thread for collaboration between team members and auditors. Comments are of one of two types:

  • COMMENT: a general discussion comment visible to all workspace members. Use it to explain why evidence is structured a certain way, or to note related controls.
  • REQUEST_EVIDENCE: a formal evidence request from an auditor to the control owner. Use it to ask for an additional file, a configuration screenshot, or a process walkthrough.

Control Engine Status

For controls linked to automated monitoring checks, the expanded control view shows:

  • Last auto-check timestamp: when the control was last automatically evaluated
  • Auto-check result: PASS / FAIL / WARNING
  • Auto-fail reason: if the check failed, the specific reason returned by the integration adapter (e.g., "S3 bucket 'logs-prod' has public ACL enabled")

Superseded Documents

When you upload a new version of an evidence file to a checklist item that already has an approved file, the old file is moved to the Superseded section. Superseded files are retained for the complete audit history — auditors can expand this section to review the evidence progression over time.

Audit Bundle Export

The Audit Bundle is a ZIP archive containing everything an external auditor needs to review your compliance posture. Download it from the Export Audit Bundle button at the top right of the Audit Workspace. Treat the downloaded archive as sensitive: it contains the full text of your active policies and your risk register, not just control status.

ZIP archive structure
audit-bundle-2026-03-08.zip
├── summary.txt              # High-level compliance overview
├── controls.csv             # All controls with status, owner, evidence counts
├── risks.csv                # All risks with severity, status, mitigation
├── evidence-checklist.csv   # All checklist items with approval status
└── policies.txt             # All ACTIVE policies with version and content

Endpoint: GET /api/export/audit-bundle (download the audit bundle as a ZIP)

Response: binary ZIP file. Content-Type: application/zip. Content-Disposition: attachment; filename="audit-bundle-YYYY-MM-DD.zip".
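An added example (not part of zGovern) of how a consuming script should handle the downloaded bundle: check the response headers match the documented Content-Type and file name pattern, confirm the archive contains the five documented members, refuse any member name that is absolute or contains ".." before extracting, and write members only inside the chosen destination directory. Generic ZIP hygiene applies to any archive a script extracts, whatever produced it. The sample bundle built by make_sample_bundle is constructed for offline testing and is not a real export.

```python
import io
import re
import zipfile
from pathlib import Path, PurePosixPath

# Members documented in the "ZIP archive structure" listing above.
EXPECTED_MEMBERS = {
    "summary.txt", "controls.csv", "risks.csv",
    "evidence-checklist.csv", "policies.txt",
}
FILENAME_RE = re.compile(r"^audit-bundle-\d{4}-\d{2}-\d{2}\.zip$")


def bundle_filename(headers: dict) -> str:
    """Validate the documented response headers and return the file name."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/zip":
        raise ValueError(f"unexpected Content-Type: {media_type!r}")
    match = re.search(r'filename="([^"]*)"', headers.get("Content-Disposition", ""))
    if not match or not FILENAME_RE.match(match.group(1)):
        raise ValueError("Content-Disposition filename is not audit-bundle-YYYY-MM-DD.zip")
    return match.group(1)


def is_safe_member(name: str) -> bool:
    """Reject member names that could escape the extraction directory."""
    if not name or name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    parts = PurePosixPath(name).parts
    return bool(parts) and ".." not in parts


def validate_bundle(zip_bytes: bytes) -> set:
    """Return the member names; raise if any is unsafe or a documented one is missing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    for name in names:
        if not is_safe_member(name):
            raise ValueError(f"unsafe member name in bundle: {name!r}")
    missing = EXPECTED_MEMBERS - set(names)
    if missing:
        raise ValueError(f"bundle is missing {sorted(missing)}")
    return set(names)


def bundle_is_valid(zip_bytes: bytes) -> bool:
    try:
        validate_bundle(zip_bytes)
        return True
    except (ValueError, zipfile.BadZipFile):
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract a validated bundle, re-checking every target path stays under dest."""
    names = validate_bundle(zip_bytes)
    root = Path(dest).resolve()
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(names):
            target = (root / name).resolve()
            if root not in target.parents:
                raise ValueError(f"member would be written outside {root}: {name!r}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
    return sorted(names)


def make_sample_bundle(extra_members=()) -> bytes:
    """Constructed sample bundle with the documented members (offline test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("summary.txt", "Control readiness: 78%\nEvidence coverage: 91%\n")
        zf.writestr("controls.csv", "code,title,status,owner,evidence_count\n"
                                    "AC-1,Access Control Policy,APPROVED,alice,3\n")
        zf.writestr("risks.csv", "id,severity,status,mitigation\nR-1,HIGH,OPEN,Enforce MFA\n")
        zf.writestr("evidence-checklist.csv", "item_id,control,status\n1,AC-1,APPROVED\n")
        zf.writestr("policies.txt", "Access Control Policy v1.2 (ACTIVE)\n")
        for name in extra_members:          # used to build a deliberately bad bundle
            zf.writestr(name, "x")
    return buf.getvalue()
```

The second path check inside safe_extract is deliberate: validate_bundle already rejects ".." components, but resolving the final target against the destination root is the check that survives symlinks and odd names, so it stays even when the name filter looks sufficient.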

Approve / Reject Workflow

Users with the ADMIN or AUDITOR role can approve or reject evidence checklist items directly within the Audit Workspace. For each control, they see:

  1. The control code, title, and plain-English description
  2. Each checklist item with its uploaded file and current status
  3. An Approve button (green) and a Reject button (red) per checklist item

Rejecting Evidence

Clicking Reject opens a modal where the reviewer must provide a rejection note explaining:

  • Why the evidence is insufficient
  • Exactly what is needed to replace it
  • (Optional) A reference to the specific framework clause that requires different evidence

The rejection note is stored and displayed to the control owner, and the checklist item moves to REJECTED status. The owner can then upload a replacement file, which returns the item to PENDING for another review.

POST /api/compliance/checklist/:itemId/reject — request body
{
  "note": "The screenshot provided does not show the MFA enforcement policy applied to all users. Please provide an export from Okta showing 100% MFA enrollment, or a screenshot of the Authentication Policy with 'Require MFA' enabled for the 'Everyone' group."
}

Approving Evidence

Clicking Approve immediately sets the checklist item to APPROVED status. No additional note is required.

POST /api/compliance/checklist/:itemId/approve — request body
{} // No body required — approval is implicit
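To tie the workflow together, here is an added example (not zGovern's implementation) modelling a checklist item as a small state machine: uploads set PENDING and move a previously approved file to Superseded, auto-collected evidence is pre-approved unless manual review is required, and only the ADMIN or AUDITOR roles may approve or reject, with a rejection refused when the note is empty. The MISSING status for an item with no evidence yet, the rule that only PENDING items can be reviewed, and the handling of a replaced non-approved file (simply overwritten) are assumptions of this example, not documented behaviour.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(str, Enum):
    MISSING = "MISSING"      # assumed label for "no evidence attached yet"
    PENDING = "PENDING"
    APPROVED = "APPROVED"
    REJECTED = "REJECTED"


# Roles allowed to approve or reject evidence.
REVIEW_ROLES = {"ADMIN", "AUDITOR"}


def can_review(role: str) -> bool:
    return role in REVIEW_ROLES


@dataclass
class EvidenceFile:
    filename: str
    auto: bool = False       # True for [Auto] entries created by an integration check


@dataclass
class ChecklistItem:
    item_id: str
    status: Status = Status.MISSING
    current: Optional[EvidenceFile] = None
    superseded: List[EvidenceFile] = field(default_factory=list)
    rejection_note: Optional[str] = None

    def upload(self, file: EvidenceFile) -> Status:
        """Attach a (new version of a) file; the item goes back to PENDING."""
        if self.current is not None and self.status == Status.APPROVED:
            # A new version on top of an approved file keeps the old one for history.
            self.superseded.append(self.current)
        # Assumption: a pending or rejected file is simply replaced.
        self.current = file
        self.rejection_note = None
        self.status = Status.PENDING
        return self.status

    def attach_auto(self, file: EvidenceFile, manual_review_required: bool = False) -> Status:
        """Auto-collected evidence is pre-approved unless org policy says otherwise."""
        self.upload(file)
        if not manual_review_required:
            self.status = Status.APPROVED
        return self.status

    def _check_reviewer(self, role: str) -> None:
        if not can_review(role):
            raise PermissionError(f"role {role!r} may not approve or reject evidence")
        if self.status != Status.PENDING:
            # Assumption: only items awaiting review can be approved or rejected.
            raise ValueError(f"item {self.item_id} is {self.status.value}, not PENDING")

    def approve(self, role: str) -> Status:
        """Approval needs no note (empty request body)."""
        self._check_reviewer(role)
        self.status = Status.APPROVED
        return self.status

    def reject(self, role: str, note: str) -> Status:
        """Rejection requires a note explaining what is missing."""
        self._check_reviewer(role)
        if not note or not note.strip():
            raise ValueError("rejection requires a note for the control owner")
        self.rejection_note = note.strip()
        self.status = Status.REJECTED
        return self.status


if __name__ == "__main__":
    # Constructed walkthrough: upload, approve, supersede, reject.
    item = ChecklistItem("chk-mfa-1")
    item.upload(EvidenceFile("okta-auth-policy-v1.png"))
    item.approve("AUDITOR")
    item.upload(EvidenceFile("okta-auth-policy-v2.png"))
    item.reject("ADMIN", "Screenshot does not show MFA enforced for the 'Everyone' group.")
    print(item.status.value, [f.filename for f in item.superseded], item.rejection_note)
```

The point of the model is the invariants a server-side implementation should enforce regardless of the UI: the role check happens before any state change, a rejection cannot be recorded without its note, and superseded files are appended rather than deleted.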