Audit Configuration Settings

Owned by Phillip Hanegan
Last updated: Nov 03, 2019
6 min read

In EmpowerID, an audit is a logically named user-defined object that you create for identifying or grouping attestation tasks and running the Recertification policies that generate those tasks. Audits have a number of settings that can be configured to determine certain aspects of recertification. 

  • Enabled — Used to enable or disable an audit. When you first create an audit, this is set to false by default.

    Audits should not be enabled until you are ready to run them because when an audit is enabled, it immediately runs any Recertification policies added to it

  • Do No Allow Delete — Specifies whether the audit can be deleted within the EmpowerID Web interface.
  • Is Template — Determines whether the audit should be used as a template for future audit(s). If set to true, EmpowerID creates each new audit(s) with the same configuration settings as those applied to the template. This is helpful in situations where a specific type of recertification occurs regularly. For example, if your organization audits the members of all high security groups on a monthly or quarterly basis, you can configure a template once with the necessary Recertification policies and specify that EmpowerID create and run a new audit as directed by your organization's security requirements. Schedule settings include the following:
    • Enable Audit Creation On Schedule — This is a Boolean flag that when set to true allows new audit(s) to be created from the template as scheduled. 
    • Audit Creation Schedule — Used to specify the time period during which new audit(s) should be created from the template. The audit creation schedule includes a Start and End date, as well as frequency settings.
    • Start Date — The date the first audit is to be created from the template.
    • End Date — The date that no new audits are to be created from the template.
    • Frequency — Specifies how often a new audit is to be created during the date range set by the Audit Creation Schedule
      • Once — A new audit is created once.
      • Minute Interval —  A new audit is created "X" times every "Y" minutes as specified in the Run IndefinitelyIterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, a new audit is created and run twice. The first occurrence is at the Audit Creation Schedule Start Date and the second is 24 minutes later. However, if you select Run Indefinitely, and then select an Interval of 24,  a new audit is created and run once every 24 minutes throughout the date range set for the Audit Creation Schedule.
      • Hour Interval —  A new audit is created "X" times every "Y" hours as specified in the Run Indefinitely, Iterations and Interval fields. So, for example, if you select an iteration of 2 and an interval of 24, a new audit is created and run twice. The first occurrence is at the Audit Creation Schedule Start Date and the second is 24 hours later. However, if you select Run Indefinitely, and then select an Interval of 24, a new audit is created and run once every 24 hours throughout the date range set for the Audit Creation Schedule.
      • Daily —  A new audit is created once every "X" days at a designated time as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, a new audit is created and run twice. The first occurrence is at the date and time specified in the Audit Next Creation field and the second occurrence is on the following day at the time specified in the Times field. However, if you select Run Indefinitely, a new audit is created and run on the days and times specified in the Times and Days fields throughout the date range set for the Audit Creation Schedule.
      • Weekly—  A new series of audits are created "X" times a week at a designated time and day of the week as specified in the Run IndefinitelyIterations and Times fields. So, for example, if you select an iteration of 2, two new series of audits will be created and run during the date range set for the Audit Creation Schedule. The first series occurs at the Start date and completes after the interval cycle, with the second occurring after the first completes. However, if you select Run Indefinitely, a new audit is created and run on a weekly basis on the day and time specified in the Times and Days fields throughout the date range set for the Audit Creation Schedule.
      • Monthly — A new series of audits are created "X" times a month at a designated time on a specific day or days within a particular month or months as specified in the Run Indefinitely, Iterations and Times fields. So, for example, if you select an iteration of 2, two new series of audits will be created and run during the Start and End Dates. The first series occurs at the Start date and completes after the interval cycle, with the second occurring after the first completes.

  • Skip Quality Check For Group Membership — Specifies whether the recertification tasks generated when the audit runs require an additional level of certification beyond that of the line manager, application or group owner. If set to true, EmpowerID either executes the operation associated with the recertification decision or routes it for further approval. Approval routing is based on the Access Levels or delegations of the line manager, application or group owner making the decision. If set to false, the decision is marked and routed to Quality Check personnel for final review and approval.
  • Skip Quality Check For Business Role — Specifies whether the recertification tasks generated when the audit runs require an additional level of certification beyond that of the line manager, application or group owner. If set to true, EmpowerID either executes the operation associated with the recertification decision or routes it for further approval. Approval routing is based on the Access Levels or delegations of the line manager, application or group owner making the decision. If set to false, the decision is marked and routed to Quality Check personnel for final review and approval.
  • Skip Quality Check For Management Role — Specifies whether the recertification tasks generated when the audit runs require an additional level of certification beyond that of the line manager, application or group owner. If set to true, EmpowerID either executes the operation associated with the recertification decision or routes it for further approval. Approval routing is based on the Access Levels or delegations of the line manager, application or group owner making the decision. If set to false, the decision is marked and routed to Quality Check personnel for final review and approval.
  • Notify Participant On Audit Creation — Specifies whether EmpowerID should send email notifications to all participants when the audit is created. If set to true, you select the All Participant Notification Email Template to be used. 
  • Enable Notification — Specifies whether EmpowerID should send email notifications to all participants with open recertification tasks that need to be reviewed and completed. If set to true, you set the following additional settings:
    • Open Task Notification Email Template — Specifies the email template to be used.
    • Notify Open Task Participant After Audit Start In Days — Specifies the number of days after the audit start date that the initial notification should be sent to all participants with open tasks.
    • Notification Frequency In Days — Specifies the how often after the initial notification is sent that participants with open tasks should be notified again. Reminder notifications will be resent to participants with open tasks every "X" days until they close their tasks.
       
  • Enable Escalation — Specifies whether EmpowerID should send email notifications to the managers of all audit participants with open recertification tasks. If set to true, you set the following additional settings:
    • Open Task Escalation Email Template — Specifies the email template to be used.
    • Escalate Open Task Participant Before Audit End In Days — Specifies the number of days before the audit end date that the initial escalation notification should be sent.
    • Escalation Frequency In Days — Specifies the how often the escalation notification should be resent to the managers of participants with open tasks. Reminder notifications will be sent to managers every "X" days until their direct reports close their tasks. 

  • Enable Automatic Revocation After Due Date — Specifies whether EmpowerID should automatically revoke access after an audit due date. This setting is only valid for Person Direct Entitlement Recertification Policy types. 
  • Recertification Policy — Specifies the Recertification policy or policies to be compiled when the Audit runs. Audits can have a many Recertification policies associated with them as makes sense.

The below configuration settings are only accessible after an audit is created.

  • Ignore Any Certified Within Last X Days — This is an optional setting that can be used to specify that the audit should ignore any Recertification tasks generated from a Recertification policy if those tasks were previously certified within the specified last number of days. This is useful in situations where a previous audit closed before all recertification tasks it generated were completed. This way, managers only receive recertification tasks for any direct reports who were not certified in the last audit. This setting does not completely exclude previously audited direct reports; it only excludes those access assignments that were re-certified within the specified day range. Thus, if a direct report gains access to a new resource, such as becoming the member of a new group, the audit generates a recertification task for that new membership.
  • Exclusions — This is an optional setting that can be used to keep the audit from creating recertification tasks for certain access assignments that would normally be generated by the attached Recertification policy.