PCAOB AS 2110 · COSO ERM 2017 · IIA IPPF
Audit teams stop reconciling tools that should already agree because Audvera is one model the engagement workspace and the controls registry both query.
FY26 Q3 SOX - FRS Package
Engagement workspace
R47
Inherent
9
Residual
4
Tenant register
Controls catalog
R47
Inherent
9
Residual
4
"Federation is what GRC vendors call 'we couldn't agree on a data model.'"
— A working hypothesis.
THE AUDIT WEEK YOU RECOGNIZE
Pick a pain to see the product answer.
WHY ONE MODEL
Link tables
engagement_control_link and engagement_risk_register_link keep registry IDs inside the engagement view. The workspace can score and test without creating a second source.
Schema excerpt
Graph link tables
engagement_control_link
engagement_risk_register_link
AI context loading
Controls AI receives objectives, scope, linked risks, and the selected standards pack before drafting a candidate control.
Engagement context loaded
Controls AI suggestion
C-12
Scope: PCAOB. Risks loaded: R47, R52. Last tested 2026-04-15.
State machine + signoff
The lifecycle records draft, CAE gate, acceptance, and release states against the same finding chain.
System event trail
Material finding lifecycle
Step 1
Draft
Step 2
CAE gate
Step 3
Accepted
Step 4
Monitored
Visible in the audit log, reviewer queue, and reporting workflow.
"The audit graph isn't a metaphor. It's a schema."
— Direct quote from the engineering note.
THE ENGAGEMENT VIEW
Engagements are scoped against the registry. Risks come from the canonical row. Test steps and evidence link back to the engagement objectives.
THE COMPLETE AUDIT
Audvera keeps planning, fieldwork, evidence review, and report delivery in one connected workflow so teams move faster without losing audit discipline.
End-to-end workflow
One connected system for planning, execution, review, and final reporting.
Plan build
18 min
Linked evidence
142
Phase 01
1/5Define engagement scope, select control families, and rank risk themes in one guided screen.
Scope locked | expanding mandates without extra budget pressure
Budget-Scope Pressure (IIA Pulse 2025)
47%
audit teams report underfunding
Planning Time
-
from 3 days to 18 minutes
Spreadsheet Fire-Drill Fragmentation
0
evidence items linked, reviewed, and traceable
Report Delivery
-
Fieldwork Workspace
Every audit procedure links to its risk, evidence, and reviewer feedback — no spreadsheet side-quests.
FY2026 Audit
bank-confirmations-q4.pdf
PDF · Linked to P-04
S. Patel
2h agoCut-off sample needs 3 additional items for Dec 28–31 window.
AI AssistantAI
Just nowException cluster detected in Q4 journal entries > $50K. Recommend expanding sample.
THE REGISTRY VIEW
One canonical risk record. Per-engagement scoring lives in a sidecar. Cross-engagement remediation history visible without leaving the registry.
promoted from engagement E-14 · provenance captured
engagement objectives + risks loaded as context
Rank 1
Privileged-access ticket review (n=25 sample)
Rank 2
Segregation of duties: FRA vs SOX-relevant transactions
Rank 3
Quarterly access certification with management attestation
Suggestions cite IIA / COSO / PCAOB skills
From the registry risk → the linked engagement → the test step that surfaced the deficiency → the control owner → the remediation owner. One immutable chain. Replayable for review.
Reporting Workspace
Findings link to source evidence and test procedures, while approved inclusions and engagement context flow into the draft automatically before reviewers sign off.
FY2026 Audit
S. Patel
Engagement Manager
Mar 7, 4:12 PM
J. Chen
Senior Manager
Awaiting
M. Williams
Partner
—
Report PDF
ReadyEvidence Workpapers
6 filesInherited Context
Scope + inclusionsAI Disclosure
IncludedDraft signoff pending
Finding builder
Finding
F-12.3
Control
C-24
Risk
R52
Engagement
FY26 Q3 SOX - FRS Package
CAE signoff required before material release.
"There's a reason no one updates the GRC tool."
— Something every audit lead has learned.
FRAMEWORK COVERAGE
PCAOB AS 2110
Risk assessment and response planning.
IIA IPPF
Internal audit practice requirements.
COSO ERM 2017
Enterprise risk and control vocabulary.
SOX
Financial reporting control coverage.
ISO 19011
Audit program and evidence guidance.
GTAG
Technology audit context.
NIST CSF
Cybersecurity control mapping.
FedRAMP
Cloud authorization control context.
Audvera was built by people who had the problem. Engagement workspace, controls registry, GRC tool, and the spreadsheet that actually got used because the three didn't talk. The product is what that workflow looks like when you stop pretending the engagement and the registry are different things.
Open the live demo and walk through engagement scoping with a real controls graph.