Security Audits

When to use

Create a new security audit when scheduling a security audit according to your security audit plan or when conducting an ad-hoc security audit in response to a security event, threat intelligence, or regulatory requirement.

Steps

1. Click Add new audit in the top-right corner
2. Complete the security audit details in the window that opens:
   • Audit name: Short descriptive name (e.g., "Q2 Access Control Security Audit")
   • Audit type: Select from configured security audit types (e.g., Access Control, Cargo Security, Cybersecurity)
   • Area: The security domain being audited (e.g., Perimeter Security, Passenger Screening)
   • Entity conducting audit: Organisation or department conducting the security audit (optional)
   • Entity being audited: Organisation or department being audited (optional)
   • Template: Select a pre-configured security audit checklist template (optional)
   • Start and end dates: Security audit period
   • Bases: Select relevant operational bases or security zones
   • Aircraft: Select relevant aircraft if scope includes aircraft security (optional)
   • Team members: Assign security auditors and reviewers with appropriate access levels and security clearance
3. Click Save to create the security audit

Result

The security audit appears in the Active audits table with status "Pending Start". An audit code is automatically generated. Team members receive notification of their assignment.

When to use

Use this workflow to perform the security audit, work through checklist items, and record security findings as you identify vulnerabilities, non-conformances, or observations related to security management.

Steps

1. Locate the security audit in the Active audits table
2. Click the Audit items button (envelope icon) in the "Audit items" column
3. The audit detail page opens with:
   • Groups: Audit checklist organised into logical security domains
   • Checklist items: Individual security items to review
   • Finding entry: Record security findings for each item
4. For each checklist item:
   • Review the item description and security requirements
   • Mark as Compliant, Non-Compliant, Not Applicable, or Observation
   • If non-compliant or an observation, click Add Finding
5. When recording a security finding:
   • Enter finding description (focus on security implications and threat exposure)
   • Select compliance type
   • Assess threat and risk:
     • Identify the threat category
     • Assess pre-mitigation risk (likelihood × consequence)
     • Document existing security controls
     • Assess post-mitigation risk
   • Assign responsible person for corrective action
   • Set due date for corrective action response
   • Save as Draft or Submit the finding
6. Continue through all checklist groups until the security audit is complete

Result

Security findings are created, assigned to responsible persons who receive notifications, and appear in the expandable row beneath the audit in the main table.

When you click Audit items for an audit, you navigate to the audit checklist interface where you conduct the actual audit work.

Checklist structure

Audit checklists are organized hierarchically:

• Groups: Major sections of the audit (e.g., "Flight Operations", "Ground Handling", "Documentation")
• Items: Specific audit points within each group
• Findings: Non-conformances or observations identified for specific items

Navigating the checklist

The checklist interface displays:

• Expandable groups: Click a group header to expand and view its items
• Progress indicators: Visual indicators show which items have been completed
• Item cards: Each item displays its description, reference number, and current outcome
• Action buttons: Edit item outcome, add findings, attach documents

Auditing an item

To audit a checklist item:

1. Click the Edit button (pencil icon) on the item card
2. The audit item window opens showing:
   • Item description: What is being audited
   • Reference number: Regulatory or procedural reference
   • Custom fields: Section-specific data fields (if configured)
   • Outcome selection: Choose Compliant, Findings, or Not Applicable
   • Comments: Add auditor observations
   • Attached documents: Upload evidence or supporting documentation
3. Select the appropriate outcome:
   • Compliant: Item meets all requirements with no issues
   • Findings: Non-conformances or observations identified (requires adding findings)
   • Not Applicable: Item does not apply to this audit context
4. If you select Findings, the window expands to show finding entry sections
5. Click Save to record the outcome

Adding findings to an item

When you select Findings as the outcome, additional sections appear:

1. Click Add Finding to create a new finding for this item
2. A finding card appears with the following fields:
   • Finding description: Detailed description of the non-conformance or observation
   • Compliance type: Select from configured types (e.g., Non-Compliance, Observation, Positive Finding, Opportunity for Improvement)
   • Hazard/Risk assessment: Assess security threat level and potential impact if applicable to the finding
   • Root cause analysis: Optional analysis of underlying causes
   • Corrective action: Immediate actions taken during audit
   • Recommended action: Suggested longer-term corrective actions
   • Attached documents: Evidence, photos, or supporting documentation
3. Complete the required fields (marked with asterisks)
4. Save the finding as Draft (returns to list for later completion) or Submit (creates corrective action request)

Creating corrective action requests from findings

When you submit a finding (not save as draft), the system:

• Automatically creates a Corrective Action Request (CAR) linked to the finding
• Assigns the CAR to responsible person(s) you specified
• Sends email notifications to assigned respondents
• Displays the CAR code in the audit findings table
• Tracks the CAR through its lifecycle (draft, pending review, approved, implemented)

Multiple findings for the same item are numbered (e.g., "First finding", "Second finding") and each generates its own CAR.

After creating findings during an audit, you can manage them through the expandable rows in the main audits table.

Viewing findings

1. Click the expand button (arrow icon) next to an audit in the audits table
2. The findings sub-table appears showing all findings for that audit
3. Each row displays:
   • Status badges: Current corrective action status (Draft, Pending Review, Approved, Overdue, etc.)
   • Review buttons: If you're a reviewer, buttons to review pending corrective action plans
   • Edit button: Modify the finding (auditors only, not available if audit is closed)
   • CAR Code: Corrective Action Request code (click to view full details)
   • Finding code & description: Click to view complete finding details
   • Requestor: Who created the finding
   • Respondents: Who is responsible for corrective actions
   • Messages: Communication thread with unread message count
   • Hazard/Risk: Risk assessment status and details
   • Cancel/Restore: Deactivate or reactivate the finding

Editing findings

To edit a finding after creation:

1. Expand the audit row to show findings
2. Click the Edit button (pencil icon) for the finding
3. The finding window opens with all previously entered information
4. Make your changes
5. Save as Draft or Submit (updates the corrective action request)

Reviewing corrective action plans

When respondents submit corrective action plans, reviewers see Review buttons in the findings table:

1. Click the Review button for a pending corrective action
2. The review window opens showing:
   • Original finding details
   • Proposed corrective action plan
   • Proposed implementation timeline
   • Supporting documentation
3. Choose to:
   • Approve: Accept the proposed plan
   • Reject: Return for revision with comments
4. Add review comments explaining your decision
5. Submit your review

The corrective action workflow progresses through multiple stages:

• Corrective Action Plan (CAP): Initial plan review
• Short-term Corrective Action Implementation (SCAI): Review of immediate actions
• Long-term Corrective Action Implementation (LCAI): Review of sustained corrective measures

Communicating about corrective actions

Use the Messages button to communicate with corrective action respondents:

1. Click the Messages button (message icon) for a finding
2. The message thread window opens
3. View previous messages in the thread
4. Type your message in the text box
5. Optionally attach documents
6. Click Send

All participants (requestors, respondents, and audit team) can see and contribute to the message thread. Unread messages are indicated by a badge count on the messages button.

Cancelling findings

To cancel a finding that was created in error:

1. Expand the audit row to show findings
2. Click the Cancel button (ban icon) for the finding
3. Enter a reason for cancellation in the confirmation window
4. Click Confirm

Cancelled findings remain visible but are marked as cancelled. The associated corrective action request is also cancelled. You can restore a cancelled finding by clicking the Restore button.

When to use

Edit security audit details when you need to change the scope, dates, team members, or other audit metadata. You cannot edit an audit that is closed or has a close-out request in review.

Steps

1. Locate the security audit in the Active audits table
2. Click the Edit audit button (pencil icon) in the "Edit audit" column
3. Update the security audit details in the window that opens
4. Click Save to apply changes

Result

The security audit is updated with the new details. Team members receive notifications if their assignments changed.

When to use

Finalise a security audit when all audit checklist items have been completed, but some findings still have pending corrective actions. Finalisation is an optional step that allows you to formally sign-off that the auditing process itself is complete and corrective action requests have been issued, even though the corrective actions are not yet fully implemented and closed.

Steps

1. Ensure all security audit checklist items have been audited
2. Ensure all findings have been recorded and corrective action requests have been created
3. Locate the security audit in the Active audits table
4. In the "Finalize / Close" column, click the Finalise Audit button
5. In the finalisation request window:
   • Enter executive summary of the audit process and findings identified
   • Provide findings summary describing the corrective actions requested
   • Note any audit conclusions or observations
   • Optionally use Musket Autopilot (AI assistant) to generate summaries based on audit data
   • Attach supporting documents (optional)
   • Select reviewers from team members with review access
   • Add any additional comments for reviewers (optional)
6. Save as Draft or Submit for review

Result

The finalisation request is submitted to the selected reviewers. The audit status shows "Pending finalisation review". Once all reviewers approve, a table with signatures and stamps of the auditors, reviewers, and endorser is included in the exportable PDF audit report. The audit status shows "Finalised" and the audit record becomes read-only, though corrective actions can continue to be worked on until they are all closed.

Review process

Reviewers receive a notification and see a Review button in the "Finalize / Close" column. Reviewers can:

• Approve: Finalisation is accepted; formal sign-off is recorded in the audit record and PDF report
• Reject: Finalisation is returned to requestor with comments for revision

When to use

Close out a security audit when all audit checklist items have been completed AND all findings have been fully addressed (all corrective actions have been approved or findings have been cancelled/marked as no action needed). Close-out is the required final step to formally close and archive the audit record.

Steps

1. Ensure all security audit checklist items have been audited
2. Ensure all findings have been fully addressed: all corrective action plans and implementations have been approved, or findings have been cancelled/marked as no action needed
3. Verify all threat and risk assessments are complete
4. Locate the security audit in the Active audits table
5. In the "Finalize / Close" column, click the Close out button (appears when all findings are closed)
6. In the close-out request window:
   • Enter executive summary (include security compliance status and threat assessment)
   • Provide audit conclusions (highlight security findings and vulnerability trends)
   • Provide findings summary describing how all findings were addressed
   • Note any limitations or scope exclusions
   • Optionally use Musket Autopilot (AI assistant) to generate summaries based on audit data
   • Attach supporting documents (optional)
   • Select reviewers from team members with review access
   • Add any additional comments for reviewers (optional)
7. Save as Draft or Submit for review

Result

The close-out request is submitted to the selected reviewers. The audit status shows "Pending close out review". The security audit is locked from further editing until the close-out is approved. Once all reviewers approve, a table with signatures and stamps of the auditors, reviewers, and endorser is included in the exportable PDF audit report. The audit status shows "Closed" and the audit record becomes read-only and archived.

Review process

Reviewers receive a notification and see a Review button in the "Finalize / Close" column. Reviewers can:

• Approve: Close-out is accepted; security audit is formally closed and archived
• Reject: Close-out is returned to requestor with comments for revision

When to use

Export a security audit report to generate a PDF document containing the audit details, checklist items, security findings, threat assessments, and corrective actions. Use this for formal audit reports, management security reviews, regulatory compliance documentation, or authority submissions.

Steps

1. Locate the security audit in the Active audits table
2. Click the Export audit button (PDF icon) in the "Export audit" column
3. Select the audit report configuration from the dropdown (if multiple configurations exist)
4. The PDF report is generated and opens in a new window or downloads to your device

Result

A formatted PDF security audit report is generated containing all audit information including threat assessments according to the selected report configuration.

When to use

Cancel a security audit when it is no longer required or cannot be completed. Cancelled audits are moved to the "Cancelled" view.

Steps

1. Locate the security audit in the Active audits table
2. Click the Cancel button (ban icon) in the "Cancel" column
3. Enter a reason for cancellation in the confirmation window
4. Click Confirm

Result

The security audit is cancelled and moved to the Cancelled view. Team members receive notifications. The audit can be restored later if needed.

Opens when you click Add new audit or click the Edit audit button for an existing audit.

Window sections

Validation rules

• Audit name is required
• Audit type is required
• At least one team member with Auditor access is required
• Start date cannot be after end date
• At least one base must be selected

Opens when you click Edit on a checklist item during audit conduct (from the AuditGroups page).

Window sections

Working with findings in the window

• Click Add Finding to create additional findings for the same item
• Each finding is numbered (First finding, Second finding, etc.)
• Click Remove on a finding card to delete it before submission
• Save individual findings as Draft or Submit
• Submitted findings automatically create corrective action requests

Opens when you click Edit on a finding from the findings sub-table (expandable rows in main audits table).

Purpose

Allows auditors to modify findings after they have been submitted. Changes update the associated corrective action request and notify respondents if significant changes are made.

Key fields

• Finding description: Detailed non-conformance or observation description
• Compliance type: Classification of the finding
• Hazard/Risk section: Assess security threat level and potential impact if applicable to the finding
• Root cause analysis: Analysis of underlying factors
• Immediate corrective action: Actions taken during audit
• Recommended corrective action: Suggested long-term actions
• Respondents: Who is responsible for addressing the finding
• Due date: Deadline for corrective action response

Opens when you click Close out or Finalise Audit in the "Finalize / Close" column. The same modal window is used for both operations with the same fields.

Close-out vs Finalisation

The same window is used for both close-out and finalisation requests, but they serve different purposes:

• Finalisation request (OPTIONAL): Used when all audit checklist items are complete, but findings still have pending corrective actions. Provides formal sign-off that the auditing process is complete and corrective action requests have been issued. Findings can continue to be worked on after finalisation.
• Close-out request (REQUIRED): Used when all audit checklist items are complete AND all findings are fully closed (corrective actions approved/cancelled/no action needed). This is the final step to formally close and archive the audit record.

Window fields

Review workflow

Selected reviewers review requests sequentially:

1. First reviewer receives notification and sees Review button
2. Reviewer can Approve (passes to next reviewer) or Reject (returns to requestor)
3. If rejected, requestor revises and resubmits
4. After all reviewers approve, the close-out/finalisation is complete

Signatures and PDF export

Once a close-out or finalisation request is fully approved by all reviewers, a signature table is automatically included in the exportable PDF audit report. This table contains:

• Auditor signatures: Names and digital stamps of audit team members who conducted the audit
• Reviewer signatures: Names and digital stamps of reviewers who approved the close-out/finalisation
• Endorser signature: Name and digital stamp of the final endorser/approver
• Timestamps: Date and time of each signature

This provides formal proof that the audit has been properly conducted, reviewed, and signed-off by authorized personnel.

Opens when a reviewer clicks Review for a pending close-out or finalisation request.

Window sections

• Request details: Shows all information submitted by requestor (summary, conclusions, documents)
• Review decision: Radio buttons for Approve or Reject
• Review comments: Required field to explain approval or rejection decision
• Audit status summary: Read-only display of audit metrics (items audited, findings, CARs)

Review considerations

When reviewing a close-out or finalisation request, consider:

• Are all audit items completed?
• Are all findings properly documented with corrective action requests?
• For close-out: Are all findings fully closed (all corrective actions approved/cancelled/no action needed)?
• For finalisation: Is the audit checklist complete and are corrective actions properly requested (even if still pending)?
• Is the executive summary accurate and complete?
• Do the conclusions align with the audit evidence?
• Are any limitations or scope exclusions properly documented?

Impact of approval

When all reviewers approve a close-out or finalisation request:

• Your signature and digital stamp are recorded in the audit record
• A signature table is generated in the exportable PDF report showing all auditors, reviewers, and endorsers with timestamps
• The audit record becomes read-only (for close-out) or the auditing process is formally signed-off (for finalisation)
• This provides formal proof of proper audit conduct, review, and authorization

Opens when you click a Review button for a pending corrective action plan in the findings sub-table.

Purpose

Allows authorized reviewers to evaluate and approve/reject corrective action plans and implementations submitted by respondents.

Review stages

Corrective actions progress through multiple review stages:

1. CAP Review: Review of the proposed Corrective Action Plan
   • Evaluate: Is the planned action adequate to address the finding?
   • Review: Timeline, resources, responsibilities
2. SCAI Review: Review of Short-term Corrective Action Implementation
   • Evaluate: Were immediate actions completed as planned?
   • Review: Evidence of implementation, effectiveness
3. LCAI Review: Review of Long-term Corrective Action Implementation
   • Evaluate: Are sustained corrective measures in place?
   • Review: Long-term effectiveness, process improvements

Window contents

• Finding details: Read-only display of original finding
• Proposed action: Respondent's submitted corrective action plan or implementation evidence
• Risk assessment: Assess security threat level and potential impact if applicable to the finding
• Supporting documents: Evidence uploaded by respondent
• Review decision: Approve or Reject
• Review comments: Required feedback for respondent

Opens when you click the Messages button for a finding in the findings sub-table.

Purpose

Provides a threaded communication channel between audit team members and corrective action respondents.

Features

• Message history: Chronological display of all messages in the thread
• Sender identification: Each message shows who sent it and when
• Document attachments: Attach files to messages for evidence sharing
• Unread indicators: New messages are highlighted until you read them
• Participant visibility: All team members and respondents can see all messages

Common uses

• Request clarification on corrective action plans
• Provide additional context or guidance
• Share evidence or documentation
• Discuss implementation challenges
• Confirm completion of corrective actions

Opens when you click an audit code in the audits table.

Purpose

Provides a comprehensive read-only view of audit details without the ability to make changes. Useful for reviewing audit information, sharing with stakeholders, or viewing audits you're not assigned to (if you have appropriate permissions).

Displayed information

• All audit metadata (name, type, dates, scope)
• Audit team members and their roles
• Audit status and progress
• Associated findings summary
• Audit logs (who created, modified, closed, finalised)

Top toolbar actions

View toggles

The page has two main views accessed via radio buttons in the toolbar:

• Active: Shows all audits that are scheduled, in progress, or completed but not cancelled
• Cancelled: Shows all audits that have been cancelled and removed from active work

The search bar at the top-left allows you to quickly find security audits. Searchable fields include:

• Audit code
• Audit name
• Security audit type
• Team member names
• Entity names

Additional filters available via the FilterInput component:

• Date range: Filter by security audit start date period
• Items assigned to me: Show only audits where you have review actions pending

Pagination controls

When the audits table contains more than 15 items (or your configured page size), pagination controls appear below the table:

• Items per page: Change how many audits display per page (15, 30, or 45)
• Page numbers: Click page numbers to navigate through results
• Previous/Next: Navigate to the previous or next page
• First/Last: Jump to the first or last page of results
• Page indicator: Shows current page and total pages (e.g., "Page 2 of 8")

The main audits table displays all active or cancelled security audits based on the selected view toggle. The table includes:

Click the expand/collapse button on an audit row to reveal all security findings associated with that audit. The findings sub-table includes: