GH GambleHub

Re-audits and follow-up

1) Purpose and role of re-audits

A re-audit verifies the effectiveness and robustness of the measures taken (CAPA) and of the updated controls after the primary findings. It:
  • confirms that the violations are closed and that residual risk has been reduced to the risk-appetite level;
  • protects against recurrence (repeat findings) through preventive measures;
  • builds a legally defensible evidence base ("audit-ready at the push of a button").

2) When to assign re-audit (triggers)

CAPA closure for Critical/High findings (mandatory); for Medium, on a sample/risk basis.
High severity incident or regulatory prescription.
CCM/observability drift.
Architecture/process changes (releases, migrations, providers).
Quarterly/semi-annual calendar windows for high-risk domains.

3) Scope & methods

Design test: policy/standard/SOP updated, control formalized.
Operating effectiveness test: the control works stably over the period (sample covering 30-90 days).
Sample: risk-based (increase n for high/critical), a mix of random and targeted cases.
Reperform: where possible, repeat the procedure/request to confirm the result.
Evidence: logs, configs, exports, screencasts, tool reports, each with a hash receipt and stored in WORM.

4) Roles and RACI

Activity                    | R                        | A                  | C                   | I
----------------------------|--------------------------|--------------------|---------------------|---------------
Planning re-audit           | Compliance/GRC           | Head of Compliance | SecOps/Owners/Legal | Internal Audit
Evidence collection         | Control Owners           | Compliance/GRC     | Data Platform       | Internal Audit
Design/efficacy test        | Compliance/Internal Audit| Head of Compliance | SecOps/Platform     | Committee/Exec
Accept/extend CAPA decision | Committee (Co-chairs)    | Executive Sponsor  | Legal/DPO           | Board
Repeat monitoring           | Compliance Analytics     | Head of Risk       | CCM/SecOps          | Committee

(R — Responsible; A — Accountable; C — Consulted; I — Informed)

5) Re-audit lifecycle (SOP)

1. Initiation: re-audit card (findings, CAPA, risk, sampling period, deadline).
2. Preparation: test checklist, acceptance criteria, list of artifacts, access granted per case.
3. Data collection: automated exports, sampling, hash recording, placement in WORM storage.
4. Tests: design (presence/correctness) → effectiveness (samples, reperform).
5. Assessment: residual risk, stability, presence of drift.
6. Decision: Close / Extend CAPA / Escalate (committee, regulator).
7. Recording: protocol, dashboard update, re-audit "audit pack".
8. Supervision: observation for 30-90 days; on drift, re-open with a new CAPA.

6) Definition of Done

Corrective measures implemented and confirmed.
Preventive measures reduce the risk of repetition (training, gates, detections).
Evidence is full and consistent (WORM, hash receipts).
CCM rules have been updated, alerts are normal, there is no drift.
Policies/SOPs/charts are synchronized with actual changes.
Vendors have performed the mirror actions (retention/deletion/certificates).

7) Re-audit ↔ CAPA bundle

Keep the Re-audit Plan (period, success metric, owner) in the CAPA card.
"Partial success" → extension of the CAPA with compensating controls and an expiry date.
For systemic problems, prevention epics (architecture change, process revision).

8) Metrics and KRI

Re-audit On-time: % completed on time (target ≥ 95%).
First-Pass Close: % of closures without CAPA extension (higher is better).
Repeat Findings (12 months): share of repeat findings by domain/owner (↓ trend).
Residual Risk Δ: risk reduction after re-audit.
Evidence Completeness: % of re-audits with a full set of artifacts (target 100%).
Drift After Fix: cases of control drift within 30-90 days (target: 0 critical).
Vendor Mirror SLA: confirmations received from contractors (target 100% for critical).

9) Dashboards (minimum)

Re-audit Pipeline: Planned → In Progress → Close/Extend → Observe.
Repeat-findings heatmap: by domain (IAM, data, DevSecOps, VRM, DR/BCP).
CAPA & Re-audit Link: status of bundles, delays, vulnerable areas.
Evidence Readiness: presence of WORM/hashes, freshness of samples.
Drift & CCM: post-fix violations, alert frequency.
Vendor Assurance: mirror retention/deletion, certificates, SLA.

10) Sampling and test methods

Risk stratification: more cases for critical controls/jurisdictions.
Combined tests: documentary check + actual reperform (e.g. DSAR export, access revocation, TTL deletion).
Negative scenarios: attempts to bypass the control (ABAC/SoD, rate limits, secret scanning).
Stability test: repeat after 30 days on a subsample (sanity check).

11) Automation and assurance-as-code

Control test cases as code (Rego/SQL/YAML), scheduled auto-run.
Auto-generation of the re-audit "audit pack" from the evidence showcase, with a receipt.
Auto-escalation by SLA (CAPA/re-audit delays).
Integration with CI/CD: gates block the release while controls are red.
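The hash receipts mentioned under Scope & methods and the auto-generated "audit pack" above come together in the following added example (illustrative code, not GambleHub's own tooling): each artifact gets a SHA-256 receipt, the receipts are sealed with a pack-level hash, and a verifier re-hashes the artifacts to expose missing, modified or unreceipted evidence. The artifact names and contents are constructed sample data.

```python
import hashlib
import json

# Constructed sample artifacts for one re-audit card (not real data):
# artifact name -> bytes as read from the evidence showcase.
ARTIFACTS = {
    "iam_access_revocation.log": b"2024-05-01T10:00:00Z revoke user=u123 ok\n",
    "dsar_export_sample.json": b'{"subject": "s-42", "status": "exported"}\n',
    "ttl_deletion_report.csv": b"table,rows_deleted\nsessions,1500\n",
}


def hash_receipt(name: str, data: bytes) -> dict:
    """Receipt for one artifact; the SHA-256 value is what goes to WORM storage."""
    return {"artifact": name, "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def build_audit_pack(card_id: str, artifacts: dict) -> dict:
    """Assemble the re-audit 'audit pack': one receipt per artifact plus a
    pack-level hash over the canonical receipt list, so the manifest itself
    is tamper-evident."""
    receipts = [hash_receipt(n, d) for n, d in sorted(artifacts.items())]
    canonical = json.dumps(receipts, sort_keys=True, separators=(",", ":"))
    return {"card_id": card_id, "receipts": receipts,
            "pack_sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def verify_audit_pack(pack: dict, artifacts: dict) -> list:
    """Re-hash the presented artifacts against the pack. Returns a list of
    problems; an empty list means the evidence is complete and consistent."""
    problems = []
    canonical = json.dumps(pack["receipts"], sort_keys=True, separators=(",", ":"))
    if hashlib.sha256(canonical.encode()).hexdigest() != pack["pack_sha256"]:
        problems.append("manifest hash mismatch")
    receipted = {r["artifact"] for r in pack["receipts"]}
    for r in pack["receipts"]:
        data = artifacts.get(r["artifact"])
        if data is None:
            problems.append(f"missing: {r['artifact']}")       # evidence gap
        elif hashlib.sha256(data).hexdigest() != r["sha256"]:
            problems.append(f"modified: {r['artifact']}")      # tampered/refreshed
    for name in artifacts:
        if name not in receipted:
            problems.append(f"unreceipted: {name}")            # no hash receipt
    return problems


if __name__ == "__main__":
    pack = build_audit_pack("CAPA-0001-reaudit", ARTIFACTS)
    print(json.dumps(pack, indent=2))
    print("problems:", verify_audit_pack(pack, ARTIFACTS))
```

A non-empty problem list maps directly to the "Evidence without WORM/hashes" antipattern: the pack should not be accepted until it verifies cleanly.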

12) Vendors and Supply Chain

Contracts include the right to re-audit and deadlines for providing artifacts.
Mirror retention and confirmation of destruction/fixes.
In case of violations: service credits/SLA penalties, an off-ramp and a migration plan.
External certifications (SOC/ISO/PCI) kept current; on a "qualified opinion", the re-audit is strengthened.

13) Artifact patterns

13.1 Re-audit card

Finding/CAPA IDs, risk/jurisdictions, sampling period
Design/effectiveness tests, acceptance criteria
List of artifacts (source, format, hash)
Results, residual risk, recommendations
Decision (Close/Extend/Escalate), owner/due date, evidence links

13.2 Re-audit report (table of contents)

1. Summary and context
2. Methodology and scope
3. Test results (sample tables)
4. Residual risk and conclusions
5. Decisions and exceptions (CAPA/waivers)
6. Appendices: hash receipts, screenshots, exports

13.3 Acceptance checklist

  • Policies/SOPs/Controls Updated
  • Evidence collected and WORM/hash confirmed
  • CCM rules enabled, alerts valid
  • Training/communication completed (LMS, read-receipt)
  • Vendor Confirmations Received
  • No re-open required/expansion plan in place

14) Exception management (waivers)

Allowed only under objective constraints; an expiry date and compensating controls are mandatory.
Visibility on the dashboard, reminders at 14/7/1 days, escalation to the Committee.

15) Antipatterns

"Paper closure" without an effectiveness test.
Evidence without WORM/hashes: audit disputes.
No CAPA ↔ re-audit ↔ CCM link: controls are not anchored.
Narrowed scope (jurisdictions/vendors/critical roles not covered).
One-off checks without 30-90 days of observation → repeat findings.
CAPA extensions without a plan of compensating measures and a deadline.

16) Maturity model (M0-M4)

M0 Ad-hoc: rare "point" checks, no acceptance criteria.
M1 Scheduled: re-audit calendar, basic templates and reports.
M2 Managed: link to CAPA, dashboards/metrics, WORM evidence.
M3 Integrated: assurance-as-code, reperform, automatic "audit pack".
M4 Continuous Assurance: predictive KRIs, automatic re-scheduling, post-fix stability monitoring.

17) Related wiki articles

Remediation Plans (CAPAs)

Risk-Based Audit (RBA)

Continuous Compliance Monitoring (CCM)

Logging and Audit Trail

Storage of evidence and documentation

Compliance Policy Change Management

Due Diligence and Outsourcing Risks

Risk Management and Compliance Committee

Summary

Re-audits are a verification of robustness, not a formality: a test of design and effectiveness, a solid evidence base, transparent decisions (Close/Extend/Escalate), and drift observation. With such a system, risk does not "come back," and compliance remains measurable and predictable.
