Roles and Permissions
🔐 Understanding User Roles
The Audit Management System uses a role-based access control (RBAC) system to ensure users have appropriate access to features and data based on their job functions and responsibilities.
{info} A user can have one or more roles at the same time.
Role Descriptions
Admin
Primary Responsibility: System and organizational management
Core Functions:
- Complete user management (create, edit, delete users)
- Subscription and billing management
- System configuration and settings
- Organization-wide oversight
Access Level:
- Full administrative access to user accounts
- Complete subscription management capabilities
- System configuration control
- Limited audit functionality - Admins focus on system management rather than audit operations
Internal Audit Manager (IAM)
Primary Responsibility: Audit program oversight and management
Core Functions:
- Comprehensive audit program planning and management
- Team leadership and audit coordination
- Complete access to all audit data and processes
- Strategic oversight of organizational compliance
Access Level:
- Super user for auditing - read/write access to all audit data
- Complete visibility across all audit activities
- Authority to create, modify, and manage all audit-related resources
- Full oversight of audit teams and processes
Internal Auditor (IA)
Primary Responsibility: Audit execution and documentation
Core Functions:
- Conducting audits and fieldwork
- Creating and documenting audit findings
- Evidence collection and analysis
- Specific audit task execution
Access Level:
- View access to all audit data
- Create/edit specific resources (like NCRs)
- Limited modification rights - can create findings but cannot modify all audit parameters
- Focus on execution rather than strategic planning
Process Owner (PO)
Primary Responsibility: Process management and corrective action implementation
Core Functions:
- Managing assigned business processes
- Responding to audit findings
- Implementing corrective actions
- Providing process expertise and feedback
Access Level:
- View-only access to most audit data
- Specific edit access to assigned NCRs and related responses
- Limited scope - access only to relevant audit findings and processes
- Focus on response and improvement rather than audit creation
Detailed Permissions Matrix
📊 Complete Role Permissions Breakdown
| Feature | Action | Admin | Internal Audit Manager | Internal Auditor | Process Owner |
|---|---|---|---|---|---|
| Users | Create/Edit | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Users | View | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Department/Processes | Create/Edit | ✅ Yes | ✅ Yes | ❌ No | ❌ No |
| Department/Processes | View | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Audit Programs | Create/Edit | ❌ No | ✅ Yes | ❌ No | ❌ No |
| Audit Programs | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Audit Plans | Create/Edit | ❌ No | ✅ Yes | ❌ No | ❌ No |
| Audit Plans | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Checklist Templates | Create/Edit | ❌ No | ✅ Yes | ❌ No | ❌ No |
| Checklist Templates | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Checklists | Create/Edit | ❌ No | ✅ Yes | ❌ No | ❌ No |
| Checklists | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| NCR | Create/Edit | ❌ No | ✅ Yes | ✅ Yes | ❌ No |
| NCR | Edit Non-conformity Details | ❌ No | ✅ Yes | ✅ Yes | ❌ No |
| NCR | Edit Process Owner Response | ❌ No | ✅ Yes | ❌ No | ⚠️ Yes (if assigned) |
| NCR | Edit Target Date | ❌ No | ✅ Yes | ❌ No | ⚠️ Yes (if assigned) |
| NCR | Edit Extended Target Date & Status | ❌ No | ✅ Yes | ❌ No | ❌ No |
| NCR | View | ❌ No | ✅ Yes | ✅ Yes | ⚠️ Yes (if assigned) |
| Observations | Create/Edit | ❌ No | ✅ Yes | ✅ Yes | ❌ No |
| Observations | Edit Remarks | ❌ No | ✅ Yes | ❌ No | ✅ Yes |
| Observations | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Opportunity for Improvement | Create/Edit | ❌ No | ✅ Yes | ✅ Yes | ❌ No |
| Opportunity for Improvement | Edit Remarks | ❌ No | ✅ Yes | ❌ No | ✅ Yes |
| Opportunity for Improvement | View | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
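The matrix above, together with the note that a user may hold more than one role, can be read as a deny-by-default policy: an action is allowed only if some role the user holds has a "Yes" in that cell, and a "Yes (if assigned)" cell counts only for records assigned to that user. The following is an added illustration of that reading in Python; it is not code from the Audit Management System. The role, feature and action names are copied from the matrix, while the cell encoding, the `is_assigned` flag, the data layout and the function names are assumptions made for this example.

```python
"""Authorization check encoding the permissions matrix on this page.

Added example, not code from the Audit Management System. Role, feature and
action names are copied from the matrix; the cell encoding, the `is_assigned`
flag and the function names are assumptions of this example.
"""

ADMIN = "Admin"
IAM = "Internal Audit Manager"
IA = "Internal Auditor"
PO = "Process Owner"
ROLES = (ADMIN, IAM, IA, PO)

# Cell values: a plain "Yes", a plain "No", or "Yes (if assigned)".
YES, NO, IF_ASSIGNED = "yes", "no", "if_assigned"

# One tuple per matrix row, columns in the same order as the page:
# (feature, action, Admin, Internal Audit Manager, Internal Auditor, Process Owner)
MATRIX = [
    ("Users", "Create/Edit", YES, NO, NO, NO),
    ("Users", "View", YES, NO, NO, NO),
    ("Department/Processes", "Create/Edit", YES, YES, NO, NO),
    ("Department/Processes", "View", YES, YES, YES, YES),
    ("Audit Programs", "Create/Edit", NO, YES, NO, NO),
    ("Audit Programs", "View", NO, YES, YES, YES),
    ("Audit Plans", "Create/Edit", NO, YES, NO, NO),
    ("Audit Plans", "View", NO, YES, YES, YES),
    ("Checklist Templates", "Create/Edit", NO, YES, NO, NO),
    ("Checklist Templates", "View", NO, YES, YES, YES),
    ("Checklists", "Create/Edit", NO, YES, NO, NO),
    ("Checklists", "View", NO, YES, YES, YES),
    ("NCR", "Create/Edit", NO, YES, YES, NO),
    ("NCR", "Edit Non-conformity Details", NO, YES, YES, NO),
    ("NCR", "Edit Process Owner Response", NO, YES, NO, IF_ASSIGNED),
    ("NCR", "Edit Target Date", NO, YES, NO, IF_ASSIGNED),
    ("NCR", "Edit Extended Target Date & Status", NO, YES, NO, NO),
    ("NCR", "View", NO, YES, YES, IF_ASSIGNED),
    ("Observations", "Create/Edit", NO, YES, YES, NO),
    ("Observations", "Edit Remarks", NO, YES, NO, YES),
    ("Observations", "View", NO, YES, YES, YES),
    ("Opportunity for Improvement", "Create/Edit", NO, YES, YES, NO),
    ("Opportunity for Improvement", "Edit Remarks", NO, YES, NO, YES),
    ("Opportunity for Improvement", "View", NO, YES, YES, YES),
]

# Index the matrix as (feature, action) -> {role: cell value}.
POLICY = {(feature, action): dict(zip(ROLES, cells))
          for feature, action, *cells in MATRIX}


def is_allowed(roles, feature, action, is_assigned=False):
    """Return True if any of the user's roles grants `action` on `feature`.

    Roles are unioned: the page says a user may hold several roles, so a grant
    from any one of them is enough. `is_assigned` says whether the record (an
    NCR) is assigned to this user and only matters for "Yes (if assigned)"
    cells. Anything not in the matrix, including unknown roles, is denied.
    """
    cells = POLICY.get((feature, action))
    if cells is None:
        return False  # unknown feature/action: deny by default
    for role in roles:
        grant = cells.get(role, NO)  # unknown role: treat as "No"
        if grant == YES or (grant == IF_ASSIGNED and is_assigned):
            return True
    return False


def effective_permissions(roles, is_assigned=False):
    """List the (feature, action) pairs a role set can perform; useful in access reviews."""
    return sorted(key for key in POLICY if is_allowed(roles, key[0], key[1], is_assigned))


if __name__ == "__main__":
    # Constructed sample checks.
    print(is_allowed({PO}, "NCR", "View"))                    # False: NCR not assigned
    print(is_allowed({PO}, "NCR", "View", is_assigned=True))  # True
    print(is_allowed({ADMIN}, "Audit Programs", "View"))      # False: Admins manage the system, not audits
    print(is_allowed({ADMIN, IAM}, "Audit Programs", "View")) # True: the IAM role grants it
```

Two design points carry over to any real implementation of this matrix: the check must be deny-by-default so that a feature or role added later cannot be reachable before its row is written, and the "if assigned" condition has to be evaluated per record, so the caller must pass in whether the specific NCR belongs to the user rather than relying on the role alone.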
Key Permission Notes
Admin Focus:
- Admins are system managers, not audit practitioners
- They handle user accounts and subscriptions but don't participate in audit activities
- This separation ensures proper segregation of duties
Internal Audit Manager Authority:
- Broadest audit access with full read/write permissions
- Can manage all aspects of audit programs and execution
- Supervises audit teams and oversees compliance activities
Internal Auditor Capabilities:
- Can create and document findings (NCRs, Observations, Opportunities for Improvement)
- Cannot modify audit programs, plans, or templates
- Focus on execution and documentation rather than strategic planning
Process Owner Limitations:
- View-only access to most audit information
- Specific edit rights only for assigned NCRs and related responses
- Cannot create new audit findings or modify audit structure
Best Practices
🎯 User Management Recommendations
Role Assignment Guidelines:
- Admin: Assign to IT managers, department heads, or trusted long-term employees
- Internal Audit Manager: Assign to audit team leaders and senior audit professionals
- Internal Auditor: Assign to audit team members and quality professionals
- Process Owner: Assign to department managers and the individuals responsible for specific processes
Security Best Practices:
- Regularly review user accounts and remove inactive users
- Update user roles when job responsibilities change
- Ensure strong password policies are followed
- Monitor user activity and access patterns
Organizational Structure:
- Align user roles with actual job functions
- Maintain clear separation between administrative and audit functions
- Document user roles and responsibilities for organizational clarity
- Provide regular training on role-specific system capabilities
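The account review and separation points above can be turned into a repeatable check rather than a manual scan of the user list. The following is an added example, not the Audit Management System's own code: it takes a user export and flags accounts that have been inactive, accounts that hold Admin together with an audit role (the system permits this, but it crosses the administrative/audit separation recommended here, so it should be a deliberate decision), and accounts with no role at all. The record layout, the 90-day threshold and the finding labels are assumptions constructed for this illustration.

```python
"""Periodic account review for the roles described on this page.

Added example, not the Audit Management System's own code. The user records,
the 90-day inactivity threshold and the finding labels are assumptions
constructed for this illustration.
"""
from datetime import date, timedelta

ADMIN = "Admin"
AUDIT_ROLES = {"Internal Audit Manager", "Internal Auditor", "Process Owner"}
INACTIVE_AFTER = timedelta(days=90)  # assumed review threshold, not a system default


def review_accounts(users, today, inactive_after=INACTIVE_AFTER):
    """Return (username, finding) pairs for accounts that need a human decision.

    Findings:
      inactive         no login within `inactive_after`, or never logged in
      admin_and_audit  holds Admin together with an audit role; allowed by the
                       system but crosses the admin/audit separation
      no_role          account exists but can do nothing; remove or assign a role
    """
    findings = []
    for user in users:
        roles = set(user["roles"])
        last_login = user["last_login"]
        if last_login is None or today - last_login > inactive_after:
            findings.append((user["username"], "inactive"))
        if ADMIN in roles and roles & AUDIT_ROLES:
            findings.append((user["username"], "admin_and_audit"))
        if not roles:
            findings.append((user["username"], "no_role"))
    return findings


# Constructed sample export (not real accounts) and the date the review runs.
REVIEW_DATE = date(2024, 6, 3)
SAMPLE_USERS = [
    {"username": "a.okafor", "roles": ["Admin"], "last_login": date(2024, 5, 30)},
    {"username": "b.lindqvist", "roles": ["Internal Audit Manager"], "last_login": date(2024, 6, 1)},
    {"username": "c.mendes", "roles": ["Admin", "Internal Auditor"], "last_login": date(2024, 5, 28)},
    {"username": "d.contractor", "roles": ["Process Owner"], "last_login": date(2023, 11, 2)},
    {"username": "e.new", "roles": [], "last_login": None},
]

if __name__ == "__main__":
    for username, finding in review_accounts(SAMPLE_USERS, today=REVIEW_DATE):
        print(f"{username}: {finding}")
```

Run against the sample export, the review reports `c.mendes` for holding both an administrative and an audit role, `d.contractor` as inactive, and `e.new` as both inactive and role-less; the findings are returned as data so they can be fed into whatever ticketing or sign-off process the organization uses.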
🔐 Secure and Efficient User Management
Proper user management ensures your audit system maintains security, compliance, and operational efficiency while providing appropriate access to team members based on their roles and responsibilities.