Audit Campaign User Guide

Last updated: March 9, 2026

Overview

A YeshID Audit Campaign helps organizations review and certify user access across applications to ensure only appropriate access is maintained. It provides a structured workflow - from capturing an access snapshot through certification, remediation, and verification - while generating auditable evidence and reports to support compliance and security requirements.

Roles

Owner

An owner ensures the audit is completed end-to-end. They have visibility into all aspects of the audit and can take action themselves. They manage campaign setup, participants, reminders, and closure.

Certifier

A certifier evaluates access findings and decides whether access should be kept or removed within assigned applications (scopes).

  • Reviews findings during the Certification phase.

  • Sets a decision for each finding:

    • Approve (keep access)

    • Deny (remove access)

    • Undecided (decision not finalized)

  • Provides a reason when selecting Deny.

  • If self-certification is disabled, certifiers cannot certify their own access.

Remediator

A remediator is responsible for executing remediation workflows for denied findings. They are also able to verify that the work was actually completed.

Phases

Audit campaigns move through the following phases:

  1. Snapshot

  2. Certification

  3. Remediation and Verification

  4. Close

Campaign status labels reflect this lifecycle:

  • Waiting for Snapshot

  • In Review

  • Closed

1) Snapshot

Purpose: establish a reliable audit baseline.

  • Sync or upload the latest access data for each in-scope application.

  • Capture the campaign snapshot when data is ready.

  • The snapshot becomes the baseline used for downstream decisions and evidence.

  • After certification decisions begin, snapshot recapture is blocked.

2) Certification

Purpose: make explicit access decisions for every finding.

  • Review each finding and select Approve, Deny, or Undecided.

  • Deny requires a written reason.

  • Bulk decisions can be applied to multiple findings.

  • The campaign cannot be closed while any findings remain Undecided.

3) Remediation and Verification

Purpose: execute denied-access changes and confirm results.

  • Launch remediation workflows for scopes with denied findings.

  • After workflow execution finishes, run verification.

  • Scopes that do not have the user import integration enabled require manual evidence upload/import before verification can pass.

  • After verification passes for a scope, decision updates for that scope are locked.

4) Close

Purpose: finalize campaign results.

  • Closure is allowed only when all findings are decided.

  • If denied, findings exist, remediation verification must pass first.

  • Once closed, the campaign is read-only.

Actions and What They Do

Campaign Actions

  • Settings: update owners, certifiers, remediators, and self-certification settings.

  • Notify (Nudge): sends reminders to users with outstanding work.

  • Close Audit: finalizes the campaign and prevents further edits.

Snapshot Actions

  • Sync / Re-Sync: refreshes data from connected integrations.

  • Upload / Re-Upload: provides manual data when automated sync is unavailable.

  • Capture Snapshot / Re-capture Snapshot: records the campaign baseline dataset.

Certification Actions

  • Approve: confirms access should remain.

  • Deny: flags access for removal (reason required).

  • Undecided: leaves a finding open for later decision.

  • Bulk Approve / Deny / Undecided: applies one decision to selected findings.

Remediation and Verification Actions

  • Launch Workflow: starts remediation for denied findings in a scope.

  • View Workflow: opens the remediation run details.

  • Verify: validates expected access state against observed results.

  • Upload Verification Evidence: submits required evidence for manual verification paths.

Evidence and Reporting Actions

  • Evidence Vault > Download: downloads stored audit artifacts.

  • Copy SHA256: copies artifact hash values for integrity checks.

  • Export > Download PDF Report: generates campaign reports (Full or Executive).

  • Audit Trail: shows the immutable record of campaign activity.