Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Live Search
spaceKeyZenGRCOnboardingGuide
additionalnone
placeholderSearch our site
typepage

Benefits


A control is an activity or technical configuration put in place to satisfy a requirement, which is called an objective in ZenGRC. Controls are the only objects that are tested in the Audits module, which are then "assessed" in an assessment. Assessments are typically performed after evidence showing the control in action has been submitted.

Overview


When an audit is started, assessments are automatically created on a one-to-one basis with the audit's controls. Assessments rate the effectiveness of a control in both design and operation. To make the process more efficient, you can review the associated details of the control (title, description and, test plan) on the assessment itself. In order to perform the control assessment, the related objectives (on the Design tab) and the related evidence requests (on the Operational Effectiveness tab) can be reviewed on the assessment card as well.

After reviewing the necessary information, the assessor can evaluate the control on a design and operational effectiveness level. Typically, if a control receives an “Ineffective” rating in either category, then a corresponding issue is created. See the issue creation process in Working with Issues.

Info
titleNOTE

Audit managers and those with additional permissions access requests from the Audits module, while those with limited permissions access assessments from the To-Do List. See details of access rights in Role-Based Permissions.

Accessing Control Assessments from Audits


This section describes actions conducted on the Audit summary page, which opens when an individual audit is clicked in the Audits module.

On the Audit summary page, complete the following steps:

  1. Click the Assessments tab. 



  2. Find the control assessment and click the link in the Title column.

Accessing Assessments from the To-Do List


Those with limited permissions who are assigned assessments will only have access to them from their To-Do List.

Info
titleNOTE

For additional information, please see To-Do List.


Include Page
DI:Include - More and Less
DI:Include - More and Less

Evaluating Assessments


Assessors evaluate the design and operating effectiveness of controls. Verifiers review the judgment of the assessors. Both see the same information with the exception of the buttons to complete their roles in the control assessment process. The next two sections describe the two views.

The Assessor's View

The person who performs the assessment is the assessor. It is mandatory to select at least one user for this role. It is possible to have multiple assessors, but any of these assessors can complete the assessment on their own.

The Verifier's View

If your workflow requires, you can assign a user to the optional Verifier field. This user reviews the assessment after the assessor clicks Complete Assessment. It is also possible to have multiple verifiers, but any of them can complete the analysis on their own.

View Control Information

Any assessment conducted on the control being assessed is available for view, no matter the audit. By reviewing conclusions made and evidence provided in other audits, an assessor can make a more informed decision on the effectiveness of the control.

The information is provided on a tab on the control itself. To access the information from an assessment, complete the following steps:

  1. Click the linked control name. This opens the control.



  2. On the control, click the Assessments tab. This provides a comprehensive list of active and completed assessments conducted on the control.



  3. Click any Title link to open an assessment and view findings.

View All Other Information

To examine all applicable evidence and information located on the assessment card, complete the following steps:

  1. Review the associated control's information.



  2. Click the Design tab for a list of all objectives to which the control is mapped.

    Tip
    titleTIP

    Only one control can be mapped to one assessment, but that one control can be mapped to objectives in multiple programs. The Design tab shows all the objectives to which the control being assessed is mapped. Reviewing that information allows you to compare the control against other regulatory requirements and may help with decision making.


    Image Modified

  3. Click the Operational Effectiveness tab to display all requests mapped to the assessed control.

    Tip
    titleTIP

    The information in Operational Effectiveness makes it easy to review whether the evidence provided for other audit requests was satisfactory.




  4. Click the Attachments tab to attach or review files. This is useful to attach any document during the assessment, such as workpapers.



  5. To add hyperlinks to the request, click Click here to attach links.



  6. Enter the URL in the Linktext box and the name in the Title text box.

  7. Click Add link.

  8. Click the Comments tab to review or add information pertinent to the assessment.


       
Info
titleNOTE

Clicking Send on the Comments tab only only saves comments and has no impact on status. However, if email settings are configured for immediate notifications, clicking Send automatically sends emails to all assigned users that a comment has been made. It does NOT send an email to the person posting the comment. For additional information, please see Email SettingsIf you'd like to send an instant email to certain users, ZenGRC accommodates using the @ along with their names. Instant notifications do not need to be turned on for this feature to work.

Finishing the Assessment

  1. After reviewing all available information, make selections in the two dropdowns with definitions as follows:
    1. Conclusion: Design – Control language is appropriate and satisfies the objective.
      1. --- - No rating. The control has not been rated. The page defaults to this.
      2. Effective - The control's design works as intended.
      3. Ineffective - The control's design does not work as intended.
      4. N/A - Rating the design is not applicable or can't be done.
    2. Conclusion: Operational - Control is working effectively. If ineffective, create an issue and report finding that you can work on.
      1. --- - No rating. The control has not been rated. The page defaults to this.
      2. Effective - The control is operating as intended.
      3. Ineffective - The control is not operating as intended.
      4. N/A - Rating the operational effectiveness is not applicable.



  2. Complete the assessment in one of the following ways:
    1. For an assessor, click Complete Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Submitted if there is a verifier or Completed if there is no verifier.



    2. For a verifier, click Verify Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Completed and shows that the control either is or is not effective. 



    3. Alternatively, click Decline Assessment to set the status back to Open. This notes that the information is incomplete and sends it back to the assessor. It does not close or complete the assessment.

Filtering Control Assessments in Audits


Narrow control assessments displayed on the Control Assessments tab within an audit by utilizing the filter functionality.

To filter control assessments, complete the following steps:

  1. Click one of the percentages displayed beside a status.
    1. All - This shows all control assessments, regardless of status.
    2. Open - This displays control assessments currently being worked on.
    3. Effective - This displays control assessments that have been researched and deemed effective.
    4. Ineffective - This shows control assessments that have been researched and deemed ineffective.



  2. The page refreshes with results.

Exporting Control Assessments

Information in a control assessment can be exported for external auditors or any other reviewers your organization may have. The export can be formatted as a CSV or as a zip file with the attachments inside.

Include Page
DI:Note - Exporting To-Do and Audit
DI:Note - Exporting To-Do and Audit

Setting Up Recurrence


Requests, assessments and tasks can be set up to repeat on a monthly, quarterly, semi-annual, and annual basis.

Include Page
DI:NOTE - Recurrence
DI:NOTE - Recurrence