Overview
ZenGRC provides a robust platform for managing audits for your organization. This best practice guide helps ZenGRC administrators set audits up so that assignees understand the role they play and external auditors have easy access to the information they need.
For step-by-step instructions, please see links under Audit Documentation in the right panel.
Definitions
In ZenGRC, there are four unique objects for audits:
- Audits
- Requests
- Assessments
- Issues
Audits - A container object for audits run against controls. This object holds metadata about the audit itself (e.g., title, period, managers). When an audit is created, its requests and assessments are automatically mapped to the audit object. Issues created from assessments are also mapped to the corresponding audit object.
Requests - Objects used to request evidence as part of an assessment. A request is sent to the identified assignee, who responds to it and uploads evidence. All communication between the assessor and the assignee is tracked on the request. Request status is tracked in Audits.
Assessments - Objects used to assess the effectiveness of a control. Assessments are typically made after the requested evidence has been submitted and are based on that evidence. Each assessment rates 1) the Design and 2) the Operation of a control as either "Effective" or "Ineffective." Typically, a control that receives an "Ineffective" rating in either category has a corresponding issue created. The status of assessment objects is tracked in Audits.
Issues - Objects used to track the remediation of an issue (finding) discovered during the assessment of a control. An issue should record an owner, a remediation plan, and a due date. The status of Issue objects is tracked in Audits.
Preparation
This section offers suggestions to consider prior to creating an audit in ZenGRC:
- Complete fields for auto-population - The fastest way to assign assessors during audit creation is to pull them from existing fields in Step 3 of an internal audit. Depending on the selection made in the Default assessors dropdown (the Default verifiers dropdown sits directly to its right), users are assigned as assessors or verifiers for every assessment generated in the audit:
- If Control owner is selected, the audit wizard pulls the assignee from each control's Owner field on the control object.
- If Audit managers is selected, the audit wizard pulls the assignees from the Audit managers field in Step 1 of audit creation.
- Create the import template - Although the requests template isn't imported until Step 4 of audit creation, it should be an immediate action item. One suggestion specific to audit spreadsheets:
- In the Code column, use the period/name of the audit plus the DRL (document request list) line number, so that each request is easily identifiable to external auditors. For example:
- 2018-Q3 PCI audit - request 1
- 2018-Q3 PCI audit - request 2
- 2018-Q3 PCI audit - request 3
Because the code carries over into evidence exports and downloadable reports, the external auditor can match each request to their DRL line item.
Note that Jira audits use a different import template.
NOTE: For additional information on requests, templates and Jira, please see Step 4: Setting up Audit Requests.
- Create alternative programs - For repeated audits that are always scoped to the same set of controls, create multiple, slightly different versions of a program so that audits can be scoped more quickly. For example, create the following programs, each with its own selected controls:
- PCI Audit A
- Scope a subset of controls to this program.
- PCI Audit B
- Scope a subset of controls to this program.
- PCI Audit C
- Scope a subset of controls to this program.
- During audit creation, select one of these programs and its subset of controls is displayed automatically, so you can "Select all" and scope every control at once. This avoids searching for and selecting individual controls each time the audit is conducted.
Creating the Audit
The following are tips for building an audit within your ZenGRC instance:
- Set realistic start dates - Give assignees enough lead time to gather evidence before the audit opens.
- Compress the audit period
- Set a timeframe of 2-3 weeks at most, if possible.
- A short window conveys urgency to assignees.
- Provide guidance - After starting the audit, either link to a common shared drive or pre-populate the requests with evidence from a prior audit/period so assignees have examples to follow. This adds some admin/setup time, but the evidence submitted is more accurate and complete.
- Work with external auditors
- Create the ZenGRC audit as an "External audit."
- For ZenGRC access, set the external auditor up in a Contributor role. In Step 1 of audit creation, grant the auditor access through the External auditors field.
- Establish a communication plan for when evidence is rejected by the auditor, for example because more evidence, or different evidence, is needed.
- Establish how subsequent requests are handled/created. After the initial DRL is loaded into ZenGRC Requests, decide whether the external auditor (not recommended) or the ZenGRC admin/audit manager (recommended) will create any follow-up requests.
DEFINITION: For complete definitions of all objects, please see ZenGRC Definitions.