
Benefits


A control is an activity or technical configuration put in place to satisfy a requirement, which is called an objective in ZenGRC. Controls are the only objects that are tested in the Audits module, which are then "assessed" in an assessment. Assessments are typically performed after evidence showing the control in action has been submitted.

Overview


This documentation highlights additional functionality that audit managers or administrators may need. For streamlined steps on how to finish your portion of an assignment, please see Quick Tips for Assessments.

When an audit is started, assessments are automatically created on a one-to-one basis with the audit's controls. Assessments rate the effectiveness of a control in two ways: design and operation. To make the process more efficient, you can review the associated details of the control (title, description, and test plan) on the assessment itself. In order to perform the control assessment, the related objectives (on the Design tab) and the related evidence requests (on the Operational Effectiveness tab) can be reviewed on the assessment card as well.

After reviewing the necessary information, the assessor can evaluate the control on a design and operational effectiveness level. Typically, if a control receives an “Ineffective” rating in either category, then a corresponding issue is created.

See the issue creation process in Working with Issues.

NOTE: Audit managers and those with additional permissions access requests from the Audits module, while those with limited permissions access assessments from the To-Do List.


NOTE: See details of access rights in Role-Based Permissions.

Accessing Control Assessments from Audits


This section describes actions conducted on the Audit summary page, which opens when an individual audit is clicked on the Audits visual display page in the Audits module.

To view and evaluate a control assessment on the Audit summary page, complete the following steps:

  1. On the Audits visual display page, select the audit from the dropdown.
  2. Click the Assessments tab.
  3. Find the control assessment and click the link in the Title column.
    A dialog box displays with several steps for verifying or declining the control assessment.
    If the page opens in the Details tab, click the Attachments sub tab to review evidence and complete one of the following actions

Accessing Assessments Through the System of Record


To access requests, complete the following steps.

  1. Click System of Record | Assessments.
  2. The Assessments page displays showing all existing items.

Accessing Assessments from the To-Do List


Those with limited permissions who are assigned assessments will only have access to them from their assignments in the To-Do List.

NOTE: For additional information, please see To-Do List.

Evaluating Control Assessments

You can open control assessments in several ways, with the main access points coming from the To-Do List and Audits. 

If the Attachments area is not already displaying, select that sub tab.

  • Review evidence on the Attachments sub tab.
  • Click the Comments sub tab to review any additional information.
  • To add a reason behind declining or verifying the assessment, enter a comment in the Comments text box and click Send to post. This only saves the comment. It does not impact the status of the assessment.

After review, there are two selections in the upper left corner:

  • Conclusion: Design - Control language is appropriate and it satisfies the objective. Select one of the following:
    1. --- - No rating. The control has not been rated. The page defaults to this.
    2. Effective - The control's design works as intended.
    3. Ineffective - The control's design does not work as intended.
    4. N/A - Rating the design is not applicable or can't be done.
  • Conclusion: Operational - Control is working effectively. If ineffective, create an issue and report a finding that you can work on. Select one of the following:
    1. --- - No rating. The control has not been rated. The page defaults to this.
    2. Effective - The control is operating as intended.
    3. Ineffective - The control is not operating as intended.
    4. N/A - Rating the operational effectiveness is not applicable.

To complete the step, do one of the following:

  • For an assessor, click Complete Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Submitted if there is a verifier or Completed if there is no verifier.
  • For a verifier, click Verify Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Completed and shows that the control either is or is not effective. Alternatively, click Decline Assessment to set the status back to Open. This notes that the information is incomplete and sends it back to the assessor. It does not close or complete the assessment.

Assessments


For streamlined steps on how to finish your portion of an assessment, please see Quick Tips for Assessments.

Filtering Control Assessments in Audits


Narrow control assessments displayed on the Control Assessments tab within an audit by utilizing the filter functionality.

To filter control assessments, complete the following steps:

  1. Click one of the percentages displayed beside a status.
    1. All - This shows all control assessments, regardless of status.
    2. Open - This displays control assessments currently being worked on.
    3. Effective - This displays control assessments that have been researched and deemed effective.
    4. Ineffective - This shows control assessments that have been researched and deemed ineffective.
  2. The page refreshes with results.

Exporting Control Assessments


Information in a control assessment can be exported for external auditors or any other reviewers your organization may have. The export can be formatted as a CSV or as a zip file with the attachments inside.

Setting Up Recurrence


Requests, assessments and tasks can be set up to repeat on a monthly, quarterly, semi-annual, and annual basis.