Copy Frequently Asked Questions

During audit creation, controls are added in Step 2: Scope. Then assessments are automatically generated for those controls when you complete Step 5: Review. On that page, you will see how many assessments will be generated after you click Start Audit. See Creating an Audit.

If you need to add an assessment after audit creation, complete the following steps:

1. Click the blue New button at top left (of any module).

2. Select Assessment.

3. In the Audit dropdown, select the audit for which you're creating the assessment.

4. Complete the necessary fields and click Save.

5. Map the control and the assessment to the audit.

6. Map the control to the assessment. See Mapping and Unmapping in Fundamentals of Navigating and Editing.

This can happen if the request is not mapped to the control in Step 4 of Audit Creation. If this occurs, you can correct it by completing the following steps:

1. Click System of Record | Requests.

2. Select the check box beside the request, and click Map/Unmap.

3. Click Select Object Type and select the Control radio button.

4. Find the applicable control in the Available Controls column and click + to add it.

5. Click Complete. See Mapping and Unmapping in Fundamentals of Navigating and Editing.

No. Assessments are meant for controls and are only automatically generated for them when the audit is started. If an assessment or a request is added through import, there is no auto-generation. However, if you add a request and map it to a control that already has an assessment, the request will show up on the mapped assessment.

Here are some instructions for changing any field in an existing, active audit:

1. Click Audits and select your audit.

2. Go to Actions in the top right corner

3. Choose View Audit Details. Here you can edit desired fields. Please see Editing Overall Audit Details in the Managing Audits documentation.

If there is still a step to complete when the due date passes, such as the outside auditor verifying the evidence, ZenGRC recognizes it as overdue.

If you don't want your statuses to say overdue, update the Due On date to reflect the actual day that evidence verification can take place.

There are several ways to update a field for multiple items at once. To change the dates on evidence requests in bulk, complete the following steps:

1. Click System of Record | Audits.

2. Click the linked audit name to open the details page. See our documentation on The Details Page, which is within the Navigation tutorial.

3. Toward the middle of the details page, there are several sub-headings such as Details, Mapped Objects, History and Questionnaires.

4. Click Mapped Objects.

5. Directly below the Mapped Objects header, click the Requests link.

6. Click the gear in the top right of the sub-menu and select Starts On and Due On to make sure those fields are in the headings and are then editable.

7. Filter if necessary.

8. Select all requests where the date needs to change.

9. Once you make selections, an Edit Values menu displays with the headings to edit.

10. Make changes and click Save.

If requests are imported without being mapped to an audit, you will see them by clicking System of Record | Requests. They will not be added to any audit unless the requests are mapped to an audit.

They indicate the number of days the issue has been open.

The first step is to set a meeting to discuss what you'd like to accomplish. We may either guide you on how to do the work directly or offer a professional services quote should the work fall outside the current contract. It all depends on the volume of work and time needed to accomplish it. Please contact us at support@reciprocitylabs.com.

Our mapping structure is as follows: 

Program-->Standard-->Section-->Objective-->Control

If your controls are mapped to objectives and a program, but they're missing the in-between mappings to standards and sections, it breaks the ZenGRC structure and makes the controls appear unmapped to the program within the Audit function. Since each program is unique, please contact us at support@reciprocitylabs.com for additional support.

ZenGRC supports downloading files from the application in CSV format only. At this time there is no PDF download option from Data Export.

Print to PDF options are available from Dashboards

Backend storage is required when using ZenGRC storage for evidence collection (vs. using hyperlinks to link to evidence stored in an external system). 

For the on-premises install, we provide a service that runs alongside the main ZenGRC application and enables ZenGRC storage to store evidence files directly to the filesystem. 

ZenGRC requires persistent storage for an on-prem install (e.g., configuration files, log files, data files for the database), aside from the requirements for evidence collection. We recommend at least 50GB of available space on the filesystem where ZenGRC is installed to have a safe margin.

Please see Editing Overall Audit Details in the Managing Audits documentation.

ZenGRC allows you to connect to different storage solutions at once, but it does not migrate content. If it's necessary to migrate documents from one to another, please contact your IT department.

Not at this time. One of the reasons is because SharePoint is generally for organization-wide document and file collaboration. While evidence storage is used to store sensitive data that is not shared throughout a company.

SharePoint does have the ability to link to a OneDrive file when referring to evidence. This is the preferred method of using SharePoint with ZenGRC.

For additional questions and answers on evidence storage, please see ZenGRC Storage Security FAQs.

The DRL template is found on Step 4: Setting up Audit Requests. For instructions, see Step 3: Setting up Audit Requests with additional formatting tips under Data Import.

Upload the DRL in the same step where you downloaded the template. See Step 3: Setting up Audit Requests. 

If you've already created your audit and need to add additional requests, please follow these steps:

1. Open your audit. See Finding Draft Audits. To access the import area, see Uploading Additional Requests in Managing Audits.

This accesses Step 4: Generating Assessments.

To delete duplicated requests, complete the following steps:

1. Click System of Record | Requests.

2. Add a heading that contains information common to all the requests. (For example, if they can all be found by searching on an audit, add the Audit heading to the Requests page.) Please see Changing Headings in Navigation.

3. Click the applicable heading and filter it by the common information. Please see Filtering Data in Navigation.

4. Select the requests and delete them. Please see Editing Multiple Selections at Once in Navigation.

To turn off recurring requests, complete the following steps:

1. Open the last automatically created request.

2. On the Details tab, click the pencil beside Repeats.

Select Never; then Save.

Please see the information under Jira Connector.

ZenGRC tracks every Jira issue mapped to the audit (by default these are epics, but you can set other Jira issue types for audits). Issues created in Jira and mapped to epics will be visible in ZenGRC as well.

The current integration does not allow Jira to write to ZenGRC. We only pull data from Jira to display in ZenGRC.

Technically, there is no sync. The data is pulled each time.

No fields are changed inside ZenGRC.

Evidence files are stored in Jira (and so are comments or any other attributes of a request which is linked to Jira). When you open a request, ZenGRC pulls data from Jira.

ZenGRC instances have dynamic IPs, so you need to update your firewall configuration based on looking up the IP for the hostname of your instance. (i.e. https://[yourdomain].zengrc.com). For additional information, please see IP Whitelisting.

Another option, though less common, is to open your Jira instance to the range of IP addresses that are part of the Amazon AWS US-east and US-west regions. If you have questions about this, please contact support@reciprocitylabs.com.

You will need to update your Jira configuration by following the guide under Add Issues in Configuring ZenGRC with Jira Software Cloud.

After assignees submit evidence, they cease receiving email on that request/task/assessment. If their evidence is rejected, they will begin receiving a daily email until it is submitted again.

Notifications don't actually go out until the morning after an audit is activated. However, you can force them to be sent by adding a specific string to the end of your URL which then sends out the notifications. Add this to the end of your ZenGRC instance URL /_notifications/send_todays_digest. So your link name would be similar to this http://[yourdomain].zengrc.com/_notifications/send_todays_digest. This will send out notifications to everyone in the application who is assigned a task, request or assessment.

You may also want to check your settings to ensure they're set up as expected. For assistance with notifications, please see the Configuring Email Settings documentation.

In addition, to simply display an overall digest of assignments without sending emails, use the following in the URL: 

https://[yourdomain].zengrc.com/_notifications/show_todays_digest.

Yes. Please see Configuring Email Settings.

User accounts are not deleted in ZenGRC but rather set to No Access. The purpose behind this methodology is to maintain an audit trail for all user actions, even though they may no longer have access.

You can change your password by signing out and choosing the reset option, see below:

After we import the programs that your organization selected, there are still a few things to do before starting an audit.

1. Each program in ZenGRC needs additional formatting that's done in the Program Scoping Wizard. Not every program needs to be set up in the Program Scoping Wizard at once, just the one needed for the audit. See Program Scoping Dashboard.

2. Add your controls to our template, import them and ensure controls are mapped. See Mapping Controls.

3. Complete all steps in the Program Scoping Wizard for the targeted program, and begin your audit. See Creating an Audit.

If you have a control associated with two programs, the deleted program will be removed, but the control itself will not be deleted (only the mapping). Just be sure to delete the Program via the Program menu in the application, not through import.

Yes, we're happy to say  Please see Configuring Email Settings.

Answers cannot be deleted at this time. If we receive multiple requests for the same feature, we evaluate the validity and place it on our roadmap.

Yes, edits will not impact previously received responses.

They should be assigned the Contributor role and added to the Audit Manager field for the specific audit. See Adding and Removing Users. This gives them access to the specified audit and allows you to assign assessments to them in the audit set up wizard. See Step 4: Generating Assessments.

If you don't want to give external auditors access to the entire audit, you can skip assigning them as audit manager in the audit and bulk assign assessments to them. They won't have access to anything else in the application but will see everything they need in the audit, such as the text of the controls and objectives on the assessment card. To bulk assign assessments, complete the following steps:

1. Click System of Record | Assessments.

2. Add the Audit Manager heading to the page. 

3. Select assessments needing to be changed. See Actions on the Details Page.

Those dropdown options only populate when the following are true:

• The Risk has impact and likelihood assigned (needs to be something other than N/A).

• The Risk is mapped to the program. To map a program, please review our documentation on Mapping and Unmapping Objects.

Please see Evidence Storage in this document.

The To-Do List and relevant items are only visible to individual users. However, an admin may view those items by doing the following:

1. Click System of Record in the left-hand menu.

2. Choose either Requests or Assessments.

3. You can add headings for Assignees and then filter the requests or assessments to your choosing.

Users can create and send out questionnaires on any object, not just vendors. For more information, please see Questionnaires.

All users can view the Vendors tab in the left-hand navigation. On click, Readers can see (read) everything, meanwhile, Contributors need to be assigned to specific attribute fields on an individual vendor object for them to see the vendor. Users with Contributor access must be added to the Owners field to view a vendor.