Overview
This step defines the program/framework along with the controls you want to scope for the audit. You can remove irrelevant controls from the audit or create a custom audit from different combinations of programs, standards, and targets. It can be skipped by clicking any of the circled step numbers or by clicking the Next button.
TIP
This step is the same for both internal and external audits.
TIP
If your System of Record is already set up with programs, objectives, controls, and other objects mapped, it makes completing this step more efficient.
Intro to the Scope Page
The page for defining the scope is comprised of the following fields:
Select audit target - This is the product, process, or system (or any other object within ZenGRC) to audit. This is optional.
TIP
Making a selection in the Select audit target populates the Control column with the list of controls already scoped to the selection.
Select program/standard - This contains the desired framework/program for the audit. This is optional.
TIP
If you select options in both the Select audit target and the Select program/standard dropdown menus, only controls mapped to both menus display. This is useful if you want to select a system or office location in the Select audit target and then select the program in the Select program/standard to test it against.
- Audited period (optional) - When you are auditing a specific time period, such as a fiscal year, use these date fields to set the beginning and end date.
Scoping Controls to an Audit
To scope controls to an audit, complete the following steps:
Select an option in the Select audit target and/or the the Select program/standard dropdown menus.
Select the checkboxes next to the desired controls in the Controls column.
TIP
If a control you want to scope is not found in the audit target or the program/standard selected for this audit, you can still map it to this audit. See Finding Controls Outside the Audit Target or Program.
Click Move to Scope. The selected controls display in the In-Scope Controls column.
NOTE
To scope all controls at once, please see Scoping All Controls to an Audit.
- Click Next to continue to Step 3: Exporting Audit Data or Setting up a Template.
Scoping All Controls to an Audit
To scope all controls to an audit, complete the following steps:
- In the Controls column, click the Select all checkbox.
- Click Move to Scope. The selected controls display in the In-Scope Controls column.
Removing Controls from an Audit
To remove controls from an audit, complete the following steps:
In the In-Scope Controls column, click the checkboxes next to the desired controls.
TIP
There will only be controls in the In-Scope Controls column if they have previously been scoped to the audit.
- Click Remove from Scope. The selected controls display in the Controls column and are no longer in scope for the audit.
Removing All Controls from an Audit
To remove all controls from an audit, complete the following steps:
In the In-Scope Controls column, click the Select all checkbox.
TIP
There will only be controls in the In-Scope Controls column if they have previously been scoped to the audit.
- Click Remove from Scope. The selected controls display in the Controls column and are no longer in scope for the audit.
Finding Controls Outside the Audit Target or Program
If there is a control you want to use that is not found in the audit target or the program/standard, you can still scope it to your audit.
To display a control mapped to a program other than the audit target, complete the following steps:
Select an option from either the Select Audit target or Select Program/Standard dropdown menus.
TIP
If the Select Audit target or Select Program/Standard dropdown menus already have selections, you will need to remove them.
TIP
Making a selection in both the Select Audit target or Select Program/Standard dropdown menus only displays controls mapped to both.
- Find the desired control and click the check box to select it.
- Click Move to Scope.
- After the control is scoped, remove the selection from the dropdown and select your prior choices in the dropdown menus.
Displaying Control Descriptions
Brief descriptions of controls are available within the Controls and the In-Scope Controls columns and can be accessed from this page.
TIP
In order to display controls in the Controls column, you must make a selection in the Select audit target or the Select program/standard dropdown boxes.
To see a description of a control, complete the following steps:
- Hover over the desired control. The icon for information displays.
- Hover over the icon to display the description.
- Alternately, remove the mouse from the icon to remove the description.
Searching for Controls
The Controls and the In-Scope Controls columns are searchable. The search boxes are located directly below the column headings. Each search box only searches the information displayed within the column it resides.
TIP
The search within each column covers words in the titles as well as in descriptions displayed when you hover over the information icon for an individual control.
To conduct a search, complete the following steps:
- Click inside the applicable Search box.
- Type any word associated with the desired topic. The system updates the column below the search box in real time.
Alternately, to remove the search term, click the x to the right of the search box.
NOTE
Continue to the next section - Step 3: Exporting Audit Data or Setting up a Template.