Created by Tristan Mohn (Deactivated), last modified on Oct 23, 2018
Benefits
A control is an activity or technical configuration put in place to satisfy a requirement, which ZenGRC calls an objective. Controls are the only objects tested in the Audits module; each tested control is then evaluated in an assessment. Assessments are typically made after evidence showing the control in action has been submitted.
Overview
Assessments rate the effectiveness of a control in two ways:
- Design.
- Operation.
Typically, if a control receives an “Ineffective” rating in either category, then a corresponding issue is created.
Accessing Control Assessments from Audits
Administrators and those with additional permissions access requests from the Audits module.
NOTE
This section describes actions conducted on the Audit summary page, which opens from the Audits visual display page.
To view and evaluate a control assessment on the Audit summary page, complete the following steps:
- On the Audits visual display page, select the audit from the dropdown.
- Click the Assessments tab.
- Find the control assessment and click the link in the Title column.
- A dialog box displays with several steps for verifying or declining the control assessment.
- If the page opens in the Details tab, click the Attachments tab to review evidence and complete one of the following actions.
Accessing Assessments from the To-Do List
Those with limited permissions who are assigned requests will only have access to them from their assignments in the To-Do List.
Evaluating Control Assessments
You can open control assessments in several ways, with the main access points coming from the To-Do List and Audits.
- If the Attachments area is not already displaying, select that tab.
- Review evidence on the Attachments tab.
- Click the Comments tab to review any additional information.
- To add a reason behind declining or verifying the assessment, enter a comment in the Comments text box and click Send to post. This only saves the comment. It does not impact the status of the assessment.
- After review, there are two selections in the upper, left corner:
  - Conclusion: Design – Control language is appropriate and it satisfies the objective. Select one of the following:
    - --- - No rating. The control has not been rated. The page defaults to this.
    - Effective - The control's design works as intended.
    - Ineffective - The control's design does not work as intended.
    - N/A - Rating the design is not applicable or can't be done.
  - Conclusion: Operational – Control is working effectively. If ineffective, create an issue and report a finding that can be worked on. Select one of the following:
    - --- - No rating. The control has not been rated. The page defaults to this.
    - Effective - The control is operating as intended.
    - Ineffective - The control is not operating as intended.
    - N/A - Rating the operational effectiveness is not applicable.
- To complete the step, do one of the following:
  - For an assessor, click Complete Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Submitted if there is a verifier, or Completed if there is no verifier.
  - For a verifier, click Verify Assessment. This is the selection even if the conclusion for the design and/or operation is deemed ineffective. This sets the status to Completed and shows that the control either is or is not effective. Alternatively, click Decline Assessment to set the status back to Open. This notes that the information is incomplete and sends it back to the assessor; it does not close or complete the assessment.
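The status transitions and rating rules in the procedure above form a small state machine. The following is an added example that models it; it is not ZenGRC code and does not use the ZenGRC API. The names Assessment, Rating, Status, complete, verify, decline and the point at which issues are created (on reaching Completed) are assumptions made for illustration.

```python
# Added example modelling the control-assessment workflow described on this page.
# Not ZenGRC code or its API; all class and method names here are assumed.
from dataclasses import dataclass, field
from enum import Enum


class Rating(Enum):
    NONE = "---"            # page default: the control has not been rated
    EFFECTIVE = "Effective"
    INEFFECTIVE = "Ineffective"
    NA = "N/A"


class Status(Enum):
    OPEN = "Open"
    SUBMITTED = "Submitted"  # assessor finished; waiting on the verifier
    COMPLETED = "Completed"


@dataclass
class Assessment:
    title: str
    has_verifier: bool
    design: Rating = Rating.NONE
    operational: Rating = Rating.NONE
    status: Status = Status.OPEN
    comments: list = field(default_factory=list)
    issues: list = field(default_factory=list)

    def comment(self, text: str) -> Status:
        # A comment only records a reason; it never changes the status.
        self.comments.append(text)
        return self.status

    def complete(self) -> Status:
        # Assessor action. Allowed even when a conclusion is Ineffective.
        # Goes to Submitted if a verifier exists, otherwise straight to Completed.
        if self.status is not Status.OPEN:
            raise ValueError(f"cannot complete from status {self.status.value}")
        self.status = Status.SUBMITTED if self.has_verifier else Status.COMPLETED
        if self.status is Status.COMPLETED:
            self._raise_issues()
        return self.status

    def verify(self) -> Status:
        # Verifier action. Closes the assessment whatever the conclusions say;
        # the conclusions record whether the control is effective or not.
        if self.status is not Status.SUBMITTED:
            raise ValueError(f"cannot verify from status {self.status.value}")
        self.status = Status.COMPLETED
        self._raise_issues()
        return self.status

    def decline(self) -> Status:
        # Verifier action: information incomplete, send back to the assessor.
        # The assessment is neither closed nor completed.
        if self.status is not Status.SUBMITTED:
            raise ValueError(f"cannot decline from status {self.status.value}")
        self.status = Status.OPEN
        return self.status

    def is_effective(self) -> bool:
        # Effective only once completed with no Ineffective conclusion.
        return self.status is Status.COMPLETED and Rating.INEFFECTIVE not in (
            self.design, self.operational)

    def _raise_issues(self) -> None:
        # An Ineffective rating in either category creates a corresponding issue.
        # Assumption: issues are created when the assessment reaches Completed.
        for category, rating in (("Design", self.design),
                                 ("Operational", self.operational)):
            if rating is Rating.INEFFECTIVE:
                self.issues.append(f"{self.title}: {category} conclusion ineffective")


if __name__ == "__main__":
    # Constructed sample: an assessment with a verifier, declined once, then verified.
    a = Assessment("Quarterly access review", has_verifier=True,
                   design=Rating.EFFECTIVE, operational=Rating.INEFFECTIVE)
    a.complete()                      # Submitted
    a.comment("Evidence covers only one of the two in-scope systems.")
    a.decline()                       # back to Open
    a.complete()                      # Submitted again
    a.verify()                        # Completed, one issue raised
    print(a.status.value, a.is_effective(), a.issues)
```

The two assessor and verifier paths from the page are both covered: with no verifier, complete() lands directly on Completed; with a verifier, the assessment sits in Submitted until it is verified or declined, and declining returns it to Open without recording anything as complete.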
Viewing Additional Details
When compliance items are opened from the To-Do List or Audits, the pages display a toggle button to show more or less information. If these objects are accessed by clicking System of Record in the left-hand navigation, they do not have this toggle.
TIP
The example shown below is for an assessment. The functionality is the same for assessments, requests, and tasks that are opened from the To-Do List or Audits.
To change how much information is displayed in an object, complete the following steps:
- Open the item.
- In the top, right corner, click Show less for a streamlined view of only the Attachments and Comments tabs.
- Alternatively, if you need more details, click Show more to display all tabs and other fields.
Filtering Control Assessments in Audits
Narrow the control assessments displayed on the Control Assessments tab within an audit by using the filter.
To filter control assessments, complete the following steps:
- Click one of the percentages displayed beside a status:
  - All - This shows all control assessments, regardless of status.
  - Open - This displays control assessments currently being worked on.
  - Effective - This displays control assessments that have been researched and deemed effective.
  - Ineffective - This shows control assessments that have been researched and deemed ineffective.
- The page refreshes with results.
Exporting Control Assessments
Information in a control assessment can be exported for external auditors or any other reviewers your organization may have. The export can be formatted as a CSV or as a zip file with the attachments inside.
NOTE
For instructions on exporting, please see the To-Do List or Managing Audits, depending on the module in which you are working.