Understanding Audit Workflow Roles

Overview

Through an audit, you'll be able to track the following mapped objects:

  • Controls
  • *Requests
  • *Assessments
  • Issues

For full definitions of these objects and others, please see ZenGRC Definitions.

*These are the only items that use automated email notifications. Please see Workflow for Items Within the Audit (below) for links to the workflow for each object.

Best Practices

In collaboration with our ZenGRC experts, we created material to help you get started. Please see Audits - ZenGRC Best Practice for definitions and audit tips.

User Assignment Fields

A little legwork before the audit makes audit creation simple and accurate. This section explains the fields to complete on controls and within audits that allow assessors and verifiers to be assigned automatically.

Control Fields to Populate

Controls have fields that can be automatically pulled into the audit, and the users in those fields are tagged as default assessors or default verifiers on the audit's assessments.

Control Owner, Primary Contact, and Secondary Contact

These fields were designed to provide flexibility in your control setup. Each control can have one or more users in each of the following fields:

  • Control Owner
  • Primary Contact
  • Secondary Contact

To understand how these fields can be used during audit setup, please see Step 4: Generating Assessments.

Audit Fields to Populate

In the audit itself, there are fields where users in the Administrator, Editor, or Contributor roles may be placed to give them visibility of the audit as a whole. This is meant to expand permissions for someone who is essential to the audit but who does not need access to any other ZenGRC objects.

These users are assigned when an audit is created, as documented in Step 1: Adding Basic Audit Information, and they can be selected as default assessors or verifiers in Step 4: Generating Assessments.

Audit Manager

  • This field defaults to the person creating the audit, but any user in an applicable role can be selected.
  • Users in this field can create and edit most object fields related to the audit, which includes requests, assessments, tasks, and issues.
  • If users assigned to this field are in a Contributor role (recommended for external users), the following permissions apply:
    • In the Audits module, they only see the audit to which they're assigned.
    • They have read access to the first level of objects mapped to the audit.
    • They cannot delete the audit itself or any of the mapped objects.
    • They cannot override the statuses of the audit, assessments, requests or tasks.
  • If users in this field are assigned to an Administrator or Editor role, they retain all of the global read/write/delete permissions their role already grants; the Audit Manager field does not narrow them.
  • This field differs from the Auditors field in that it can be selected during audit setup to be the default assessor or default verifier on all assessments. Please see the documentation at Step 4: Generating Assessments.

Auditors

  • This field is empty by default.
  • The remaining permissions mirror those of the Audit Manager as explained above, with one exception: this field cannot be selected as the default assessor or verifier of assessments.

Workflow for Items Within the Audit

One of the keys to a successful ZenGRC audit is understanding the workflows for the items that play critical roles. This also includes knowing how to set up email notifications in a way that works for your organization.

To understand the workflow for items within an audit, please consider the following:

  • Tasks and requests workflows are described together in the To-Do List documentation. Please see Workflow for Requests and Tasks.
  • Assessments function slightly differently and are explained separately in the To-Do List documentation. Please see Workflow for Assessments.
  • Once item workflows are understood, please review Email Notifications to determine how to configure notifications so they best serve your organization's needs.

NOTE

Once you understand workflows, you are ready to create an audit. Continue to Creating an Audit.

© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com