Step 3: Setting up Audit Requests
- Tristan Mohn (Deactivated)
- Victoria Buhler (Deactivated)
- Shelley Fluke (Deactivated)
Page Contents
Overview
This step allows you to add all evidence requests at once. Audit tasks and evidence requests are created in an audit by importing a template containing the required data. Then, those tasks and requests are mapped to the scoped controls.
IMPORTANT
For this step in audit creation, it is critical that your organization already has the framework for your compliance program set up in ZenGRC. Evidence gathering is one of the prime reasons for conducting an audit, and this step assigns evidence requests for effectiveness of controls, which are scoped to your program's objectives. Although there are no constraints in the application stopping you from skipping this step, remember that requests are an integral part of an audit.
This step actually contains several sub-steps within it. They include the following activities, which are outlined on this page:
Downloading the import template.
TIP
For an external audit, use the import template to transfer information from the Document Request List (DRL), which was received from your external auditors.
TIP
For an internal audit, use the import template to add evidence requests for controls that are pertinent to your internal compliance program.
- Completing the template.
- Importing the template into ZenGRC.
- Mapping requests to available controls.
The Import Requests Template
ZenGRC supplies the import requests template with pre-formatted headings that correspond to request fields.
Downloading the Template
To download the import requests template, complete the following step:
- Click click here to download it link. The CSV file will open or download in the manner specified in your browser.
Completing the Template
Add requests surrounding the audit into the import template using provided headings.
WARNING
The request template for Jira audits have important differences that will cause errors if not set up correctly. After reviewing information on this page, please see Configuring CSV Import for the Jira Connector.
The request import template contains the following fields:
- Request - This is the type of data you are importing. The cells under this heading stay blank.
- Title - This must be unique for every request so users can easily identify specific tasks when looking at a large amount of requests. The title limit is 250 characters. This is a required field.
- Description - An optional field for instructions on the evidence-collection task.
- Notes - An optional field for additional remarks.
Assignee - The user's email who will be fulfilling the evidence request. Make sure the email is already set up in the ZenGRC application. When a request is assigned or when comments are added to the request, the assignee receives notifications. This is a required field.
- Reviewers - An optional field for a reviewer who accepts or rejects the evidence prior to the verifier, Fill in the user's email.
Verifier - An optional field for the user who has the final review of this evidence request. Fill in the user's email. Make sure this user has an account with this email in ZenGRC. Users receive email notifications when the assignee submits evidence or when there are new comments.
Starts On - A required date field for when the request starts. If empty, the application posts a warning and will fill in the blank with the date the template is uploaded. The format should be MM/DD/YYYY. This is a required field.
- Due On - A date field for when the request is due. The format should be MM/DD/YYYY. ZenGRC uses this data for overdue calculations and warnings.
IMPORTANT
Save this file in UTF-8 format with a CSV extension to your local machine for easy import.
Importing the Template
To import the template containing your audit requests, complete the following steps:
- Click Choose CSV to Import Requests.
- Select the template saved in the previous section.
Now follow the instructions under Importing a Template in Data Import.
Adding Individual Requests
On First Access to the Page
On first visit to the Step 3. Requests tab, if you want to create and add requests individually, complete the following:
- Click Add Requests Individually.
- The form for creating a new request displays.
- Once saved, the request will display in the mapper to add to controls.
After Importing Requests
After importing requests, but prior to activating the audit, you can still add requests manually by doing the following:
- Click + Add More Requests at the bottom of the page.
- This displays the page shown in the screenshot under the Overview section of this documentation where you can import a spreadsheet or create requests individually.
Mapping Requests to Available Controls
NOTE
If you are creating a ServiceNow audit, requests cannot be mapped to controls. When imported, the request details display with no action available. Click Next to continue to the next step. For more information, please see Creating a ServiceNow-Managed Audit.
Once you have imported requests, the page displays to map them to audit controls. It is comprised of three columns as follows:
Available Controls – These are controls scoped to the audit in Step 2. Scope.
- Requests Mapped – This contains all requests mapped to the selected control. The column is blank when the page is initially accessed since the imported requests have not yet been mapped.
Available Requests – These are requests added to the template and imported for the audit. Any imported request can be mapped to any control within the audit.
NOTE
After the audit is activated, additional requests can be imported within the Audits module.
Mapping Requests
To map requests to a control, complete the following steps:
Select a control in the Available Controls column.
TIP
Selecting a control displays all mapped and unmapped requests to that specific control.
- Select a check box next to a request in the Available Requests column. This activates the Map Requests button.
- Alternatively, select the Select All check box to choose all requests in the column.
- Click Map Requests.
- The request moves to the Requests Mapped column and is now mapped to the control.
- Continue until all appropriate requests are mapped to the control.
- Select another control in the Available Controls column and repeat the process.
NOTE
Once all requests are mapped to the controls, you can finish this step. Please see Completing the Step.
Unmapping Requests
To remove requests from a control, complete the following steps:
- Select a control in the Available Controls column. This displays all associated requests.
- Select a check box next to a request in the Requests Mapped column. This activates the Unmap Requests button.
- Alternatively, select the Select All check box to choose all requests in the column.
- Click Unmap Requests.
- The request is removed from the control and added to the Available Requests column.
Displaying Descriptions
To read descriptions of any control or request, complete the following steps:
- Select an item in any column.
- Click the Details link.
- The control or request opens in a new tab or window and displays all pertinent information.
Opening the Mapper Page
If you were interrupted during mapping and need to return to the mapper page, complete the following:
- On the Step 3. Requests tab, click Show mapper.
Completing the Step
The step is ready for completion after requests have been imported and then mapped to scoped controls.
To complete this step and continue to the review, complete the following:
Click Next. The Step 4. Assessments page displays.
© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com