GRC Presentation from the Cincinnati and Columbus SNUG - 2015 Q1

Scott Ferguson
ServiceNow Employee

Attached is a portion of the presentation from the Cincinnati and Columbus 2015 Q1 ServiceNow User Groups.


robpickering
ServiceNow Employee

Scott, really enjoyed the presentation.


We'd like to implement one of the ideas you mentioned in the presentation, specifically a policy that all Vendors must have a signed NDA, and the auditing of that policy, with requisite remediation tasks fired.



Can that all be done in the Eureka release of GRC, or do we need to wait for Fuji?


You can do that pre-Fuji. This scenario uses a control test definition with "include supporting data" to test against a field on the vendor record, type: basic, returning all vendors that tested non-compliant. I can show you an example of how that would work.


Scott, would love an example if you wouldn't mind.


My questions are:


  1. Are you just checking a custom field on the core_company table?
  2. How are you limiting the Control Test to only Vendors (not Manufacturers or Customers)?
  3. Do you have the actual NDA itself stored in the custom field? Or is it just an indicator, and the NDA may be attached?
  4. What does the actual Control Test Definition look like, and the associated Control?
  5. Are you using a Certification Filter (and therefore a Template in the Control Test) to provide the filtering on the core_company table?


Thanks so much!


1) Looking at the company table, specifically those flagged as a vendor.


2) Yes, limited to those that have the vendor flag set to true.


3) The NDA is attached, with a custom field that indicates that one is attached... Or better yet, link managed docs to the company records. Then attach the NDA as a managed doc, approved. Return company is vendor and dot-walk to managed docs of type NDA.


4) The control is going to be one from an authority document. For example, "Formalize client and third party relationships with contracts or nondisclosure agreements as necessary." from COBIT DS2.2.


4a) The control test definition is what I was referring to in #3. It is how you are going to test the control. Think of it as a template.


5) I was not using a cert filter. I was just adding it to the condition builder in the control test definition. Then, when you execute, a control test instance re-uses the definition to run.



Hope that helps.
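As an added illustration (not code from this thread or from ServiceNow's GRC application), the plain JavaScript below mirrors the test logic described in the replies above: filter core_company to records with the vendor flag set using an encoded-query condition, dot-walk to the managed documents linked to each company, treat only an approved document of type nda as supporting evidence, return the vendors that tested non-compliant, and raise one remediation task per failure. All records are constructed for the example; the `company` reference field on the document and the state value `approved` are assumptions, since the thread only says to link managed docs to the company record.

```javascript
// Constructed sample of core_company records (only the fields the control test needs).
const companies = [
  { sys_id: 'c1', name: 'Acme Supplies', vendor: true },
  { sys_id: 'c2', name: 'Globex Corp',   vendor: true },
  { sys_id: 'c3', name: 'Initech',       vendor: false, customer: true }, // out of scope
  { sys_id: 'c4', name: 'Umbrella Ltd',  vendor: true },
];

// Constructed managed documents. `company` is an assumed custom reference back to
// core_company; `type` and `state` are the values the thread relies on.
const managedDocs = [
  { sys_id: 'd1', company: 'c1', type: 'nda',      state: 'approved' },
  { sys_id: 'd2', company: 'c2', type: 'nda',      state: 'draft' },    // not yet approved
  { sys_id: 'd3', company: 'c4', type: 'contract', state: 'approved' }, // wrong document type
  { sys_id: 'd4', company: 'c3', type: 'nda',      state: 'approved' }, // belongs to a non-vendor
];

// Minimal evaluator for the condition-builder output: '^'-separated field=value terms
// (the encoded-query form ServiceNow uses), with 'true'/'false' coerced to booleans.
function applyEncodedQuery(records, encodedQuery) {
  const terms = encodedQuery.split('^').filter(Boolean).map(term => {
    const [field, raw] = term.split('=');
    const value = raw === 'true' ? true : raw === 'false' ? false : raw;
    return { field, value };
  });
  return records.filter(rec => terms.every(t => rec[t.field] === t.value));
}

// "Dot-walk" from a company to its linked managed docs and look for approved NDA evidence.
function hasApprovedNda(companyId, docs) {
  return docs.some(d => d.company === companyId && d.type === 'nda' && d.state === 'approved');
}

// The control test: scope to vendors, then record a compliant/non-compliant result per vendor.
function runNdaControlTest(allCompanies, docs) {
  return applyEncodedQuery(allCompanies, 'vendor=true').map(c => ({
    company: c.name,
    compliant: hasApprovedNda(c.sys_id, docs),
  }));
}

// Vendors that tested non-compliant (the set the thread says the test should return).
function nonCompliantVendors(allCompanies, docs) {
  return runNdaControlTest(allCompanies, docs)
    .filter(r => !r.compliant)
    .map(r => r.company);
}

// One remediation task per failed vendor; field names are assumptions for the example.
function remediationTasks(allCompanies, docs) {
  return nonCompliantVendors(allCompanies, docs).map(name => ({
    short_description: `Obtain signed and approved NDA from vendor ${name}`,
    control: 'COBIT DS2.2',
  }));
}

console.log(runNdaControlTest(companies, managedDocs));
console.log(remediationTasks(companies, managedDocs));
```

Note that Initech never appears in the results even though it has an approved NDA: the vendor=true condition keeps customers and manufacturers out of scope entirely, which is the answer to the second question above. Globex fails because its NDA is still a draft, and Umbrella fails because its only approved document is not an NDA.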