Best way to gather evidence for Control?

vineethnair
Tera Contributor

Hello,

When I create an audit workbench, defining the scope of the audit by including the profiles, controls, risks, etc., what is the best way to ask all the control owners for evidence at that point in time? I am aware of the functionality where we can generate control tests based on the test plans associated with the controls. As an organization, we are not yet mature in maintaining test plans for each and every control documented within ServiceNow. Is there functionality to generate an attestation survey in bulk to all the control owners, similar to the "Attest" button functionality available on the Controls?

Thanks.

13 replies

I thought you could attest controls based off of the profile. I am about to venture into this as I try to attest controls for an audit and sample controls each month.


Here's my understanding: Attestations are intended to be used to make sure a control is in place and operating effectively before starting to monitor it. The actual monitoring should be done using indicators, not attestations. (Indicators are easier to set up and manage, and are more conducive to automated data collection and evidencing performance. Auditors, when setting up an audit, can have direct access to the indicator results.)

An attestation can be associated with a Policy Statement or with a control. If you associate it with a Policy Statement, then every control generated when you intersect the Policy Statement with a Profile Type will have that attestation assigned to it. But that attestation isn't sent out to the respondents until the control is moved into the Attest state.

However, you can assign an attestation frequency at the individual profile level. A job runs every night and will send the attestation task to the respondents if it's time to do so. But the attestation that's sent out is the one specified in the control or the Policy Statement (there's no field on the Profile form for selecting which attestation to assign to that profile).

In general, I typically prefer to use indicators rather than attestations, but it really depends on the situation.

Let me know if your understanding is different.

Mike





Michael J. DeAndrea, MBA, CSA, CSOE, CICA
IT GRC Business Process & Documentation Consultant
760-636-6430
Palm Springs, CA


I agree. I have set up the indicators to capture the artifacts that support the control. Additionally, I am looking at setting up indicators for when monitoring a risk (current project). I perceive the attestation as the way to validate the control; when I said audit, I should have stated it was an internal audit of controls. I think the engagements are used if you were to prepare for an external audit. Thanks for the information, it is helpful.


You're welcome. Glad it was helpful.

Michael J. DeAndrea