05-28-2025 01:32 AM
Dear experts,
I would like to ask whether we are able to open up the attestation form questionnaire for the BU to edit their response and submit it again after it has been submitted for the first time. Currently I am testing using the GRC Classic Attestation form, and I would like the owner to review it and, if the attestation form is not approved in the review state, to be able to send it back to the BU to edit their attestation form response again.
05-28-2025 03:51 AM
Hi @ChuanYanF
The OOTB process would allow the reviewer to evaluate the responses and if they are not happy, to then move the control to draft and re-trigger the assessment by moving the control to Attest.
Compliance is a black and white scenario. You are either compliant or you are not; reflected in the 2 statuses - Compliant / Non-compliant.
If the Attestation has questions that could be interpreted differently (ambiguity), then it is clear that the control or the Attestation Type used to evaluate the control is not properly defined.
The reviewer must not be able to interpret the state of the control differently to the assessor. If you had to ask the question to 100 different people, they should be able to arrive at the same response.
Example:
OHS Control: Emergency exits must be kept clear at all times.
Additional info: Check the emergency exit weekly for obstructions
Attestation: Weekly. Is the emergency exit clear? Yes / No
Attach evidence
Comment
If the assessor found the emergency exit to be blocked by boxes, then the control fails.
When the reviewer checks the emergency exit the boxes have been cleared away.
The Reviewer cannot ask the assessor to change the response, as it was the truth at that point in time. The control failed.
The control did not ensure that the Emergency Exit was clear. Something needs to be enhanced / fixed / improved. As this failure could result again, you want these to follow the process so that the audit trail records the actual.
This is exactly why it is important that these failures be highlighted. Continuous improvement.
Issue is raised -> issue is resolved by strengthening the control -> issue is closed -> retrigger attestation. Now it passes.
Maintain the integrity of the governance and control process. Maintain the segregation of duties.