Control attestation
02-19-2024 05:05 AM
Hello,
What happens if I check 'not applicable' in the control attestation? Will the indicators attached to the control that is set as not applicable still run?
Best regards
03-23-2025 02:16 PM
Hello @LachelleT
When your attestation respondent has submitted the attestation, your control is in the Review state; this is when the compliance manager has the opportunity to review the responses. It is an important step that is often overlooked.
From your question, it sounds like you do not agree with the respondent's interpretation of the control's compliance. If this is the case, return to draft, trigger the attestation again, and provide the respondent with some guidance (without influencing their evaluation).
Typically, the Additional Information field on the control record should provide the attestation respondent with enough information to evaluate the control; also ensure that the description details what is required of the control.
If the second evaluation of the control returns a non-compliant control, the issue will be created automatically (OOTB).
I would reserve issues for when an attestation fails, or for when you know beforehand that you have an issue with your control and you create it manually on the control. Remember that you do not want to misrepresent issues, as compliance managers use these metrics to determine the health of the control environment.
In short, see if it is a user education issue (Return to draft) or if it is truly an issue with the control (create manually on control).
03-26-2025 06:29 AM
Thank you, this really helps. Also, with IRM Lite roles, can users respond to evidence requests and control attestations? I noticed that in order to respond to indicator tasks, the user needs IRM Operator access. However, I do not want them to have full access to the compliance space yet, due to the possibility of someone getting confused and deleting something that they are not supposed to. Is it possible to create a custom role where the user can respond to evidence requests, control attestations, and indicator tasks quarterly/annually without having complete access to the compliance space? If so, which custom role fits best? Or what do you suggest is best to do?
04-02-2025 09:32 PM
Maybe consider the Business User (sn_grc.business_user) rather than the Lite version. This too is a fulfiller role rather than an Operator licence, so they will only see the records, tasks, etc. WHEN and IF assigned.
They will perform their activity via the Employee Service Centre (ESC).