IRM 3 states Control Attestation template Use Case
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
Hello,
All IRM professionals know that we have OOTB GRC attestation template and it has 3 Qs, which ultimately gives us outcome as Compliant or Non-compliant. This outcome then gets logged against control we attested, further this status flows compliance scores of connected entities, control objectives, citation, policies, authority docs etc.
My use case is more advanced than this. I have 3 compliance status as below:
Effective - 100% compliance in last 30 days (monthly attestation frequency)
Partially effective - >= 90% compliance in last 30 days
Ineffective - < 90% compliance in last 30 days
All these will be part of my attestation template and entity owner will select the right option from above + provide evidence + comments if any.
Now comes my Qs -
1. Is there anything available OOTB for this use case which makes life easy for me and during the upgrades?
2. If not. what list of things need to be done to pick up owners compliance status from the attestation and how it can be linked to its connected control + further linking to compliance scores of connected entities, control objectives, citation, policies, authority docs etc.
3. Any guidance on keeping it OOTB
tx in advance
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hello @NishONish
This is the portion of compliance that many customers confuse. You would need to guide them back to the basics.
When you have a control objective -> you have indicated what you require as a control. In assessing this control (attestation) you have either done what you set out to do (compliant) or you have not achieved what you set out to do (non-compliant). There is no middle ground.
When you view a risk (Risk assessment), you may have chosen a control to mitigate the risk. This is where you determine how effective the control is in mitigating the risk.
Example: Risk of Fire
Control : Fire extinguisher
Applying these to context (Entity): Kitchen , Forrest
When looking at the control (attestation) - Both are compliant : we have fire extinguishers at each entity (control owners did their work in implementing the control.
When looking at the Risk (Risk Assessment : Control Effectiveness) - the fire extinguisher is effective in control;
Kitchen - Effective
Forrest - Ineffective
Remember that control could be mapped to many risks and the effectiveness in mitigating the risk could be different.
When looking at Audit Management - you could look at how well the control was designed (zDesign Effectiveness) and how well it is operating (Operating Effectiveness)
Keep your lines of defence clear so that you maintain segregation of duties
If you maintain the OOTB intent, your questions 1, 2 and 3 are taken care of.
I hope this helps
Henk
