IRM 3-state Control Attestation template use case

NishONish
Tera Expert

Hello,

All IRM professionals know that we have an OOTB GRC attestation template with 3 questions, which ultimately gives us an outcome of Compliant or Non-compliant. This outcome is then logged against the control we attested, and the status further flows into the compliance scores of connected entities, control objectives, citations, policies, authority documents, etc.

My use case is more advanced than this. I have 3 compliance statuses, as below:

Effective - 100% compliance in last 30 days (monthly attestation frequency)

Partially effective - >= 90% compliance in last 30 days 

Ineffective - < 90% compliance in last 30 days 

All of these will be part of my attestation template, and the entity owner will select the right option from the above, provide evidence, and add comments if any.

Now come my questions:

1. Is there anything available OOTB for this use case which makes life easy for me, now and during upgrades?

2. If not, what needs to be done to pick up the owner's compliance status from the attestation, and how can it be linked to its connected control and further to the compliance scores of connected entities, control objectives, citations, policies, authority documents, etc.?

3. Any guidance on keeping it OOTB?

Thanks in advance.
HenkHeath
Kilo Guru

Hello @NishONish 

This is the portion of compliance that many customers confuse. You would need to guide them back to the basics.

When you have a control objective, you have indicated what you require as a control. In assessing this control (attestation) you have either done what you set out to do (compliant) or you have not achieved what you set out to do (non-compliant). There is no middle ground.

When you view a risk (Risk assessment), you may have chosen a control to mitigate the risk. This is where you determine how effective the control is in mitigating the risk.

Example: Risk of Fire

Control: Fire extinguisher

Applying these to context (Entity): Kitchen, Forest

When looking at the control (attestation), both are compliant: we have fire extinguishers at each entity (the control owners did their work in implementing the control).

When looking at the risk (Risk Assessment: Control Effectiveness), the fire extinguisher's effectiveness as a control is:

Kitchen - Effective

Forest - Ineffective

Remember that a control could be mapped to many risks, and its effectiveness in mitigating each risk could be different.

When looking at Audit Management, you could look at how well the control was designed (Design Effectiveness) and how well it is operating (Operating Effectiveness).

Keep your lines of defence clear so that you maintain segregation of duties.

If you maintain the OOTB intent, your questions 1, 2 and 3 are taken care of.

I hope this helps

Henk