IRM: How can I link/relate one control to multiple entities in different entity classes?
Friday
When managing control attestations, I want to monitor one control that is related to different entity classes, for example the entity class Business Process (cmdb_ci_business_process) and the entity class Business Unit (business_unit). The objective is that Business Unit A, Business Unit B, etc. are executing the same control, which belongs to a specific Business Process. I know that there is a one-to-many relationship between the entity and the control. But is there another way I can manage this topic?
Any advice is more than welcome.
Labels: Policy and Compliance Management
an hour ago
Hi @AWinden
I'm not sure Entity Classes are relevant? They're used for grouping and also in advanced risk, but to my knowledge not for control scoping.
What is the control testing? I assume it's the Business Process that's being tested as you don't usually create a Control about testing a Business Unit - this is normally the target for a Control rather than the content of the Control itself.
Who will attest the Control? Who is ultimately responsible? Then ask yourself where that stakeholder belongs - are they related to the Business Unit or the Business Process (or both)?
One possible solution is to create an Entity Type of Business Process, where the stakeholder who attests the Control (the Owner) is related to a given Business Unit (assuming your processes are aligned with Business Units). For reporting you could bring all this together, but if you want just one Control per entity you can't have both Business Process and Business Unit as entity types linked to the Control Objective.
The other possibility is that the Control Objective references a need for a specific Business Process. Now the Control Objective description contains one element, so scope it to the other element (Business Units) and have them attest the Controls. It's again a single Control.
Of course, depending on your data and needs there could be other options. However, the fundamental fact is that to get a Control you must scope a Control Objective to an Entity Type (you can have manual entities, but they're not recommended, as you lose the dynamic filtering of Entity Types).
I hope this helps!
Mat
