Is there a way to modify submitted attestations?

davidpong
Kilo Expert

Hi All,

I'm wondering if there's a way to edit or add on to a submitted attestation. Use case is that a control owner forgot to add an attachment to their attestation and it looks like the only way to turn in that attachment is by doing the whole attestation again by putting the control into draft mode and then attest mode. When I access the attestation form, everything is greyed out and I am also unable to attach anything myself.

Thanks,

David R

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi David,

From a Compliance perspective, Assessments are not meant to be editable after they have been sent.
Any workaround against this, like editing the ACL or scripting modifications via Background Scripts, would be a very dangerous door to open… it would kill confidence in the integrity of all your Assessments.

This is why, out of the box, no Admin, nor any user, can edit completed Assessments.

You can use the "Return to Draft" button on the Risk (or Control) itself, and trigger a new assessment from here. By default this option is available to users with role sn_risk.manager (or sn_compliance.manager). I know this is not ideal, as the assessment will have to be completed again, but at least this could not be considered as a form of evidence tampering.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.


10 REPLIES

Hi Shiva,

 

But there could be a chance that the assessor submitted it, and had a rethink to change one of his submitted answers?

Best,
Ashik

Thank you Shiva. This makes the most sense regarding completeness and accuracy to not tamper with the integrity of the control once submitted. I'll just remind my control owners to make sure everything is filled out.

Would you be able to help me differentiate between the Review and Monitor state? They seem identical to me. I feel like I can just keep all controls in the Review state once the attestations have been submitted.

Thanks,

David R

Hi David,

When the attestation is completed, the Control remains in Review until a compliance officer reviews the attestation results. The idea is that someone checks the attestation answers and attachment to confirm their validity. Remember that an attestation may be assigned to anyone in the company, regardless of role.

This was made to ensure the principle of Separation of Duty, ensuring that answers are at least validated by a second individual. If the Attestation doesn't meet the expected quality, then the Control is sent back to Draft, or Attest.

This is why, by default, going to the Monitor state is a manual action, triggered by pressing a UI Action.

Of course, that process may be affected by the maturity level of your customer. I've already implemented a simplified version, where Controls in Review are automatically moved to Monitor. In that case, there was no reviewing process in place.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful.
This enables other customers to learn from this thread.

G Balaji
Kilo Guru

Attestations can't be edited after submission.

However, if there is a need to override an attestation, you could consider using indicators. Attestations could be edited before submitting them, though.

For your use-case, you could make the attestation field mandatory.

Like pal @ashikmuhammed has mentioned, I've seen the "Allow retake" option in the Attestation list view, but I haven't used it. Maybe folks here could share their experience if they've tried it.

Good day!

G Balaji
Kilo Guru

This could be accomplished using a custom UI Action button which would change the state from "Complete" to "wip(In Progress)" or "ready(Ready)".

However, as pal Shiva Thomas highlighted, from a compliance perspective assessments are not meant to be editable after they have been submitted.