Regular Evidence Requests

Michael Oosten1 · ‎02-06-2023

Hi,

We want to automatically schedule evidence requests to our control owners every month. The evidence is being reviewed and approved, which then impacts the control state (compliant / non-compliant).

There are multiple ways we can go about this:

Control Attestation - Can be scheduled, but not really meant for continuous compliance monitoring
Control (PA) Indicators - Can be scheduled and set up as a manual task. But, do not provide review / approval steps OoB.
Control Evidence Request - Are specifically built for (audit) evidence collection, including review / approval steps. No scheduling OoB, assignments are not to control owners, nor would the outcome impact the control state.
Control Test - Test of Design / Test of Effectiveness are typically only used during an audit engagement.
Control Metric - Geared towards tracking goals and targets.

I don't think there are any other options OoB 😉

We are leaning towards adding review / approval steps to a manual indicator task. But I'm wondering if we should use evidence request instead. Any ideas / experience in using evidence request in this scenario?

Interested to hear your thoughts!

Community Alums · ‎02-06-2023

Hi @Michael Oosten1 ,

Evidence Request are usually used mostly when we have Audit management in place.

Evidence request helps customers to electronically request the information that they need from the first and second line of defense. The individuals being audited can then immediately upload their documents to the system, significantly reducing manual processing time.

Evidence is all the information used by an auditor in determining the audit opinion. Evidence includes the information contained in the accounting records underlying the financial statements and other information. Evidence is cumulative in nature. It includes evidence obtained from audit procedures performed during the audit. Evidence may also include audit evidence obtained from other sources such as, previous audits

While if you want to use Evidence Request, it already follows a Workflow of it's own , learn the workflow from here : Evidence request workflow and users

Ideally, we should follow the indicator tasks, which can be triggred as per your need and it would in turn requests for evidences for the control being applied or not , which would result as control being complaint or not. Same goes for Risk indicators as well.

Michael Oosten1 · ‎02-06-2023

Hi Sandeep, thanks for your reply. I know what the documentation says. And as I said, I'm leaning towards using Indicators. So far, we agree...

What I'm interested in is if others have used the Evidence workflow to achieve the same goal. Because in both cases there is custom development involved. There might be other arguments to go the Evidence route...

Community Alums · ‎02-06-2023

Hi @Michael Oosten1 ,

So what i mentioned above is what i would have implemented provided your requirement.

marknyquist · ‎04-14-2023

I was also interested in seeing how Evidence Requests would fit, and determined that sticking with Indicators would be best for our work workflow. This is how we built our flow process - I'd be grateful for any feedback or improvements from the community:

1. We added a field to the Entity record - Evidence Reviewer (so it could be a different person for each entity)

2. We added a Result to the indicator task called 'Submit for Review'

3. We hide the option for Pass/Fail and Close to only evidence reviewers

4. We notify the Evidence Reviewer when something is in 'Submit for Review' state

5. We suspend the SLA in 'Submit for Review' state

5. The Evidence Reviewer validates and selects closed and Pass/Fail

In addition, we added logic that when a new indicator task is created, it checks if one already exists in an open state. If yes, it fails the previous one and adds a comment 'Not completed timely'. We then use the issue record to understand why a group wasn't able to provide this on time. (Especially important for any point-in-time items like monthly evidence where it would not make sense to have multiple open tasks).

Mark