
Custom control objective impacts other control objective status?

pverni
Tera Contributor

Hello community,

Recently I imported all the cyber control objectives of my company into ServiceNow, and I noticed that ServiceNow already has many control objectives from frameworks.

I would like to know if there is an OOTB way to attest my cyber controls and, with these results, impact the compliance status of control objectives from frameworks.

For example, my cyber control CA02 has a relationship with SOX-AP-11. Is it possible to attest my CA02 and have the result raise awareness in the SOX Policy?

The principal outcome here is to attest company controls and see the frameworks'/policies' level of compliance.

Thanks!


Marek Remi_
Tera Expert

Hello,

From what you describe, it looks like you have a duplication of control objectives. You can either choose to work with just one of them, or if you want to achieve what you described, you can leverage a parent–child relationship between control objectives.

For example:

SOX-AP-11 would be the parent control objective linked to the citation.
CA02 would be the child control objective, with SOX-AP-11 as its parent.

The key idea is to use SOX-AP-11 as a container for the overall compliance score, while CA02 is the control objective you actually associate with entities or entity types and attest.

This way, attestation results on CA02 can roll up and impact the compliance status of the parent SOX-AP-11.

However, even if this is technically achievable, I would not recommend this approach as the first option. In GRC, multiple related records can be created from or linked to control objectives, such as issues, risks, attestations, test results, and other related records.

If you represent the same control objective in two different records, you may end up with related information stored only on some of them. Over time, this can make reporting, traceability, and maintenance more complicated.

A cleaner approach is usually to maintain one operational control objective, such as CA02, and map it directly to the relevant citations or policies. This supports the “test once, comply with many” approach and avoids unnecessary duplication.

Please hit Like and mark as Helpful if this helped you.

Regards,
Marek