Issue form

  • Release version: Australia
  • Updated June 11, 2026
  • 6 minutes to read

    • Use the Issue form to create a new issue.

    Table 1. Issue form
    Field Description
    Number Unique identification number.
    Assignment group Group to which this issue has been assigned. Each member gets a notification when an activity happens on this issue.
    Assigned to Member of the group assigned to resolve the issue.

    Starting with Version 12.0.1, the user must have at least the sn_grc.business_user role.

    Note:
    Use the bulb icon to get suggestions on who must the issue be assigned to. The bulb icon only appears if you have the GRC: Predictive Intelligence application activated, the form is saved, the Assigned to field is not inactive, and the GRC Property is selected as Similarity Analysis. For more information, see Governance, Risk, and Compliance properties.

    You can configure a hierarchy of users to access the issue record. For more information, see User hierarchy access control for issue and remediation task records.

    Starting with Version 12.0.1, the assigned-to user gets an email notification when the issue manager requests more information.

    Starting with Version 12.0.1, when an issue transitions to the Respond state, an entry in the Assigned to field is mandatory.
    Issue source Source from where the issue was created. This field is auto-populated with one of the following options based on how the issue is created:
    • Indicator Failure: Issue is created by a failure of the indicator
    • Risk Assessment: Issue is created in a risk
    • Risk Event: Issue is created in a risk event
    • Control Attestation Failure: Issue is created due to a non-compliant control
    • Control Test Failure: Issue is created when a control is ineffective and the control test is marked as closed and complete
    • Ad-hoc: Issue is manually created
    Issue type Type of issue. Choices are:
    • Control design effectiveness failure
    • Control operative effectiveness failure
    • Control does not meet requirement
    • Control does not exist
    • Non-compliance to a regulation
    • Non-compliance to a policy
    • Improvement or suggestion to an existing policy
    • Recommendation for a new policy
    • Process optimization or improvement
    • Observation
    • Data Breach
    • Fraud
    • Misstatement
    • Training
    • Documentation
    • Risk issue
    • Other
    Classification The classification of the issue as a risk, compliance, or audit, based on the issue type.
    Issue manager group The group responsible for managing and reviewing the issue.
    Starting with Version 12.0.1, the following enhancements and requirements were introduced:
    • Members of the issue manager group must have one of the following roles:
      • sn_audit.manager
      • sn_audit.user
      • sn_compliance.manager
      • sn_compliance.user
      • sn_grc.manager
      • sn_grc.user
      • sn_risk.manager
      • sn_risk.user
    • When an issue transitions to the Analyze state, an entry in either the Issue manager group or Issue manager field is mandatory.
    • When an issue is assigned to the group, the members receive an email notification. Additionally, the issue manager receives an email notification when the issue transitions to the Review state.
    Issue manager The user responsible for managing and reviewing the issue.
    Starting with Version 12.0.1, the following enhancements and requirements were introduced:
    • The issue manager must have at least the sn_grc.user role.
    • The issue manager receives an email notification when the assigned-to user provides requested information.
    • When an issue transitions to the Analyze state, an entry in either this field or Issue manager is mandatory.
    • When an issue transitions to the Respond state, an entry in this field is mandatory.
    State
    • New
    • Analyze
    • Respond
    • Review
    • Closed Complete
    • Closed Incomplete
    Substate The substate and applicable details for the substate.
    Priority The sequence in which an issue must be resolved, based on its impact and urgency:
    • 1 — Critical
    • 2 — High
    • 3 — Moderate
    • 4 — Low
    • 5 — Planning
    Issue rating Starting with Version 12.0.1, the issue manager can assign the issue rating to the issue. Based on the issue rating, the Due date under the Dates tab is calculated as follows and displayed:
    • Very high (2 days)
    • High (4 days)
    • Moderate (8 days)
    • Low (10 days)
    • Very Low (15 days)
    You can manually override the Due date.
    Note:
    Users with the sn_grc.manager and sn_grc_advanced.issue_triage_manager role can navigate to Policy and Compliance > Administration > Issue rating and define additional issue ratings.p

    When the issue transitions to the Respond state, the Issue rating field is read only.
    Issue group rule Group rule assigned to this issue. The Issue group rule is used to group similar issues together into a parent issue based on the conditions defined in the rule. This rule enables you to work on similar issues simultaneously and close out the parent issue after all issues are resolved. This closes out all the child issues.
    Parent Issue Parent issue this issue belongs to.
    Configuration item Item associated with this issue. If all child issues have the same configuration item, it gets copied over to the parent issue
    Location Location where the issue occurred.
    Short description

    Starting with Version 12.0.1, this label is changed to Name.

    		 A name for the issue.
    Description A more comprehensive description of the issue.
    Details
    Control/Risk Control or risk associated with the issue.

    When the control is associated, the corresponding entity of the control is added to the Entity field, and the control objective is added to the Control Objective/Risk Statement field. These control objective and entity are the ones that are linked to this control.

    When the control is associated to the issue form, an m2m record is created in the source [sn_grc_m2m_issue_item] table. Whenever a record is added in the source table, a corresponding record, Issue to Entity is added in the destination [sn_grc_m2m_issue_to_entity] table, and another record Issue to Content is added in the destination [sn_grc_m2m_issue_content] table for the associated entity and control objective of the control.
    Entity Related entity.
    Policy The policy associated with the issue.
    Authority document The authority document associated with the issue.
    Control Objective/Risk Statement The control objective or risk statement related to this issue.
    Recommendation Resolution actions recommended by the risk, compliance, or audit teams.
    Action Plan The plan for remediating the issue.
    Dates
    Planned start date Date and time that work on the issue is expected to begin.
    Planned end date Date and time that work on the issue is expected to end.
    Planned duration Estimated amount of work time for the issue.
    Confirmed date (Starting with Version 12.0.1) The date when the issue is confirmed. This field is read-only, and displays today's date when the issue is moved from New to any of the following states:
    • Analyze
    • Review
    • Respond
    Note:
    If a triage issue is converted to an actual issue, this field displays the date it was converted.
    Due date (Starting with Version 12.0.1) This date is auto-populated based on a GRC property. Navigate to Policy and Compliance > Administration > GRC Properties. If the Auto populate due date based on issue rating property is set to Yes, this field is auto-populated based on the predefined remediation time frame for the issue's risk rating. Otherwise, you can manually enter a due date.

    When an issue transitions to the Respond state, an entry in this field is mandatory.
    Actual start date Time when work began on this issue.
    Actual end date A read-only value that is determined by the Actual duration input field.
    Actual duration Amount of work time.
    Created The date and time the issue was created.
    Closed The date and time the issue was closed.
    Engagement
    Engagement The related engagement.
    Activity
    Additional comments (Customer visible) Public information about the issue. Click Post to add your comments to the issue.
    Work notes Click the Work notes check box to display the Work notes field. Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue. Click Post to add your work notes to the issue.
    Confidentiality
    Confidential Option to enable confidentiality of the record. Only the assigned confidential users or confidential groups of users can access the record.

    For more information on the confidential option, see Confidentiality flag for audit and compliance records.
    Risk Event
    Risk event The related risk event.