Compliance Workspace issue form details

  • Release version: Australia
  • Updated March 12, 2026
  • 6 minutes to read

    • Field descriptions to enter on the New Issue form in the Compliance Workspace.

    Table 1. Create New Issue form
    Field Description
    Number Unique identification number.
    Name
    Note:
    Until Version 12.0.1, this label was Short description.
    		 A name for the issue.
    Issue source Source from where the issue was created. This field is auto-populated with one of the following options based on how the issue is created:
    • Indicator Failure: Issue is created by a failure of the indicator
    • Risk Assessment: Issue is created in a risk
    • Risk Event: Issue is created in a risk event
    • Control Attestation Failure: Issue is created due to a non-compliant control
    • Control Test Failure: Issue is created when a control is ineffective and the control test is marked as closed and complete
    • Ad-hoc: Issue is manually created
    Issue type Type of issue. Choices are:
    • Control design effectiveness failure
    • Control operative effectiveness failure
    • Control does not meet requirement
    • Control does not exist
    • Non-compliance to a regulation
    • Non-compliance to a policy
    • Improvement or suggestion to an existing policy
    • Recommendation for a new policy
    • Process optimization or improvement
    • Observation
    • Data Breach
    • Fraud
    • Misstatement
    • Training
    • Documentation
    • Risk issue
    • Other
    Classification The classification of the issue as a risk, compliance, or audit, based on the issue type.
    Location Location where the issue occurred.
    State
    • New
    • Analyze
    • Respond
    • Review
    • Closed Complete
    • Closed Incomplete
    Substate The substate and applicable details for the substate.
    Priority The sequence in which an issue needs to be resolved, based on its impact and urgency:
    • 1 — Critical
    • 2 — High
    • 3 — Moderate
    • 4 — Low
    • 5 — Planning
    Issue rating Starting with Version 12.0.1, the issue manager can assign the issue rating to the issue. Based on the issue rating, the Due date under the Dates tab is calculated as follows and displayed:
    • Very high (2 days)
    • High (4 days)
    • Moderate (8 days)
    • Low (10 days)
    • Very Low (15 days)
    You can manually override the Due date.
    Note:
    Users with the sn_grc.manager and sn_grc_advanced.issue_triage_manager role can navigate to Policy and Compliance > Administration > Issue rating and define additional issue ratings.

    When the issue transitions to the Respond state, the Issue rating field is read only.
    Description Comprehensive description of the issue.
    Assignment
    Assignment group Group to which this issue has been assigned. Each member receives a notification when activity has occurred on this issue.
    Assigned to Member of the group assigned to resolve the issue.

    Starting with Version 12.0.1, the user must have at least the sn_grc.business_user role.

    Note:
    Use the bulb icon to get suggestions on who must the issue be assigned to. The bulb icon only appears if you have the GRC: Predictive Intelligence application activated, the form is saved, the Assigned to field is not disabled, and the GRC Property is selected as Similarity Analysis. For more information, see Governance, Risk, and Compliance properties.

    Starting with Version 12.0.1, the assigned-to user receives an email notification when the issue manager requests more information.

    Starting with Version 12.0.1, when an issue transitions to the Respond state, an entry in the Assigned to field is mandatory.
    Issue manager group The group responsible for managing and reviewing the issue.
    Starting with Version 12.0.1, the following enhancements and requirements were introduced:
    • Members of the issue manager group must have one of the following roles:
      • sn_audit.manager
      • sn_audit.user
      • sn_compliance.manager
      • sn_compliance.user
      • sn_grc.manager
      • sn_grc.user
      • sn_risk.manager
      • sn_risk.user
    • When an issue transitions to the Analyze state, an entry in either the Issue manager group or Issue manager field is mandatory.
    • When an issue is assigned to the group, the members receive an email notification. Additionally, the issue manager receives an email notification when the issue transitions to the Review state.
    Issue manager The user responsible for managing and reviewing the issue.
    Starting with Version 12.0.1, the following enhancements and requirements were introduced:
    • The issue manager must have at least the sn_grc.user role.
    • The issue manager receives an email notification when the assigned-to user requests more information.
    • When an issue transitions to the Analyze state, an entry in either this field or Issue manager is mandatory.
    • When an issue transitions to the Respond state, an entry in this field is mandatory.
    Watch list Users who are on the watch list for the issue.
    Schedule
    Due date (Starting with Version 12.0.1) This date is auto-populated based on a GRC property. Navigate to Policy and Compliance > Administration > GRC Properties. If the Auto populate due date based on issue rating property is set to Yes, this field is auto-populated based on the predefined remediation time frame for the issue's risk rating. Otherwise, you can manually enter a due date.

    When an issue transitions to the Respond state, an entry in this field is mandatory.
    Confirmed date (Starting with Version 12.0.1) The date when the issue is confirmed. This field is read-only, and displays today's date when the issue is moved from New to any of the following states:
    • Analyze
    • Review
    • Respond
    Note:
    If a triage issue is converted to an actual issue, this field displays the date it was converted.
    Planned start date Date and time that work on the issue is expected to begin.
    Planned end date Date and time that work on the issue is expected to end.
    Duration Estimated amount of work time. Calculated using the Planned state date and Planned end date.
    Created The date and time the issue was created.
    Closed The date and time the issue was closed.
    Actual start date Time when work began on this issue.
    Actual end date Time when work on this issue was completed.
    Actual duration Amount of work time. Calculated using the Actual state date and Actual end date.
    Issue grouping
    Parent issue Parent issue this issue belongs to.
    Issue group rule Group rule assigned to this issue. The Issue group rule is used to group similar issues together into a parent issue based on conditions defined in the rule. This allows you to work on similar issues simultaneously and close out the parent issue after all issues are resolved. This closes out all the child issues.
    Action plan
    Recommendation Resolution actions recommended by the risk, compliance, or audit teams.
    Action Plan The plan for remediating the issue.
    Confidentiality
    Confidential Option to enable confidentiality of the record. Only the assigned confidential users or confidential groups of users can access the record.

    For more information on confidential option, see Confidentiality flag for audit and compliance records.
    Activity
    Work notes (Private) Click the Work notes check box to display the Work notes field. Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue. Click Post to add your work notes to the issue.
    Additional comments (Customer visible) Public information about the issue. Click Post to add your comments to the issue.
    Settings
    Functional domain Functional domain for the issue.
    Details
    Control/Risk The control or risk associated with the issue.

    When the control is associated, the corresponding entity of the control is added to the Entity field, and the corresponding control objective is added to the Control Objective/Risk Statement field. The control objective and entity are the ones that are linked to this control.

    When the control is associated to the issue form, an m2m record is created in the source [sn_grc_m2m_issue_item] table. Whenever a record is added in the source table, a corresponding record, Issue to Entity is added in the destination [sn_grc_m2m_issue_to_entity] table, and another record Issue to Content is added in the destination [sn_grc_m2m_issue_content] table for the associated entity and control objective of the control.
    Entity Related entity.
    Policy The policy associated with the issue.
    Authority document The authority document associated with the issue.
    Control Objective/Risk Statement The control objective or risk statement related to this issue.
    Processing activity
    Engagement
    Engagement The related engagement.
    Risk Event
    Risk event The related risk event.