Manage controls
Learn how to rationalize, and consolidate controls to build an effective control framework when deploying your GRC application. Use entity-based access to manage control visibility, and ensure all controls are properly mapped to entities to maintain audit reliability.
Rationalize your controls
- How does this control affect my business objective?
- Is this control actually preventing or detecting risk?
- Is there a different control that you can place that better protects your business?
- Is there a control that you can put in place that reduces process overhead and improves IT performance while also mitigating risk?
- Can a complicated control be replaced with a simpler more effective control?
Consolidate your controls
Look for opportunities to consolidate controls. For example, you can look for common, repeated controls across multiple regulatory authorities of frameworks (such as SOX,GLBA, and AML). Avoid operating a single control multiple times for each regulation by cross-mapping controls and eliminating the redundant ones. This process establishes a single consolidated control framework. Performing and preserving the cross mapping of controls is critical for audits.
The following diagram shows how industry regulations (financial, insurance, energy and utilities, and healthcare and pharmaceuticals) and requirements can overlap.
Define controls and business rules
- Identify the controls and control owners
- Define the control tests and expected results
- Establish the test and control frequencies
- Identify the risks: Impact and likelihood
- Prepare the attestations, assessments, questionnaires, and required evidence
- Compose the likely use cases (who needs to interact with or view the contents of the GRC system and for what purposes)
- Map the authoritative sources to policies, procedures, controls, or risks
Control requirements
When Create control requirements option is enabled for a control objective, for every control generated under an entity type, control requirements are also created automatically. Previously, only controls were created for entity types. The number of Control Requirements equals the number of control objective requirements.
Attestation at control requirement level
The Attestation at control requirement level feature allows attestation at a granular level for individual control requirements within a control. Admins can enable requirement-level attestation, assign respondents, and generate assessment tasks for each control requirement. Respondents then attest to requirements by indicating whether they are implemented or not, providing evidence or explanations as required. Failed attestations automatically generate issues, mark the parent control as non-compliant, and roll up the status to the associated entity and control objective.
Entity Based Access (EBA)
EBA provides a framework for a more granular approach to managing data access to objects that are associated with an entity. Administrators can grant access to an entity's related records by adding users or user groups or by using entity user fields for entity-based access configuration. For more information, see Entity Based Access.
- Control
- Attestation
- Policy exception to control
EBA rules
When entity based record access rules are enabled on the Entity Based Access Configuration Properties page, any new controls, control attestations, indicators, and indicator tasks associated with a configured entity automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created.
For more information, see Entity based record access rules to secure new records.