GRC terminology

The following terms are used within GRC applications.

| Term | Definition | Additional information |
| --- | --- | --- |
| Authority documents | The regulations, certifications, frameworks, standards, and best practices that an organization chooses to follow or is required to comply with. | Related to controls, risks, and policies. IT audits typically rely on the authority documents downloaded from Network Frontiers, Unified Compliance Framework. |
| Citations | Citations are records of the specific requirements cited by an authority document. | The citation record relates an authority document to its applicable control. |
| Policies | Policies include policies, standards, and procedures. | Policies are related to authority documents and control records. Publishing and version control of policies are managed using the document and knowledge management capabilities of the Now Platform. Custom workflows ensure that all policy changes are routed to the appropriate owners for final approval. All approved organizational policies are published in the knowledge base. |
| Risks | A risk is any threat or vulnerability that could adversely affect your organization's business objectives. | All risks are contained in one risk repository. Risks can be related to any item, policy, control, and remediation task. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and their related control tests. |
| Controls | Controls are the actual control activities performed by your organization. | Control records include the basic required information about the control (owner, activity, frequency, and so on). Controls can be related to authoritative source content, policies, and risks. |
| Control framework | The control framework is a single consolidated set of controls that performs and preserves the cross-mapping of controls that is critical for audits. | |
| Control test definitions | Control test definitions specify how and when controls are tested, including the testing steps, expected results, the group or individual responsible for the testing, and the test schedule. | Control test instances are generated automatically from the test schedule. Remediations are created automatically when control tests fail or when audit observations are noted. |
| Control test instances | Control test instances are the specific occurrences when a control is tested, including the assigned person or group, the execution steps and expected results (from the control test definition), and the results of the control test. | Includes details from the control test definition. |
| Audit | An audit is a coordinated event in which the organization identifies all of the controls that it wants to test at one time and assigns responsibility for the overall audit to a single person. | A single task manages the testing of all the controls. Audits are related to controls and control tests. |
| Audit activities | An audit activity is one of the tasks within an audit that is assigned to an individual for execution. | |
| Audit observations | Audit observations are used by internal auditors to identify control gaps or new risks. | Audit observations are related to control gaps and risks. |
| Remediation | Remediation tasks are created automatically when a control test fails or when audit observations are noted. | Remediation tasks include information about the control test instance and are typically assigned to a remediation group or to the control owner. Remediations are related to controls, control test failures, and control test instances. |