Home Orlando Governance, Risk, and Compliance Governance, Risk, and Compliance Policy and Compliance Management Manage control attestations

Manage control attestations

Attestations are surveys that gather evidence to prove that a control is implemented. The attestation designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch.

If the attestation and respondents fields of the control are set, then when a controls moves from the Draft state to the Attest state, a notification is sent to the attestation respondents.

Users can create multiple attestation types and set their control objectives to different attestations. A sample attestation called GRC Attestation is also provided as the default attestation, which is composed of the following simple questions:

By default, GRC Attestation is used for controls and provides the following assessment questions:

Is this control implemented?
Attach evidence
Explain

My Attestations is in the Controls section of the Policy and Compliance application and contains active attestations for which you are the respondent. The attestations appear in a list with a single attestation record per control.

My Grouped Attestations contains attestations that you have grouped to eliminate the task of providing repetitive responses for similar assessments.

All Attestations is contained in the Controls section of the Policy and Compliance application and contains all active attestations.

Compliance managers can create attestation types containing different types of questions to fit their needs. See Create a control attestation using the Attestation Designer.

Compliance managers can create a new set of questions for each control objective. The Question Bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. See Create an attestation type.

Attestation Designer

The attestation designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters.

All attestation records are stored in assessment tables and displayed in Attestation views of those tables.

Create a control attestation using the Attestation Designer

Use the Attestation Designer to create and edit metric types. Use different metric types for different controls. Select multiple respondents for an attestation, as well as change scoring parameters.

Before you begin

Role required: sn_compliance.attest_creator, sn_compliance.manager, sn_compliance.administrator

Procedure

Navigate to Policy and Compliance > Administration > Attestation Types.

Click Attestation Designer.

The designer contains the following elements:


Element	Description
Controls	Supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
Questions	A library of questions for various categories, so you do not have to build each questionnaire from scratch.
Categories	New assessment opens in the Design view. The questionnaire Name field appears above the first category in the canvas. A blank question field appears in the category container.

Enter a name in the Name field.

Drag a control onto the designer canvas to create a question of that type.

Table 1. Question controls
Data type	Description	Scored
Attachment	Question with a Manage Attachments icon that allows users to attach one or more files.	N
Boolean	Question with a check box or a Yes/No list for user responses.	Y
Choice	List of predefined options. For more information, see the definition for Choices.	Y
Date	Date field.	N
Date/Time	Date and time field.	N
Number	Number field with predefined minimum and maximum values. The default is 1–10.	N
Percentage	Percentage field with a prescribed range.	N
Scale	Predefined Likert scale. Answer options appear as radio buttons.	Y
Numeric Scale	Selectable number scale. The default is 1–5. Answer options appear as radio buttons.	Y
String	Single or multi-line text field.	N
Template	Choice list of templates that provide a predefined scale of options. Note: It is important to assign a template to every attestation. This allows controls to be created automatically based on control objectives and entity types.	Y
Reference	Choice list of fields from a specified reference table. This data type does not support reference qualifiers.	N

Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the controls.

Point to the menu icon in the upper right of the Attestation Designer to select one of the following options:

Note: The availability of each option depends on the status of the attestation that is opened in the designer.

Option	Description
New Attestation	Opens a fresh canvas for a new attestation.
Load Attestation	Opens a list of existing attestations that you can select and edit.

Unlike other types of assessments, control attestations do not appear in the Self-Service > My assessments & surveys module, because many control attestations could be generated at once. Instead, controls attestations are shown as a list in the Policy and Compliance > Controls > My Attestations module and All Attestations module.

What to do next

If you are implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.

Create an attestation type

Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each control objective.

Before you begin

Role required: sn_compliance.attestation_creator or sn_compliance.manager or sn_compliance-admin

Procedure

Navigate to Policy and Compliance > Administration > Attestation Types.
Click New.

On the form, fill in the fields.

Table 2. Assessment Metric Type form
Field	Description
Name	Name of the assessment type.
Assessment duration	Length of time allowed from generation to completion of the assessment.
Table	Table this assessment applies to.
Scale factor	Scale value to use for all assessment results.
Condition	Define specifics records from the table.
Description	More details about the assessment.
State	State of the assessment: Draft or Published
Enforce condition	Option that indicates whether accessible records of this type that do not meet the conditions specified are deleted.
Roles	Roles that have access to information about this metric type.

Click Submit.

Consolidate control attestations using the Same Response feature

Policy and Compliance Management and Risk Management offer two methods for consolidating attestations and risk assessments into groups that help eliminate the task of providing repetitive responses for similar assessments. You can provide the same evidence to the grouped assessments or respond to individual assessments in the same user interface.

Before you begin

Role required: None

About this task

When you consolidate control attestations using the Same Response feature, you can group attestations that contain a maximum of 1000 questions. When the attestation or risk assessment for the group is taken, all records in the group inherit the answers.

Note: To change the 1000-question limit, navigate to Policy and Compliance > Administration > GRC Properties and modify the sn_grc.consolidated_questions_limit property.

Note: If you do not want your users to access to this capability, navigate to Policy and Compliance > Administration > GRC Properties, and disable the sn_grc.enable_consolidate_asmt property.

Procedure

Navigate to Policy and Compliance > Controls > My Attestations.
Select the attestations you want to group.
From the Actions on selected rows choice list, click Group Assessments.
In Response Type, select Provide same response for all assessments.

Fill in the fields, as needed.


Field	Description
Default criteria	This field defaults to Metric Type.
Additional criteria	You can optionally define additional grouping criteria: Category Control Objective/Risk Statement Entity You can also define additional assessment criteria options if the defaults do not meet your needs. Note: Using these grouping schemes makes sense if the grouped attestations contain multiple instances of the selected criteria. For example, if you selected a group of 20 attestations with 10 associated with one entity and the other 10 associated with a different entity, selecting Entity in this field causes two separate groups of attestations to be created. If, however, the group consists of 5 attestations associated with one entity and each of the other 15 attestations associated with different entities, only those 5 are grouped and the rest are ignored.
Preview	The Preview shows the number of attestations to be grouped. Depending on the Additional criteria you selected, the Preview may show multiple groups. If you want to see the attestations to be grouped, click the link that shows the number of attestations or risk assessments to be grouped.

When you are satisfied with the attestations or risk assessments to be consolidated, click Group. A confirmation message displays, along with a link to the attestation group.

Note: When attestation groups are created, you can view them by navigating to Policy and Compliance > Controls > My Grouped Attestations. If you open a grouped attestation, you have the option of removing one or more attestations from the group. This is achieved by selecting the ones you want removed, and selecting Ungroup Assessment from the Actions on selected rows choice list. If you remove attestations from a group to the point where there is only one attestation, the group is removed.
When you are ready to take the assessment, click the link in the confirmation message or the attestation number in My Grouped Attestations.
Click Take assessment.
Complete the assessment like you would any other, and click Submit. All attestations in the group inherit the answers you provided and the state of each attestation in the group changes to Complete.

Consolidate control attestations using the Different Response feature

Before you begin

Role required: None

About this task

When you consolidate control attestations or risk assessments using the Different Response feature, you can group up attestations or risk assessments that contain a maximum of 150 questions. All of the questions appear in a single UI.

Note: To change the 1000-question limit, navigate to Policy and Compliance > Administration > GRC Properties and modify the sn_grc.grouped_questions_limit property.

Procedure

Navigate to Policy and Compliance > Controls > My Attestations.
Select the attestations you want to group.
From the Actions on selected rows choice list, click Group Assessments.
In Response Type, select Provide different response for each assessment.

Fill in the fields, as needed.


Field	Description
Default criteria	This field defaults to Metric Type.
Additional criteria	You can optionally define additional grouping criteria: Category Control Objective/Risk Statement Entity You can also define additional assessment criteria options if the defaults do not meet your needs. Note: Using these grouping schemes makes sense if the grouped attestations contain multiple instances of the selected criteria. For example, if you selected a group of 20 attestations with 10 associated with one entity and the other 10 associated with a different entity, selecting Entity in this field causes two separate groups of attestations to be created. If, however, the group consists of 5 attestations associated with one entity and each of the other 15 attestations associated with different entities, only those 5 are grouped and the rest are ignored.
Preview	The Preview shows the number of attestations to be grouped. Depending on the Additional criteria you selected, the Preview may show multiple groups. If you want to see the attestations to be grouped, click the link that shows the number of attestations or risk assessments to be grouped.

When you are satisfied with the attestations or risk assessments to be consolidated, click Group. A confirmation message displays, along with a link to the attestation group.

Note: When attestation groups are created, you can view them by navigating to Policy and Compliance > Controls > My Grouped Attestations. If you open a grouped attestation, you have the option of removing one or more attestations from the group. This is achieved by selecting the ones you want removed, and selecting Ungroup Assessment from the Actions on selected rows choice list. If you remove attestations from a group to the point where there is only one attestation, the group is removed.
When you are ready to take the assessment, click the link in the confirmation message or the attestation number in My Grouped Attestations.
Click Take assessment. A window that contains questionnaires for all of the selected attestations in the group.
Complete the assessment for each of the attestations, and click Submit.

Define assessment grouping criteria

You can optionally define additional grouping criteria if the default criteria does not meet your needs.

Before you begin

Role required: sn_compliance.manager

Procedure

Navigate to Policy and Compliance > Administration > Assessment Grouping Criteria.
Click New.

On the form, fill in the fields.


Field	Description
Name	Name of the assessment grouping criteria.
Field name	Select the field name from the Assessment Instance [asmt_assessment_instance ]table.
Active	Select to activate the grouping croteria.

Click Submit.

GRC Attestation Overview dashboard

The GRC Attestation Overview dashboard provides views attestations assigned to you, as well as pending and overdue attestations.

Reports

The GRC Attestation Overview dashboard contains the following reports:


Name	Type	Description
My Past Due Attestations	Column	Total number of past due attestations assigned to you
My Attestations	Column	Total number of attestations assigned to you, broken down by state
My Pending Attestations	List	A list of the pending attestations assigned to you

Previous topic

Next topic

Release version

Manage control attestations

If the attestation and respondents fields of the control are set, then when a controls moves from the Draft state to the Attest state, a notification is sent to the attestation respondents.

By default, GRC Attestation is used for controls and provides the following assessment questions:

Is this control implemented?
Attach evidence
Explain

My Grouped Attestations contains attestations that you have grouped to eliminate the task of providing repetitive responses for similar assessments.

All Attestations is contained in the Controls section of the Policy and Compliance application and contains all active attestations.

Compliance managers can create attestation types containing different types of questions to fit their needs. See Create a control attestation using the Attestation Designer.

Attestation Designer

The attestation designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters.

All attestation records are stored in assessment tables and displayed in Attestation views of those tables.

Create a control attestation using the Attestation Designer

Use the Attestation Designer to create and edit metric types. Use different metric types for different controls. Select multiple respondents for an attestation, as well as change scoring parameters.

Before you begin

Role required: sn_compliance.attest_creator, sn_compliance.manager, sn_compliance.administrator

Procedure

Navigate to Policy and Compliance > Administration > Attestation Types.

Click Attestation Designer.

The designer contains the following elements:


Element	Description
Controls	Supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
Questions	A library of questions for various categories, so you do not have to build each questionnaire from scratch.
Categories	New assessment opens in the Design view. The questionnaire Name field appears above the first category in the canvas. A blank question field appears in the category container.

Enter a name in the Name field.

Drag a control onto the designer canvas to create a question of that type.

Table 1. Question controls
Data type	Description	Scored
Attachment	Question with a Manage Attachments icon that allows users to attach one or more files.	N
Boolean	Question with a check box or a Yes/No list for user responses.	Y
Choice	List of predefined options. For more information, see the definition for Choices.	Y
Date	Date field.	N
Date/Time	Date and time field.	N
Number	Number field with predefined minimum and maximum values. The default is 1–10.	N
Percentage	Percentage field with a prescribed range.	N
Scale	Predefined Likert scale. Answer options appear as radio buttons.	Y
Numeric Scale	Selectable number scale. The default is 1–5. Answer options appear as radio buttons.	Y
String	Single or multi-line text field.	N
Template	Choice list of templates that provide a predefined scale of options. Note: It is important to assign a template to every attestation. This allows controls to be created automatically based on control objectives and entity types.	Y
Reference	Choice list of fields from a specified reference table. This data type does not support reference qualifiers.	N

Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the controls.

Point to the menu icon in the upper right of the Attestation Designer to select one of the following options:

Note: The availability of each option depends on the status of the attestation that is opened in the designer.

Option	Description
New Attestation	Opens a fresh canvas for a new attestation.
Load Attestation	Opens a list of existing attestations that you can select and edit.

What to do next

If you are implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.

Create an attestation type

Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each control objective.

Before you begin

Role required: sn_compliance.attestation_creator or sn_compliance.manager or sn_compliance-admin

Procedure

Navigate to Policy and Compliance > Administration > Attestation Types.
Click New.

On the form, fill in the fields.

Table 2. Assessment Metric Type form
Field	Description
Name	Name of the assessment type.
Assessment duration	Length of time allowed from generation to completion of the assessment.
Table	Table this assessment applies to.
Scale factor	Scale value to use for all assessment results.
Condition	Define specifics records from the table.
Description	More details about the assessment.
State	State of the assessment: Draft or Published
Enforce condition	Option that indicates whether accessible records of this type that do not meet the conditions specified are deleted.
Roles	Roles that have access to information about this metric type.

Click Submit.

Consolidate control attestations using the Same Response feature

Before you begin

Role required: None

About this task

Note: To change the 1000-question limit, navigate to Policy and Compliance > Administration > GRC Properties and modify the sn_grc.consolidated_questions_limit property.

Note: If you do not want your users to access to this capability, navigate to Policy and Compliance > Administration > GRC Properties, and disable the sn_grc.enable_consolidate_asmt property.

Procedure

Navigate to Policy and Compliance > Controls > My Attestations.
Select the attestations you want to group.
From the Actions on selected rows choice list, click Group Assessments.
In Response Type, select Provide same response for all assessments.

Fill in the fields, as needed.


Field	Description
Default criteria	This field defaults to Metric Type.
Additional criteria	You can optionally define additional grouping criteria: Category Control Objective/Risk Statement Entity You can also define additional assessment criteria options if the defaults do not meet your needs. Note: Using these grouping schemes makes sense if the grouped attestations contain multiple instances of the selected criteria. For example, if you selected a group of 20 attestations with 10 associated with one entity and the other 10 associated with a different entity, selecting Entity in this field causes two separate groups of attestations to be created. If, however, the group consists of 5 attestations associated with one entity and each of the other 15 attestations associated with different entities, only those 5 are grouped and the rest are ignored.
Preview	The Preview shows the number of attestations to be grouped. Depending on the Additional criteria you selected, the Preview may show multiple groups. If you want to see the attestations to be grouped, click the link that shows the number of attestations or risk assessments to be grouped.

When you are satisfied with the attestations or risk assessments to be consolidated, click Group. A confirmation message displays, along with a link to the attestation group.

Note: When attestation groups are created, you can view them by navigating to Policy and Compliance > Controls > My Grouped Attestations. If you open a grouped attestation, you have the option of removing one or more attestations from the group. This is achieved by selecting the ones you want removed, and selecting Ungroup Assessment from the Actions on selected rows choice list. If you remove attestations from a group to the point where there is only one attestation, the group is removed.
When you are ready to take the assessment, click the link in the confirmation message or the attestation number in My Grouped Attestations.
Click Take assessment.
Complete the assessment like you would any other, and click Submit. All attestations in the group inherit the answers you provided and the state of each attestation in the group changes to Complete.

Consolidate control attestations using the Different Response feature

Before you begin

Role required: None

About this task

Note: To change the 1000-question limit, navigate to Policy and Compliance > Administration > GRC Properties and modify the sn_grc.grouped_questions_limit property.

Procedure

Navigate to Policy and Compliance > Controls > My Attestations.
Select the attestations you want to group.
From the Actions on selected rows choice list, click Group Assessments.
In Response Type, select Provide different response for each assessment.

Fill in the fields, as needed.


Field	Description
Default criteria	This field defaults to Metric Type.
Additional criteria	You can optionally define additional grouping criteria: Category Control Objective/Risk Statement Entity You can also define additional assessment criteria options if the defaults do not meet your needs. Note: Using these grouping schemes makes sense if the grouped attestations contain multiple instances of the selected criteria. For example, if you selected a group of 20 attestations with 10 associated with one entity and the other 10 associated with a different entity, selecting Entity in this field causes two separate groups of attestations to be created. If, however, the group consists of 5 attestations associated with one entity and each of the other 15 attestations associated with different entities, only those 5 are grouped and the rest are ignored.
Preview	The Preview shows the number of attestations to be grouped. Depending on the Additional criteria you selected, the Preview may show multiple groups. If you want to see the attestations to be grouped, click the link that shows the number of attestations or risk assessments to be grouped.

When you are satisfied with the attestations or risk assessments to be consolidated, click Group. A confirmation message displays, along with a link to the attestation group.

Note: When attestation groups are created, you can view them by navigating to Policy and Compliance > Controls > My Grouped Attestations. If you open a grouped attestation, you have the option of removing one or more attestations from the group. This is achieved by selecting the ones you want removed, and selecting Ungroup Assessment from the Actions on selected rows choice list. If you remove attestations from a group to the point where there is only one attestation, the group is removed.
When you are ready to take the assessment, click the link in the confirmation message or the attestation number in My Grouped Attestations.
Click Take assessment. A window that contains questionnaires for all of the selected attestations in the group.
Complete the assessment for each of the attestations, and click Submit.

Define assessment grouping criteria

You can optionally define additional grouping criteria if the default criteria does not meet your needs.

Before you begin

Role required: sn_compliance.manager

Procedure

Navigate to Policy and Compliance > Administration > Assessment Grouping Criteria.
Click New.

On the form, fill in the fields.


Field	Description
Name	Name of the assessment grouping criteria.
Field name	Select the field name from the Assessment Instance [asmt_assessment_instance ]table.
Active	Select to activate the grouping croteria.

Click Submit.

GRC Attestation Overview dashboard

The GRC Attestation Overview dashboard provides views attestations assigned to you, as well as pending and overdue attestations.

Reports

The GRC Attestation Overview dashboard contains the following reports:


Name	Type	Description
My Past Due Attestations	Column	Total number of past due attestations assigned to you
My Attestations	Column	Total number of attestations assigned to you, broken down by state
My Pending Attestations	List	A list of the pending attestations assigned to you

How search works:

Topics are ranked in search results by how closely they match your search terms

Manage control attestations

Manage control attestations

Attestation Designer

Create a control attestation using the Attestation Designer

Create an attestation type

Consolidate control attestations using the Same Response feature

Consolidate control attestations using the Different Response feature

Define assessment grouping criteria

GRC Attestation Overview dashboard

Reports

On this page

Manage control attestations

Manage control attestations

Attestation Designer

Create a control attestation using the Attestation Designer

Create an attestation type

Consolidate control attestations using the Same Response feature

Consolidate control attestations using the Different Response feature

Define assessment grouping criteria

GRC Attestation Overview dashboard

Reports

Log in to personalize your search results and subscribe to topics