Manage control attestations
- Updated Aug 1, 2024
- 10 minutes to read
- Xanadu
- Policy and Compliance Management
Attestations are surveys that gather evidence to prove that a control is implemented. Attestations document how the control is measured. This method is frequently used during the Draft and Monitor states.
The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch.
Users can create multiple attestation types and assign different attestations to their control objectives. A sample attestation called GRC Attestation is also provided as the default attestation. It is composed of the following simple questions:
- Is this control implemented?
- Attach evidence
- Explain
My Attestations is in the Controls section of the Policy and Compliance application and contains active attestations for which you are the respondent. The attestations appear in a list with a single attestation record per control.
My Grouped Attestations contains attestations that you have grouped to eliminate the task of providing repetitive responses for similar assessments.
All Attestations is in the Controls section of the Policy and Compliance application and lists all active attestations.
Compliance managers can create attestation types containing different types of questions to fit their needs. See Create a control attestation using the Attestation Designer.
Compliance managers can create a new set of questions for each control objective. The Question Bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. See Create an attestation type.
Attestation Designer
The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters.
All attestation records are stored in assessment tables and displayed in Attestation views of those tables.
Create a control attestation using the Attestation Designer
Use the Attestation Designer to create and edit metric types. Use different metric types for different controls. You can also select multiple respondents for an attestation and change its scoring parameters.
Before you begin
Role required: sn_compliance.attest_creator, sn_compliance.manager, sn_compliance.administrator
Procedure
What to do next
If you are implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.
Create an attestation type
Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each control objective.
Before you begin
Role required: sn_compliance.attestation_creator or sn_compliance.manager or sn_compliance.admin
Procedure
Consolidate control attestations using the Same Response feature
Policy and Compliance Management and Risk Management offer two methods for consolidating attestations and risk assessments into groups that help eliminate the task of providing repetitive responses for similar assessments. You can provide the same evidence to the grouped assessments or respond to individual assessments in the same user interface.
Before you begin
About this task
If you do not want your users to have access to this capability, navigate to the sn_grc.enable_consolidate_asmt property and disable it.
Procedure
Consolidate control attestations using the Different Response feature
Policy and Compliance Management and Risk Management offer two methods for consolidating attestations and risk assessments into groups that help eliminate the task of providing repetitive responses for similar assessments. You can provide the same evidence to the grouped assessments or respond to individual assessments in the same user interface.
Before you begin
About this task
Procedure
Define assessment grouping criteria
You can optionally define additional grouping criteria if the default criteria do not meet your needs.
Before you begin
Role required: sn_compliance.admin, sn_compliance.manager
Procedure