Compliance Management Use Cases

  1. Preparing a Test Plan
  2. Evidence Collection Checklist
  3. Document Requests
  4. Self-Assessment Test, Compliance Test, Audit Test
  5. Findings and Mitigation

Test Plan

How to create internal controls

Internal controls are policy statements and/or control objectives. See the Policy Statement instructions to create internal controls.

How to create new test plan
  1. Go to the internal control tab, go to the Test Plan section and click on New Test Plan. 
How to populate test plan record
  1. Populate the following fields in Test Plan
    1. Control Description
    2. Roles and Responsibilities (denotes who is responsible for each relevant type of test and must be assigned before each test is created)
    3. Document Request Frequency (to determine the regularity of the request)
    4. Collection Approach (this determines a manual or automated collection approach, enabling the Document Request to be sent automatically)
    5. Next Document Request Date (determines when the next test will start and the automated continuation of the workflow based upon the selected frequency of the collection approach)
How to create evidence checklist
  1. Using the horizontal navigation bar, select the Evidence Checklist Tab and click to open it.
  2. Click on the New Evidence Checklist Item button.
  3. Complete the Name of the Evidence required, and if necessary, add a description of the Evidence.
  4. Click Save and your evidence record will populate in the Evidence Checklist Record.
How to map evidence to test plan
  1. If you have created your Test Plan Record, you may add the Evidence to the Test Plan from the Evidence Record. Note: you must have the Evidence Checklist Item created.
  2. In the Evidence Record, select the appropriate section, either ‘New Test Plan Evidence’ or ‘Evidence Reference’ and click the ‘New’ button.
  3. Use the Look Up option to find the appropriate Test Plan, then click Save.

 

Document Requests 

How to send a document request to control owner
  1. In the Test Plans tab, select your Test Plan record and click on Add New Document Request with Automation.
  2. Your Document Request will be sent and the record will appear in the Document Request section.
How to check on the document request response
  1. In the platform, go to the Document Request tab and make sure the DR Status is displayed. If not, edit the list to display the DR Status.
  2. You can monitor the document request status in a report. You will not receive an email when a document request is submitted.
  3. Once all required documents are submitted, you can review the documents and document the test results.

Responding to Document Request

How to submit document requests in CyberOne Portal
  1. The email will contain information on the request and a link that will direct you to the C1 Portal, where you can upload the required evidence.
  2. Follow the directions in the Portal to upload evidence. You can upload the document or submit a URL link to a file share for the evidence. If you submit a link, make sure you provide the assessor access to the document.
How to upload evidence for compliance 
  1. Click on the Document request link in the Portal if you are not directly taken to the Document Request page.
  2. Fill out the appropriate information and upload your evidence using the File Upload button.
  3. Click Submit, then provide your Attestation. This locks the record; however, you may still recall your submission once sent using the Recall button.
  4. At any time, in the Document Request record, click the Recall button (this appears only after the DR has been submitted) and click Yes in the pop-up window. You may now edit or change your submission.

Self-Assessment Tests

Self-Assessment tests are an informal type of test, typically performed by the second line of defense or someone other than the performer of the control, to review and document the test results. The purpose of a Self-Assessment test is to improve control design and effectiveness by creating findings to resolve any gaps. This step is for audit readiness and is also used for control assurance.

How to document self-assessment test results
  1. Go to the Self-Assessment tab and click on New Self-Assessment.
  2. Select the Document Request you want to test.
  3. Document the test result by populating the fields below:
    • Test Type
    • Test Results
    • Test Result Documentation
    • If any, create New Findings from the review. See the Issue Management manual for the finding and mitigation workflow.

Compliance Tests

A Compliance test differs from a Self-Assessment test because a Compliance test has an approval workflow. The assessor will document the test result and assign a reviewer to approve the test result. This approval step tracks the audit log for the compliance test. See also the video under Self-Assessment Test.

How to submit compliance test results
  1. Go to the Compliance Test tab.
  2. Click on New Compliance Test.
  3. Look up the Document Request to test.
  4. Populate the following test result fields:
    • Test Type
    • Test Result
    • Test Result Description
    • If any, create New Findings from the review. See the Issue Management manual for the finding and mitigation workflow.
How to create a compliance report
  1. Go to the Compliance Report tab.
  2. Click on New Compliance Report.
  3. Give the report a name and description.
  4. In the Compliance Test Report section, click on New Compliance Test Report and add all the test results to include in the report.

     

Audit Test & Audit Report

The Audit Test tab is used to log each audit test result for a specific audit procedure or control procedure. Many audit tests can roll up to an audit report for a point-in-time review. Each report can create findings for mitigation. See also the video under Self-Assessment Test.

How to create audit test result
  1. Go to the Audit Test tab.
  2. Click on New Audit Test.
  3. Select the scope you want to test or write your own audit procedure, then click Save.
  4. Under the related list for Audit Report, map the audit test result into an audit report. If the audit report has not been created, open a new tab to create the audit report and then complete the mapping.
How to create an audit report
  1. Go to the Audit Report tab.
  2. Click on New Audit Report.
  3. Provide the audit name, description and dates, then click Save.
  4. Under the Audit Test related list, add the audit test results for this audit report.