GRC Part 1 Flashcards
What is the database table name for Control Objectives starting with Orlando?
sn_compliance_policy_statement
Can you nest or stack policy records?
Yes
Can you nest or stack control objectives?
Yes
What GRC record generates a KB article when approved?
Policy
What must be set up for controls to be generated?
The Control Objective has the checkbox for “Create Controls Automatically” checked and an Entity Type is applied to the Control Objective.
Attestations are generated when a control is moved from draft to what?
Attest
What can you do with the Policy Acknowledgement feature?
Send out policies for review & acknowledgement, Track responses on the campaign record, designate the campaign audience for acknowledgement.
What can you NOT do with the Policy Acknowledgement feature?
Enable employees to ask for more info about the policy.
A control attestation can be used to measure the level of compliance - T or F
False
How many entity types can an entity belong to?
None, 1 or multiple
Entities can be added to an entity type via what methods?
Manually, from the All Entities module or using a filter defined on the Entity Type record.
Entities can be added to an entity type on a Policy Related List - True or False
False
An entity must always relate to a record in a ServiceNow table - True or False
False
What records are generated when an entity type is related to a risk statement/template?
Risks, Risk Indicators (if there is an indicator template related to the risk statement)
Risk Frameworks are required records in Risk Framework Process - T or F
False
What’s another name for Risk Statement Records?
Risk Templates
Risk statements can be nested or created in a hierarchy - T or F
True
Risk Events always involve a loss - T or F
False
Customers may refer to Risk Events as Loss Events - T or F
True
Risk Events are the same as Risk Statements - T or F
False
Risk Events can be related to Risks - T or F
True
What is the module name for all Registered Risks?
Risk->Risk Register->All Risks
Entity Types can be applied at what level to generate risks?
Risk Framework and Risk Statement/Template
Default Risk Scoring Method in SN baseline is ___
Quantitative
What does ALE refer to in Risk Scoring?
Annualized Loss Expectancy - Expected loss in a single year - SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)
What is equivalent to SLE in Qualitative Risk Scoring?
Single Loss Expectancy - Impact - $$$$
What is equivalent to ARO in Qualitative Risk Scoring?
Annual Rate of Occurrence - Likelihood - %
Which type of risk is “worst case scenario” according to ServiceNow?
Inherent (not residual or calculated)
Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?
Yes
Risk Responses are generated after Risk Assessments are complete - T or F
True
Which fields cover the duration covered by the audit? (not the dates that the audit occurred)
Audit Period (start and end)
When creating an audit engagement record, what record is used to scope the audit?
Entity
Control Test Records are set up to control the Design of the Control and the Effectiveness of the Control. When is a control set to ineffective?
When either the design effectiveness or the operational effectiveness of the control are set to ineffective.
When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?
Risks, Controls, Test Plans, Indicator Results
When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?
Policies, Control Objectives
A control objective in SN GRC is often called what by people in the GRC industry? (3)
Control Objective, Requirement, Control Template
If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F
False - Depends on whether the “Create Controls automatically” checkbox is checked on the control objective.
Can you nest or stack Risk Statements?
Yes, but only with Advanced Risk (and post NY)
Can a Risk Manager update Entity Types and Entities?
Yes (requires grc.manager and risk manager inherits it)
Entity Types can be applied at what level to generate Registered Risks?
Risk Framework or Risk Statement
Alternative Terms for a Control Objective (4)
Control, Control Template, Requirement, Policy Statement
Alternative Terms for an Entity (4)
Scope definition, Scope Object, Target, Profile
Alternative Terms for an Entity Type (1)
Entity Group
Alternative Term for a Control (1)
Control Instance
Alternative Term for a Risk Statement
Risk Template
Alternative Term for an Issue
Finding
NY onward - table name for Entity Class
sn_grc_profile_class
NY onward - table name for Entity Type
sn_grc_profile_type
NY onward - table name for Entity
sn_grc_profile
NY onward - table name for Control Objectives
sn_compliance_policy_statement
What are compliance related roles in order of inheritance?
Compliance Developer, Admin, Manager, User, Reader
What are Risk related roles in order of inheritance?
Risk Admin, Manager, User, Reader
What roles do you get with GRC Developer?
Compliance Developer
What roles do you get with GRC Admin?
Risk Admin and Compliance Admin
What roles inherit Survey Reader?
Compliance User and Risk User
What role will Compliance Managers group get?
sn_compliance.manager
What can Compliance Managers with sn_compliance.manager role do?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policies, Control Objectives, Policy Exceptions, Controls, Authority Documents, Citations
What role will Compliance Analysts group get?
sn_compliance.user
What can Compliance Analysts with sn_compliance.user role do?
1) View Authority Documents and Citations 2) Create Policies, Control Objectives, Policy Exceptions and Controls
What can Compliance Managers do that Analysts cannot?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations
What role will Risk Managers get?
sn_risk.manager
What can Risk Managers do with the sn_risk.manager role?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench
What role will Risk Analysts get?
sn_risk.user
What can Risk Analysts do with the sn_risk.user role?
1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks
What role is needed to answer a risk assessment?
No role
What role is needed to create a risk assessment?
Risk Assessment Creator (sn_risk.asmt_creator)
What role is needed to answer a control attestation?
No role
What role is needed to create policies?
Compliance User (Analyst)
What role is needed to approve policies?
Compliance User (Analyst)
What role is needed to Submit a control for attestation?
Compliance User (Analyst)
What role is needed to create an issue for Risk?
Risk User
What role is needed to Create an indicator template for Risk?
Risk Manager
What role is needed to Create a Policy Exception from Control Issue?
Compliance User (Analyst)
What role is needed to retire policies?
Compliance Manager
An entity can only be related to a single entity class - T or F
True
What tables are frequently used on the Entity Type filter to generate Entities
Department, Group, Service (not Control or Indicator)
Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F
True
What tables are extended from the Document table?
Risk Framework, Policy, Authority Document
What tables are extended from the Content table?
Risk Statement, Control Objective, Citation
What tables are extended from the Item table?
Risk, Control
What is the Policy Lifecycle?
Draft, Review, Awaiting Approval, Published, Retired
Who can create a Policy?
Compliance Users/Analysts and above
Who can set a Policy to Review state?
Compliance users/analysts and above
Who can move a Policy from Review to its next state?
Named reviewer or the Policy Owner
Compliance admins can move a Policy from Review to its next state - T or F
False
A policy waiting for approval will be published when at least 1 approver approves it - True or False
False - all approvers must approve it.
What happens when a Policy is published?
A KB article is created
Who can retire a policy?
Compliance Manager or Policy Owner
What is the Control lifecycle?
Draft, Attest, Review, Monitor, Retire
Who can modify a Draft control?
Compliance users/analysts
Who can use Attest button on a Draft control?
Compliance users/analysts
Who can complete an attestation?
The person to whom it is assigned
Can a system admin complete an attestation for someone?
Only via impersonation
What is best practice when an attestation cannot be completed by its assignee?
Return the control to Draft state.
Who moves a control to the Review state?
It happens automatically when the attestation is done
Who can move a control from Review to Monitor?
Compliance Manager
When a control is in Monitor state, Indicators can be scheduled - T or F
True
Who edits the control in a Monitor state?
Controls are usually not edited when in Monitor. Updates happen via Indicators.
When does a control go to the Retire state?
Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)
When a control is in Retired state, Indicators will run - T or F
False
Who can manually retire a control?
Compliance Manager
What is the Issue lifecycle?
New, Analyze, Respond, Review, Closed
Who can create a new issue?
Compliance, Risk or Audit User
An issue can be related to what other things? (6)
Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues
Who can move issue to Analyze?
Any GRC user
Who can move issue to Respond?
Any GRC User
What things will auto-trigger an issue creation? (4)
1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results
What is the Policy Exception Lifecycle?
New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed
Who can request a Policy Exception?
Any internal user.
How does a Policy Exception go from New to Analyze?
Requester uses Request Approval UI Action/button.
Who performs the Analyze phase of the Policy Exception?
Compliance Manager
How does a Policy Exception get to the Risk Assessment state?
Compliance Manager requests a risk assessment.
What happens when a Compliance Manager requests a risk assessment for a Policy Exception?
A notification goes to the Risk Manager’s group and a risk manager performs the assessment.
How does a Policy Exception get to the Review state?
Compliance Manager requests a risk assessment and risk manager requests a review.
What happens when a Policy Exception is set to Review by the Risk Manager?
Notification goes to the Compliance Manager.
What happens after a compliance manager is notified that a Policy Exception needs a Review?
Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.
How does a Policy Exception get to the Awaiting Approval state?
Compliance manager requests Business Level Approval.
How does a Policy Exception get to the Approved state?
Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.
How does a Policy Exception get to the Closed state?
Compliance manager rejects it during review (maybe?) or otherwise sets it to Closed.
Who can request an extension to an approved Policy Exception?
Control Owner
Where can you initiate a Policy Exception? (6)
Policy Exception modules, Related Lists - Issue/Control Objective/Policy, other integrated SN applications, Service Portal
What happens during Analyze phase of a Policy Exception?
Compliance manager will review and update Source, Schedule, Comments, look at impacted Controls, mitigating controls and risks, update business impact analysis including residual likelihood, impact and score.
What are options for the compliance manager when the analysis is complete for a Policy Exception? (4)
Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval
What is the Policy Acknowledgement lifecycle?
New, Pending Acknowledgement, Closed, Cancelled
Who can create a Policy Acknowledgement campaign?
Compliance User/Analyst
Who can designate the audience for a Policy Acknowledgment campaign?
Compliance Admin or Compliance Manager
Who can be added to a Policy Acknowledgement campaign?
Users, Groups, filtered user definition.
Where can audience members of a Policy Ack campaign respond?
On the portal.
How can audience members of a Policy Ack campaign respond?
Accept, Decline or Request Exception (if allowed)
When does a Policy Ack campaign get closed?
When it’s overdue. (any other???)
When does a Policy Ack record get reset?
When a policy exception is expired
Who can cancel a Policy Ack campaign?
Compliance manager or owner of the campaign
What Policy and Compliance components do you get to via the P&C->Compliance module?
Authority Documents (sn_compliance_authority_document) and Citations (sn_compliance_citation)
What Policy and Compliance components do you get to via the P&C->Policies and Procedures module?
Policies (sn_compliance_policy) and Control Objectives (sn_compliance_policy_statement)
What module do you use to get to Authority Documents?
Policy and Compliance->Compliance
What module do you use to get to Citations?
Policy and Compliance->Compliance
What module do you use to get to Policies?
Policy and Compliance->Policies and Procedures
What module do you use to get to Control Objectives?
Policy and Compliance->Policies and Procedures
What are the table names for the policy acknowledgement campaign and the policy acknowledgement record?
sn_compliance_policy_acknowledgement
sn_compliance_policy_acknowledgement_instance
Which Script Include? Requirement is to modify who can edit a policy in the Review State.
ComplianceUtils
Which Script Include? Requirement is to modify how compliance scores roll up.
ComplianceScoreCalculator
Which Script Include? Requirement is to display the number of controls excluded from the compliance score.
AssessmentStrategy
Which Script Include? Requirement is to use a different criteria to create control records.
ControlGeneratorStrategy
Which Script Include? Requirement is to add a new state to Policy Exception process
PolicyException
Which Script Include? Requirement is to modify the policy acknowledgement process.
PolicyAcknowledgementUtil
How is compliance score calculated when there are no children control objectives?
((Sum of weight of compliant controls)/ (Sum of weight of all controls))*100 - excluding any in states of Draft,Retired or Not Applicable
How is compliance score calculated when there ARE children control objectives?
1) Calculate the compliance percentage of the parent control the same as if it did not have children -> ParentPerc 2) Get the average score for all downstream (child) controls -> ChildAvg 3) Score = (ParentPerc + ChildAvg) / 2
What happens if a compliance manager requests a business approval for a Policy Exception?
Policy Exception Business Owner Approval workflow sends a notification to the control owners for all of the controls in the impacted controls related list.
For P&C - Entity Types can be applied to what objects (2) and which is the best practice?
Policies and Control Objectives. Control Objectives is best practice.
What are the Policy Exception workflows?
Policy Review, Policy Approval, Policy Exception and Policy Exception Business Owner Approval
What P&C tables can have SLAs associated with them?
Indicator Tasks, Issues, Policy Exceptions
What Risk tables can have SLAS associated with them?
Risk Responses and Remediation Task
What Audit tables can have SLAS associated with them?
Control Test, Interview, Audit, Walkthrough Task
What Risk Event tables can have SLAS associated with them?
Risk Events, Risk Event Tasks
What GRC tables are not extended from Task? (6)
Control, Control Objective, Registered Risk, Risk Statement, Risk Framework, Policy
What is the Risk Record Lifecycle?
Draft, Assess, Respond, Review, Monitor, Retired
Who can create a risk?
Risk User
Who can create a risk statement?
Risk Manager
Who can create a risk framework?
Risk Manager
Who can return a risk to the Draft state?
Risk Manager
Who performs risk assessment?
Usually Risk Owner
What happens during risk assessment?
Risk is reviewed and either sent back to draft or the assessment is completed which moves the risk to Respond and generates Risk Responses
What is the Risk Response lifecycle?
Draft, Work in Progress, Review, Closed
What is “Governance” in GRC?
Policies and oversight to ensure consistent sustainability of internal controls and objectives while understanding inherent risk and adhering to external laws and regulations.
What is “Risk Management” in GRC?
Process of determining where the org is vulnerable and exposed. Manages and monitors the System of Internal Controls
What is “Compliance Management” in GRC?
Implements and manages the governance structure by managing and monitoring the system of internal controls.
What is “Audit Management” in GRC?
Internal or External consultancy process to prove effectiveness of controls that are used to ensure the effectiveness of compliance.
Where does SN GRC store external legislation/regulation data?
Authority documents - headers and citations. These documents dictate things an organization should do.
What are some sources of authority documents?
UCF (United Compliance Framework) and HITRUST, COSO, Lexis-Nexis
How can customers use the UCF?
UCF will map headers and citations to control objectives.
What is an Entity?
Records that aggregate GRC information related to a specific item - can be a record in any table in the instance. Examples would be applications, locations, business services, etc.
What is a Citation?
Specific requirement in an authority document. Citation record relates an Authority Document to its applicable control.
What is a policy?
Internal practice followed by business process to ensure compliance and reduce risk. Related to authority documents and controls.
Where are policies published in SN?
Knowledge base
What is a control objective?
Specific details that a process follows within a policy. They are the templates from which controls are generated.
What is a control?
Actual control activity to be performed by an organization. Contains information such as owner, activity and frequency. Related to Authority Documents, Policies, and Risks via Control Objectives
What is an issue?
GRC task to track control and risk issues.
What is an indicator?
A metric to collect data to monitor controls and risks and collect audit evidence.
What is a risk framework?
Manageable hierarchy of Risk Statements. Formalized process for managing risk. Consists of assessment, response, accountability, remediation. Related to Entity Types and Risk Statements
What is a risk statement?
Defined consequence when a threat exploits a vulnerability.
What is a risk register?
Repository of key attributes of potential and known risk issues.
What is a risk?
Specific occurrence of a risk statement against a single entity. Also, a threat or vulnerability that can adversely affect an organization’s business objectives. Can be related to Policies, Controls or Remediation Tasks.
What are the possible outcomes for a risk?
It can be mitigated, prevented or controlled using Controls and Control Tests.
What is Risk Criteria?
Qualitative or Quantitative values against which level of risk is evaluated
What is the Risk’s Residual Score?
Score AFTER response strategy is implemented.
What is the Risk’s Inherent Score?
Score BEFORE response strategy is implemented.
What is the Risk’s Calculated Score?
Score derived from inherent and residual scores - refers to actual exposure of risk based on quality of the control system.
What is the Risk’s Inherent Likelihood?
Likelihood BEFORE response strategy is implemented.
What is the Risk’s Inherent Risk?
Level of Risk BEFORE response strategy is implemented.
What is the Risk’s Residual Likelihood?
Likelihood AFTER response strategy is implemented.
What is the Risk’s Residual Risk?
Level of Risk AFTER response strategy is implemented.
What is the Risk’s Qualitative Impact?
Uses Impact (significance of risk) and Likelihood (probability of risk occurring) ratings. Result is impact*likelihood.
What is the Risk’s Quantitative impact?
SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence) = ALE (Annualized Loss Expectancy)
What is an audit engagement?
Audit project with audit tasks to accomplish specific objectives.
What is an audit test plan?
A specific audit test of the effectiveness of a control. Used to generate control tests during engagements.
What is an audit test plan template?
Used to establish criteria for many test plans. Related to control objectives.
What is an audit task?
Task completed to provide evidence that a control is operating effectively
What are the 4 types of audit tasks?
Control Tests, Interviews, Walkthroughs and Activities
What are some examples of Authority Documents?
GDPR, HIPAA, Sarbanes-Oxley
Where do UCF control documents go in SN GRC?
Control Objectives
If you import the UCF framework to SN GRC, what tables will be populated? What relationships will be created?
Authority Documents, Citations, Control Objectives
Auth Doc->Citations, Citations->Ctl Obj, Relationships between overlapping Auth Docs/Citations/Ctl Objs.
What are the different policy types? (6)
Procedure, Standard, Plan, Checklist, Framework, Template
What are attestations?
Surveys to gather evidence to prove a control is implemented.
Attestations are used to measure if a control is effective - T or F
False, Indicators are used to measure effectiveness. Attestations are just to gather evidence.
What drives the compliance status for a control?
The attestation results.
What are 3 levels of control validation?
Attestation (evidence), Indicators (manual or automated steps to measure effectiveness), Tests (used during audit to validate that the control is effective)
What are entities?
People/Places/Things that require 1 or more of these: Risk management, Controls to be applied, Audits to be conducted.
What can entities be related to?
Entity Types, upstream and downstream entities, downstream risks, downstream controls
What are entity types assigned to?
Control Objectives and Risk Statements (can be assigned to policies or risk frameworks also, not best practice?)
What is the name of the risk table?
sn_risk_risk
Under what module will you find Risk Framework and Risk Statements?
Risk Library
Where all can you create a risk?
Risk Framework Entity Type related list, Risk Statement Entity Type related list, Entity Type Risk Framework related list, Entity Type Risk Statement related list. Risks are created as relationships are created.
What happens to risk assessments if a risk is retired?
Assessments are cancelled.
What are the possible risk response types and what prefix will each type of task have?
Risk Acceptance (APT), Risk Avoidance (AVT), Risk Mitigation (MGT), Risk Transfer (TFT)
What is an example of a way to mitigate a risk?
Create a control. Relate the control to the risk.
A control is related to a risk for mitigation purposes. What does the Control Weight field signify?
Weight tells us how impactful the control is in mitigating the risk - high impact=high weight, low impact=low weight. Used to determine control failure factor.
A control is related to a risk for mitigation purposes. What does the Control Compliance field signify?
Control Compliance is a calculated field based on the # of controls mitigating the risk that have a compliant status. (Empty or N/A status=compliant)
A control is related to a risk for mitigation purposes. What does the Control Non-Compliance field signify?
Control Non-Compliance is a calculated field based on the # of controls mitigating the risk that have a non-compliant status.
What happens to a Risk Response Task (Avoid, Mitigate, Review types) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Review.
What happens when a Risk Response Task (Avoid, Mitigate, Review type) is set to Review?
The Risk is also automatically set to Review. The Risk Manager will review the Response Task and determine if it can be closed.
What happens to a Risk Response Task (Accept type) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Awaiting Approval.
What happens to a Risk Response Task (Accept type) after it is set to Awaiting Approval?
Risk Owner approves or rejects the task. If approved, the Risk Response Task is set to Review. If rejected, the Risk Response Task is Rejected. The Risk is set to Review.
If an “Accept” Risk Response Task is created, what is required to move the task and the risk forward?
Risk Owner Approval
Controls can be identified to mitigate risk. How can you get controls to be automatically related to risks?
If a control objective is related to a risk statement (done manually), and if the control objective and the risk statement have the same entity, then relationships will be automatically created between the registered risks and the controls (control instances).
What is a Risk Event?
Part of Advanced Risk - Potential or actual, financial or non-financial losses, near misses or gains that occur within an organization
How are risk events useful?
They provide hard data about existing risks - ability to quantify and validate them, and provide visibility to new risks.
What are the 2 types of Risk Events?
Financial, Non-financial
Who can report a Risk Event?
Any employee (via the portal).
What is the Risk Event Lifecycle?
New, Analyze, Awaiting Approval, Approved, Closed/Rejected
What happens during the Analyze phase of a Risk Event?
Additional info is gathered, the Risk Event is related to Risks (new or existing), Controls and other Risk Events, response tasks and issues can be created and assigned out, and approvers are assigned. When analysis is done, the Risk Event is sent for approval.
What is minimum role that approvers for a Risk Event need?
Risk User
Risk Event is approved when at least 1 designated approver approves it. T or F
False - all approvers must approve it.
For a Risk Event to close - all related Issues and Remediation Tasks must be closed. T or F
True
What is the role of the person who analyzes a risk event, requests approval and closes the Risk Event?
Risk Manager
What happens when an entity is deactivated?
Associated controls, risks, indicators and test plans are all deactivated or retired.
What happens when an entity is re-activated?
Associated controls, risks go to Draft. Associated indicators and test plans become Active.
Indicators in GRC are used to monitor what?
Controls and Risks
What does an indicator do in GRC?
Continuously monitors a control’s compliance/non-compliance. Within risk, an indicator will adjust a risk score up or down. Indicators are used to gather evidence of performance for the compliance and risk processes.
Risk indicators and Policy & Compliance Indicators are stored in 2 different tables. T or F
False. 2 modules, same table.
What are the 3 default types/methods of indicators?
Manual, Basic, Script
What are additional types of indicators that come with integrations?
Configuration Test, Vulnerability Response, PA Indicator
How do you get indicators to be auto-created and related to controls or risks?
Create indicator templates and relate them to Risk Statements and Control Objectives. Then when an entity is applied to a Risk Statement or a Control Objective, the indicator will get related to the risk or control.
How do issues get created (5)?
1) Manually 2) If an Indicator gets a result that is Failed or Not Passed 3) If a Control Attestation returns a result of Not Implemented 4) if a Control Test is Closed Complete and the Effectiveness is set to Ineffective 5) Continuous Monitoring (based on Configuration Test scan results)
True or False - A control can be marked compliant even if it has an open issue.
False
What are the 2 ways to respond to an Issue?
Remediate (can result in remediation tasks) or Accept (meaning the issue is an exception). If accept, the control status is non-compliant until it is re-assessed.
Issues can be grouped under a parent. What is the parent record?
An issue.
How do you group Issues?
From List view, select issues to group, Select Group from Actions on Selected Rows list.
How many times can you request a policy exception for a policy?
1
What is a Policy Exception?
A Policy Exception provides temporary relief for a non-compliant control. It will have evidence, comments and rationale to support acceptance or rejection of the Policy Exception request.
What are the things for which you might request a Policy Exception (3)?
Policy, Control Objective, Issue (or combination of the 3)
A policy exception must have related controls (that are not Draft or Retired) - T or F
False. This is true if the exception is for a Control Objective or an Issue. Not if it is for a Policy.
To request a policy exception for an issue, what needs to be true about the issue?
It must not be in Draft or Retired and it must have at least 1 active control.
What are the 3 groups of audit users?
Audit Administrators - run the internal audit department; Audit Managers - plan, conduct and manage audit engagements; Internal Auditors - conduct control tests and other tasks for an Audit Engagement
What does an audit Control Test task do?
Performs a design or operation test to determine the effectiveness of a control
When do you use an Interview audit task?
When you need to gather data for auditors, possibly to learn a process or evaluate evidence.
When do you use a Walkthrough audit task?
To establish reliability of an organization’s internal Control over a procedure or Process
What is an Activity audit task used for?
Any miscellaneous activity that is part of the audit process.
What is the only kind of Audit task that can have a parent that is another Audit task rather than an Engagement?
Activity audit task.
What are the 3 types of Audit Interview Tasks?
Structured, Unstructured, Mixed
Audit engagements must always be created from scratch. True or False
False. You can use another audit engagement as a template.
What is a Test Template?
A generic audit test that applies to a control objective.
What is a Test Plan?
A specific audit test that applies to a control
What is the Engagement lifecycle?
Scope, Validate, Fieldwork, Awaiting Approval, Follow-up, Closed
How do Control Test audit tasks get created during an engagement?
From a Control, go to the Test Plans related list and select Generate Control Test. This will create the audit tasks.
What is the module for creating Test Templates and Test plans?
Audit->Audit Testing->Test Templates
Audit->Audit Testing->Test Plans
What are the components of an audit Test Plan?
Design Test - steps to test the design.
Operational Test - steps to test operational effectiveness.
What is the Control Test lifecycle?
Open, Work In Progress, Review, Closed
What happens while a Control Test audit task is Work In Progress?
The effectiveness of the controls are evaluated. When complete, it is set to Review.
What happens when a Control Test audit task is in Review?
All auditors on the engagement receive an approval test to review the Control Test task. If any one approves it, then the Control Test task moves to Closed.
A Control Test audit task requires only one of the approvers to approve it for it to move from Review to Closed. True or False
True
It is possible to skip the approval process for a Control Test audit task by just moving it to Closed. T or F
True
Control Effectiveness will be “Effective” if at least one of “Design Effectiveness” or “Operational Effectiveness” is “Effective” for the control. T or F
False. They both must be Effective. If one is ineffective, the control is ineffective.
What happens to the related risks when a risk statement is deactivated?
The risks are automatically retired.
If a risk is in a retired state, do the indicators still run?
No
What happens to the related risks when a risk statement is re-activated?
Risks are set to Draft.
What role is required to manually retire a risk?
Risk Manager
What is the table name for Risk Statements and Risk Frameworks?
sn_risk_definition and sn_risk_framework
What are the table names for Indicators and Indicator Templates and what app are they part of?
sn_grc_indicator and sn_grc_indicator_template
GRC:Profiles
What items can be related to a Risk Event? Which are in m2m tables?
Another Risk Event (m2m), Risk Event Task, Event Entry, Risks (m2m), Entity(m2m), Issue, Control (m2m)
What is the Script Include if you want to modify the calculations of multiple risks on an entity?
RiskUtils
What is the Script Include if you want to add additional calculations to risks?
RiskALECalculator
What is the Script Include if you want to change the relationship behavior between a control and a risk?
MitigationControls
What is the Script Include if you want to change the states and behaviors of risk mitigations?
RiskResponse
What is the Script Include if you want to modify how risks are generated and associated to entities?
RiskGeneratorStrategy
What is the Script Include if you want to adjust color and display settings when creating a risk heat map?
RiskHeatMap
What SN core table can you use to see all components installed by a particular application/plugin?
sys_metadata
What role is used for creating GRC attestations?
Attestation Creator - sn_compliance.attestation_creator
What role is used for creating Risk assessments?
Risk Assessment Creator - sn_risk.asmt_creator
What role is required to answer a risk assessment?
Risk Analyst (sn_risk.user) I think
What role is required to answer a control attestation?
No role required
What role is required to create a policy?
Compliance Analyst (sn_compliance.user)
What role is required to approve a policy?
Compliance Manager (sn_compliance.manager)
What role is required to submit a control for attestation?
Compliance Analyst (sn_compliance.user) I think?
What role is required to create an issue within Risk?
Risk Analyst (sn_risk.user)
What role is required to create an indicator template within Risk?
Risk Manager (sn_risk.manager)
What role is required to create a policy exception?
Risk Analyst (sn_risk.user)
What role is required to Retire policies?
Compliance Manager (sn_compliance.manager)
What are some considerations that drive your choice of entity types?
Regulations you need to comply with; who the people working on risks and controls are; how you are managing policies/exceptions/risks today; what areas are audited.
What are Entity Classes used for?
Reporting and roll up of risk responsibility.
What are the 3 parent tables in GRC:Profiles application/scope that are extended in P&C and Risk?
Document (sn_grc_document), Content (sn_grc_content), Item (sn_grc_item)
What tables in P&C and Risk are extended from the Document table?
Risk Framework (sn_risk_framework), Authority Document (sn_compliance_authority_document), Policy (sn_compliance_policy)
What tables in P&C and Risk are extended from the Content table?
Risk Statements (sn_risk_definition), Control Objectives (sn_compliance_policy_statement), Citations (sn_compliance_citation)
What tables in P&C and Risk are extended from the Item table?
Risks (sn_risk_risk), Controls (sn_compliance_control)
An entity can only be related to a single Entity Class. T or F
True
An entity can only be part of a single Entity Type. T or F
False. An entity can belong to 1 or multiple entity types.
What is the table name that holds Entity Filters?
sn_grc_enrichment_query
What is the name of the m2m table that relates entities and entity types?
sn_grc_m2m_profile_profile_type
Indicator and Issue tables are part of what scope?
GRC:Profiles
What are 3 GRC tables extended from the Global scope?
Indicator Task is extended from task.
Issue is extended from Planned Task.
Acknowledgement Campaign is extended from task.
What is baseline frequency for generating entities and deleting invalid entities?
Generating entities happens hourly.
Deleting invalid entities happens daily.
What happens if someone requests approval for a policy record and there are no approvers designated?
It goes straight to published.
What is the Control Objective lifecycle?
It doesn’t have one. It is managed by the lifecycle of its parent, the policy record.
When a control goes to Attest, who receives the attestation?
Control Owner
Can Policies be nested?
Yes
A control objective can only be related to 1 policy. T or F
False.
A control objective can be related to multiple citations. T or F
True. This is what allows you to test once to satisfy many requirements.
Can Control objectives be nested?
Yes
Can Citations be nested?
Yes
Authority docs and citations are required to use SN GRC. T or F
False
Implementing Policy and Compliance, what is a common configuration task?
Updating choice lists for Category, Classification and Type fields on Control Objective table.
A policy must be published before you can create a policy acknowledgement campaign. T or F
True
Give an example of how you might define/use an indicator.
A policy/citation? is Manage Change Requests. A control is “All change requests must have a back out plan prior to approval.” An indicator could be defined to look at changes that have been approved and the backout plan is empty. If found, the control will be marked non-compliant.
Are the knowledge article templates for the GRC Knowledge base stored in the same table as the templates for the other KBs?
No, they are in a different table and they require javascript.