Audits and Maintenance Tasks
How to review and test Plans
Introduction
This episode is only relevant if you have defined Audits and/or Maintenance tasks in your BCPs.
Testing BCPs systematically is challenging and expensive, so if you believe your organisation is not ready yet, it is best to avoid them.
Audit Records Details
It is important to understand the fields a standard audit record has and what they mean before starting to work with them. Under the "Audit" tab you will find all your audits. The fields on a standard Audit are:
- Audit Methodology: this is inherited from whatever was defined on the parent BCP but can be modified if you want.
- Audit Success Criteria: this is inherited from whatever was defined on the parent BCP, the same as above
- Audit Result: Fail or Passed
- Conclusion: why the control has passed or failed
- Planned Date: the date you planned for the testing to begin. This is inherited from the parent BCP
- Start Date: the date when testing actually began
- End Date: when you finished testing
- Evidence: evidence for the BCP test can be uploaded. This will end up as "Comments & Attachments" of the audit records.
The following fields will have to be completed on every Audit you perform. For those fields that are inherited from the parent BCP, remember that changes made to the parent control will be reflected in all incomplete, future audit records.
Default Audits
After saving a BCP, if you defined audits and/or maintenance tasks, eramba will create audit records for the current and next year based on the dates you defined.
In our example, we created a BCP with the following Audit settings:
When we save the control we get the following:
- 4 audit records (2 for the current year and another 2 for next year) and
Clicking the dropdown icon next to the audit count (shown as 4 in the example image above) will display the Audit tab with a filter that will show the related audit records.
Comments & Attachments
Each audit/maintenance record has the option to include Comments and Attachments.
When you or the person giving you feedback clicks there, they can write whatever they want, for example, "We are collecting the audit evidence, we will let you know". You can then click there as well and reply. In the end, a trail of conversations will be logged where "who", "wrote what" and "when" will be evident.
After all discussions take place, you can then complete the audit/maintenance. It is of course important to remember that access to those menus is completely controlled by Access Lists, so you can remove the "Remove" function, etc. from those who provide you with feedback.
When uploading evidence, the attached files appear in the "Comments & Attachments" option for that audit. If you need to upload further evidence, you can go directly to the "Comments & Attachments" option instead of editing the Audit.
Adding Audit Records
If you want to add an Audit record to a BCP, in addition to the ones that the system created based on the dates you provided to the BCP, go to the Audit tab and click on Actions / Add, or use CSV templates (see CSV Imports documentation for details).
Dealing with Failed Audits
If you tag an audit as failed, the record will be tagged as such until the next audit record (based on its planned date) is tested. If you want to re-test a failed audit, the best way to record this is to create an additional audit record (see above).
Changing Audit Dates
If you decide to change your audit settings on the BCP because you want to test less frequently, more frequently or on different dates, simply edit the BCP, change the dates and save the control.
- If you add new dates (because you changed existing dates to other days or you added new dates), eramba will create audit records based on those dates.
- If you remove dates, eramba will not remove any existing audit records.
- If you update the testing methodology, success criteria, auditor or evidence owner fields, then eramba will update all incomplete audit records that have a planned date in the future.