Each Audit typically contains multiple Request Items. Request Items are the specific "asks" of your auditor, like "System configuration standard documents or system hardening documentation for all systems (including router)."
There are a few ways to map evidence to Request Items and manage its completion.
- Map requests to internal controls to have Comply automatically suggest evidence for the request
- Use policies as evidence by mapping the policy to the request
- Add all evidence from an automation sequence
- Add existing evidence to the request
- Log new evidence to the request
- Request evidence from colleagues
- Mark a request as complete, and mark requests as incomplete
If you've been collecting evidence all year (as all good compliance managers do), using the evidence you've collected is the easiest way to fulfill a request. Aside from not having to go through the effort of collecting new evidence, Comply makes it simple to find the right evidence by using the mapping of the evidence to a control, framework, condition or other filters to suggest the evidence that fulfills the request.
To attach existing evidence to a request, click into the specific request.
Next, click "(+) Add to Request".
Then select "Evidence Items".
Next, select the evidence that is relevant for the request. Use the "Filter Results" button to narrow down the list to make the applicable evidence easier to find. If you've already attached controls to the request, Comply will automatically suggest evidence from those controls.
Sometimes the request is about ensuring that regular checks have been done, so all of the evidence from an automation is what you need to provide. Comply makes it simple to find and add all the evidence from an automation sequence.
Clicking the "Add Evidence" button will bring up a link to "Automation Sequence"; click that.
This will bring up a screen where you can filter your evidence to find the artifacts you want to add to the request.
To log new evidence to a request, click the "Add Evidence" button, then "Evidence Items".
This will bring up a modal to add evidence. In the bottom left of the modal is the option to log a new piece of evidence.
The following fields are required:
- Name: Give this evidence item any kind of name, such as "Evidence of security in job descriptions."
- Type: This is a free text field that you can use to keep your evidence organized. Add any tag you want here, or select from existing entries that you've used before.
- Condition: Normally, you'll log manual evidence as "OK." This means you're attaching normal, conforming evidence in support of your control. However, you may sometimes want to use Comply to keep track of control deviations, such as nonconformities and exceptions, or to flag evidence that requires attention for other reasons ("Needs Attention.")
Optionally, you can also:
- Upload supporting attachments: We support .pdf, .jpg, .png, .xls(x), .doc(x), .csv, and .zip up to 50 MB.
- Add notes: Any comments you may want to keep for later about the evidence.
Get help from colleagues. Create (and automatically assign) Evidence Request Tickets directly from the Audit page to get the evidence needed from control owners.
Clicking on the "Evidence Request" button will generate a ticket creation flow.
From this modal you can create a new one-off ticket for the request and assign it to colleagues to have them fulfill the request for you. If someone needs to approve the evidence submitted, you can add them as a reviewer, which puts a hold on the completion of the ticket until it's reviewed. You can also send the ticket to Jira: when you send your request to a colleague who uses Jira, they can upload evidence directly to their Jira ticket, and it will get pulled into Comply and the ticket will be closed.
Colleagues will get an email notification of the ticket being assigned to them, with links to log in to see more information and complete the request.
Sometimes a request just asks you to show that you have a good policy around a particular situation, and Comply makes it easy to prove this by attaching the policy to the request.
After clicking "Add to Request", choose "Policies".
Then select the policy for that request.
Responses and comments are ways to give colleagues and auditors more information about the request and how it is being fulfilled.
Use Responses when you want to add more context or details for the auditor. They will be included in the export for auditors to see. Your internal team can see these responses as well.
Use Comments when you just want to communicate and collaborate with internal stakeholders and colleagues. Comments are only visible in the Comply platform.
When you've collected the evidence you need to fulfill the request, you can click the "Complete Request" button, which will increment the progress indicator in the top right towards your Request Items completion.
If you've received new information that a previously "completed" request item wasn't actually complete, you can click "Mark as Incomplete" on that item to revert it to an incomplete state and decrement the Request Items progress indicator.
Updated almost 2 years ago