How Do I Create Control Tasks?
When using your KnowBe4 Governance Risk and Compliance (KCM GRC) platform to manage your compliance or risk management efforts the Task feature will be used on a frequent basis. Tasks allow you to continuously and automatically monitor the compliance or risk management controls your organization has in place.
See below for explanations of KCM GRC Tasks in relation to applicable KCM GRC modules:
Tasks in reference to the Compliance module: Tasks provide the ability to collect evidence in order to provide proof that your organization has the proper controls in place to meet the necessary requirements.
Tasks in reference to the Risk Management module: Tasks provide the ability to track efforts made toward the internal controls your organization has in place to reduce the risks faced by your organization.
See the sections below to learn more about creating tasks and automating a task schedule.
Jump to:
Prerequisites
What Are the Different Types of Tasks Available for My Controls?
Navigating to the View Control Page
- Creating a One-Time Standard Task
- Creating a One-Time Advanced Task
- Creating a Task Schedule (with optional EDR)
Prerequisites
Before creating tasks for your compliance controls, you'll need to do the following:
- Create one or more Scopes in your KCM GRC platform. Scopes contain:
- The requirements of the framework or governance to which you must comply (or the general requirements of a project).
- The Controls your organization has in place in order to meet the Scope's Requirements.
- Add the appropriate users to your account so you can assign the following roles for tasks:
- User Responsible
- Approving Manager (optional)
- If you plan to use Effective Date Range (EDR) for task schedules, be sure your organization is in agreement with the default Effective Date Range Settings found in your Account Settings. These settings define the amount of time–after the task's end date–that users can submit evidence for controls.
Note: The Effective Date Range Settings settings are not retroactive. If you change your EDR Settings after creating task schedules using EDR–the evidence due dates will not be updated.Tip: When necessary, you can override the account-level EDR due date settings (found under Account Settings) and specify a due date at the control-level, instead. You'll specify the due date override when creating a task schedule for the control. See the Creating a Task Schedule (with optional EDR) section below to learn more.
For more information on adding users and creating scopes, requirements, and controls, please see our Getting Started with the KCM GRC Platform article.
What Are the Different Types of Tasks Available for My Controls?
The following is true for all types of tasks created in KCM GRC:
- Assign a User Responsible for submitting evidence
- Assign an Approving Manager to approve evidence (optional)
- User Responsible automatically receives task reminder emails (see: What is the KCM GRC Task reminder email schedule?)
- Approving Manager receives an email notification once evidence is provided and once the task has reached a Past Due status
See below for a description of the task scheduling options available in your platform:
- Standard One-Time Task: These tasks only occur once, with a due date that you'll specify.
A one time task may be appropriate when:
- A task only needs to occur once or on an as-needed basis.
- An unexpected incident occurs outside of the control's normal task schedule, and this incident needs to be recorded.
- You're onboarding with your KCM GRC platform and your compliance efforts are currently up to date, but you want to track current efforts so they can be referenced at a later time.
- Advanced One-Time Task: This is similar to the standard one-time Task, except the advanced task allows you to specify a date range for the collection of evidence–rather than a single due date. An advanced one-time task is a similar concept to task schedules with EDR. For more information, see the Task Schedule with Effective Date Range (EDR) description, below.
- Task Schedule: This is the most commonly used option for recurring tasks. The task will automatically reoccur based on the frequency of the task schedule. Decide which frequency is appropriate based on how often your organization needs to submit new evidence for the control.
- Task Schedule with Effective Date Range (EDR): This is similar to a regular task schedule, except using EDR tracks a date range for the collection of evidence, rather than a single due date.
For example, with specific compliance frameworks, if an auditor cannot verify the effectiveness of a control, they may request an expanded sample size to show the operating effectiveness of the control over a greater period of time. When using EDR, the auditor can see that the control evidence has been collected during the specified time period and not just submitted prior to the due date of the control task (see this tip for more info).
See the Creating a Task Schedule (with optional EDR) section below to learn more about specific EDR settings.
Navigating to the View Control Page
Once you've added your organization's controls to your KCM GRC platform (see Prerequisites, above), you'll need to create either a one-time task or a task schedule for the applicable controls.
In your KCM GRC account, you have two primary areas from which you can work with your controls. To decide which area may be more beneficial to your workflow, consider the types of requirements you'll be working toward, and whether your organization's controls are "scope-specific", or if they will be used for requirements across multiple scopes:
- If your controls will be used for (mapped to)–multiple requirements, across multiple scopes–as best practice, we recommend working from the Controls Library area of your account.
- If your controls are specific to one requirement–and therefore to one scope–as best practice, we recommend working from the Controls tab within your Scope.
Creating Tasks from the Controls Library
Follow the steps below to navigate to the Controls Library area of your account.
- From the navigation panel on the left-hand side of your account, click Controls.
- From the Controls Library table, click on any control name to create a task for the control.
See the How Do I create a Task? section below for instructions on creating one-time tasks or task schedules. See the descriptions above to learn more about your task options.
Creating Tasks from a Scope
Follow the steps below to navigate to the Controls tab within your Scope:
- From the navigation panel on the left-hand side of your account, click Compliance > Scopes > View Scopes.
- Click on the name of the Scope containing the Controls you'll be working from.
- From the View Scope Page click the Controls tab.
- Here you'll find all of the controls that are mapped to requirements within the scope. Click on any control name to create a task for the control.
See the How Do I create a Task? section below for instructions on creating one-time tasks and task schedules. See the descriptions above to learn more about your task options.
How Do I Create a Task?
After deciding if a one-time task or a task schedule is the best fit for your control, see the following sections for instructions:
- Creating a One-Time Standard Task
- Creating a One-Time Advanced Task
- Creating a Task Schedule (with Optional EDR)
Creating a One-Time Standard Task
After you've navigated to the View Control page from either the Controls tab or your Controls Library, follow the steps below to create a standard one-time task.
- From the Task Schedule section of the View Control page, click the New One Time button.
- With the Standard One-Time Schedule tab selected, add the details outlined below:
- User Responsible: Select the individual responsible for submitting the evidence needed for the task.
Note, you can only select users who have been granted permissions to applicable Scope. See our User Types article for more information. - Manager Responsible (optional): Select a manager responsible for reviewing evidence and approving the task. The Manager Responsible is notified once evidence has been submitted to the task.
Note, if you select a Manager Responsible the task cannot be closed until the evidence has been approved. - Due: Task evidence should be submitted on or before this date.
Note, the due date must be at least one day after the date the task is created.
- User Responsible: Select the individual responsible for submitting the evidence needed for the task.
Creating a One-Time Advanced Task
After you've navigated to the View Control page from either the Controls tab or your Controls Library, follow the steps below to create an advanced one-time task.
- From the Task Schedule section of the View Control page, click the New One Time button.
- With the Advanced One-Time Schedule tab selected, add the details outlined below:
- User Responsible: Select the individual responsible for submitting the evidence needed for the task.
Note, you can only select users who have been granted permissions to the applicable Scope. See our User Types article for more information. - Manager Responsible (optional): Select a manager responsible for reviewing the evidence and approving the task. The Manager Responsible is notified once evidence has been submitted to the task.
Note, if you select a Manager Responsible the task cannot be closed until the evidence has been approved. - Both the Starts On and Ends On parameters allow you to define a date range in which evidence should be collected for the control.
For auditing purposes, this may be considered the date range in which the control should be implemented and effective.
- Starts On: The start date of the time period for which evidence should be collected.
In other words, consider this the opening date of the date range in which this control should be implemented and effective.
Note, the user will receive their first task reminder notification on this date. - Ends On: The end date of the time period for which evidence should be collected.
In other words, consider this the closing date of the date range in which this control should be implemented and effective.
Note, the Ends On and Due dates can be the same.
- Starts On: The start date of the time period for which evidence should be collected.
- Due: Task evidence should be submitted on or before this date.
Note, the due date must be at least one day after the date the task is created.
- User Responsible: Select the individual responsible for submitting the evidence needed for the task.
Creating a Task Schedule (with Optional EDR)
After you've navigated to the View Control page from either the Controls tab or your Controls Library, follow the steps below to create a task schedule.
- From the Task Schedule section of the View Control page, click the Create Task Schedule button.
- Add the details outlined below:
- Use Effective Date Range:
- NO: The task will automatically reoccur at the next applicable interval, based on the frequency chosen (see #2, below).
- YES: EDR allows a date range for the collection of evidence, rather than a single due date. The date ranges for evidence collection vary based on the task frequency.
For example, if you create a task schedule using EDR at a weekly frequency, users will have 7 days from the start date to collect evidence (for more information see #6, below). See our description of EDR above, to decide if this task type is best for your organization's controls.
Tip:
If you use EDR for auditing purposes, the date range to submit the control evidence is reflected in the Task Gantt Chart, under the Metrics section of your account. The Gantt Chart is available to Auditor users for auditing purposes.
- Frequency:
- If not using EDR:
- The frequency determines how often the control task should occur (how often evidence must be submitted).
For example, if you create a monthly task schedule, the task will be "open" for one day, on the same day of each month.
- The frequency determines how often the control task should occur (how often evidence must be submitted).
- If using EDR:
- The frequency determines: (1) The length of the date range in which evidence should be collected for this control, and (2) how often the task should occur in the task schedule.
For example, if you create a task schedule with a "monthly" frequency, using a start date of January 15th, the task will be "open" until February 14th, and the next task will start on February 15th.
- The frequency determines: (1) The length of the date range in which evidence should be collected for this control, and (2) how often the task should occur in the task schedule.
- If not using EDR:
- User Responsible: Select the individual responsible for submitting the necessary evidence for this task.
Note, you can only select users who have been granted permissions to the Scope. See our User Roles article for more information. - Manager Responsible (optional): You have the option to select a manager responsible for reviewing evidence and approving the task. The Manager Responsible is notified once evidence has been submitted for the task. If you select a Manager Responsible the task cannot be closed until the evidence has been approved.
- Evidence Required: Choose one of the following options to specify which method of evidence submission is required of the User Responsible.
- DocuLink Required
- File Upload Required
- File Upload or DocuLink Required
- No Requirement (evidence is not required for this task)
- Start Date:
- If not using EDR:
- The task's Start Date also serves as it's end date and due date.
Task evidence should be submitted on or before the due date.
The task schedule Frequency (see #2, above) determines when the next task will occur under the task schedule.
- The task's Start Date also serves as it's end date and due date.
- If using EDR:
- Together, the Start Date and Frequency (see #2, above) determine the task's end date and default due date.
For example, if you create a task schedule on January 1, 2020, at a "weekly" frequency, the following will apply:- The task's end date will be 6 days from the January 1st start date (end date: January 7, 2020).
- The default due date for submitting task evidence will be 3 days* from the end date (default due date: January 10, 2020).
*3 days is the KCM GRC default for the Weekly Frequency: Due Date setting under the Effective Date Range Settings (click to view). Your account's EDR settings may be different. Find these under the Account Settings area of your KCM platform.
- The start date of the next task in the task schedule will be on the 7th day from the previous task's start date (next start date: January 8, 2020).
- The User Responsible should collect evidence between the start date and end date for this instance of the task schedule (January 1, 2020 - January 7, 2020).
- The User Responsible should submit task evidence on or before the due date for the task (January 10, 2020). The task's default due date is determined by the Effective Date Range Settings found in your Account Settings.
Tip: Using the Due After Override field (explained below), you can override the account-level EDR settings on an as-needed basis.
- Together, the Start Date and Frequency (see #2, above) determine the task's end date and default due date.
- If not using EDR:
- Due After Override (optional): Use this option if you'd like to override the default due date (date range) to submit evidence for this control task. The amount of time you specify determines how long after the task's End Date–that the user will have to submit evidence. If you do not specify a Due After Override time frame, the default date range (found under your Account Settings) will be used.
Add a numerical value to the first field, then, select day(s), week(s), month(s), or year(s) from the drop-down menu.
If the due date override feature is in use, you'll see these details on the Task Schedule portion of the View Control page (click to view).
- Use Effective Date Range:
Comments
0 comments
Article is closed for comments.