Navigating the KCM GRC Platform as an Auditor
When an organization requests that you log in to their KCM Governance, Risk, and Compliance (GRC) platform as an auditor, you may have access to some or all of the following items: the organization's compliance and security controls, the evidence that has been submitted for these controls, the organization's internal policies, and reports for employee acknowledgment of these policies.
This article provides instructions for navigating the KCM GRC platform as an auditor. Before you begin navigating the console, we recommend reviewing our Glossary of Compliance Terms article for commonly used terms in KCM GRC.
See the sections below to learn more about using the KCM GRC platform for auditing purposes.
Access and Login
After the organization creates an account for you, you will receive an email invitation to confirm your account. Use the activation code in the email to confirm your account. Then, create a password and log in to your account.
Once you've logged in, you're brought to the Metrics page. The Metrics page contains reports that have some of the details that you may need for your audit. See the next section for details about these reports.
Metrics
The Metrics area of your account contains three sections: Detailed Compliance Reports, Summary Compliance Reports, and Policy Management Reports. See below for more information about these reports.
- The Detailed Compliance Reports section contains a report for each of the scopes that you may need to review for your audit. Detailed Compliance Reports contain the requirements, controls, tasks, and evidence for that scope. Click on a scope name to open the report.
  - For details about the information in this report, see the Detailed Compliance Reports section of our Metrics Reporting Guide.
- The Summary Compliance Reports section contains a report for each of the scopes that you may need to review for your audit. Click on a scope name to open the report.
  - For details about the information in this report, see the Summary Compliance Reports section of our Metrics Reporting Guide.
- The Policy Management Reports section contains a report for each policy acknowledgment campaign that you may need to review for your audit. Click on a campaign name to open the report.
  - For details about the information in this report, see the How to Create and Manage Policy Campaigns article.
Policy Management
From the Policy Management area of your account, you can review the policies that the organization has uploaded as well as the reports for policy campaigns. Policy campaigns are used to distribute and track employee acknowledgments of the organization's policies.
To view the organization's policies, from the navigation panel, click Policy Management > Policies, as shown below.
The Policies page lists the policies that the organization has uploaded for its policy management campaigns. See the details outlined below.
- Name: The name of the policy.
- Type: This column shows the type of policy and will either say Document or Doculink. Document is shown if the policy was uploaded directly into the KCM GRC platform. Doculink is shown if the policy is located externally from the KCM GRC platform and the policy was added to KCM GRC as a link.
- Campaigns: The name of the campaign or campaigns that the policy has been assigned to.
- Version: The policy's version number.
- Date Created: The date when the policy was added to KCM GRC.
- Last Updated: The date when the policy was last updated in KCM GRC.
- If the policy is a link, click the link icon to view the policy in a new tab.
- If the policy is a document, click the document icon to view the policy in PDF format, in a new tab.
To view the organization's policy campaign reports, from the navigation panel, click Policy Management > Reports, as shown below.
Please note that the Reports page shows the same Policy Management Reports that you can view from the Metrics page. See the Metrics section above for details.
Documents
From the Documents area of your account, you can do the following:
- Review the evidence that the organization has submitted for a control task. This evidence is submitted to prove that they are meeting a requirement.
  - For each piece of evidence, you can open and review the following items:
    - The task that the evidence was submitted for.
    - The control that the task was created for.
    - The requirement or requirements that are mapped to this control.
- Review the control documents that have been attached to controls.
  - Typically, control documents describe the evidence that needs to be submitted for the control.
The Documents page contains three tabs: All, Evidence, and Control Documents. The All tab contains everything from the Evidence and Control Documents tabs. The All tab also contains the same policies that can be viewed from the Policy Management and Metrics areas of your account.
See below for details about the Evidence and Control Documents tabs on the Documents page.
Evidence tab
1. Click the arrow in the first column to expand the row to show the requirement that is associated with this evidence.
   - Requirement ID: Requirement IDs are used in the KCM GRC system to identify and order the requirements in a scope. Typically, requirement IDs reflect the section identification or other identification characters that are used in the applicable regulatory framework that was published by the governing agency.
   - Requirement Name: The name of the requirement that is mapped to the control that is listed under the Control Name column (see item 3., below).
   - Requirement Description: A description of the requirement. Typically, the requirement description reflects the verbiage that is used in the applicable regulatory framework that was published by the governing agency.
2. Name: The name that was added to the evidence file or link when it was submitted for the control task.
3. Control Name: The name of the control that the evidence and task are associated with. Click the control name to open and review the control.
4. Task: Click the Task button to open and review the task that the evidence was submitted for.
5. Date Created: The date that the evidence was submitted for the task.
6. If the evidence is a file, click the download icon to download and review the evidence.
7. If the evidence is a link, click the link icon to review the evidence in a new tab.
Control Documents tab
- Name: The name that was added to the control document when it was submitted for the control task.
- Control: The name of the control that the control document was added to. Click the control name to open the control.
- Date Created: The date that the control document was added to the control.
- If the control document is a link, click the link icon to review the evidence in a new tab.
- If the control document is a file, click the download icon to download and review the evidence.