As an auditor within the KCM Governance, Risk, and Compliance (GRC) platform, you may have access to the organization’s evidence repository for compliance controls, and details about internal policy acknowledgments. This article provides instructions for navigating the console as an auditor. Before you begin navigating the console, we recommend reviewing our KCM GRC: Glossary of Compliance Terms article for commonly used terms.
See the sections below to learn more about using the KCM GRC platform for auditing purposes.
- Detailed Compliance Reports
- Summary Compliance Reports
- Policy Management Reports
Access and Login
First, the organization will create an account for you. You will receive an email invitation to confirm your account. Use the activation code to set your password and gain access to the platform. Once you have confirmed your account and set your password, you’re taken to the login page (shown below).
Upon login, you are presented with the Metrics section. This page contains reports that have some of the details that you may need for your audit. If you navigate away from this section, you can always return by clicking Metrics from the left navigation panel.
The Metrics page contains three sections: Detailed Compliance Reports, Summary Compliance Reports and Policy Management Reports. Review the following three sections to learn more about each of the reports you may be able to access.
Detailed Compliance Reports
Under the Detailed Compliance Reports section, you’ll find a report for each scope you may need to access for your audit. To view this report, click on the scope name.
These reports provide a detailed overview of the important pieces of a scope, as outlined below.
- Each requirement included in the scope
- The control(s) mapped to the requirement
- The frequency of the control's task schedule
- The email address of the Assignee/User Responsible for the task
- The email address of the Approving Manager for the task (if applicable)
- The status of current (Active/Open) and previous (Closed) tasks
You can refine what requirements are included in the report by setting filters in the top-left area. Filtering is based on the start, end, or due dates of the tasks that the organization has created for controls.
You can also interact with tasks from the Detailed Compliance Report. To interact with the task, click on the task name and a task window will appear. The details included in the task window are outlined below.
- The task status appears in the top right-hand corner of the task window.
- Control Description: A description of the control that the task was created for.
- Supporting Evidence: This section contains the evidence for the task. You can view the name of the attachment or DocuLink, the email address of the individual who submitted the evidence, and the date it was submitted. If the organization does not have evidence for the task, the following message will appear in the section: "This task currently has no supporting evidence."
- To the right of the Date Created column, click on the download icon to view the evidence on your local device (if applicable). Or click on the link icon to view evidence that is hosted outside of KCM.
- Task Information: This section lists information on task dates and who is responsible for the task.
- Notes: Here you can see communication between KCM GRC users. The messages may include information about the task, evidence, or control that relates to the task. You also have the option to leave a note on the task. After you have typed in your note, click the Save Note button to attach the note to the task.
- Click anywhere outside the task window to return to the Detailed Compliance Report page.
Summary Compliance Reports
Under the Summary Compliance Reports section, you'll find a report for each scope that you may need to access for your audit. The purpose of the Summary Compliance Report is to provide an overview of a scope's requirements and controls, and the status of their associated tasks. To view this report, click on the applicable scope name.
As an alternative to viewing the report in the console, you can use the Export Results to CSV button at the top-right of the page to download a CSV file of the report. The CSV will consist of the scope requirements that have mapped controls and tasks scheduled for the controls.
From the Summary Report page, you can refine what requirements are included in the report by setting filters in the top-left area, as shown below. Filtering is based on the start, end, or due dates of the tasks that the organization has created for controls.
- From: Use the drop-down menu to specify whether you want to start the filtering of tasks by their Start Date, End Date, or Due On date. Then, click the date field to select a calendar date to start from.
- To: Use the drop-down menu to specify whether you want to end the filtering of tasks by their Start Date, End Date, or Due On date. Then, click the date field to select a calendar date to end on.
- Click Apply Filters to apply your task specifications.
- Use the Reset Filter button to remove the filter you've put in place.
If you use the Export Results to CSV button while a task filter is in place, the CSV will only contain requirements and controls that have tasks applicable to the filter.
- The Compliance % column will contain either a percentage or one of these four tags: No Controls, No Tasks in Range, No Tasks Scheduled, or No Tasks Due. The details of each tag are defined in this report key, as shown in the screenshot above.
- All requirements included in the scope will be listed in this report. The requirements are broken into sections based on top-level requirement IDs. All subsequent requirements are contained within. There is a header row for each different top-level requirement ID.
For example, in the image above, the first header row is PCI DSS 3.2.1. All requirements with a requirement ID beginning with "1." (e.g., 1.1, 1.1.1, 1.1.2, etc.), are found beneath this header. The next header row is PCI DSS 3.2.2. All requirements with a requirement ID beginning with "2." (e.g., 2.1, 2.1.1, 2.2, 2.2.1, etc.), are found beneath this header.
- Self-Assessment: The status the organization has optionally set for each requirement is noted by one of the symbols in the table below.
The possible self-assessment symbols are: Met, Not Met, No Answer, and Not Applicable.
- Compliance %: The measure of completion for the task(s) scheduled for each control.
Compliance percentage is calculated by counting the tasks that have a Close Late, Awaiting Approval, Satisfied, or Acknowledged status, then dividing that count by the total number of tasks for that control (including tasks in Failed or Past Due status). Tasks in Active status are not included in this calculation.
- Expand/Collapse: Requirements that have controls mapped to them will include an expand arrow in this column. Use the expand/collapse arrow to view or hide the control.
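The Compliance % rule above, combined with the From/To task-date filter described earlier in this section, as an added example in Python that is not the KCM GRC product's own code. The Task fields, task names, statuses and dates are constructed for illustration; the status names follow the article.

```python
# Added example, not the KCM GRC product's own code: it reproduces the Compliance %
# rule and the From/To date filter described in this article for constructed tasks.
from dataclasses import dataclass
from datetime import date

# Task statuses exactly as named in the article's Compliance % description.
COUNTED_AS_COMPLETE = {"Close Late", "Awaiting Approval", "Satisfied", "Acknowledged"}
EXCLUDED_FROM_CALC = {"Active"}  # Active tasks are left out of both counts


@dataclass(frozen=True)
class Task:  # constructed shape; the real task record has more fields
    name: str
    status: str
    start: date
    end: date
    due: date


def filter_tasks(tasks, field, date_from, date_to):
    """Keep tasks whose chosen date (start/end/due) falls within [date_from, date_to]."""
    if field not in ("start", "end", "due"):
        raise ValueError("field must be start, end or due")
    return [t for t in tasks if date_from <= getattr(t, field) <= date_to]


def compliance_percent(tasks):
    """Compliance % for one control, or None when no countable tasks remain
    (the report then shows a tag such as No Tasks in Range instead of a value)."""
    counted = [t for t in tasks if t.status not in EXCLUDED_FROM_CALC]
    if not counted:
        return None
    complete = sum(1 for t in counted if t.status in COUNTED_AS_COMPLETE)
    return round(100 * complete / len(counted), 1)


# Constructed sample: one control with five scheduled tasks (not real data).
SAMPLE_TASKS = [
    Task("Q1 review", "Satisfied", date(2024, 1, 1), date(2024, 1, 31), date(2024, 2, 5)),
    Task("Q2 review", "Close Late", date(2024, 4, 1), date(2024, 4, 30), date(2024, 5, 5)),
    Task("Q3 review", "Failed", date(2024, 7, 1), date(2024, 7, 31), date(2024, 8, 5)),
    Task("Q4 review", "Past Due", date(2024, 10, 1), date(2024, 10, 31), date(2024, 11, 5)),
    Task("Ad hoc", "Active", date(2024, 11, 1), date(2024, 11, 30), date(2024, 12, 5)),
]

if __name__ == "__main__":
    # Whole year: 2 of 4 countable tasks complete, Active task ignored -> 50.0
    print(compliance_percent(SAMPLE_TASKS))
    # First half of the year by Due On date: only Q1 and Q2 remain -> 100.0
    print(compliance_percent(filter_tasks(SAMPLE_TASKS, "due", date(2024, 1, 1), date(2024, 6, 30))))
```

Note that the filter narrows the denominator as well, which is why a filtered report can show a higher percentage than the unfiltered one for the same control.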
Policy Management Reports
This section links to the in-console reports for each of the policy management campaigns the organization has created. Policy management campaigns show end-user acknowledgement of the necessary internal policies. Click on the policy campaign name to view this report.
Under the Overview tab, the Campaign Completion Percentage displays the User Acknowledgement Activity in a dated line graph, as shown below.
This graph shows the percentage of users who have acknowledged the policy or policies over time. The Progress bar toward the top of the page represents the current progress of the entire campaign, and displays a ratio of how many users have acknowledged their policy out of the total number of users in the campaign.
The Campaign Details portion of this page describes the details of the campaign, as outlined below.
- Status: Depicts an active or inactive campaign.
- Start Date: The date the campaign began.
- End Date or Duration of the Campaign: The timeframe in which users must acknowledge the policy.
- Users: Displays how many users are enrolled in the campaign.
- Groups: Describes which user groups have been enrolled in the campaign. Organizations utilize groups to assign policy campaigns to specific groups of people or departments.
- Auto-Enroll: This checkbox indicates that new users will automatically be enrolled in the policy campaign when they're added to the groups that are assigned to this policy campaign.
- Scheduled Notifications: Lists the scheduled alerts that users received throughout the policy campaign.
Another section within the Policy Management Report is the Users Tab. This section shows you which users have been enrolled in the campaign.
Another way to view the policy campaign details is to navigate to the Policy Management module. This module allows the organization to create campaigns consisting of policy agreements assigned to user groups. The organization can create these groups based on the parameters that best suit their needs, such as office location, department, job role, start date, etc.
As an auditor, you are able to access the Policy Management module by clicking Policies or Reports from the menu on the navigation panel.
This section lists the policies that the organization has uploaded for their policy management campaigns.
On this screen, you can view the following information related to each policy:
- Name: The policy name
- Type: The type of file that has been uploaded
- Campaigns: The name of the campaign(s) that the policy has been assigned to
- Version: The policy version number
- Date Created: The date when the policy was uploaded to the console
- Last Updated: The date when the policy was last updated
Additionally, you can view the policy document by clicking the paper icon on the far right. The policy will be reviewable as a PDF.
To access policy reports, click Policy Management, then Reports from the left navigation panel. Similar to the Metrics section, you can view reports on each policy the organization has assigned for acknowledgement. To review these reports, click on the policy name. You will see the Overview and User tabs that are also found in the Metrics section of the console, as described in the Policy Management Reports section above.
Evidence is provided by the organization to satisfy tasks, in order to support a requirement's control. The Evidence Repository section is a file and/or URL repository where the organization stores the evidence that shows its controls are in place and operating as they should. You can access this section by clicking Evidence Repository from the left navigation panel.
From the View All Evidence page, you can evaluate information related to each piece of evidence, as shown below.
- Name: The name assigned to the evidence that was added or uploaded.
- Date Created: The date when the evidence was added to the organization's repository.
- Created By: Displays the name of the individual who uploaded the evidence.
- Control Name: Depicts which control the evidence is associated with.
- Requirements: Lists the regulatory requirement that the evidence satisfies.
- View Control/Task: Click the Control or Task button to view the control or task that the evidence is associated with.
- Depending on how the organization uploaded the evidence to the repository, click the link icon to view the evidence from the DocuLink or click the download icon to download the file.
At the top right of the Evidence Repository, you have options to go back to your previous screen; export the repository into a CSV file; and change your view from displaying 100 to 500 lines of evidence.
The information on the View All Evidence screen is also available for review when exporting the repository to a CSV file.