When an organization requests that you log in to their KCM Governance, Risk, and Compliance (GRC) platform as an auditor, you may have access to some or all of the following items: the organization's compliance and security controls, the evidence that has been submitted for these controls, the organization's internal policies, and reports for employee acknowledgment of these policies.
This article provides instructions for navigating the KCM GRC platform as an auditor. Before you begin navigating the console, we recommend reviewing our Glossary of Compliance Terms article for commonly used terms in KCM GRC.
See the sections below to learn more about using the KCM GRC platform for auditing purposes.
Access and Login
After the organization creates an account for you, you will receive an email invitation to confirm your account. Use the activation code in the email to confirm your account. Then, create a password and log in to your account.
Once you've logged in, you're brought to the Metrics page. The Metrics page contains reports that have some of the details that you may need for your audit. See the next section for details about these reports.
Metrics
The Metrics page on your account contains three sections: Detailed Compliance Reports, Summary Compliance Reports, and Policy Management Reports. Each section is described in the list below.
- The Detailed Compliance Reports section contains a report for each of the scopes that you may need to review for your audit. Detailed Compliance Reports contain the requirements, controls, tasks, and evidence for that scope. Click on a scope name to open the report.
  - For details about the information in these reports, see the Detailed Compliance Reports section of our KCM GRC Metrics Reporting Guide.
- The Summary Compliance Reports section also contains a report for each of the scopes that you may need to review for your audit. Click on a scope name to open the report.
  - For details about the information in these reports, see the Summary Compliance Reports section of our KCM GRC Metrics Reporting Guide.
- The Policy Management Reports section contains a report for each policy acknowledgment campaign that you may need to review for your audit. Click on a campaign name to open the report.
  - For details about the information in these reports, see the How to Create and Manage Policy Campaigns article.
Policy Management
From the Policy Management area of your account, you can review the policies that the organization has uploaded as well as the reports for policy campaigns. Policy campaigns are used to distribute and track employee acknowledgments of the organization's policies.
To view the organization's policies, from the navigation panel, click Policy Management > Policies.
The Policies page lists the policies that the organization has uploaded for its policy management campaigns. The columns and icons on this page are described in the list below.
- Name: This column displays the name of the policy.
- Type: This column displays the type of policy, which will be either Document or Doculink. Document is displayed if the policy was uploaded directly into the KCM GRC platform. Doculink is displayed if the policy is located externally from the KCM GRC platform and the policy was added to KCM GRC as a link.
- Campaigns: This column displays the name of the campaign or campaigns that the policy has been assigned to.
- Version: This column displays the policy's version number.
- Date Created: This column displays the date when the policy was added to KCM GRC.
- Last Updated: This column displays the date when the policy was last updated in KCM GRC.
- Link icon: If the policy is a link, you can click the link icon to view the policy in a new tab.
- Document icon: If the policy is a document, you can click the document icon to view the policy in PDF format and in a new tab.
To view the organization's policy campaign reports, from the navigation panel, click Policy Management > Reports.
Please note that the Reports page shows the same Policy Management Reports that you can view from the Metrics page. See the Metrics section above for details.
Documents
From the Documents area of your account, you can do the following:
- Review the evidence that the organization has submitted for a control task. This evidence is submitted to prove that the organization is meeting a requirement.
  - For each piece of evidence, you can open and review the following items:
    - The task that the evidence was submitted for.
    - The control that the task was created for.
    - The requirement or requirements that are mapped to this control.
- Review the control documents that have been attached to controls.
  - Typically, control documents describe the evidence that needs to be submitted for the control.
The Documents page contains three subtabs: All, Evidence, and Control Documents. The All subtab contains everything from the Evidence and Control Documents subtabs. The All subtab also contains the same policies that can be viewed from the Policy Management and Metrics areas of your account.
The Evidence subtab contains the following columns and buttons.
- You can click the arrow in the first column to expand the row to show the requirement that is associated with this evidence. The expanded row contains the following columns:
  - Requirement ID: This column displays the requirement ID. IDs are used in the KCM GRC system to identify and order the requirements in a scope. Typically, requirement IDs reflect the section numbers or other identifiers used in the applicable regulatory framework published by the governing agency.
  - Requirement Name: This column displays the name of the requirement that is mapped to the control listed under the Control Name column.
  - Requirement Description: This column displays a description of the requirement. Typically, the requirement description reflects the wording used in the applicable regulatory framework published by the governing agency.
- Name: This column displays the name that was added to the evidence file or link when it was submitted for the control task.
- Control Name: This column displays the name of the control that the evidence and task are associated with. You can click the control name to open and review the control.
- Task: You can click the Task button to open and review the task that the evidence was submitted for.
- Date Created: This column displays the date that the evidence was submitted for the task.
- Download icon: If the evidence is a file, you can click the download icon to download and review the evidence.
- Link icon: If the evidence is a link, you can click the link icon to review the evidence in a new tab.
The Control Documents subtab contains the following columns and icons.
- Name: This column displays the name that was added to the control document when it was attached to the control.
- Control: This column displays the name of the control that the control document was added to. Click the control name to open the control.
- Date Created: This column displays the date that the control document was added to the control.
- Link icon: If the control document is a link, you can click the link icon to review the control document in a new tab.
- Download icon: If the control document is a file, you can click the download icon to download and review the control document.