Restricting the Type of Evidence Allowed for Compliance Controls
Users can submit evidence to the KCM GRC platform by uploading a file or by providing a "DocuLink" to their externally hosted evidence. For more information about evidence types, please reference our KCM GRC: Glossary of Compliance Terms article. There are multiple options for limiting and defining which types of evidence you want your users to provide for your compliance controls.
See the sections below to learn more.
Option 1: Account-level Setting
If you only want to allow one type of evidence submission across your entire account, use the account-level setting. For example, if your organization stores evidence on an internal server, you can disable file uploads for your account.
- To limit the type of evidence that a user can submit at the account level, click on Settings in the top right corner. Then, click Account Settings from the drop-down menu.
- On the View Account page, click on the Account Settings tab.
- Scroll down to the toggle switches for the Document Upload Allowed and Doculink Allowed settings. In the example below, a user would be allowed to upload documents, but not add DocuLinks.
- Once you have made your selections, click the Save button at the bottom of the screen.
Option 2: Scope-level Setting
If you want to specify what type of evidence your users can provide for a specific scope, use the scope-level evidence settings. You can modify the scope-level setting when creating a new scope or by updating a scope. Review the sections below to learn more about these options.
Create New Scope: Evidence Settings
You can limit the type of evidence a user is able to submit when creating a new scope.
- To create a new scope, click Compliance > Scopes > View Scopes from the left navigation panel.
- Click on the Create New Scope button on the right side of the screen.
- Give your scope a name and a description. Below the description you can select the evidence type(s) that will be allowed for the scope.
- Using the drop-down menus under Doculink Allowed and Document Upload Allowed, select Allowed, Not Allowed or Account Default. Selecting Account Default ensures that the scope follows the account-level setting, as described above.
- Once you have selected the evidence types allowed for the scope, click the Create Scope button at the bottom of the screen.
To learn more about creating scopes, please reference our KCM GRC: Getting Started with the Compliance Management Module article.
Update Scope: Evidence Settings
You can change the scope-level evidence settings at any time. Follow the steps below.
- Navigate to the View Scope page and click the scope name. From the Overview tab, click the Update Scope button, as shown below.
- Using the drop-down menus under Doculink Allowed and Document Upload Allowed, select Allowed, Not Allowed or Account Default. Selecting Account Default ensures that the scope follows the account-level setting, as described above.
- Once you have selected the evidence types allowed for the scope, click the Update Scope button at the bottom of the screen.
Option 3: Task-level Setting
When creating a task schedule, you can limit the type of evidence a user can provide to satisfy a control. Follow the steps below to restrict evidence types at the task level.
- Navigate to the View Scope page from the left navigation panel (Compliance > Scopes > View Scopes) and click the scope name.
- From the Controls tab, click the control name, as shown below.
- From the Overview tab on the View Control screen, click the Create Task Schedule button.
- Create your task schedule as you normally would. Then, using the Evidence Required drop-down menu, select No Requirement, DocuLink Required, File Upload Required or File Upload or Doculink Required. Selecting No Requirement allows users to submit evidence based on the scope-level settings, as described above.
- When you've finished making your task schedule selections, click the Create Task Schedule button.
For more information about creating tasks and task schedules see our KCM GRC: Working with One-Time Tasks, Task Schedules, and Effective Date Range article.
Frequently Asked Questions
Below are some commonly-asked questions about limiting the type of evidence a user is allowed to upload. If you don't see the answer you need, submit a ticket to our Support team.
Question: Do scope-level settings override account-level settings?
Answer: Yes. For example, if you allow DocuLink uploads in your Account Settings, but mark DocuLinks as "Not Allowed" within the scope, users will not be able to provide DocuLinks as evidence for tasks associated with the scope.
Question: Does the task schedule setting override the scope-level setting?
Answer: No. If you have limited the type of evidence to be submitted by users at the scope level, you will not be able to adjust this at the task level. For example, if you have disabled file uploads at the scope level, you will not be able to select file uploads as an evidence type when creating the task schedule. However, if you have not limited the type of evidence at the scope level, you can then limit the evidence types at the task level.
Question: If a control is mapped to two scopes, does one scope-level setting override a conflicting scope-level setting?
Answer: If a control is mapped to two scopes, and one scope does not allow an evidence type while the other scope does, the allowance will override: the user will be able to submit that evidence type for the control mapped to both scopes.
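The precedence rules in the answers above, written out as a small Python model so you can check which evidence types a given combination of settings actually permits. This is an added example, not KCM GRC code or an API of the product; the function names, the internal type names and the sample settings are hypothetical. It assumes a scope's Allowed or Not Allowed choice replaces the account toggle in either direction, and that a task option naming a type the scopes forbid cannot be selected.

```python
from enum import Enum

class Setting(Enum):
    ALLOWED = "Allowed"
    NOT_ALLOWED = "Not Allowed"
    ACCOUNT_DEFAULT = "Account Default"

EVIDENCE_TYPES = ("doculink", "file_upload")  # hypothetical internal names

# "Evidence Required" options from the task schedule form -> types they name.
TASK_OPTIONS = {
    "No Requirement": None,  # defer to the scope-level result
    "DocuLink Required": {"doculink"},
    "File Upload Required": {"file_upload"},
    "File Upload or Doculink Required": {"doculink", "file_upload"},
}

def scope_allows(account, scope):
    """Types one scope permits; Account Default falls back to the account toggle."""
    allowed = set()
    for ev in EVIDENCE_TYPES:
        setting = scope[ev]
        if setting is Setting.ACCOUNT_DEFAULT:
            setting = Setting.ALLOWED if account[ev] else Setting.NOT_ALLOWED
        if setting is Setting.ALLOWED:
            allowed.add(ev)
    return allowed

def control_allows(account, scopes):
    """Union over every scope the control is mapped to: an allowance wins."""
    return set().union(*(scope_allows(account, s) for s in scopes))

def effective_evidence(account, scopes, task_option):
    """Types a user can submit for a task on this control."""
    permitted = control_allows(account, scopes)
    wanted = TASK_OPTIONS[task_option]
    if wanted is None:
        return permitted
    if not wanted <= permitted:
        # Assumption: an option naming a type the scopes forbid is unselectable.
        raise ValueError(f"{task_option!r} not selectable; scopes permit {sorted(permitted)}")
    return wanted

# Constructed sample: account toggles as in the Option 1 example (uploads on, DocuLinks off).
ACCOUNT = {"file_upload": True, "doculink": False}
STRICT = {"file_upload": Setting.NOT_ALLOWED, "doculink": Setting.ALLOWED}
DEFAULT = {"file_upload": Setting.ACCOUNT_DEFAULT, "doculink": Setting.ACCOUNT_DEFAULT}

if __name__ == "__main__":
    print(effective_evidence(ACCOUNT, [STRICT], "No Requirement"))
    print(effective_evidence(ACCOUNT, [STRICT, DEFAULT], "No Requirement"))
```

In the second call the control is mapped to both scopes, so the file-upload restriction set on the strict scope no longer applies to that control; review scope mappings whenever a restriction is meant to be binding.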