This guide will take you step by step through the process of creating a framework and controls in SimpleRisk, then using the Assessment Extra to create a questionnaire to audit that framework. At the end we will also cover a few ways to report based on the findings.
Step 1: Creating your Framework and Controls
First, we need to create the framework we intend to audit. We start by going to the “Governance” menu at the top of SimpleRisk. We will then see a page like this.
Now we will need to click the “+” located next to the “Active Frameworks” tab to create a new governance framework. For the purpose of this guide I will just create an “Example Framework”.
Next we head over to the “Controls” tab found near the top of this page. Your controls page should look like the following.
Much like before, to create a new control we will click the “+” found near the Controls tab at the bottom of the screenshot. You may customize your controls to fit your needs, and if you find yourself lacking a value in a dropdown menu you may edit the dropdowns in the “Configure” menu at the top followed by “Add and Remove Values” on the left.
I’ve created 3 example controls for the purpose of this guide, and we will cover more on this a little later in the guide.
Step 2: Creating and taking an Audit Questionnaire
Now that we have our governance framework and some controls to audit, we will cover how to create an assessment questionnaire using the Assessment Extra. If you do not have this extra you will be unable to continue. If you feel you should have access to this extra and don’t, please contact us at email@example.com.
First, we need to define a contact we would like to send our assessment to, if one hasn’t been defined already. To do this we go to “Assessments” at the top and then find “Assessment Contacts” on the left. Now click the “Add” button at the top right and fill out the details of your contacts.
The next step is to create questions to add to the audit questionnaire. So now we need to move to the “Questionnaire Questions” menu found on the left. Here you will see a repository of all the questions currently defined in the system. By default, you will see the questions that make up the 4 stock assessments available.
Now, to add a question, click the “Add new question” button at the top right. Here you should see the following.
We should now title this question at the top. This will also be the question shown to the user taking the assessment. We suggest trying to keep the use of terms as close to the control as possible for the most accurate results. In some cases, simply adding the words “Do you/ Does your organization” to the beginning of your control can be quite effective.
Next, we should mark this as a compliance audit by checking the box of the same name. This will cause a new dropdown called “Mapped Controls” to appear where we can search for and select the control we wish to audit. We can also elect to allow users to upload supporting documentation when necessary with the “Has File” checkbox.
We can now start adding answers in the bottom section. You may add as many answer choices as you like using the “+” found at the bottom right. Any answer that has the “Fail Control” box checked will do as implied and fail the audit test resulting from that question. Any answer that does not have the box checked will be treated as a pass.
Once you have completed the details of the question you may click “Add” at the top right to save it to the system.
You may also create sub-questions or sub-templates. In each answer section there is a dropdown for each feature. Select the sub-template or question from the appropriate dropdown and that question or template will be presented when that answer is given.
Step 3: Creating your Questionnaire Template
By this point you should have your framework defined, controls created, some assessment contacts added, and some questions made. Now we can combine those questions into a reusable template. This step is rather short. We will start by clicking the “Questionnaire Template” menu on the left in the Assessments module.
Next we click the “Add” button at the top right. On this page use the searchable dropdown to select all of the questions you wish to ask, drag and drop them into the order of your choice, and finally give your template a name that’s easy to remember. Please note that you do not need to list any questions that will appear as sub-questions; only the question that triggers them is required. Once you have completed your template click “Add” at the top right. Below is an example.
Step 5: Creating, Sending, and Receiving the Questionnaire Audit
We have almost reached the finish line at this point, and all we have left to do is combine our template with a contact, or multiple contacts and multiple templates, into a single questionnaire. Your questionnaire can be reused and you may even elect to pre-populate it with the answers from the last time it was taken.
Head to the “Questionnaires” menu on the left. Here click “Add” at the top right and you will be brought to a fairly straightforward page where we can name our questionnaire, give any specific instructions for this questionnaire, and finally determine who will receive what template. You may elect to send a single template to multiple people or, if the need arises, send multiple versions of the same template to different people, or even to the same person, all within a single questionnaire.
Once you have completed the form don’t forget to click “Add” again at the top right. Our example for this exercise is pictured below.
Now we click back into the previous “Questionnaires” menu and we will see our questionnaire ready to be sent. Note that once a questionnaire has been sent, you may duplicate it or view its details, but you cannot change what template it sends or who receives it, as this would skew the data that is gathered and could cause confusion when viewing results. So be sure to check the questionnaire is exactly as you want it to be before sending it for the first time.
A screenshot from our example is posted below and all that is left for this section of the step is to click “Send”. This is also where you will be presented with an opportunity to pre-populate any answers that were given on a previous run of the questionnaire. In our example this has not been done so we will simply answer “No”.
Assuming you have configured your environment and SimpleRisk to be able to send e-mails, your recipient should have received an e-mail like this.
Click the link now to begin the audit assessment. Below is a screenshot of the assessment filled out and ready to complete.
Step 6: Reviewing the audits
So, at this point we should have some questionnaire results to review. In the Assessments module we will now go into the “Questionnaire Results” page to dive into the information gathered.
On this page you will see a list at the bottom of all the questionnaire results that have been gathered and across the top you will see several filters for narrowing down the questionnaires shown. An example of this page can be found below.
Simply click the name of the questionnaire whose results you wish to review. In this case, since we attached these questions to controls, we will want to click “Control Audit” at the top right to see the results. A screenshot of the results is posted below.
These steps have outlined the use of the SimpleRisk Assessment Extra for control audits. We created a framework, gave it some controls, created a contact, added some questions, made a template, sent the template as a questionnaire, and finally reviewed the results. If you have found any instructions to be incorrect or lacking detail please contact us at firstname.lastname@example.org