Report tags

Tag | Type | Description
${partition.name} | Single line text string | Name of the client/partition.
${partition.company_number} | Single line text string | Company Registration Number of the client/partition.
${partition.reference_number} | Single line text string | Reference number assigned to the client/partition.
${project.name} | Single line text string | Name of the project.
${project.description} | Multi line text string | Description of the project found under the Basic info tab.
${project.start_date} | Single line text string | Start date of the project period.
${project.end_date} | Single line text string | End date of the project period.
${project.schedule_message} | Multi line text string | Scope description of the project.
${project.interviewers} | Table | A table of all project responsibles including name, email address and phone number.
${project.contacts} | Table | A table of all project contact persons including name, email address and phone number.
${project.conclusion} | Multi line text string | Management summary of the project found under the Reporting tab.
${project.tasks} | Table | A table containing all control tasks in the project with the following content: Control objective name and description, Control reference, Control description, Performed tests and Conclusion.
${project.tasks.text} | Multi line text string | All control tasks in the project with the following content: Control objective name and description, Control reference, Control description, Performed tests and Conclusion.
${project.tasks_paper} | Table | A table containing all control tasks in the project with the following content: Control reference, Control description, Control notes, list of attached documents and Conclusion.
${observation.all} | Multi line text string | All observations with names and descriptions, ordered by impact.
${observation.very_high} | Multi line text string | Names and descriptions of all observations with very high impact.
${observation.high} | Multi line text string | Names and descriptions of all observations with high impact.
${observation.low} | Multi line text string | Names and descriptions of all observations with low impact.
${observation.very_low} | Multi line text string | Names and descriptions of all observations with very low impact.
${measures.all} | Multi line text string | All measures (name and description) grouped under Sections (name and description) that have been added to the project under the System description tab.
${measures.all.table} | Table | The same content as ${measures.all}, rendered as a table.

Reporting on global audit assessment

When you are ready to generate a report based on a performed global assessment, go to the “Reporting” tab of the specific project.

When you are ready to print the report, click the green “Generate new report” button on the right side of the page. After a few seconds a document will appear, which you can download to your own device.

You can edit the document locally and upload it again here to be stored in the project.

If you want to create or change the current report template, you can follow our guide here.

Security Measure Description task

The purpose of this task is for you to provide the description of the Security measures (or IT general controls) of your organisation. It is important that we base this assessment on your own descriptions. The example below shows relevant Sections and their underlying paragraphs. This task may contain Sections with example content for you to edit, or to delete and replace with your own; or you may start from a clean, empty sheet.

Categories/Sections

You may use the Section as the main headline (e.g. Access control) and its underlying Category description as the main paragraph (e.g. “The way the granting of access is handled is described in a policy document. The policy is part of our IT security policy.”).

You can use any existing Category options or create new ones by clicking on the “+”-button to the right of the dropdown menu.

Measures/Sub-Headlines

When the Section/Category is created, you can add underlying Security measures (which will function as sub-paragraphs) by clicking the “+Add measures” button on the specific Section/Category.

When you add a Measure, the Measure name functions as the sub-headline, e.g. “Periodical re-certification of access rights”, and the Measure description functions as the sub-paragraph, e.g. “Periodically, i.e. once a year, we review the internal systems of the company including user profiles and access levels to ensure that the procedure related to the termination of employment is followed and that the customers’ data cannot be accessed by former employees of XX A/S.”

See the example below.

It is important that we receive your descriptions in this form, since we can then store them easily and re-use them for next year’s review/assessment. They can also be used for your own IT control management if you gain access to the Complyon GRC platform yourself. This way we provide synergies between your IT audit and your ongoing IT security management system.

Click “Complete” when you’re done.

Create a new audit project

First, go to the Partition (Entity) that you want to perform the global assessment (audit) on.

Go to “Projects” and “Assessment Projects” in the main menu to the left of the front page. Then click on “Start Projects” in the upper right corner.

Then choose between Existing project or Create new project. Choose Existing project if you want to copy earlier projects or projects that are actively running on this partition (customer). Choose Create new project if you want to create a new assessment based on your available templates.

Create new project

Fill out the basic info of the project

You can insert your own Project description, e.g. “This assessment template is used for all medium size clients (xxx-xx employees) that want an ISAE 3000 audit”, or you could choose to state a more external text such as:

“This revised assurance standard deals with assurance engagements other than audits or reviews of historical financial information. In revising ISAE 3000, the ……”

Choose between Continuous and One-time projects

Choose Continuous if you want the project to run each year or at other intervals.

Type

Choose between Contextual, Global or Business impact.

Choose contextual if you want to perform the assessment in context of specific assets (processes, activities, systems, contracts).

Choose Global if you want the assessment to be performed without context to any specific assets (this is ideal for an IT audit assessment).

Choose Business impact if you want to perform the assessment in context of a Process and incorporate an impact dropdown in the assessment tasks (Very high, High, Low, Very Low) as well as an RTO and RPO assessment.

Project Responsible

Choose the person that you want to be responsible for the overall project.

Tags

If relevant, you can add tags to the project, that you can use to filter and search through many projects. E.g. “SME” “High Priority” etc. It is not mandatory to use tags here.

Scope

Now that you created the basic information of the (mother)project, you can go to the “Scope” tab and fill out the task responsibles.

The default task assignees are the ones who are supposed to perform the assessment (audit) tasks. This may be the auditor.

The default documentation collection task assignees are the ones who are supposed to perform the documentation tasks. This may be the end-client or the organisation representative who has knowledge about the defined policies and procedures. There can be a documentation task for each audit question.

The measure task assignees are the ones who are supposed to answer questions about descriptions of general IT controls/Security measures.

Schedule

Here, you can schedule the intervals that you want the future projects to run by. Note that if you set the start date some time in the future, the (child)project will only then appear in the section “Projects” below. It is however possible to start the project early manually, by clicking the “Run project manually” button.

Here you will also see historic and future child projects as their start date arrives. The first project would in this example be “ISAE 3000 (1)” – The next one that starts one year from now, will be “ISAE 3000 (2)” etc.

Open the new (child) project.

Click on the title of the child project to edit details about this project (in the example above it would be “ISAE 3000 (1)”).

Measures

Go to the tab “Measures” to edit the security measure assignee or to add security measure descriptions from the settings (those that have Assessment scope in their Category).

Click on the “+Add section” button in the upper right corner. See an example below. You can do this if you want to show the security measure task receiver (end client) an example. They can then delete the example and create measures that correspond to their own organisation.

If the client does not need or want examples, this step can be skipped entirely.

Tasks

Go to the “Task” tab to view the total list of assessment tasks.

Here you can see the status of both the audit task and the documentation task individually.

As an auditor you can open up each task by clicking on the pencil button and perform the audit task.

You can reach the documentation task through the audit task as well.

Note that on this page you can also re-assign tasks to alternative auditors or end-client representatives (to the right of the pencil button).

If you click on the trash-can button you will only remove the task from this project, not from the assessment template. If you accidentally deleted a task and want to add it again, click on the “+Add tasks from template” button. This is also useful if the template has been updated since the project was created.

Attachments to ZIP

You can download all documents uploaded by measure, documentation and audit task assignees by clicking the “Download attachments to ZIP” button in the upper right corner.

Observations

Go to the “Observations” tab, if you want to create any specific observations and relate them to specific tasks.

These can be used in the reporting – e.g. with a specific chapter for high impact observations or such.

Reporting

Create or edit description of Security measures

First, go to a partition where you want to store a standard list of security measures (the System description section in the audit report). If you do not already have a partition dedicated to security measure templates, it is recommended that you create a new partition for this purpose.

What is Description of Security measures/ IT controls?

The description of security measures is the Client’s own formal description of the Security measures (or general IT controls) defined in the organisation to ensure adequate control of the IT systems supporting the business.

In the final audit report, you may have a dedicated section for System description, that sets the scope for the IT audit and becomes the basis for what is tested and assessed during the audit.

What is the purpose of creating standard security measures in a dummy partition?

In the long term it is effective for the customer to have their general description of security measures documented in their own partition, since this information can be re-used in future assessments, where they can review the existing content. The client also has the opportunity to bring each security measure into the context of specific activities, systems or contracts if they choose to purchase their own licence to the platform and maintain their processing activities, systems and contracts in the Complyon platform. They can then re-use the security measures used in the IT audit when they assess risks and implement actual controls through the Complyon platform.

For the auditor, it can be effective to maintain a master list of security measure descriptions on one partition and copy these to the relevant customers/partitions. This gives the auditor an opportunity to send out the standard descriptions in the documentation collection task, so that less mature customers who wish for examples can read through the descriptions and edit them into their own words. If the customer is not interested in any description examples, this step can be skipped entirely.

Create standard descriptions of security measures

Go to the Measure section under Settings, or use the shortcut here.

Click on the green “Create new measure” button in the upper right corner.

Write the name of the Security measure in the name field, and choose a relevant Category, or create a new Category by clicking on the “+”-button.

When you create a security measure category for the purpose of including it in the audit assessment, it is important to choose the scope “Assessment”. The Category and the underlying security measures will then be available in assessment projects. It is also possible to include other scopes such as Activity, System and Contracts; this makes the measures available on specific assets (e.g. a system). Note that creating a Category named Introduction could be relevant for use in Assessments for reporting purposes. It is not mandatory to create any underlying Security measures for a Category.

Note that in the end report, the Category will appear as a headline and the underlying description of the Category as the main paragraph. The Security measure will appear as a sub-headline and the description of the Security measure as the sub-paragraph.

Example:

Introduction (Category)

The objective of this description is to provide information to XXX A/S customers and their auditors concerning the requirements laid down in the international auditing standard for assurance reports on the controls at a service organization (Category description)

Access management (Category)

The way the granting of access is handled is described in a policy document. The policy is part of our IT security policy. (Category description)

  • Periodical re-certification of access rights (Security measure)
    • Periodically, i.e. once a year, we review the internal systems of the company including user profiles and access levels to ensure that the procedure related to the termination of employment is followed and that the customers’ data cannot be accessed by former employees of XX A/S. (Security Measure Description)
  • Role based access to customer data (Security measure)
    • Access to customer data is managed through user profiles. Our customers may create and revoke access to user profiles as they see fit, including to XX’s staff members and other external parties. XX retains a super user that may be used to provide professional service e.g. creating new clients, adding new modules to an existing client, extracting data based on customer requests, counting licenses, etc. (Security Measure Description)

etc…

When your standard Security Measure description is done, you can start copying them to other partitions. See here how to.

You can see how the Security measures can be included in a global assessment project here, or how it looks from the security measure task receiver’s perspective here.

Global Assessments (Audit)

What is a global assessment project?

A global assessment is one of three assessment types that you can currently run through the Assessment module in the Complyon Platform. In contrast to the Contextual and Business impact assessments, the Global assessment can be performed without context to specific assets. This type of assessment is ideal for IT audits or data protection gap analyses, since these can be performed at a high level and can include:

As an external auditor or advisor, you can follow the below guide if you need help to navigate through the systems in the different steps.

One-time configuration steps:

Main operational steps after configurations

Create new assessment report template

On a Global assessment template you can upload a report template that will be used when you generate the final assessment report. This must be a Microsoft Word file (.docx) in which you define headlines, standard text, company-specific colours, logos and images that you always want included in the report. Anywhere in the report you can put pre-defined tags representing specific fields on the Complyon platform, thereby extracting Partition/Client information and other information from the project or assessment, such as the assessment description, assessment task input etc.

How do I create a tag in the report?

Before uploading your Word template, you can add tags throughout the document at the locations where you wish the content to be populated into the report. A tag is indicated by a dollar sign $ followed by a field name enclosed in curly braces {}. Example of a tag:

${name.of.the.field}

Example:

Typing this in the report template:

This ${project.name} report is for ${partition.name}. ${project.description}.

Results in this in the generated report:

“This ISAE 3000 report is for Acme Inc. This revised assurance standard deals with assurance engagements other than audits or reviews of historical financial information. In revising ISAE 3000, the ….”

When you are happy with your standard report, you can save it and upload it under the Basic info tab of the assessment template.

If you do not upload any template, the report will be generated with Complyon’s standard global auditor report. You can use this standard report or use it as a basis for your own.

Available tags

Tags that can be added throughout the Microsoft Word template (.docx):

  • ${partition.name}
  • ${project.name}
  • ${project.description}
  • ${project.conclusion}
  • ${measures.all}
  • ${observations.all}
  • ${project.tasks}

What are measures?

Here you can add, edit and delete measures as well as add measures in bulk on activities, systems or contracts.

Measures can be added in four places in the system:

  • Activities: Organizational security measures
  • Systems: Technical security measures
  • Contracts: Contract measures
  • Assessments: Global assessment projects (Measures can be defined/identified as part of an external IT audit project and thus function without context to Activities, Systems or Contracts. Measures created/identified as part of an IT audit can afterwards be linked to specific Activities, Systems and Contracts.)

Measures can be any information you would like to add. Organisational measures, for example, are included in the Art. 30 (ROPA) report and could include e-learning for employees, business continuity plans or relevant policies and procedures, whereas technical measures can be encryption, two-factor authentication or physical security measures, and contract measures can be a date for auto-renewal, the monetary value of a contract or whether the contract is subject to specific terms.

Create a new measure

If you are an administrator you can create new measures. To create a new measure, go to settings > Measures > ‘+Create new measure’ in the top right corner. Insert the following information:

Name: Write a name suitable for the measure, e.g., E-learning for employees

Category: Select a category in the drop-down menu. The category determines which type of security measure you are creating by leaning on a specific scope (activity, system and/or contract).

If no category suits the measure you are creating, you can create a new category by clicking on ‘+’ next to the category field, write a name, choose a scope and click on ‘Save’. You are able to choose multiple scopes. If you create a measure with a category that is e.g. scoped to systems and contracts, the measure will only be available in the drop-down menus on systems for technical security measures and on contracts for contract measures.

If you choose the scope “Assessment”, you will be able to perform Assessment projects in the context of the measure. This is useful if you want to set up a continuous update process for your security measures. It can also be effective if your external IT auditor uses the Complyon platform to perform an audit in your organisation (this can save time for both you and the auditor).

Description: Write a description that explains the details of the measure.

Value: Select whether the measure should have a value. If you choose ‘None’ the measure will simply be added information on your activity, system or contract. If you choose ‘Date’ the measure will show a date-picker when added to activities, systems or contracts. If you select ‘Number’ you must select a currency, and users will be prompted to enter a number when adding the measure to an activity, system or contract. If you select drop-down you can either choose a yes/no drop-down or create your own drop-down menu by choosing ‘Select’ and ‘Add select options’. Custom drop-down menus can e.g. be used to create measures such as: Organisational security measure – Privacy policy – What is the implementation status of the privacy policy on the activity? Drop-down select: fully implemented, partially implemented, not implemented.

Once the measure has been created it will be added to your list of measures. The list can be filtered by navigating in the Measure Category list on the left side or they can be searched for in the search bar in the top right corner.

Edit or add a measure to activities, systems and/or contracts

You can edit or insert a measure on several activities, systems and/or contracts at the same time from settings. To do this, find the measure you want to edit or add by either navigating through the measure categories in the list on the left side or by using the search bar.

When you have found the correct measure, click on the ‘edit’ icon (pencil) on the right if you want to edit the name, category or description of the measure.

Click on the name of the measure if you want to upload a document that relates to the measure, insert a link on the measure or bulk-upload the measure to activities, systems and/or contracts (depending on the scope of the measure category). You can navigate to the scopes by clicking on the tabs beside ‘Basic info’ and clicking on the ‘+Add Activity/system/contract’ button in the top right corner. Choose the relevant activities, systems and/or contracts and click on ‘Add’. The measure will now automatically appear on the chosen activities, systems and/or contracts. If the measure requires a value to be set, the measure will be coloured red in that context until a user has clicked on the ‘Edit’ button and selected a value.

Delete a measure

Find the measure you want to delete either by navigating to it from the measure category list to the left or by using the search bar. Once you have found the measure click on the trashcan icon to the right and then on ‘Confirm’.

Create a new global assessment template (for auditors)

Here you create a new assessment template that you can use to run multiple projects on multiple partitions/clients. The template only needs to be created once.

Create new template

Click on “+Create assessment template” in the upper right corner if you want to create a new one. (You can also edit existing ones by clicking on the pencil button for each existing template.)

Write the name of the Assessment template in the “Name” field, and describe the purpose of the assessment template or which types of clients you want to use it for (this field is for internal use).

Choose the Global Assessment type if you want to create an audit assessment (or another assessment that does not need to be in context of a specific System, Process, Activity or Contract).

Press “Save”.

Edit existing template

To start creating tasks in the template, find the new template on the front page of assessment templates and click on the template name to open and edit the template.

Description

When you edit your template, the first sheet you are met with is Basic info, where you can insert your own description of the assessment template, e.g. “This assessment template is used for all medium size clients (xxx-xx employees) that want an ISAE 3000 audit”, or you could choose to state a more external text such as:

“This revised assurance standard deals with assurance engagements other than audits or reviews of historical financial information. In revising ISAE 3000, the ……”

Include measure mapping (system description examples)

Here, you can choose whether you want this template to include measure mapping or not. If you choose “Yes” to this question, the template will include specific tasks regarding the system description chapter. This allows you to send out an example of a system description (descriptions of security measures in the organisation), which the client can see as an example, edit into their own words or replace with their own formal descriptions altogether, and send in as a task to the assessment responsibles. Later on the auditor can extract the client’s answers regarding this directly into the end report.

Upload Report Template

Assessment tasks

On the Questionnaire sheet you can create your assessment tasks for the template.

How to create new assessment tasks

Click on the green “+create new assessment task” button in the upper right corner to create a new task in the template.

In the first overlay, fill out the basic info of the first task.

First, write the title of the task, which is what is also presented to the client.

Next, you can type in a reference such as a unique number for this task, which you can also reference in the end report. This field is not mandatory.

Then, choose a category for the specific task. The purpose of dividing tasks into categories is to make a long list of tasks easier to read, but also to give you more reporting options.

Create new Categories

You can create new task categories by clicking on the “+” button to the right of the drop-down box. Write a Name and Description. The description field is not mandatory, but may be useful to extract into the report later on if you think this is relevant.

Framework controls

In the next step of the creation of the assessment task, you have the option to relate the task to one or more framework controls. This requires that you have uploaded or created any Frameworks in Settings here.

The purpose of relating an assessment task to framework controls is that you can report on the status of implementation of one or many frameworks at the same time.

Documentation collection task

Next, choose if you want to include “documentation collection” in this assessment task. Documentation collection in this context means that you add a “first step”, which is a specific task directed to the end-client, where they are asked to describe a specific control (e.g. Ensure instruction data processor) and where the end-client can upload the formally described policy or procedure they have in place for this control.

If you answer “No” to Documentation task and click “Next”, you will only create an Auditor assessment task to be performed by the auditor.

If you answer “Yes” to Documentation task, the overlay will expand, for you to design the documentation task in question. See the example below.

The documentation collection task description is what is presented to the client.

You can choose to upload a document, that will be included in the documentation task. This could be an example of a procedure or a guideline you want to include. It is not mandatory to include a document in the task.

In the Allow comments dropdown box, you must choose if it should be optional or mandatory for the client to fill out the control description field.

See the user guide for Documentation collection task for an example of how this task looks from the receiver’s (end-client’s) perspective.

Assessment task

In this step of the assessment task creation, you can define the audit task directed to the auditor (or the one performing this assessment).

In the Task Description field, you may write the question that this task should be based on. See an example below on the area of Data Processor controls.

You can upload a document that the auditor should receive. This could be a guideline of how to test, interview or assess this audit control. It is not mandatory to upload any documents here.

Allow Response, refers to …….

Allow Notes, refers to a field in the audit task with the purpose for internal notes, that are not meant to be extracted to the end-report.

Allow control description, refers to the field where the end-client’s own description of the control is written (or copied from the documentation collection task.)

Allow performed test: Choose optional or mandatory if you want to include a field to document any tests related to this audit task. Choose No if you want to exclude this field entirely.

Allow conclusion Choose optional or mandatory if you want to include a field to document conclusions related to this audit task. Choose No if you want to exclude this field entirely.

Allow attachments: Choose optional or mandatory if you want the auditor to be able to attach documentation related to this audit task. Choose No if you want to exclude this option entirely.

See the user guide for Perform Assessment task for an example of how this task looks from the performing auditor’s perspective.

Complete the assessment Task

Finish the task by clicking save, and your task will appear on the questionnaire sheet of your assessment template.

Note that you can change the order of the tasks by using the drag and drop functionality.

Create new partition (client)

Here you can create a new partition (Client), if you need to start an audit assessment for a client, that does not already have a partition in the Complyon platform. (You can search for the client in the partition search field in the upper left corner)

  • First make sure you are located on your master client (in the example below the master client is “Auditor hosting”, as opposed to the partition to the right).

Next go to Partitions under settings (Or use the shortcut here)

Click on create new partition in the upper right corner.

Fill out the master data for your new partition (client). Company number is the CVR number.

Add the users to the partition (both internal task receivers and project owners, and task receivers from the client’s side).

Click and search on the select users to add and choose the relevant user. If the user (both internal or external) is not yet created in the Complyon system you can do this here by following this guide

Click the green “+Add” button to add specific internal and external users, so that they can be appointed to tasks etc. in this partition.

Choose the relevant user role

Select Partition Admin for internal auditors or consultants who need to perform the assessment, and select the “Member” role for the client who needs to receive documentation tasks and answer questions during the assessment. You can read more about the different roles here.