First, go to the Partition (Entity) on which you want to perform the global assessment (audit).
Go to “Projects” and “Assessment Projects” in the main menu to the left of the front page. Then click on Start Projects in the upper right corner.
Then choose between Existing project and Create new project. Choose Existing project if you want to copy earlier projects or projects that are actively running on this partition (customer). Choose Create new project if you want to create a new assessment based on your available templates.
Create new project
Fill out the basic info of the project
You can insert your own Project description, e.g. “This assessment template is used for all medium size clients (xxx-xx amount of employees) that want an ISAE3000 audit”, or you could choose to state a more external text such as:
“This revised assurance standard deals with assurance engagements other than audits or reviews of historical financial information. In revising ISAE 3000, the ……”
Choose between Continuous and One-time projects
Choose Continuous if you want the project to run each year or at other intervals.
Choose between contextual, Global or Business impact.
Choose contextual if you want to perform the assessment in context of specific assets (processes, activities, systems, contracts).
Choose Global if you want the assessment to be performed without context to any specific assets. (This would be ideal for an IT audit assessment.)
Choose Business impact if you want to perform the assessment in context of a Process and incorporate an impact dropdown in the assessment tasks (Very high, High, Low, Very Low) as well as an RTO and RPO assessment.
Choose the person that you want to be responsible for the overall project.
If relevant, you can add tags to the project, that you can use to filter and search through many projects. E.g. “SME” “High Priority” etc. It is not mandatory to use tags here.
Now that you have created the basic information of the (mother) project, you can go to the “Scope” tab and fill in who is responsible for the tasks.
The default task assignees are the ones that are supposed to perform the assessment (audit) task. This may be the auditor.
The default documentation collection task assignees are the ones who are supposed to perform the documentation tasks. This may be the end-client or the organisation representative who has knowledge about the defined policies and procedures. There can be a documentation task for each audit question.
The measure task assignees are the ones who are supposed to answer questions about Descriptions of General IT controls / Security measures.
Here, you can schedule the intervals at which you want the future projects to run. Note that if you set the start date some time in the future, the (child) project will only then appear in the section “Projects” below. It is, however, possible to start the project early manually by clicking the “Run project manually” button.
Here you will also see historic and future child projects as their start date arrives. The first project would in this example be “ISAE 3000 (1)” – The next one that starts one year from now, will be “ISAE 3000 (2)” etc.
Open the new (child) project.
Click on the title of the child project to edit details about this project (in the example above it would be “ISAE 3000 (1)”).
Go to the tab “Measures” to edit the security measure assignee or to add security measure descriptions from the settings (those that have Assessment Scope in their Category).
Click on the “+Add section” button in the upper right corner. See an example below. You can do this if you want to show the security measure task receiver (end client) an example. They can then delete the example and create measures that correspond to their own organisation.
If the client does not need or want examples, this step can be skipped entirely.
Go to the “Task” tab to view the total list of assessment tasks.
Here you can see the status of both the task (audit task) and the documentation task individually.
As an auditor you can open up each task by clicking on the pencil button and perform the audit task.
You can reach the documentation task through the audit task as well.
Note that on this page you can also re-assign tasks to alternative auditors or end-client representatives (to the right of the pencil button).
If you click on the trash-can button, you will only remove the task from this project, not from the assessment template. If you accidentally deleted a task and want to add it again, do this by clicking on the “+Add tasks from template” button. This is also useful if the template has been updated since the project was created.
Attachments to ZIP
You can download all documents uploaded by measure, documentation and audit task assignees by clicking the “Download attachments to ZIP” button in the upper right corner.
Go to the “Observations” tab, if you want to create any specific observations and relate them to specific tasks.
These can be used in the reporting – e.g. with a specific chapter for high impact observations or such.