Is there a good way to relate a single audit to many controls?
Currently, each audit can only be linked to one control, in a one-to-one relationship. Is it possible to have it where you relate multiple controls to a single audit, where there is only one audit that is linked to multiple controls? Or, a “bulk audit” function where you could take a single audit and have the same audit methodology, results, and all the other fields from the audit form copied to many controls? This would end up with individual audits for each control, but you only have to enter it one time.
I can see several cases where this would be beneficial:
- An internal audit: As it currently stands, I don’t see a way to record that an internal audit occurred and validates many controls with a Pass/Fail. Even in the latter option where the same results are copied to many controls in a “bulk” audit scenario, you could bulk audit all the successful controls then do individual audits for the ones with non-conformities.
- “Detailed” controls: Some compliance standards are inherently suited to “detailed” controls instead of “broad” controls. In this case, if a company is addressing five different password-related controls with five different controls, you would have to audit each individually and upload evidence five times, versus being able to apply a one-to-many, and eliminate the duplicate work.
- Similar controls that are audited at different frequencies: For instance, if I have a backup verification procedure to check local backups monthly and redundant backups quarterly, on the month I’m doing a local and redundant check, I have to create two separate audits, even though they are performed at the same time and have the same evidence attached, instead of being able to apply one audit to both controls.
I would love to hear if this is feasible because, as an organization with existing ISO and NIST programs we’re trying to integrate into eramba, this is taking up a lot of our time.