Feature - Bulk Auditing

Is there a good way to relate a single audit to many controls?

Currently, each audit can only be linked to one control, in a one-to-one relationship. Is it possible to have it where you relate multiple controls to a single audit, where there is only one audit that is linked to multiple controls? Or a “bulk audit” function where you could take a single audit and have the same audit methodology, results, and all the other fields from the audit form copied to many controls? This would end up with individual audits for each control, but you only have to enter it one time.

I can see several cases where this would be beneficial:

  • An internal audit: As it currently stands, I don’t see a way to record that an internal audit occurred and validates many controls with a Pass/Fail. Even in the latter option where the same results are copied to many controls in a “bulk” audit scenario, you could bulk audit all the successful controls then do individual audits for the ones with non-conformities.
  • “Detailed” controls: Some compliance standards are inherently suited to “detailed” controls instead of “broad” controls. In this case, if a company is addressing five different password-related controls with five different controls, you would have to audit each individually and upload evidence five times, versus being able to apply a one-to-many, and eliminate the duplicate work.
  • Similar controls that are audited at different frequencies: For instance, if I have a backup verification procedure to check local backups monthly and redundant backups quarterly, on the month I’m doing a local and redundant check, I have to create two separate audits, even though they are performed at the same time and have the same evidence attached, instead of being able to apply one audit to both controls.

I would love to hear if this is feasible because, as an organization with existing ISO and NIST programs we’re trying to integrate into eramba, this is taking up a lot of our time.

Thanks.

2 Likes

There is no such feature in eramba, but you already know that, I guess! I tried going through your points, but honestly we don’t see much of the point. For the time being we’ll leave this as it is.

Regards

A better feature would be the ability to have one control linked to multiple audit groups so that a particular control could cover the same audit but that one instance would have multiple copies all serviced by different service owners. Each service owner might perform a routine collection of evidence, but allowing only one audit on a control limits who can contribute to that.

I’ll clarify w/ Esteban next week.

3 Likes

I agree with mtaylor - it seems we could link audit results the way you link a risk to control(s)? But I have an alternate idea that would still save significant time for the user and eramba developer. Instead of adding more features to eramba for linking, we add a new Bulk Audit Import feature. This import feature would allow import of the audit(s) via CSV import from a spreadsheet template. The template would allow the user to bulk import audit records and link to control, etc. So even if we had to copy and paste multiple audit result rows into a spreadsheet and edit each control, that’s far faster than manually performing all the audit work inside the eramba GUI…

Ah - I just saw this, jnitterauer. This would be nice as well. But I still suspect a CSV/XLS import would help…

That is doable: https://github.com/eramba/eramba_v2/issues/2562

1 Like