Scenario:
Acme uses a Pentesting Solution that is operated by five different teams. Each team runs the same type of scan, follows the same remediation process, and adheres to the same scanning standards (i.e., tool configuration and procedures).
Question:
Do I need one Internal Control, or five—one for each team?
Answer:
Eramba defines Internal Controls as repeatable processes—structured steps that are executed consistently, regardless of who carries them out. A control can be executed by one or multiple teams in parallel. It can apply to a single system or thousands, as long as the process remains the same.
In this case, since all five teams are following the same process with identical settings and remediation steps, one Internal Control is sufficient. That control can be owned jointly by all five teams (e.g., assigned to five different groups in Eramba). When the control is tested, the evidence can include scan results from all five teams. If one team fails to follow the process, the control might fail the audit—because you’re evaluating the process, not the individual teams.
However, if your objective is to assess each team individually and hold them accountable for deviations, then you would define five separate controls—one for each team. Each control would be tested independently, and audit results would reflect the performance of each specific team without impacting the others.
There is no universally “correct” answer. GRC is a management discipline that must adapt to the structure, culture, and needs of your organization. The right choice depends on whether you prioritize process consistency or individual accountability.