Well, that certainly changes the response when you have regulators involved (as overcaffeinated is their baseline, and I agree, don’t poke the bear on informing them of such).
I think the difficult thing here is when you’re working within the structure of the “problems vs solutions principle” within eramba, the audits are a component of the solutions (controls) which get abstracted from the problems (the requirement to have an audit on some schedule - Compliance).
When you say “ISO Control” - I assume you mean “ISO Requirement” as they are not your controls (solutions) - ISO is a problem that your controls solve. The other differentiation is that for controls - I agree, those should be owned by the departments along with the maintenances, but the audit portion of controls is what GRC/Internal Audit should own.
The other thing that gets tricky with the “3 year plan” is if your plan is to actually rotate across all controls (instead of doing the same set of audits every 3 years): the audit scheduling configuration isn’t going to be helpful, as it assumes that if you’re auditing, it’s minimally an annual thing. There’s also not a direct relationship from the Compliance Analysis page to audits performed - you can call back controls, and you can call back controls with issues, to that page.
However, if you head over to the Internal Controls page, you should be able to build a filter that pulls in a compliance framework, the mapping to controls, and then things like the next audit date for the controls on a single page. This accounts for the probability that you’ll have multiple controls for some requirements and the next audit date for those controls may be at different times. There’s also a built in system status that is “Control without Audit Plan” that will call out any that are missing.
Now, to solve the 3 year frequency, part of your audit process will be to create the audit item for the next time it is scheduled manually, as opposed to letting the system schedule it. If you complete Audit A now, and the next one is in 3 years, then create the item with that future planned start date. Once all of those are entered you can report on all planned future audits from either the Controls or Audits page, and they should appear in the dashboard calendar widget.
I also think it would make sense to create an annual review/3 year plan reconciliation control where you go through and clean everything up above, then attach the outputs of the filters as evidence of the maintenance which would be what you demonstrate to the regulators as opposed to trying to show them on the live system.
The above takes into account how eramba handles the concept of audits - as of right now, there’s not really a thing to do an “audit” of a “problem” (i.e. all ISO requirements). The closest you might get there is via the online assessment module, where you can create an assessment that comprises the ISO requirements and work through it that way; however, there’s no linkage back to the Compliance or Controls modules. This may be the more efficient way to “audit to the problem” though.
Afterthought - you can add some custom fields to the Compliance Analysis module and use those to document the audit strategy for each control and report on that to replace Excel (and perhaps have a maintenance to review/update that, tied in with the annual suggestion above).
Hopefully this is helpful - at this point it’s starting to sound like incoherent rambling on my part!
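The manual 3-year reconciliation the post describes (future audit items created by hand, plus a check for anything that is missing), written out as an added example; this is not eramba code and not part of the thread, and the control names, dates, the reporting date and the status labels are all constructed for illustration:

```python
from datetime import date

# Constructed sample data (not exported from eramba): each control maps to a
# list of audits as (planned_start, completed) tuples.
CONTROLS = {
    "CTL-01 Access review": [(date(2023, 5, 1), True)],
    "CTL-02 Backup restore test": [(date(2021, 9, 15), True), (date(2024, 9, 15), False)],
    "CTL-03 Vendor assessment": [],
    "CTL-04 Firewall rule review": [(date(2020, 1, 10), True)],
    "CTL-05 DR plan exercise": [(date(2024, 2, 29), True)],
}

AUDIT_INTERVAL_YEARS = 3      # the "3 year plan" discussed above
TODAY = date(2024, 6, 1)      # constructed reporting date


def add_years(d, years):
    """Shift a date by whole years, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def reconcile(controls, today=TODAY):
    """Return {control: (status, date_or_None)}.

    "planned"       a future audit item already exists (date = its planned start)
    "create"        last audit done, nothing scheduled; date = suggested start
    "overdue"       suggested start is already in the past
    "no_audit_plan" never audited, nothing planned (cf. "Control without Audit Plan")
    """
    report = {}
    for name, audits in controls.items():
        pending = sorted(d for d, done in audits if not done and d >= today)
        completed = sorted(d for d, done in audits if done)
        if pending:
            report[name] = ("planned", pending[0])
        elif completed:
            suggested = add_years(completed[-1], AUDIT_INTERVAL_YEARS)
            report[name] = ("create" if suggested >= today else "overdue", suggested)
        else:
            report[name] = ("no_audit_plan", None)
    return report


if __name__ == "__main__":
    for control, (status, when) in reconcile(CONTROLS).items():
        print(f"{control:30} {status:14} {when or ''}")
```

The printed table is the kind of output that can be attached as maintenance evidence for the annual reconciliation control suggested above.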