When users complete Account Reviews they mark things Not OK and I’m Not Sure. In the past, I worked to resolve the issues, then changed them to OK and Tagged them as Resolved. Now I’m starting to use the Findings feature to track and resolve issues.
What is the benefit or issue of leaving things marked Not OK and I’m Not Sure? It seems I should leave the review feedback as it was submitted unless it’s determined to be an issue, or perhaps an I’m Not Sure is answered and everything is now OK to change that to OK.
Is there some guidance on the benefits or issues around leaving all these Not OKs or removing them as they are resolved?
Putting on my auditor hat, it could be seen two different ways.
One of the auditor questions will be whether items identified by the access review were appropriately investigated and resolved. Leaving something as Not OK but linked to a resolved finding can demonstrate that action was taken. However, it also leaves you the risk of missing the linkage of an object and ending up with an audit finding.
Some auditors will eat their hat if they get documentation of a user access review and it has “Not OK” all over it because they don’t always think there’s method to the madness. They’re less likely to pry into something that shows everything is awesome (though, some auditors will pry into an everything is awesome report as they may think that it was just rubber stamped).
That being said, I would think it’s fine to go either route, just make sure you’re consistent…
Thanks for the perspectives. As I get more sophisticated in eramba and begin to use Findings, it actually gives me a direct link to the items, and a way to track them within the system, rather than via emails outside. To your “be consistent” point, I’m in transition, which raised the question of how others are managing things like this.
Having Not OKs could be a way for me to demonstrate to management that the control I’m reviewing may not be effective enough as designed… even though we are resolving the issues when found.