¶ Introduction
A compliance framework includes conforming to requirements. In an organization it is achieved by taking into account applicable requirements (defined by laws, regulations, contracts, strategies and policies), assessing the state of compliance, costs and risks of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
Compliance data is defined as all data belonging or pertaining to enterprise or included in the law, which can be used for the purpose of implementing or validating compliance. It is the set of all data that is relevant to a governance officer.
The Compliance system contains the Compliance/accreditation requirements linked to the company policies, Standard Operating Procedures (SOPs) and appropriate checklists.
All the reporting is visible within the system and can be accessed as pre-defined reports which can be fed to the corporate level for monitoring and control of compliance.
The Dynamics 365 Compliance module provides the user with the ability to capture all the information required to manage the above. The flow is depicted below.
For a more formal approach the user can activate the “Internal audit focus” on the parameters form. Do this by adding a user group in the Internal audit field, Compliance bullet tab. This will then add a dedicated object – “Audit project”. See the Wiki page for Internal audits.
¶ Navigation
¶ Specific setups
¶ Step 1: Parameters
¶ Step 1.1: Quality tab
In order to create a Nonconformance, Quality management has to be enabled
Go to: GRC > Setup > Governance, Risk and Compliance parameters
- Open the Quality tab
- Under the Quality management field group, select Yes for using quality management
The Item number and Problem type fields have to be populated
Go to: GRC > Internal audit > Setup for internal audit > Problem types
- Select the relevant Problem type
- On the Action pane, click on the Non conformance type button
- Select the relevant Non conformance type
¶ Step 1.2: Compliance and audit tab
Users can select rules to be used when internal controls (such as ISO clauses) are audited and scored for effectiveness and conformance.
Go to: GRC > Setup > Governance, Risk and Compliance parameters
- Click on the Compliance and audit tab
In the example above, the Top threshold for yellow indicator is set on 6 and the Bottom threshold for yellow indicator is be set on 4 because the Expected score is 10.
To enable Internal audit functionality, users will have to be a member of the selected user group.
Under the Scoring mechanism Fast tab, you can do the following:
1. Use the simple Yes/No tick box for compliance scores
- If Yes is selected: On the Compliance scores form, the user can tick the box in the Compliance field if the selected clause is compliant.
2. Use Compliance dropdown
- If Yes is selected: On the Compliance scores form, the user has the option to manually change the scale of compliance by selecting a value from the dropdown list.
|
|
3. Choose to Use manual scores
- If Yes is selected: The Actual score field as well as the Actual % field will be visible on the Compliance scores form.
This is useful for RAG (Red, Amber, Green) type scoring.
¶ Step 1.3: Notifications tab
Users select email templates to use for sending email notifications.
From a compliance perspective, users will create and link an email template here for audit notifications, for example an engagement letter to be sent to a department to notify them of an upcoming audit.
¶ Step 1.3.1: Setup Email templates
Go to: Organisation administration > Setup > Organisation email templates
- In the Action pane, click on the New button
- Enter a unique Email ID
- Enter a brief Description of the email
- In the Sender email field, enter the email address of the sender
- Expand the General fast tab
- Select the Default language code from the dropdown list
- Select the relevant Priority from the dropdown list
- Under the Email message content fast tab, click on the New button
- Select the relevant Language from the dropdown list
- In the Subject field, enter the subject for the email that is to be sent
- If the email has a body, make sure to tick the Has body tick box
- Click Save
¶ Step 2: Setup Case categories
Remember to setup a Case category of type Audit to use when recording an audit issue.
Go to: GRC > Governance > Setup for governance > Case categories
- On the Action pane, click on the New button
- Enter the Case category and a brief Description
- Select the relevant Category type from the dropdown list
¶ Step 2.1: Setup Case category type security
By selecting roles for the Case category type security, only users with these roles assigned to them, will have the privilege to create a New contract request/Request for contract review.
Go to: Organisation administration > Setup > Cases > Case category type security
- Select the Case category from the dropdown list
- Select the required role/s from the Available roles list
- Click on the right pointing arrow button to move the selected role/s to the Selected roles list
¶ Step 3: Create Base data or Lookup data
Ensure Dynamics 365 GRC module Base data or Lookup data are created as follows:
Please note that Dynamics 365 includes a Content Wizard that creates relevant static data and information for the user. This includes, amongst others, a generic list of Hazards.
Alternatively, users can manually create the base data.
¶ Step 3.1: Setup Control effectiveness
Go to: GRC > Risk > Setup for risks > Control status and effectiveness
- Click on the Control effectiveness tab
- Click New
- In the Score field, select the risk score level from the dropdown list
- In the Description field, enter a user definable description for the control score level
- In the Guide field, enter detail for the description
- In the Range field, enter the upper value of the score range
¶ Step 3.2: Setup Risk configuration
Users can define risk categories. One of these, Inherent risk, is used in the Compliance function setup.
The inherent risk ratings that are defined on this form will be used in the Compliance function form when the risk % is entered per clause line.
Further down the line, users can use these to filter and audit high risk clauses or controls.
Go to: GRC > Risk > Setup for risks > Risk configuration
- Click on the Inherent risk tab
- Click New
- Select the Inherent risk from the dropdown list
- Enter a brief Description of the inherent risk
- Enter the range of the risk Rating
- Enter the Rating percentage
- Click Save
¶ Step 3.3: Setup Compliance group
Compliance groups, group individual Compliance functions together and carry rules for time-based audits, i.e. scheduling of future audits.
Go to: GRC > Compliance > Setup for compliance > Compliance group
- On the Action pane, click on the New button
- In the Group field, enter the Auditable entity group name
- In the Description field, enter a brief description of the Auditable entity group
- In the Period field, select the frequency value for scheduling purposes
- The Next scheduled start date, Last schedule run date and Last schedule completed fields are displayed, indicating dates of the last applicable schedule
Related functions to be audited will automatically be displayed in the bottom grid.
¶ Step 3.4: Setup Audit types
Users must define types of audits. This is imperative as the type of audit will guide D365 GRC to add or remove functionality. In specific internal audit functions differ from compliance type (ISO etc.) audits.
Go to: GRC > Compliance > Setup for compliance > Audit type
- Click New
- Enter a unique Audit type ID
- Enter a brief Description of the Audit type
- For Compliance audits the Manual audit box must not be ticked
- In the Team field, select the team that will be responsible for the selected audit type
- Select the relevant Job plan from the dropdown list
- Select the relevant Budget from the dropdown list
- Indicate which scoring method should be used (Columns 1 to 4 in the screenshot below)
- The Dropdown column gives the user the option to choose one of the following two enums when scoring:
| Evaluation | Compliance |
|---|---|
|
Blank Major NC Minor NC Observation Strength |
Blank Full Partial Not applicable Zero |
- Select the relevant Email template from the dropdown list
- Select the relevant Declaration rules from the dropdown list
- Click on the Save button
- If a team is not selected here, individual compliance clause lines cannot be assigned to a Planned user to audit (See Step 4.3 below)
- If no scoring method is specified on the Audit type, the scoring method specified on the Parameters will be used
- These values default to the scope of the Area of compliance
¶ Step 3.5: Setup Audit findings category
Go to: GRC > Compliance > Setup for compliance > Audit findings category
- On the Action pane, click on the New button
- Enter the unique Category ID
- Enter a brief Description for the findings category
The Audit findings category can be selected on the Non-conformances under the Findings menu item
¶ Step 3.6: Setup GRC actions and questions (Declarations)
Go to: GRC > Setup > GRC actions and questions
- On the Action pane, click on the New button
- In the Question ID field, enter the unique question ID
- In the Source field, select IAF
- In the Action field, select Declaration
- In the Answer type field, select Yes/No declaration from the dropdown list
- Select the relevant Negative outcome from the dropdown list
- In the Question text field, enter the wording of the declaration
The Question text is the text that is displayed on the Declaration of interest dialogue on the Audit file.
A question must have an Answer type:
- Yes/No declaration – this will display the Question text with a tick box on the Declaration of interest dialogue
The response to the question is set by the Negative outcome setting:
- Force entry – The Declaration of interest dialog will not be able to be closed if this field is not completed i.e. a Tick is required in the tick box
- Warning – this will give a warning if there is no input against the question, but will allow the action to continue
- Ignore – the action can continue if there is no response to the question
¶ Step 3.7: Setup Teams
The audit team, including specialists engaged to assist with the audit, is required to collectively possess the knowledge, skills, and experience necessary to carry out the audit effectively.
Selecting audit team members is an important part of the preparation stage.
Go to: HSE > Setup > Work force > Teams
- On the Action pane, click on the New button
- Enter a Name for the team
- Select the relevant Team type from the dropdown list
- Under the General Fast tab:
- Enter a brief Description of the Team
- Select the relevant Administrator for the team from the dropdown list
- Indicate whether the team is Active
- Expand the Team members Fast tab
- In the Button strip, click on the Add team members button
- Select the names that you want to add to the team
- Click Add
- If required, a Team leader can be selected
¶ Daily use
¶ Step 4: Create the Compliance function
 |
Start with the lower level, referred to as Compliance functions and the related
Clauses (i.e., requirements placed on an organization)
Then go back to the top: Area of Compliance |
¶ Step 4.1: Clauses
The Clauses Fast tab contains the requirements (things to be checked and scored during the audit). They form the lowest level of the Area of Compliance. When doing fieldwork, users will score and mark whether the requirements have effectively been met.
Users can add an Inherent risk percentage against each line.
Go to: GRC > Compliance > Compliance function
- Click New
- Under the General Fast tab:
- Enter the compliance Function name
- Enter a Description of the compliance function
- Select the ISO Standard from the dropdown list (if applicable)
- Enter the Risk rating %
- Select the level of Impact and Likelihood from the dropdown lists
- Under the Clauses Fast tab:
- Click Add
- Enter Section and Clause numbers
- Enter a clause Description
- Enter the user defined inherent Risk%
¶ Step 4.2: Calculate header inherent risk
- On the Compliance function form, on the Action pane, click the Calculate inherent risk button
The two calculation options are explained:
- From Risk register lines:
The inherent risk rating which corresponds with the Risk register lines, is used for this calculation
- From Clause lines below:
The average of the risk in the Clause lines corresponding with the selected Compliance function, is displayed in the Risk rating% column when this calculation function is selected
Where a risk register does not exist, the inherent risk will be calculated by using the data in the Impact and Likelihood columns as factors
When a Compliance audit is selected on the Operational risk register lines, under the Associations Fast tab, the details are displayed under the Risk Fast tab
¶ Step 5: The Area of compliance
¶ Step 5.1: Create the Area of compliance
Go to: GRC > Compliance > Area of compliance
- On the Action pane, click on the New button
- Enter the following on the Create area of compliance dialog:
- Enter a name for the Area of compliance
- Enter a Description for the area of compliance
- Select the relevant Audit type from the dropdown list
- Select the relevant Employee responsible from the dropdown list
- Select the relevant Site from the dropdown list
- Click on the OK button
¶ Step 5.2: RACI details
A responsibility assignment matrix describes the participation by various roles in completing tasks or deliverables for an audit.
- Employee responsible (Assessor): Those who do the work to achieve the task. There is at least one role with a participation type of responsible, although others can be delegated to assist in the work required. Worker ultimately responsible for this audit.
- Employee accountable: The one ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. In other words, an accountable employee must sign off (approve) work that the responsible employee provides.
- Employee consulted: Those whose opinions are sought, typically subject matter experts, and with whom there is two-way communication.
- Employee informed: Those who are kept up to date on progress, often only on completion of the task or deliverable, and with whom there is only one-way communication.
An email can be sent to the selected workers under the RACI field group, if they have a Primary email address
¶ Step 5.3: Scope
The scope of a compliance audit is a statement that specifies the focus, extent, and boundary of a particular area. The scope can be specified by defining the physical location of the compliance audit, the organizational units that will be examined, the team and activities that will be included, as well as the budgeted time proposed to execute the audit.
In the Header view:
- The Manager field is populated with the manager of the selected Department.
- The Hours field is populated with the hours setup on the selected budget.
In the Lines view:
- In the Teams field, select the team that will be responsible for doing the audit on the selected Compliance function
- Under the Requirements and scores Fast tab, in the Planned user field, select the user that will be responsible for auditing the selected clause
The user has to be a member of the Team selected as described above
¶ Step 6: The Area of Compliance (Lines)
¶ Step 6.1: Add the default Compliance functions
- Expand the Compliance functions Fast tab
- Click on the Add button
- Select the required functions and standards from the dropdown list. These were created as Compliance functions in step 4 above
- The values from the base Compliance functions are defaulted in; this includes the important “Period” value that will be used for Scheduling of Audits
- Select the relevant Goal category from the dropdown list (if applicable)
¶ Step 6.2: Create the Requirements and scores
- Expand the Requirements and scores Fast tab
- Click on the Add button
- Enter a Clause number and Description
- Enter the Expected scores and select the Heading
- A bulk change can be made to all the lines by clicking on the Bulk change button in the button strip and entering the required Score and Heading values on the dialog form
- Notes and Comments can be added
- Click Save
If the functions have been setup with ISO section and ISO clause details, these lines will be copied into the grid above.
Also note that the displayed Requirements and scores are linked to the function that is selected in the Functions and standards Fast tab above
If changes have been made to the clauses on the Compliance function form, click on the Refresh button in the button strip to update the lines in the Requirements and scores Fast tab on the Area of compliance
¶ Step 6.3: Create Activities
- On the Action pane, click on the Create activity button
- On the Create activity dialog:
- Select the relevant Category
- Enter a Description for the activity
- Select the Responsible person for the activity
- Enter the Due date for the activity
- Enter the Purpose of the activity
- Indicate the Priority and Sensitivity of the activity
- Choose to create a new Action plan for the activity, or to add it to an existing Action plan
- Click on the OK button
¶ Step 7: Scheduling of Audits
The purpose of a compliance audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively.
Enterprises require scheduled audits (compliance scores) to be created based on user specific frequency rules, or users can create ad-hoc audits
Both these are supported in Dynamics 365 GRC
Go to: GRC > Compliance > Compliance function
- Expand the Scheduling Fast tab
The scheduling Period frequency will be displayed (it can be changed)
The last date when a schedule for this Area of compliance was run is displayed, as well as next date that a scheduled score has to be completed by.
¶ Step 7.1: Run the scheduling
Go to: GRC > Create schedules
- Select the Schedule type from the dropdown list
- Select the Schedule from date
- Select the Schedule until date
- Choose filters such as:
- Site
- Department
- Click OK
The Site and Department must be the same site and department selected on the Area of compliance
Users can ALSO go to the Area of compliance and choose to EXCLUDE certain functions from an audit
Go to: GRC > Compliance > Area of compliance
- Go to the Lines view
- Open the Compliance functions Fast tab
- Choose functions to EXCLUDE when creating schedules
- Click on the Schedule audits button
On the Scheduling dialogue that opens:
- Select the Schedule until date
- Click OK
If the Scheduling period on the Area of compliance is different to that on the Compliance function, a yellow line with a warning message will appear across the screen.
The system will use the scheduling period as set up on the Area of compliance.
¶ Step 7.2: View scheduled results
Go to: GRC > Compliance > Schedules > All audit schedules
The status is important:
- A scheduled audit has to be Approved for it to become an audit
- Only Approved records can be used to create new audit files and allow users to enter audit fieldwork
- When the status is Approved, the Created, Scheduled and Approved buttons will be unavailable to the user
- When the status is Created, the schedule can be deleted
- Approved audits cannot be deleted
- On the Action pane, in the Status group, click the Approved button
- Complete the Create new audit dialog form
- Click OK
Details of a scheduled audit can be changed while the status is Created.
- On the Action pane, in the Work group, click on the Change button
- Enter the new details on the Change record dialog. If a field is left blank, the existing values will stay the same
- Click OK
¶ Step 8: Audit files
Go to: GRC > Compliance > All compliance audit files
- On the Action pane, click New
- On the Create new compliance audit file dialog:
- Enter a Name for the new Audit file
- Enter a Description for the new Audit file
- Select the applicable Area of compliance from the dropdown list
- Select the Audit name from the dropdown list (Only approved audits are on this list)
- Click on OK
On the new Audit file:
- Change the Status to Started
- Do the Declaration of interest
If the last two steps are not done, the Audit file cannot be selected for the posting of scores
- To send an email to users selected under Administration, click on the email icon next to the relevant name
- The selected worker must have a primary email address
It is advisable to create the Audit file before starting with the audit process, as the compliance scores and Findings will be posted into the Audit file
¶ Step 9: Created audits
Go to: GRC > Compliance > All compliance audits
¶ Step 9.1: Buttons on the All compliance audits list page
- Close - Changes the Status of the audit to Closed
- Change assessor
- Do scoring
The following buttons will be disabled when the record is closed:
- Change assessor - Gives the logged in user the opportunity to change the Assessor/Responsible person for the selected audit
- Execute compliance audit - Opens the Fieldwork/scoring form which is populated with the relevant data from the selected audit
- Completed scores - Opens the Completed scores form for the selected audit
- Send email notification - Allows the user to send an email notification for the selected audit (See Step 10 below)
- Print - The user can print the Audit RAG report
- On the All compliance audits list page, select the audit that you have now approved
- On the Action pane, click on the Audit file button
- Select the Audit file that you have just created
- On the Action pane, in the Function group, click on the Declaration button and then click on the Agree button
The Audit file has to have a status of Started before it can be selected for the posting of findings and scores
¶ Step 10: View capacity
The capacity load of the selected audit can be calculated according to the budgeted hours
Go to: GRC > Compliance > Schedules > All audit schedules
- Select the schedule that you want to view the worker capacity of
- On the Action pane, in the Work group, click on the Capacity button
- On the Calculate scheduled capacity load dialog, select required fields to display:
- If No is selected for the Skip zero field, details for all audits will be displayed, including those without budgeted hours
- Choose to view the relevant Department, Team and Owner
- Select the Date from which you want to view the capacity load
- Select the Interval type (length of period) that you wish to view the capacity for
- Click OK
The capacity load of the selected audit can be re-calculated by clicking on the Calculate button on the Action pane
¶ Step 11: Create audits manually
Go to: GRC > Compliance > All compliance audits
- In the Action pane on the All compliance audits list page, click on the New button
- Complete the details on the Create new audit file dialog
- Select the Assessor that will be responsible for the audit
- Click OK
- One audit will be created with schedule of type Manual
- The audit Status will be Approved
- An Audit file for the audit will be created
- One audit can have many audit files
¶ Step 12: Send email notifications
Go to: GRC > Compliance > All compliance audits
- Select the audit that you want to send the email notification for
- On the Action pane, click on the Send email notification button
- On the dialog, select the required radio button
- Click OK
To view all the Audit files for the selected compliance audit:
- On the All compliance audits list page, expand the Related Information pane
There is also a list page view of all the Compliance audit files
Go to: GRC > Compliance > All compliance audit files
A closed Audit file can be re-opened if:
- The user is a member of the Admin user group
- The Audit is open
¶ Step 13: Scoring
Auditors must identify, analyze, evaluate and document sufficient information to achieve the audit engagement’s objectives. This includes assisting the organization in maintaining effective controls by evaluating their effectiveness and efficiency, and by promoting continuous improvement.
Engagement findings and recommendations emerge by a process of comparing what should be with what is. Whether or not there is a difference, the auditor has a foundation on which to build the report. When conditions meet the criteria, applicable test programs would have been marked as “Effective” and as such no findings will be raised. However, in cases where the conditions do not meet the criteria, audit findings will be raised, taking into consideration any issues to be reported verbally based on their materiality.
Audit findings will be raised as and when the individual test programs are completed and reviewed by the audit manager. This is done in two ways; Dynamics 365 can log a formal (more serious) non-conformance or just log an issue via the Issue register.
The results and scores of assessments being done are recorded inside GRC 365.
¶ Step 13.1: To do the scoring
- Only Approved audits via its referenced Area of compliance can be selected.
- The same applies for Site and Department, only those that exist in an approved audit are selectable.
If these have not been specified on the approved audit, the fieldwork cannot be posted.
Go to: GRC > Compliance > Periodic > Compliance scoring
- Select the relevant Audit name from the dropdown list
- The Area of compliance and Site from the selected audit will be displayed
- Select the relevant Department from the dropdown list
- Select the relevant Compliance function from the dropdown list
- If the logged in user is the Planned user as setup on the Area of compliance under the Requirements and scores Fast tab (See Step 4.3 above), the user can choose to only view compliance function clauses that are his/her responsibility by moving the My clauses slider to Yes
- Users can score the lines (Compliance function records) with a yes/no or Full, Partial & Non-compliant dropdown, or do a RAG (Red, Amber, Green) audit
If the Compliance function is not selected, the scoring cannot be posted
The user can choose which columns to see in the left-hand side grid by clicking on the Show button in the Action pane and moving the relevant sliders to Yes
When doing the scoring, users can use the Inherent risk percentage to filter and focus on high-risk clauses
- The General Fast tab:
- Select a Responsible person - This worker is responsible for the activity that was created for the selected clause
- Select a Due date - This is the date on which the activity should be completed
- Select the Audit file that the activity details should be posted to
These values will be used when Activities are created
- The Department selected on the Scoring form header will be used on the Issue register
- If no scoring method is specified on the Audit type, the scoring method specified on the Parameters will be used
¶ Step 13.2: Create non conformance
Findings are the results of an evaluation of the collected audit evidence against audit criteria. Findings can indicate conformity or nonconformity with audit criteria, or opportunities for improvement.
The Compliance function can be linked to external ISO standards and must have a unique name and a description. These Compliance functions form the basis for creating the Area of compliance.
- Open the Findings Fast tab
- Details of non conformances can be entered under the Non conformance Index tab
- To automaticaly create corrections for the non conformance, enter details of the short term solution under the Non conformance Index tab
- Open the Recommendations and strengths Index tab to enter Suggested improvements for the non conformance raised
- On the Action pane, click on the Findings button and select Create a non conformance
- Or, for less critical issues, enter the details under the Issue register Index tab
- On the Action pane, click on the Findings button and select Add to issue register
- Finally, users must Post the score (commit the score to the database as a dedicated and completed score)
- It will then appear under the Completed compliance scores
Results (Compliance column and observations) can be posted to an Audit file
- Expand the Quality assurance Fast tab
- Select the relevant Improvement plan from the dropdown list
The lines from of the selected improvement plan will be displayed
When the fieldwork is posted, a pop-up will ask the user if a checklist should be created form the existing Improvement plan
- Posting of scores (field work outcome and conclusions) are done via the Post button on the Action pane
- Users must choose the Audit file that will carry the results of the fieldwork
When the Audit file is selected, the dialog will change adding a display of the Audit name, Audit type and the name of the Assessor (Responsible Worker on the audit)
If the logged in user is not the same as the assessor associated with the selected audit, a warning will prompt the logged in user to confirm that he/she still wants to continue with the scoring
- Audit files are checked for Declaration done and status of Started
- Users can select to NOT post un-scored lines in order to get an accurate Actual score (See Step 11 below)
- Users have the option to Auto create corrections when the scores are posted
- Click OK and the posting will be committed
¶ Step 13.3: Create an activity
Activity features allow you to create appointments, notes, and tasks.
If you want to send someone a reminder, you can create a task and assign it to anyone in the organization. The task will then show up on their activity list, and also pop up as a reminder in Outlook (if you have the synchronization enabled).
¶ Step 13.3.1: Form the scoring form
- Select the clause that you want to create the activity for
- On the Action pane, click on the Create activity button
- On the Create activity dialog, select the relevant Audit file ID from the dropdown list
- Select the relevant Category
- The Description field is populated with the information entered in the Suggested improvements field under the General Fast tab on the scoring form
- The Responsible field is populated by the person selected under the General Fast tab on the scoring form
- The Due date field is populated by the due date selected under the General Fast tab on the scoring form
- Select the relevant Priority for the activity
- Select the relevant Sensitivity for the activity
- The user has the option to Create a new action plan, OR
- Select the Action plan that you want to add the activity to
- Click OK
¶ Step 13.3.1a: Planned actions
Go to: GRC > All planned Governance, Risk and Compliance actions
- Buttons on the All planned GRC actions list page:
- Go to source entry – Opens the form from which the follow up action was created
- Close – Closes the action and removes the record from the list
- Send email notification – Sends an email notification to the selected worker in the Reviewed by field
- View pie chart – Displays a pie chart of all the planned GRC actions
¶ Step 13.3.2: From the Audit file
Go to: GRC > Compliance > All compliance audit files
- Select the Audit file that you want to create an activity for
- Expand the Conclusion Fast tab
- Open the Activity Index tab
- Enter the Due date for the activity
- Select the Responsible person from the dropdown list
- Enter a Description of the activity
- Select the relevant Priority from the dropdown list
- On the Action pane, click on the Create activity button
- Select the relevant activity from the dropdown list
To view the Activity that was created:
Go to: Common > Activities > All shreq activities
AND
Go to: GRC Workspace > All open actions
¶ Step 14: View recorded details in the Audit file
Go to: GRC > Compliance > All compliance audit files
- Select the relevant audit file
- Open the Header view
- Expand the Findings – Non-conformances Fast tab
- Expand the Findings – Issue Fast tab
- Expand the Related information pane to view the Activities created
- Open the Lines view to see the Completed scores and Scores detail
¶ Step 15: Results and “closing the loop”
Go to: GRC > Compliance > Reports and Inquiries > Completed compliance scores
- Use the Show latest filter to see only the latest scored records
If there is a tick next to a record in the Latest column, it means that the system has done a check on the following and has marked the latest record
- Company (legal entity)
- Audit name
- Area of compliance
- Function
- Site
- Department
- Select a recorded result
The Compliance scores detail form will open, displaying the details of the selected record
Users can choose to record findings:
- Raise a non-conformance inside Dynamics or,
- Report an issue in the Compliance audit issue register if the outcome is less critical and of lesser significance
Note that these outcomes are counted and recorded as findings
To view the average score per Site, based on the Departments under the Site:
- Click on the View summary button in the Action pane
- On the Compliance score summary dialog, enter the From and To dates
- Select the relevant Site from the dropdown list
To view the corrections that were created for the non conformances when the scoring form was posted:
Go to: GRC > Compliance > Findings > Non conformances
- Select the relevant Non conformance
- Open the Audit observation Index tab to view the details
- In the Action pane, click on the Corrections button
- On the Corrections form, enter the Requested date and Planned date
- Below the grid, enter effectiveness verification of action performed in the box provided
- Enter the Date of effectiveness check
- Select the name of the worker checked the correction
- In the Action pane, click on the Mark complete button
- On the dialog that opens, confirm that the non conformance correction is to be marked as completed
To print the Audit correction report:
Go to: GRC > Compliance > Findings > Non conformances
- Select the relevant Non conformance
- In the Action pane, click on the Audit button and select Audit correction report from the dropdown list
The loop is closed in that the last posted score is sent back to the Area of complaince
Go to: GRC > Compliance > Area of compliance
- Select the relevant Area of compliance
- On the Header view, expand the General Fast tab
Based on the threshold values specified under the GRC parameters and on the Audit type, Dynamics will fill in the Compliance indicator value
¶ Reporting
¶ Step 16: Audit findings
While the Audit team collects information and does its observations, they can choose to raise non-conformances or create less critical issues. These are collectively referred to as Audit findings.
Go to: GRC > Compliance > Reports and inquiries > Compliance audit findings
- A list of all Issues that have been created can be viewed: GRC > Compliance > Findings > Compliance audit issue register
- A list of all Non conformances can be viewed: GRC > Compliance > Findings > Non conformances
¶ Step 17: Audit RAG report
Go to: GRC > Compliance > Reports and inquiries > Audit RAG report
- On the Audit RAG report dialog:
- Select the required Area of compliance
- Select the relevant Site
- Select the relevant Department
- Select the relevant Compliance function
- Click OK
OR
Go to: GRC > Compliance > All compliance audits
- On the Action pane, click on the Print button
- Click on Audit RAG report
¶ Step 18: Audit findings per ISO standard report
Go to: GRC > Compliance > Reports and Inquiries > Audit findings per ISO standard report
- Select the Parameters for the report
- Click OK
¶ Step 19: Audit findings per ISO standard graph
Go to: GRC > Compliance > Reports and Inquiries > Audit findings per ISO standard graph
- Select the Parameters for the graph
¶ Step 20: ISO audit report
Go to: GRC > Compliance > Reports and Inquiries > ISO audit report
- Select the Parameters for the report
¶ Step 21: Area of compliance report
Go to: GRC > Compliance > Reports and Inquiries > Area of compliance report
- Select the Parameters for the report
