Overview of managing issues and remediation
Identify issues, manage remediation plans by assigning actions, and document retesting results to determine whether or not the issue has truly been remediated.
Notes
- Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
- If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
What is an issue?
An issue is a problem, control gap, or exception that has been identified within a project.
You can add issues, and the context for why they were captured, in your workpapers. Adding issues involves:
- assigning issues to owners
- determining outstanding remediation plans
- documenting retesting results against each issue
What is an action?
An action is a specific follow-up measure that is associated with an identified issue.
You can assign actions to owners, and CC additional contributors on actions, in order to define remediation responsibilities. You can also set up reminders for yourself to retest issues or track hours spent on retesting by self-assigning actions.
Working with issues and actions
The table below describes the areas where you can work with issues and actions in the Projects app.
| Area | Description | Information |
|---|---|---|
| Bulk Upload tab | Bulk upload issues to a project. | |
| Issues tab |
Quickly and efficiently add or manage issues in a project. |
Recording issues |
| Issue Tracker | Manage issues for all of the projects within the Diligent One instance. | |
Issues side panel. You can access this panel by clicking  Issues in the Utility Toolbar on context-specific fieldwork pages, or on the Planning tab, or the Results tab in a project.) |
View all, add, and update existing Issues. | |
| Follow-up & Remediation and Retest Information subtabs |
Record remediation plan and retesting information, and assign actions to identify follow-up measures for remediation. |
You can also add, view, and manage issues along with the risks and controls they are associated with in the Assessments application.
Assigning issue and action owners
You can control who has access to issues and actions by assigning any user that has been added to a Diligent One instance as an issue or action owner.
If you need to include additional people to contribute to an action, you can CC them on the action (they do not have to be added as users to a Diligent One instance).
Owners can be assigned based on a regional, business unit, or project-related framework.
Owner types
The ability to access issues and actions depends on your assigned project role. Typically, Contributor Testers or Contributor Users are assigned as owners of issues or actions.
| Owner type | Useful for... |
|---|---|
| Owner | managers that are responsible for issues and actions. |
| Executive Owner | board members and executives that are responsible for issues and actions. |
| Project Owner | project managers that are responsible for issues and actions. |
| Action Owner | individual employees that are responsible for actions. |
Assigning an issue owner
Scenario
You are a CFO that owns an entire project against financial control monitoring. You recognize that one of the issues you identified should be owned by IT. Additionally, the Audit Committee wants to know who is impacted and who owns the remediation of this particular issue.
Process
You assign the Director of IT as a Contributor User in the project. Then, you specify the Director of IT as owner of the issue.
Result
The Director of IT is able to update the issue, define the remediation plan, assign actions to the appropriate department members, and state the time frame for remediation activities to be complete.
The Audit Committee is also able to clearly see who owns the issue remediation, and view the status of remediation activities.
Email notifications
Once you assign a person as an owner of an issue or action, or CC a person to contribute to an action, the person receives an email notification.
Sending recurring reminders
If you need to send recurring reminders about actions, you can configure how often email notifications should be sent to people assigned actions.
For more information, see Sending recurring action reminders.
Recording management recommendations
Issues may or may not be accompanied by management recommendations. Management recommendations give management a direction or course of action. Typically, the recommendation is developed in collaboration with management.
Including or excluding management recommendations
Attestation and assurance audit typically have issues without recommendations in a report:
- Scenario A financial statement audit is being performed to attest to the fairness of presentation of the financial statements and related disclosures.
- Issue The financial statements are being presented fairly.
Performance audits typically have issues with management recommendations in a report:
- Scenario A performance audit of Accounts Payable is being conducted.
- Issue There is a lack of segregation of duties.
- Issue Type Management recommendation
- Recommendation Management needs to segregate critical functions to decrease the risk of fraud.
Recording management responses
Auditors often work with management to ensure that responses to issues are appropriately stated and address root causes.
By assigning issues to the appropriate owner, owners can use the Follow-up & Remediation subtab to enter their own management responses or action plans, state who is responsible, what they will do, and the time frame for completion. Owners can also assign specific actions to the appropriate people, which can be used as follow-up measures associated with an identified issue.
Ultimately, auditors can follow-up with management, retest issues and record any subsequent findings on the Retest Information subtab, including whether or not the issue has truly been remediated, and report back to the audit committee on the status of remediation activities.
Recording a management response or action plan
The following example shows a remediation plan that a Director of IT has drafted in response to this issue:
- Issue Title Disaster recovery protocols not coordinated
- Description There is no coordinated ITDR documentation for effective response to major incidents, such as large scale damage to the infrastructure hosted within the server room (known internally as G1). We would typically expect a recovery sequence to be in place defining a logical technical recovery order of IT systems in priority order taking account of dependencies with other systems. This may include interfaces to other applications and IT infrastructure services such as active directory.
Remediation plan
- Overall Status Open
- Remediation Status Management Remediating
- Remediation Plan A resource will be identified and will be primarily responsible for reviewing the current ITDR plan to ensure that all components required in a ITDR plan is covered and in line with suggested industry best practices. The plan itself will be reviewed twice a year.
- Remediation Deadline 01/04/2019
- Actual Remediation Date 12/20/2018
Action
- Action Title Coordinate a meeting with IT Manager to revise current ITDR plan.
- Owner John Smith
- Due Date Dec 3, 2018
- Status Remediated - Awaiting Verification
Visualizing issues
You can visualize issues within a specific project from the Issues tab, or across all projects in Issue Tracker.
By Issue Type and By Severity charts
From the Issues and Results tabs, you can visualize all issues within a specific project:
Issue Count by Project and Issue Count by Issue Type charts
From the KPI subtab in Issue Tracker, you can visualize issues associated with all of the projects in the Diligent One instance:
Security features
To provide secure and appropriate access to actions, Diligent has implemented a series of security features.
Tokenized URLs
Action links are tokenized URLs that are automatically generated for each action. The tokenized URL contains a combination of lower case, numeric, and special characters.
The tokenized URL is intentionally complex to ensure data access security.
Since the tokenized URL acts like a password, it is important to keep it secure and private. Avoid sharing the tokenized URL with other parties.
Assigned access
Once an action is assigned, an email notification is sent to the intended recipient with a link to access the action.
- If you assign an action to a Contributor Manager, Contributor Tester or Contributor User, the user must click the link in the email and sign in with their Launchpad credentials before they can access the action. Email notifications sent from Projects redirect Diligent One users to the Assessments app. Each card within Assessments has a link back to Projects. Users who are not registered on Diligent One receive a public URL.
- If you assign an action to a non-licensed user, the person is sent a public link via email to access the action.
Expiration of action links
The link to access the action expires if:
- the user assigned the action is removed from the project
- a project is archived or deleted
- an action is assigned to another licensed or non-licensed user
- the action is deleted
- the action is closedNote
If the action is re-opened, you can send a new notification to the appropriate people, which automatically creates a new link to the action.
