Step 7 - Create Evidence Records & Automate Evidence Collection

How to Set-up and Launch the Evidence Collection Process

Evidence collection should be a year-round exercise to ensure that your controls are being implemented effectively across the organization. C1Risk enables continuous monitoring of controls via automated evidence collection. 

Evidence Owners require only General User licenses on the C1Risk platform to enable anyone in the company who needs to provide evidence to access the platform. For more information on General User licenses and volume discounts, contact your account manager. 

API Integration

Evidence can be collected by request of an evidence owner, or via API Integration. 

Evidence owners can receive email notifications (white-labeled) or via integration with communication or productivity tools, such as JIRA or SLACK. 

C1Risk is also a REST API platform, which enables data collection from most modern business systems via integration. 

For more information on API integration, please contact your account manager. 

Mapping Evidence to your Regulation or Standard

Once your evidence records have been created, you can map them to the Obligation via an internal control.  C1Risk enables a “one to many” mapping option for both internal controls to evidence (map multiple internal controls to a single evidence request) or evidence items (map multiple evidence items to a single internal control). (See Training)

Creating and Evidence Collection Record

Evidence records are used to launch Document Requests, which notify evidence owners that they must provide information for compliance.

Notifications can be sent immediately or scheduled for the future. An automated frequency can thereafter be established to send Document Requests to evidence owners:

1. Daily
2. Weekly
3. Monthly
4. Quarterly
5. Semi Annually      
6. Annually

Notifications can be sent to a primary and multiple additional contacts (EG. The HR Director may be copied on a request to the HR Manager to ensure that leadership is aware of any data being provided to the compliance team).

A due date can also be established for the evidence to be provided. Escalation will occur in two forms past the due date.

1. The Manager (where appropriate) will be notified.
2. Notifications of expired requests will be sent to the evidence owner on a daily basis.

Populating the Evidence Record Fields

The Evidence Record contains the following information fields, used for the following:

1. Establish a clear description of the information needed for the evidence owner.

2. Establish the frequency that the evidence needs to be collected.

3. Automate the notification of evidence collection process.

4. Establish a review protocol

Please see below for a detailed description and best practices for populating each field. 

Evidence Name

Use a name that is familiar and consistent and helps the evidence owner easily identify the relevant information to provide.

Evidence Description

Similarly, the description is provided to the Evidence owner, so should be written as to assist the evidence owner in identifying the information necessary to provide.

Note also that the evidence description should not mention time specific time periods to avoid confusion or the need to update future document request notifications.

Asset/Internal Controls

Assets and (additional) Internal Controls can be mapped to evidence records here.

• Select the “+” sign to create a new Asset.
• Select the     to look up an existing Asset or Internal Control

Setting the Evidence Start Date / End Date

The Evidence Start Date and End Date reflect the acceptable period (provided by the external auditor) for creation of the evidence. 

Once you have established the Start / End Dates, the system will automatically launch a notification for evidence collection to the evidence owner(s) on the End Date selected. 

Tips for Setting up the Start Date / End Date

Typically, your external auditor requires the latest version of a document and/or evidence to have been created within a certain timeframe to be acceptable for use as validation of an implemented control. 

1. The Start Date allows you to control and limit the period within which evidence must be created/produced. Typically, this does not extend prior to the year of the current Audit Period. 
2. The End Date ensures that the notification is sent in a timely manner and allows the evidence owner enough time to provide the required evidence, as well as for the compliance team to review and approve the evidence prior to providing it to an external auditor.

NOTE: For first-time users setting who are collecting evidence for the first time on the C1Risk platform, we recommend scheduling the END DATE in advance of your external audit period and create sufficient time to a) train end-user evidence providers to use the platform to provide evidence and b) provide the compliance team sufficient time to review and approve evidence and/or work with end-users to ensure the correct evidence is in place. 

Establishing the Frequency of Collection (Cadence)

The initial Start Date /End Date might not be the same as the subsequent collection period. The Request Frequency automatically establishes the correct collection period based upon the initial End Date.

For example:  

STEP ONE: Initial Set up

1. Initial Start Date: January 01, 2023
2. Initial End Date: June 30, 2023
3. Collection Frequency: Quarterly

STEP TWO: After Automation (System will automatically change to)

1. Start Date: July 01, 2023 (the day after the initial End Date)
2. End Date: September 30, 2023 (Quarterly/3 months from the previous end date/new start date)
3. The process will repeat on a quarterly basis. 

Note: When establishing a frequency for evidence collection, the Start Date and End Date will automatically update based upon the frequency selected.  

Adding Evidence Owners 

1. You can assign one or more team members to receive Document Request Notifications using the Primary Contact / Additional Contact fields. This enables you to copy leadership or provide groups/teams with the ability to collaborate on providing evidence for compliance.  
2. Note that you can add one a single Primary Contact (typically the person who is responsible for providing the evidence) and multiple additional contacts (team leaders, assistants, stakeholders). 
3. Primary and Additional Contacts can be Administration or General Users on the platform. To add Users at any time to the platform, contact support, please contact our support team: https://c1risk.freshdesk.com/support/tickets/new

How to Set up the Evidence Review Process (optional)

The final step in setting up the evidence collection process is to establish your desired review protocols. 

While review is optional in the platform, C1Risk recommends adding review as a step to the process as it enhances the options to collaborate with evidence owners if/when supplemental evidence is needed or there are issues with the information provided. 

The C1Risk platform always provides the following approval rule options:

Approval Rule Table

1. In the Evidence Record, in the Approval Process Section, choose ‘Yes’ for Approval Required.

2. Add the reviewers using the drop-down menu.

3. Choose the approval rule (see table above).