I. Overview of POAM Reporting
The POAM Reporting feature (which stands for reporting issues and risk mitigation) is designed to help you report data to the right stakeholders. While the acronym POAM aligns with standard terminology, you can configure the terminology for your specific program. The ultimate goal of this feature is to provide valuable data sets for metrics and reporting.
The two new reporting features are found under Issue Management > Findings:
- Finding summary by internal control/control family.
- Finding summary by the asset (enterprise assets).
II. Prerequisites: Linking Data to Findings
For findings to be included in the reports and accurately summarized, they must be properly linked to core entities:
- Link to Internal Controls: Every finding should have some connection to internal controls. You must select the controls so that you know how the finding is impacting them.
- Tag with Assets: To obtain findings by asset reports, you must tag the finding with the appropriate asset (e.g., system, vendor).
IMPORTANT: It is essential that every finding has an associated asset and an internal control linked to it to ensure you can generate these reports.
III. Customizing the Control Family Drop-down List
To ensure the "Finding Summary by IC Control Family" report accurately reflects your organization's terminology, you may need to customize the control family list.
- Go to the C1 Risk platform > Administration.
- Select Custom Fields.
- Locate the field called control family. This field is a drop-down list associated with the internal control table entity.
- To change the default values, click edit. You can unselect the default list and add new values for your program.
- After defining this drop-down list, you must go to your internal control list and ensure that you identify the control family for every internal control.
IV. Generating and Reviewing Reports
Both reports are found under the action menu on the top right of the Issue Management > Findings page.
A. Finding Summary by Control Family
When you export this data set, the file will provide a summary of the findings grouped by their associated control family.
Report Content Summary:
- Status of the control.
- The priority of the finding.
- The risk mitigation details.
- Any approval status that is outstanding.
You can drill down into each control family within the report to see further log details of the exact findings included in the analytics.
B. Finding Summary by Asset
When you export this report, you will receive a data set organized by asset.
Report Content Summary:
- A summary for each asset.
- A detailed log of the findings that are associated with that specific asset.
Asset Configuration Note: When configuring the C1Risk platform, you can define various asset types (such as infrastructure, applications, processes, business units, and locations). There can be a many-to-many relationship between assets and findings.
V. Gap Analysis and Data Cleanup
The system provides tools to help you identify missing data connections so you can "clean up your data" and achieve "nice clean reporting".
- Gap Analysis for Internal Controls: A master file lists all findings that do not currently have any associated internal control. This acts as your gap analysis list. You can click on this list to define internal controls and map them, which will help update your summary.
- Gap Analysis for Assets: The system also provides a list of every single finding that lacks an asset mapped to it. You can drill down into this list to clean up the data.
Cleaning up these gap lists ensures that all your findings are properly categorized and reflected in the new reports.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article