Auditmation™

Headquartered in Austin, TX, Neverfail delivers Continuous IT Controls and Availability solutions to some of the most highly recognizable brands in the world. More than 5,000 customers in over 60 countries depend on Neverfail to reduce risk through zero trust compliance and continuity solutions without the worry, time, or cost of traditional methods.

The integration solution described in this document brings automation to compliance management operations conducted on the Archer platform. The Auditmation™ Integration automates the collection of evidence and makes all collected evidence readily accessible and trackable in the Archer environment. It facilitates Archer-initiated Audits/Control Evaluations by automatically selecting the relevant evidence and mapping records to save time and reduce user error. This integration includes a suite of On-Demand Applications (ODAs) to simplify the deployment of requisite infrastructure for existing and new Archer users.

Release history

Last updated: November 2021

Overview of Auditmation™

Evidence features

  • Expansive catalog of source system Connectors

  • Machine and human readable with immutable chain of custody

  • Centralized repository, time and date stamped and reviewable across any look-back period

  • Multi-framework, product, and audit support with control mapping

  • Standardized against any auditor ERL

Evidence benefits

  • Increase audit scale and shorten audit cycles without operational disruption

  • Evidence readiness with no dependency on people, process, or tools

  • Single source of evidence truth

  • Empower staff and reduce audit fatigue

  • Real-time audit readiness

Integrated features and benefits

With the Auditmation™ Integration, you will be able to:

  • Ensure that relevant evidence is consistently collected and delivered where you need it

  • Easily determine which controls and frameworks are satisfied by the automatically collected evidence

  • Define your desired audit scope and easily evaluate controls with the collected evidence

Specifically, On-Demand Application (ODA) structures in your Archer environment will accommodate Auditmation™-originating evidence, control types, audits, and control assessments. The decision to exclusively use ODAs to support this integration was strategic. The standalone Auditmation™ ODAs used to deliver evidence eliminate the need for you to:

  • Extend existing applications with custom fields to support the integration

  • Listen to Archer events reporting a trigger condition in a workflow

  • Extract records manually in one or more applications

  • Link the evidence records to other records in other applications

This design decision ensures that the EaaS solution can be deployed in any context (i.e., new or established Archer accounts with implementations that leverage existing applications or not).

Prerequisites (ODA and system requirements)

Components

Prerequisites

Archer Solution Area(s)

  • Archer IT & Security Risk Management

  • Archer Public Sector Solutions

  • Archer Regulatory & Corporate Compliance Management

Archer Use Case(s)

An Archer use case that contains the Authoritative Sources and Master Controls applications.
The Authoritative Sources application is included in the following Archer use cases:

  • Archer Policy Program Management

The Master Controls application is included in the following Archer use cases:

  • Archer IT Controls Assurance

  • Archer PCI Management

  • Archer Controls Assurance Program Management

  • Archer Assessments & Authorization

Archer Applications

Authoritative Sources & Master Controls

Uses Custom Application

No

Requires On-Demand License

Yes. 5 On-Demand Licenses are required.

Archer Requirements

This offering has been developed for and validated on Archer Platform release 6.9 SP3 HF1 and later.

Partner/Vendor Requirements

Valid License is required.

Operating System

Windows Server 2012 R2 or Archer SaaS

Database Server

Microsoft SQL Server 2014 (64-bit) or Archer SaaS

Services Server

Java Runtime Environment (JRE) 8 (64-bit) or Archer SaaS

Additional resources

The following additional resources are available for this offering:

Auditmation™ components

Architecture diagram

At a high level, the Auditmation™ Integration is comprised of two parts:

  • On one end, the Archer platform provides customers with a configurable workflow environment to define their governance model and regularly evaluate their controls.

  • On the other end, the Auditmation™ platform uses Robotic Process Automation (RPA) to collect the required evidence from the customers’ systems, and then deliver it seamlessly to the Archer platform.

On the Archer platform, customers operate in dedicated tenants. Within their tenant they have access to various out of the box and custom (On-Demand) applications. Customers can customize the application fields that are displayed for their own use case.

To deliver the evidence collected by the Auditmation™ platform, Auditmation™ provides a suite of On-Demand Applications (detailed above) that must run in each customer tenant.

On the Auditmation™ platform, there is:

  • A management layer for the Auditmation™ personnel

  • An orchestration layer that handles both the Auditmation and Deployment tasks as well as RPA operations

The orchestration layer communicates with:

  • Customer-controlled execution environments for zero-trust access to evidence-producing systems

  • Repositories that store evidence and chain-of-custody data

To support the integration with the Archer platform, we will also have:

  • An Auditmation™ client application known as Compliance Bridge to allow Archer customers to order and manage Evidence Collection subscriptions

  • An Auditmation™ adapter for Archer that will sit between Compliance Bridge and the Archer platform

Compliance Bridge communicates programmatically with the Auditmation™ platform on one side and with the Auditmation™ adapter for Archer on the other side, while the latter handles the communication with the Archer platform.

Swim lane diagram

The Auditmation™ Integration process begins when a user creates an Audit in the Auditmation™ Audit ODA. The Audit record includes details such as the controls in question and the date period, with records linked cross-referentially to the Auditmation™ Control Evaluations ODA. The creation of a new audit record triggers an email to Auditmation™’s backend. This email contains the contextual information required for Auditmation™’s Robotic Process Automation engine to begin collecting relevant evidence pieces. Once the collection of evidence satisfying the Audit is complete, the Auditmation™ deployed integration adapter will begin to generate records detailing metadata, a share link to the evidence, and a chain of custody within the Auditmation™ Evidence ODA. This evidence may be cross-referentially linked to source systems (products) and evidence types, with corresponding records in the Auditmation™ Products & Evidence Type ODAs.

Applications

Application

Description

Auditmation™ Evidence

The Auditmation™ Evidence application contains the evidence record metadata that will automatically be loaded after having stipulated the requirements of your engagement. Fields exist to describe the evidence name, file type, file size, share link, chain of custody link, and any cross references to evidence types/products.

Auditmation™ Evidence Types

The Auditmation™ Evidence Types application contains the evidence types that will apply cross-referentially to evidence records for mapping purposes with control evaluations and audits.

Auditmation™ Products

The Auditmation™ Products application contains the products that will apply cross-referentially to evidence records for mapping purposes with control evaluations and audits.

Auditmation™ Audits

The Auditmation™ Audit application contains the audit projects that represent the top-level data structure of your compliance engagement. Audits will apply to a given Authoritative Source & set of Master Controls, assessed with Auditmation™ Control Evaluations which will be cross-referentially connected to NF Evidence, NF Evidence Types, and NF Products.

Auditmation™ Control Evaluations

The Auditmation™ Control Evaluations application contains assessments of controls in the scope of an audit engagement. Records in the Auditmation™ Control Evaluations application will be cross-referentially connected to NF Evidence, NF Evidence Types, and NF Products.

Personas and access roles

The following table describes the functions that make up the application’s organization roles. Depending on the organization of your company, these functions and responsibilities may vary.

Function

Description

Admin

Maintains the Application and Owners.

Owner

Creates Audit records in Auditmation™ Audit ODA, selects relevant controls from Authoritative Sources/Master Controls, and reviews Auditmation™ Evidence records.

Installing Auditmation™

Installation overview

Complete the following tasks to install the offering.

Task 1: Prepare for the installation

  1. Ensure that your Archer system meets the following requirements:

    • Archer Platform version 6.9 SP3 HF1

  2. Obtain the Data Dictionary for the ODA by contacting your Archer Account Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration information for the use case.

  3. Read and understand the "Packaging Data" section of the Archer Help.

Task 2: Install the package

Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. See Installing the Application Package for complete information.

Task 3: Test the installation

Test the application according to your company standards and procedures, to ensure that the use case works with your existing processes.

Installing the package

Task 1: Back up your database

There is no Undo function for a package installation. Packaging is a powerful feature that can make significant changes to an instance. Archer strongly recommends backing up the instance database before installing a package. This process enables a full restoration if necessary.

An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. New objects created by the package installation must be manually deleted.

Task 2: Import the package

  1. Go to the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

  2. In the Available Packages section, click Import.

  3. Click Add New, then locate and select the Auditmation™ package file that you want to import.

  4. Click OK.

The package file is displayed in the Available Packages section and is ready for installation.

Task 3: Install the package

All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. A list of conditions that may cause objects not to be installed is provided in the Log Messages section. A log entry is displayed in the Package Installation Log section.

  1. Go to the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

  2. In the Available Packages section, locate the package file that you want to install, and click Install.

  3. In the Configuration section, select the components of the package that you want to install.

    • To select all components, select the top-level checkbox.

    • To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install.

Note: Items in the package that do not match an existing item in the target instance are selected by default.

  4. In the Configuration section, under Install Method, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list.

Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package.

  5. In the Configuration section, under Install Option, select an option for each selected component. To use the same Install Option for all selected components, select an option from the top-level drop-down list.

Note: If you have any custom fields or formatting in a component that you do not want to lose, select Do not Override Layout. You may have to modify the layout after installing the package to use the changes made by the package.

  6. To deactivate target fields and data-driven events that are not in the package, in the Post-Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install.

  7. Click Install.

  8. Click OK.

Task 5: Review the package installation log

  1. Go to the Package Installation Log tab of the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

    3. Click the Package Installation Log tab.

  2. Click the package that you want to view.

  3. In the Package Installation Log page, in the Object Details section, click View All Warnings.

Using Auditmation™

Task 1: Contact Auditmation™ for standard Auditmation™ onboarding

Auditmation™ will conduct (or assist with the execution of) the following onboarding operations for each customer wanting to use this solution:

  • Creation of an “Auditee” account on the Auditmation™ platform

  • Deployment and setup of a dedicated instance of Workflow-IQ for task, approval and file storage operations on the customer side

  • Provisioning of a customer-controlled execution environment

  • Provisioning of a customer-controlled evidence repository

  • Deployment, registration, and initialization of a dedicated instance of Compliance Bridge

  • Deployment, registration, and configuration of a dedicated instance of the Auditmation™ adapter for Archer

User: Admin

  1. After having installed the Auditmation™ Integration package according to the instructions above, please contact the Auditmation™ sales/onboarding team to get started. Email sales@auditmation.io or call 1 (888) 988-8647. For technical support questions, please see support@auditmation.io.

  2. The Neverfail team will work through the above onboarding operations with you directly.

  3. Go to the Manage Users page.

    1. From the menu bar, click Admin menu.

    2. Under Access Control, click Users.

  4. Click Add New.

  5. Create a new user with a role of Owner and assign the “Executives” group roles to that user.

  6. Click Save.

Task 2: Audit creation

User: Owner

  1. Using the newly created user with the “Owner” role, go to the Neverfail Audit ODA page.

    1. From the menu bar, click the plus button in the upper right to add a new audit record.

    2. From the screen that appears, provide details relating to your use case, including details like audit record name, audit look back period, and auditee name.

    3. Click on the “Add New” or “Lookup” buttons for Neverfail Products. Either create a new product or select one (or more) pre-existing products to link to the audit.

    4. Click on the “Add New” or “Lookup” buttons for Neverfail Control Evaluations. Either create a new control evaluation or select one (or more) pre-existing control evaluations to link to the audit.

      • If you create a new control evaluation, provide name, period, due date details. Link one or more controls to the new control evaluation through the Master Controls ID search function.

    5. Review the control evaluations (with cross-referenced control codes sourced by the Master Controls application) and Neverfail Products in the scope of an audit to ensure the details are correct.

    6. Select Save & Close.

  2. The creation of the new Audit record will now asynchronously trigger an email to be sent to Neverfail’s backend containing the relevant metadata provided by the user in the step above. This will kick off robotic evidence collectors to go and fetch evidence which may satisfy the requested control evaluations. If relevant evidence is found, the integration will generate a new record in the Neverfail Evidence ODA.

Task 3: Evidence review

User: Owner

  1. Go to the Neverfail Evidence ODA page.

  2. Review the evidence that was delivered by Neverfail to see if it meets the needs of the Audit & Control Evaluations in question.

  3. Click through to cross-referenced Products, Evidence Types, Control Evaluations, & Audits.

Certification environment

Date tested: October 2021

Product Name

Version Information

Operating System

Archer Suite

6.9 SP3 HF1

Virtual Application