Enabling Automatic Generation of Findings for Questionnaires

Important: The Control Standards application must be licensed for findings to be generated for core questionnaires.

You can configure a questionnaire to generate findings automatically when a user answers one or more questions incorrectly. By default, findings are created for a questionnaire record when the value in the Submission Status field changes to Submitted. You can change this default condition, or you can create additional conditions that trigger findings creation. For example, you can generate findings when a questionnaire record is submitted and when it is approved. All defined conditions must be met in to trigger findings creation.

Note: A finding is created only once for each incorrectly answered question. So if a finding is created for a question when the questionnaire is submitted, and that same question is still incorrectly answered when the questionnaire record is marked Approved, the system does not create another finding for that question.

As an optional step, you can create static or dynamic content that the Description field displays in all findings generated for the questionnaire.

By default, each finding generated by the system is populated with the following:

  • Question that was incorrectly answered.
  • Incorrect answer the user selected.
  • Specific target of the assessment.
  • Questionnaire record in which the question was incorrectly answered.
  • Authoritative source related to the question that was incorrectly answered (if applicable).
  • Control standard related to the question that was incorrectly answered (if applicable).

The prepopulation of Findings records enables you to report on areas of non-compliance by target, questionnaire, question, authoritative source, and control standard. As you remediate findings, you also can monitor areas of improvement in your compliance posture.

Note: You can add the Findings application to the same solution as your questionnaire to access the Findings application from the Navigation Menu for the purposes of searching and managing records.

Enable automatic generation of findings for a questionnaire

  1. From your questionnaire, go to the Properties tab and select Enable automatic generation of findings based on the answers.

    Note: If you do not enable findings for a questionnaire, the Quantitative Summary section within individual questionnaire records are not included in the Findings column.

  2. Go to the Configurations tab > Findings tab.
  3. In the Findings Generation Condition section, define the conditions within the assessment target that will cause the findings to be automatically generated.
    1. In the Field To Evaluate column, select the field to evaluate for one or more specific values.
    2. In the Operator column, select the filter operator.
    3. In the Value(s) column, select the values for the condition.
    4. If you have created more than one condition, you can apply advanced logic to your search criteria.

      Note: To create additional conditions, click Add new.

  4. In the Findings Message section, enter the default text that the Description field of Findings record displays. The default text can include up to 10 dynamic elements, either by inserting the elements into the text using the Available Fields dropdown above the text editor, or by manually entering the elements. You can modify the default text using (a combination of) the following types of dynamic elements:

    • By default, the Description field within individual Findings records include Question specific elements. Archer populates these elements with information about the incorrectly answered question.

      • Archer supports the following dynamic question elements:

        • [Question Name]. This element is the question label, not the question text. For example, the question name might be "Encryption 1" for the following question text: "Is strong encryption used for restricted information?"
        • [Question]. This element is the question text, such as "Is sensitive cardholder data securely disposed of when no longer needed?"
        • [Answer]. This element is the incorrect answer the user provided, such as "No, we do not dispose of cardholder data."
        • [Weighted Score]. This element is the weighted score for the question, which the system generates by multiplying the question weight and the numeric value associated with the incorrect answer.

      • For example: The question "[Question]" was answered incorrectly: Question: [Question Name] Answer: [Answer] Question Risk Score: [Weighted Score]

    • Archer populates application specific elements with information about the target application of the questionnaire. Only publicly shared fields are available for these elements. Application specific elements must start with a "[Field:" tag, followed by the target field name, and ended with a closing "]" bracket.

      • These dynamic elements support the following field types from the target application:

        • Cross Reference

        • Date

        • Numeric

        • Record Status

        • Text

        • Tracking ID

        • Values List

      • For example: The facility, [Field:Facility Name], has a new finding ready for review. The last assessment for this facility was on [Field:Last Assessment Date], which received a Risk Rating of [Field:Last Assessment Risk Rating]. The next assessment will be on [Field:Next Assessment Date].

    • When using Dynamic elements in the Findings Message:

      • Important: Dynamic elements do not honor field-level permissions. Users without the proper permissions may be able to view any field used in the message.

      • Archer only validates dynamic elements when the elements are inserted into the message using the Available Fields dropdown.

      • Using square brackets ('[' and ']') around 1 or more characters counts towards the maximum number of allowed placeholders.

      • When a questionnaire is copied, the Findings Message reverts to the default template that only includes the question specific elements.