How should this Citation be audited?


As the final step for each mandate in a project, the Mapper uses the Citation Audit task to designate how the mandate should be audited. Use the Summary Guidance below as a quick reference for decision-making. For more detailed information, scroll down to review the Detailed Guidance.

Summary Guidance

Task step option: The Citation itself is an audit question

When to select this option: Any of the following applies:

  • The citation is in the form of a question

  • The citation is an audit and/or verification activity (e.g. "Examine documentation to verify roles and responsibilities are documented," "Interview appropriate parties to verify they are notified of security events," "Test security software to verify it is configured in accordance with organizational requirements").

  • The AD or section of the AD is an Audit Guide

Result: In Audit Guidelines generated with UCF Authority Document Builds, the citation itself appears as the Assessment Procedure for its associated Common Control.

Task step option: There is no audit question

When to select this option: All of the following apply:

  • The audit items associated with the Common Control correctly audit the citation’s mandate (see note below)

  • The citation is not in the form of a question

  • The citation is not an audit and/or verification activity

Note: To find and review a Common Control’s UCF Standardized Audit Items, navigate to the bottom of the Research - Common Control Details page of each Common Control.

Result: In Audit Guidelines generated with UCF Authority Document Builds, the Common Control’s UCF Standardized Audit Items appear as the Assessment Procedure for its associated Common Control.

Task step option: Reference a templated Audit Item from the mapped Common Control

When to select this option: All of the following apply:

  • The audit items associated with the Common Control do not correctly audit the citation’s mandate (see note below)

  • The citation is not in the form of a question

  • The citation is not an audit and/or verification activity

Note: To find and review a Common Control’s UCF Standardized Audit Items, navigate to the bottom of the Research - Common Control Details page of each Common Control.

Result:

  1. In the Citation Audit task, you will create a unique Audit Item using the UCF Audit Item Template.

  2. Then, in Audit Guidelines generated with UCF Authority Document Builds, the unique audit item created above will appear as the Assessment Procedure for its associated Common Control.

Detailed Guidance

Task Step Option 1: The Citation itself is an audit question

Select this option when any of the following applies:

Criterion 1: The citation is in the form of a question.

Guidance: Review the citation in the Citation Audit task. Is it in the form of a question? If yes, select “The Citation itself is an audit question.”

Example 1: Citation in the form of a question

Criterion 2: The citation is an audit and/or verification activity (e.g. "Examine documentation to verify roles and responsibilities are documented," "Interview appropriate parties to verify they are notified of security events," "Test security software to verify it is configured in accordance with organizational requirements").

Guidance: Review the citation in the Citation Audit task. Does it begin with a verb that mandates performance of an audit activity (e.g. Examine, Test, Observe, Interview)? Furthermore, does the citation require verification against a requirement? If your answer to both questions is “yes,” select “The Citation itself is an audit question.”

Example 2: A citation that is an audit and/or verification activity

Criterion 3: The AD or section of the AD is an Audit Guide.

Guidance: Review the AD you are entering. Check the AD Introduction and the AD Section Introductions, as needed. Often, the AD will make clear whether its citations are intended as audit or assessment procedures. If you find that the AD is an Audit Guide, select “The Citation itself is an audit question.”

Example 3: Context from NIST SP 800-171Ar3 showing that its requirements may be categorized as Audit Guidelines.

Example 4: NIST SP 800-171Ar3 Citation

Example 5: Citation Audit Task for NIST SP 800-171Ar3 citation

Result for citations where “The Citation itself is an audit question” is selected

In Audit Guidelines generated with UCF Authority Document Builds, the citation itself appears as the Assessment Procedure for its associated Common Control.

Assessment Procedures generated in this manner are identified in the “AUDIT ID” column by “✔ Citation” followed by the Authority Document ID.

Example 6: When the Mapping Team selects “The Citation itself is an audit question,” the citation itself appears as the assessment procedure. Note how the NIST SP 800-171Ar3 citation from Example 5 appears in the Audit Guideline.

Task Step Option 2: There is no audit question

Select this option when all of the following apply:

Criterion 1: The audit items associated with the Common Control correctly audit the citation’s mandate.

Guidance:

To assess this criterion, review the following:

  1. the citation, as documented in the Citation Audit task and

  2. the Research - Common Control Details page of the Common Control in the Citation Audit task.

Determine whether the audit items found in the Common Control’s Research - Common Control Details page correctly audit the citation’s mandate.

If you determine that the audit items provide sufficient information to audit whether the requirement has been met, this criterion applies.

Example 7: Review the Citation Audit Task when assessing Criterion 1

Example 8: Review the Audit Items at the bottom of the relevant Common Control Details page when assessing Criterion 1

Criterion 2: The citation is not in the form of a question.

Guidance: Review the citation in the Citation Audit task. Is it in the form of a question? If no, then this criterion applies. See Example 7 above.

 

Criterion 3: The citation is not an audit and/or verification activity.

Guidance: Review the citation in the Citation Audit task. Does it begin with a verb that mandates performance of an audit activity (e.g. Examine, Test, Observe, Interview)? Furthermore, does the citation require verification against a requirement? If your answer to either question is “no,” this criterion applies.

Result for citations where “There is no audit question” is selected

In Audit Guidelines generated with UCF Authority Document Builds, the Common Control’s UCF Standardized Audit Items appear as the Assessment Procedure for its associated Common Control.

For example, in the Audit Guidelines below, the standardized Audit Items for Common Control 1425 are used. Take note of how the Audit Items found in the Research - Common Control Details page in Example 8 above are generated in the Audit Guideline assessment procedure.

Example 8: How citations appear in UCF Audit Guidelines when the Mapping Team selects “There is no audit question”

Task Step Option 3: Reference a templated Audit Item from the mapped Common Control

Select this option when all of the following apply:

Criterion 1: The audit items associated with the Common Control do not correctly audit the citation’s mandate.

Guidance:

To assess this criterion, review the following:

  1. the citation, as documented in the Citation Audit task and

  2. the Research - Common Control Details page of the Common Control in the Citation Audit task.

Determine whether the audit items found in the Research - Common Control Details page correctly audit the citation’s mandate.

If you determine that the audit items do not provide sufficient information to audit whether the requirement has been met, this criterion applies.

 

Criterion 2: The citation is not in the form of a question.

Guidance: Review the citation in the Citation Audit task. Is it in the form of a question? If no, then this criterion applies. See Example 7 above.

 

Criterion 3: The citation is not an audit and/or verification activity.

Guidance: Review the citation in the Citation Audit task. Does it begin with a verb that mandates performance of an audit activity (e.g. Examine, Test, Observe, Interview)? Furthermore, does the citation require verification against a requirement? If your answer to either question is “no,” this criterion applies.

 

Result for citations where “Reference a templated Audit Item from the mapped Common Control” is selected

  1. In the Citation Audit task, you will create a unique Audit Item using the UCF Audit Item Template. To do this, you will first select “Reference a templated Audit Item from the mapped Common Control” in the Citation Audit Task. Then, you will answer “yes” or “no” to “Do you want to include Audit Question Methods not associated with the Control?”

Example 9: Answer “yes” or “no” to “Do you want to include Audit Question Methods not associated with the Control?”

Answer “No” when: You intend to select only one of the audit items found in the Common Control’s Research - Common Control Details page. This will exclude all unselected options from the Audit Guidelines generated with UCF Authority Document Builds.

Example 10: Select “No” when you would like to select only one of a Common Control’s existing Audit Items.

Answer “Yes” when: You would like to generate a custom audit item. When you select “Yes,” you may choose from a list of audit items generated using the terms in both the Citation and the Common Control.

Example 11: Select “Yes” when you would like to generate a custom Audit Item based on the Citation and the Common Control.

  2. Then, in Audit Guidelines generated with UCF Authority Document Builds, the unique audit item selected above will appear as the Assessment Procedure for its associated Common Control. Assessment Procedures generated in this manner are identified in the “AUDIT ID” column by “✔ Defined” followed by the Authority Document ID.