Skip to content

Declarations and Reviews

Declarations and reviews are written statements used to describe a control’s compliance status. As declarations and reviews are the primary actions which drive a control towards its outcome, they form the engine of the compliance process in Governance Studio.

Declarations are typically made by those responsible for implementing a control — such as an engineer, project manager, or security lead. Reviews are typically made by those responsible for validating the implementation is satisfactory — such as an internal auditor or compliance lead.

Optionally, users can upload attachments to a declaration or review to support their statement.

To uphold the integrity of the compliance process, declarations, reviews, and any associated attachments cannot be edited after being submitted.

Key actions associated with declarations and reviews include:

A declaration is a statement describing how a control has been implemented.

Declarations can only result in two statuses: In Progress or Ready for Review.

  • An In Progress declaration indicates the control has not yet been implemented.
  • A Ready for Review declaration indicates the control is ready for auditor to review.

To create a declaration:

  1. Navigate to the Project Dashboard and select an applied policy
  2. Select the control you wish to declare against
  3. Select Add New and choose either In Progress or Ready for Review
  4. Enter a Subject Line and a Statement describing how the control has been implemented
  5. Optionally, upload attachments to support your statement
  6. Select Submit

A review is a statement describing whether a control’s implementation is satisfactory.

Reviews can only result in four statuses: In Review, Compliant, Non-compliant, or Not Applicable.

There are two categories of reviews:

  • Comment reviews: allows auditors to submit non-determinative feedback regarding the implementation of a control.
    • A General comment is used for neutral input without necessarily signaling approval or concern with the control’s implementation.
    • An Accepted comment expresses agreement with the control’s implementation.
    • A Questioned comment flags potential issues or uncertainties with the control’s implementation.
  • Outcome reviews: allows auditors to make a determinative assessment regarding the the implementation of a control.
    • A Compliant review indicates the control’s implementation is satisfactory.
    • A Non-compliant review indicates the control’s implementation is unsatisfactory.
    • A Not Applicable review indicates the control does not require implementation.

To create a review:

  1. Navigate to the Project Dashboard and select an applied policy
  2. Select the control you wish to review
  3. Select Add New and choose In Review, Compliant, Non-compliant, or Not Applicable
  4. Enter a Subject Line and a Statement describing your assessment
  5. Optionally, upload attachments to support your statement
  6. Select Submit

Note: reviews cannot be made while a control is Not Started or In Progress.

Optionally, users can upload attachments to a declaration or review to support their statement. Below are some best practices to guide your use of attachments.

  • Be aware of attachment access. Every attachment you upload is viewable by all other members of your project. Additionally, the file itself will be included in the .zip of the policy’s report. Attachments cannot be edited or deleted after being submitted.
  • Attach the smallest useful file. Upload the specific file that supports your statement rather than a broad export. A targeted attachment is easier for a reviewer or auditor to assess.
  • Explain your evidence. In your statement, describe what each attachment proves and how it satisfies the control, so a colleague or auditor can assess it without prior context.