Understanding control statuses helps you track compliance health at a glance. Controls move between statuses based on evidence freshness and findings.
Control Statuses
- Pending: No evidence linked yet.
- Valid: Evidence is present and within its required frequency.
- At Risk: Evidence is approaching expiry based on the control’s frequency.
- Failing: Evidence has expired (out of frequency) or failed checks.
Learn more about controls and evidence here:
What Drives Validity
- Evidence Expiry: Evidence must be refreshed according to the control’s set frequency (e.g., daily, quarterly, annual).
- Integrations: If a linked integration (e.g., AWS, Jira, Confluence, GitHub) cannot pull valid data (e.g., because an endpoint has turned off their anti-malware), the control will move to Failing.
- AI Evidence Review (if enabled): Runs checks against criteria you configure (pass/fail). Flags issues like missing attachments, misaligned mappings, or outdated files among other things.
- Manual Findings: Control owners/auditors can log findings: Issues (major), Recommendations (minor), Considerations (OFIs; do not affect validity).
- Learn more about findings here: Manual Findings: Reporting Findings
When the validity of evidence moves to at risk or failing a Findings tab will appear on the right hand sidebar. You can click this tab to view the issue.
Need Help?
Still have questions? Reach out to our support team via the Support Center — we’re happy to help.