Defining narratives

Define narratives to provide a description of the business process or area under review, attach supporting files, and reference associated controls.

What is a narrative?

A narrative is a description of a business process or area under review. Narratives are also known as policies, IT policies, process narratives, process descriptions, or control guides.

Before you start

Before you can define narratives, you need to:

  1. Create a project or framework.
  2. Define objectives in the project or framework.
Note

Depending on your organization's configurations, objectives may also be called sections, processes, cycles, functional areas, application systems, risk categories, or another custom term.

How it works

You can type up a narrative, or attach a narrative as a file (such as a Microsoft Word document or flowchart). You can add multiple narratives to a single objective, and attach supporting files within each narrative.

A narrative can be associated to many controls and a control can be associated with many narratives.

Note

Narratives are only available in projects and frameworks associated with an Internal Control workflow.

Example

Crisis management narrative

Scenario

One of your responsibilities as an Audit Manager is to write narratives that describe each business process. In collaboration with a process owner, you recently defined an objective called Recover within a project that focuses on cybersecurity. You now need to construct a narrative that describes this business process.

Process

You navigate to the Narratives tab in the project, and add a new narrative. After writing the narrative, you attach a few supporting files, reference the associated controls, sign-off on your work, and assign a member on your team as the next reviewer of the narrative content.

Result

Your draft narrative reads as follows:

Title Crisis Management

Description A communications strategy has been developed to ensure there are appropriate statements for internal and external communication and processes for ensuring communication to all staff in the case of an emergency. The strategy includes reference to procedures for regular communications with partner organizations and other interested parties.

Formal reporting and situation updates may also be required in the lead up to and during a disruption to create a local or regional overview of effects across Pied Piper Inc.

The main aims of the strategy are to:

  • Deliver relevant messages about the incident to the relevant stakeholder groups
  • Utilize relevant media channels to reassure and inform the public and patients
  • Ensure that messages are timely and relevant to the target audience

Below are the crisis handling steps:

  1. Document everything. This effort includes every action that is performed, every piece of evidence, and every conversation with users, system owners, and others regarding the incident.
  2. Analyze the evidence to confirm that an incident has occurred. Perform additional research as necessary (e.g., Internet search engines, software documentation) to better understand the evidence.
  3. Notify the appropriate people within the organization. This should include the chief information officer (CIO), the head of information security, and the local security manager. Use discretion when discussing details of an incident with others; tell only the people who need to know and use communication mechanisms that are reasonably secure. (If the attacker has compromised email services, do not send emails about the incident.)

The sign-off information is captured below the narrative:

Permissions

Professional Managers and Professional Users can define narratives. Contributor Managers, Contributor Testers, and Contributor Users can update and delete narratives.

Add a narrative

Add a new narrative to describe an objective.

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
  1. Do one of the following:
    • To define a narrative in a project:

      1. Open the Projects app.

      2. Open a project, and click the Fieldwork tab.
    • To define a narrative in a framework:
      1. Open Frameworks.
      2. Open a framework, and click the Sections tab.
  2. Click Go To beside the appropriate objective, and select Narratives.
  3. Click Add new narrative.
  4. In the Title text box, enter a descriptive name for the narrative.

    The maximum length is 60 characters.

  5. Click Save.

    Result The narrative is added.

Update a narrative and attach documentation

Provide additional information in a narrative, upload supporting files, and reference associated controls.

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
  1. Do one of the following:
    • To update a narrative in a project:

      1. Open the Projects app.

      2. Open a project, and click the Fieldwork tab.
    • To update a narrative in a framework:
      1. Open Frameworks.
      2. Open a framework, and click the Sections tab.
  2. Click Go To beside the appropriate objective, and select Narratives.
  3. Click edit beside the narrative you want to update.
  4. Update narrative information:
    1. Update the title of the narrative in the Title text box.
    2. Update the details of the narrative in the Description rich text editor.
      Note

      Citation Mode is not available in framework narratives. For a list of rich text editors that support Citation Mode, see Pages and rich text editors where Citation Mode is available.

      Note

      Rich text fields cannot exceed 524,288 characters.

      Tip

      To enable spell check on rich text fields, do one of the following:

      • Chrome, Firefox, or Safari CTRL + right-click within the field on Windows or Command + right-click on Mac
      • Internet Explorer or Microsoft Edge open your browser settings and turn on spell check / highlighting of misspelled words
    3. Click Save.
  5. Under Supporting Files, upload any necessary files.

    For more information, see Working with attachments.

    Note

    For security reasons, Diligent One does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  6. To reference controls in the narrative, click Select a(n) Control or Edit associations, define the appropriate associations, and click Save.

    You can reference up to a maximum of 100 controls per narrative.

    Result The narrative is updated.

Delete a narrative

Permanently remove a narrative.

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
  1. Do one of the following:
    • To delete a narrative in a project:

      1. Open the Projects app.

      2. Open a project, and click the Fieldwork tab.
    • To delete a narrative in a framework:
      1. Open Frameworks.
      2. Open a framework, and click the Sections tab.
  2. Click Go To beside the appropriate objective, and select  Narratives.
  3. Click edit beside the narrative you want to remove.
  4. Click Delete Narrative  at the bottom of the page.
  5. Click OK in the confirmation dialog box.

    Result The narrative is permanently removed.