Tasks and Controls
Understand how automation tasks relate to controls and manual tasks
Tasks and Controls
Understanding the relationship between tasks, controls, and automations is key to using the system effectively.
What Are Tasks?
Tasks are individual work items with:
- Summary: What needs to be done
- Description: Details and context
- Assignee: Who is responsible
- Due Date: When it needs to be completed
- Status: New, In Progress, or Done
- Linked Entity: Often a control, but can be registry, risk, asset, etc.
Two Types of Tasks
Manual Tasks
Tasks you create directly when specific work is needed.
Created by: You or team members When: Immediate or specific future need Examples:
- "Implement MFA for new application"
- "Update firewall rules for server migration"
- "Complete audit finding remediation"
How to create: Click "Create Task" or use Tab 2 (Task) in the 3-tab dialogue
Automated Tasks
Tasks created automatically by automations on a recurring schedule.
Created by: Automation system When: Based on recurrence schedule (weekly, monthly, etc.) Examples:
- "Monthly Access Control Review - January 2024"
- "Quarterly Risk Assessment - Q1 2024"
- "Annual Policy Review - 2024"
How they're created: Automation workflow runs on schedule
Key Differences
| Aspect | Manual Tasks | Automated Tasks |
|---|---|---|
| Creation | You create them | Automation creates them |
| Timing | When you want | On fixed schedule |
| Recurrence | One-time | Repeating |
| Consistency | Variable | Identical format each time |
| Purpose | Specific work | Regular reviews |
How Automations Create Tasks
The Process:
Automation runs on schedule
- Based on recurrence rule (e.g., "1st of each month")
Checks advance notice
- Creates task N days before due date (default: 14 days)
- Example: For Feb 1 due date, task created Jan 18
Creates the task
- Summary: From automation name/template
- Description: From automation description
- Assignee: Based on rules or manual assignment
- Due Date: Calculated from schedule
- Linked to: The control/entity automation is attached to
Links to control
- Task automatically references the control
- Appears in control's evidence table
- Counts toward automation health metrics
Understanding Advance Notice
Advance notice is the number of days before the due date that the task is created.
Example with 14-day advance notice:
- Automation schedule: Monthly on the 1st
- Next due date: February 1st
- Task created: January 18th (14 days before)
- You have from Jan 18 - Feb 1 to complete it
Why advance notice matters:
- Gives time to plan and prepare
- Allows for vacation/busy periods
- Prevents last-minute rush
- Improves completion rates
Typical advance notice:
- Simple tasks: 7-10 days
- Standard reviews: 14 days (default)
- Complex assessments: 21-30 days
- Annual reviews: 45-60 days
How Tasks Link to Controls
Every task can be linked to one "locus of work" (where the work happens):
Link Types:
- Control: Task reviews or implements a control
- Registry: Task updates a registry (assets, vendors, etc.)
- Risk: Task assesses or mitigates a risk
- Asset: Task relates to a specific asset
- Vendor: Task involves vendor management
- Incident: Task addresses an incident
Why linking matters:
- Context: You see exactly what the task is about
- Evidence: Completed tasks serve as control evidence
- Tracking: All tasks for a control appear in one place
- Reporting: Easier to demonstrate compliance
Viewing Tasks for a Control
From Control Detail View
- Open the control
- Go to "Linked Items & Evidence" section
- Tasks appear in the table with:
- Task summary
- Status (New, In Progress, Done)
- Assignee
- Due date
- Source (Manual or Automation name)
From Tasks Page
- Go to Tasks page
- Filter by the control
- See all tasks (manual + automated) for that control
Managing Tasks Created by Automations
Can You Edit Them?
Yes! Automated tasks can be edited just like manual tasks:
- Change assignee
- Adjust due date
- Update description
- Mark as complete
Can You Delete Them?
Yes, but consider:
- Deleting doesn't stop future tasks from being created
- If the automation is wrong, fix the automation instead
- Deleted tasks don't count toward health metrics
Should You Change Due Dates?
Sometimes:
- Team member on vacation: Extend due date
- Urgent priority: Move up due date
- Process changed: Adjust to match reality
But remember: Automation will create the next task on the original schedule, not based on your adjusted date.
When Automations and Manual Tasks Overlap
Scenario: You have a monthly automation for access review, and you also create a manual task for immediate access review.
Result: Both tasks exist - that's fine!
- Automation task: Regular, scheduled review
- Manual task: Immediate, specific concern
Best practice: Complete both, or note in the automation task if the manual task addressed the concern.
Task Completion and Control Evidence
How Completed Tasks Help
When you mark a task "Done":
- It counts as evidence for the control
- Improves automation health metrics
- Shows auditors regular review activity
- Demonstrates compliance commitment
Evidence Value
Manual tasks: Prove specific work was done Automated tasks: Prove consistent, regular oversight
Together, they create a comprehensive evidence trail.
Common Scenarios
Scenario 1: Monthly Control Review
Setup:
- Control: "Access Control Management"
- Automation: "Monthly Access Review" (1st of each month)
- Advance notice: 14 days
What happens:
- Jan 18: Task created "Monthly Access Review - February 2024"
- Jan 18-Feb 1: Team reviews access lists
- Feb 1: Task marked done
- Feb 15: Next task created "Monthly Access Review - March 2024"
Scenario 2: Emergency Change to Control
Setup:
- Same control and automation as above
- Urgent need: Implement new access restriction immediately
What you do:
- Create manual task: "Implement emergency access restriction"
- Assign to security team
- Complete immediately
- The monthly automation continues on schedule separately
Result: Control has both immediate action (manual task) and regular review (automated tasks).
Scenario 3: Automation Frequency Change
Setup:
- Automation changed from monthly to quarterly
- Several monthly tasks already created and in progress
What happens:
- Existing tasks: Remain unchanged, complete them
- Future tasks: Created quarterly after the last monthly task completes
- No duplication, smooth transition
Task-Based Compliance Reporting
Using tasks for compliance reports:
For Auditors:
- "Show me all access review tasks for the past year"
- Filter by control + date range
- Completed tasks prove regular reviews
For Management:
- "How many compliance tasks completed this month?"
- Task completion metrics by team/person
- Trend analysis over time
For Process Improvement:
- Which tasks take longest to complete?
- Which controls have most overdue tasks?
- Where do we need more resources?
Best Practices
Keep Manual and Automated Tasks Separate in Purpose
- Automated: Regular, predictable reviews
- Manual: Specific, one-time actions
Complete Tasks Promptly
Overdue tasks hurt automation health and create compliance risk.
Use Task Descriptions Well
Explain what needs to be done, provide context, link to resources.
Link Tasks to Controls
Always associate tasks with the relevant control/entity for better tracking.
Review Old Tasks Periodically
Clean up completed tasks older than retention period to keep the system tidy.
Monitor Task Workload
If assignees are overwhelmed with automated tasks, reduce automation frequency.
Next Steps
- Explore common automation workflows
- Learn more about managing automations
- Understand automation health status