Version: 1.0.0

Report and KPI Assumptions

This page explains interpretation rules that administrators should understand before using dashboards, KPIs, reports, and workflow outputs for management decisions. It is a customer-facing guide for reading results correctly, not a technical limitation list.

1. Reports Depend on Source Data

Reports summarize source records. If a number looks wrong, check the related source module first.

Common causes:

  • missing owners
  • stale statuses
  • missing due dates
  • outdated risk scores
  • duplicate records
  • incomplete evidence
  • filters that do not match the intended scope

2. Compliance Score Assumptions

Compliance results depend on control status, assessment completion, evidence quality, and selected scope.

Important assumptions:

  • A completed response is not always a compliant response.
  • Non-assessed controls may affect interpretation differently from non-compliant controls.
  • Evidence quality should be reviewed before relying on score movement.
  • Framework, period, department, or owner filters can change the visible score.

3. Risk Score Assumptions

Risk scoring uses likelihood and impact values. Administrators should distinguish between inherent and residual risk.

Important assumptions:

  • Inherent risk reflects exposure before treatment.
  • Residual risk reflects exposure after treatment or controls.
  • Lower residual risk should be supported by treatment evidence.
  • Critical risk reporting normally depends on residual risk.
  • Accepted risks still require review based on acceptance conditions.

4. KPI Assumptions

KPI values are useful only when source data and thresholds are maintained.

Important assumptions:

  • Green, yellow, and critical thresholds must match management appetite.
  • Some KPIs are better when lower; others are better when higher.
  • A red KPI may indicate true performance risk or poor data quality.
  • KPI movement should be explained before executive reporting.

5. Evidence Assumptions

Evidence proves the control, remediation, policy, or review statement.

Important assumptions:

  • Evidence should match the review period.
  • A screenshot may not be enough without context.
  • Draft documents should not be used as evidence of approved policies.
  • Closure should not happen without evidence when evidence is required.

6. Permission Assumptions

Access should follow least privilege.

Important assumptions:

  • Viewing a record does not mean the user can approve it.
  • Approval should be separated from submission when independence is required.
  • Delete access should be limited.
  • Inactive users should not own active records.

7. Scheduled Report Assumptions

Scheduled reports should be used only for stable recurring needs.

Important assumptions:

  • Recipients must be authorized to receive the content.
  • Filters should be reviewed periodically.
  • Reports without a clear owner or purpose should be removed.
  • Scheduled reports do not replace source record review.