Assessments
The Assessments module is where your organization actually evaluates things. A control self-assessment, an internal audit, a third-party review, a certification test, a vendor due-diligence review, a risk assessment, an obligation gap analysis: all of these are assessments. They have a methodology, a subject they’re assessing, test procedures, samples, results, and conclusions.
This module is deliberately generic. The same record shape handles a quick self-assessment and a full external audit, because both are “evaluating a subject against a methodology and capturing what was found.” Different frameworks’ audit methodologies, different internal audit approaches, and different self-assessment styles all use the same machinery.
When you would reach for this
You set up assessments when:
- A control needs to be evaluated for whether it’s operating as designed.
- A risk needs to be reassessed because conditions have changed.
- An obligation needs a gap analysis to see where you stand.
- A third party needs to be assessed for due-diligence purposes.
- An asset needs a readiness or security assessment.
- A program needs a periodic management review.
- An auditor is coming and you need to capture their test work, samples, and conclusions inside Novantra so the audit trail lives where the rest of governance lives.
You don’t reach for this when collecting evidence (Evidence), filing findings the assessment surfaces (Findings), or recording exceptions (Exceptions). Assessments is the evaluation activity; those other modules are what the activity produces.
What lives in an assessment
A single record type with rich embedded structure:
Assessment carries:
- A title and a stable key you pick, plus a description of the scope.
- A status: planned, in-progress, completed, superseded, etc.
- The subject being assessed (a control, a risk, an obligation, an asset, a program, a vendor engagement, etc.).
- A methodology snapshot capturing what approach was used (the framework’s test methodology, an internal SOP, a third-party’s audit program).
- A question and response set when the methodology is questionnaire-based.
- A test procedure set and test steps for procedural methodologies.
- A sample set and sample results when sampling is part of the methodology.
- Result snapshots scored against an evaluation model (effectiveness, maturity, score, rating, readiness, gap rating, whatever the methodology produces).
- An assessor and a reviewer (responsibility assignments).
- Conclusions with rationale.
- Links to evidence claims it relied on, findings it generated, exceptions it noted.
A worked example: a renewable-energy operator runs its quarterly control assessments
A renewable-energy operator runs wind and solar generation assets across multiple sites. The operations governance team runs quarterly control self-assessments across operational technology security, environmental compliance, and physical access. Their internal audit team runs deeper third-party-style audits once a year. Both populations of work live in Assessments.
The head of internal controls, Ola, sets up Assessments like this.
Step 1: methodology templates. For the quarterly self-assessments, Ola defines a standard methodology snapshot used across every control: the test procedures (review the control’s evidence claims, walk the procedure with the control owner, sample three recent operational events to verify the control fired correctly), the questionnaire (10 questions about design effectiveness, 8 about operating effectiveness), and the scoring model (a 4-tier effectiveness rating from the canonical evaluation model).
Step 2: scheduled assessment creation. Every quarter, the operations governance team creates one assessment per in-scope control. Each new assessment:
- Subject: the control being evaluated.
- Methodology snapshot: a copy of the standard methodology at that moment.
- Status: planned, assigned to the control owner as assessor and to the operations governance lead as reviewer.
Step 3: conduct the assessment. The assessor records:
- Walkthrough notes in the methodology snapshot.
- Responses to each questionnaire question.
- Three sampled events per control with results (pass / fail / inconclusive).
- Per-procedure step outcomes.
- The effectiveness rating, scored against the canonical model.
- Conclusions and any noted exceptions.
Step 4: review and close. The reviewer accepts or pushes back. If pushed back, the assessor revises. Once accepted, the assessment moves to completed. The control’s compliance projection updates based on the assessment result. Any failed samples or material concerns become Findings automatically routed for remediation.
Step 5: annual third-party audit cycle. When the external auditor arrives, Ola sets up assessments for the audit scope. Each assessment uses the auditor’s own methodology snapshot (capturing the framework-specific audit program), test procedures and samples driven by the auditor, and conclusions signed by the audit partner. The audit work happens inside Novantra, so the trail of test steps, samples, evidence reviewed, and conclusions is captured natively rather than living in the auditor’s separate workpapers.
After a year, the assessment register shows:
- The full chronological history of every control’s quarterly self-assessment.
- The annual third-party audit with its samples and conclusions.
- Cross-links to every evidence claim that informed the assessments and every finding that was raised from them.
What you’ll see in the product
Assessments lives under Governance → Assessments in the workspace.
The Assessments list is filterable by subject module (controls, risks, obligations, vendor engagements, assets), status, assessor, reviewer, methodology, and date range. Sort by completion date to see what’s recently been assessed; sort by scheduled date to see what’s upcoming.
Inside an assessment, you see:
- The subject (with deep link).
- The methodology snapshot, the question/response set, the test procedures and steps, the samples and sample results.
- The result snapshots and conclusions.
- The assessor, reviewer, and audit trail.
- Linked evidence claims (what the assessment relied on).
- Linked findings (what the assessment produced).
- Linked exceptions (waivers the assessment noted).
The page is intentionally dense for an audit-grade record. Different methodologies surface different sections; questionnaire-only assessments don’t show sampling tabs, and so on.
Every change is captured in the workspace Audit Log and the assessment’s own activity history.
Methodology snapshots
A methodology snapshot is a flexible JSON-shaped capture of how the assessment was performed. Use it for:
- The framework or standard’s audit program text.
- The internal SOP that defines the self-assessment.
- The third-party assessor’s program if they ran the work.
- Walkthrough notes, scope definitions, and inclusions/exclusions.
Snapshots are immutable for completed assessments: the methodology that was used at that moment is preserved exactly, even if the organization later updates its methodology template.
Sampling
For methodologies that rely on sampling (testing a subset of events, transactions, records), assessments capture:
- The sample frame (how the population was defined).
- Each sample item with its identifier and result (pass / fail / inconclusive).
- The sample size rationale.
This makes sampling-based audit work fully reviewable without leaving Novantra.
Common workflows
Running a control self-assessment
- Assessments → New assessment. Subject: the control. Methodology: the standard self-assessment template.
- Assign yourself (or the control owner) as assessor.
- Walk the methodology: questionnaire, test procedures, samples.
- Score the result against the canonical evaluation model.
- Submit to reviewer. Reviewer accepts or returns.
- Completion automatically updates the control’s compliance projection.
Hosting a third-party audit
- Assessments → New assessment. Subject: the program, control, or obligation in scope.
- Methodology snapshot: paste in the auditor’s audit program.
- Assessor: the audit partner. Reviewer: your internal audit liaison.
- The auditor conducts the assessment inside Novantra: test steps, samples, conclusions.
- Completion locks the assessment; findings are routed to remediation.
Reassessing after a finding
- After a finding is closed, create a new assessment of the original subject with a methodology referencing the remediation.
- The new assessment supersedes the old one; record the link to the superseded assessment in the new methodology snapshot.
- The subject’s projection refreshes to reflect the new result.
Tracking assessment cycles
- Filter Assessments by status: planned to see upcoming work.
- Filter by completion date in the past quarter to see what was done.
- Sort by subject to find any subject without a recent assessment.
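The rules spelled out in Methodology snapshots, Sampling, Reassessing after a finding, and Tracking assessment cycles above are easier to reason about as a small model. The following is an added example, not Novantra’s own code or API: the class, field and function names (Assessment, create_assessment, record_sample, complete, reassess, stale_subjects) and the sample data are assumptions chosen to mirror the prose. Only the concepts come from the page: a methodology snapshot copied from a template at creation time, pass / fail / inconclusive samples, a status lifecycle, a snapshot that is frozen once the assessment is completed, supersession on reassessment, and the register query for subjects without a recent assessment.

```python
"""Illustrative model of the Assessments record shape and its rules.
Added example; names are assumptions, not Novantra's schema or API."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import date, timedelta
from types import MappingProxyType
from typing import Any, Optional

PLANNED, IN_PROGRESS, COMPLETED, SUPERSEDED = "planned", "in-progress", "completed", "superseded"
SAMPLE_RESULTS = ("pass", "fail", "inconclusive")


def _freeze(value: Any) -> Any:
    """Recursively wrap dicts/lists in read-only views so a completed
    snapshot cannot be edited in place (item assignment raises TypeError)."""
    if isinstance(value, dict):
        return MappingProxyType({k: _freeze(v) for k, v in value.items()})
    if isinstance(value, list):
        return tuple(_freeze(v) for v in value)
    return value


@dataclass
class Assessment:
    key: str
    subject: str                                  # e.g. "control:OT-SEC-07"
    methodology: Any                              # snapshot copied from the template
    assessor: Optional[str] = None
    reviewer: Optional[str] = None
    status: str = PLANNED
    samples: list[dict] = field(default_factory=list)
    conclusion: Optional[str] = None
    completed_on: Optional[date] = None

    def _assert_open(self) -> None:
        if self.status in (COMPLETED, SUPERSEDED):
            raise PermissionError(f"{self.key} is {self.status} and locked")

    def record_sample(self, sample_id: str, result: str) -> None:
        """Add one sample item; a planned assessment moves into progress."""
        self._assert_open()
        if result not in SAMPLE_RESULTS:
            raise ValueError(f"unknown sample result {result!r}")
        self.samples.append({"id": sample_id, "result": result})
        self.status = IN_PROGRESS

    def sample_counts(self) -> dict[str, int]:
        counts = dict.fromkeys(SAMPLE_RESULTS, 0)
        for s in self.samples:
            counts[s["result"]] += 1
        return counts

    def complete(self, conclusion: str, on: date) -> None:
        """Reviewer acceptance: record the conclusion and freeze the snapshot."""
        self._assert_open()
        self.conclusion, self.completed_on, self.status = conclusion, on, COMPLETED
        self.methodology = _freeze(self.methodology)


def create_assessment(key: str, subject: str, template: dict, **roles: str) -> Assessment:
    """Deep-copy the template so later template edits never leak into the record."""
    return Assessment(key=key, subject=subject, methodology=copy.deepcopy(template), **roles)


def reassess(old: Assessment, key: str, template: dict, remediation_ref: str) -> Assessment:
    """Supersede an assessment with a new one of the same subject; the link to
    the old record and to the remediation lives in the new snapshot."""
    snapshot = copy.deepcopy(template)
    snapshot["supersedes"] = old.key
    snapshot["remediation_ref"] = remediation_ref
    new = Assessment(key=key, subject=old.subject, methodology=snapshot,
                     assessor=old.assessor, reviewer=old.reviewer)
    old.status = SUPERSEDED
    return new


def stale_subjects(register: list[Assessment], as_of: date, window_days: int) -> list[str]:
    """Subjects never completed, or last completed more than window_days ago."""
    cutoff = as_of - timedelta(days=window_days)
    latest: dict[str, Optional[date]] = {}
    for a in register:
        done = a.completed_on if a.status in (COMPLETED, SUPERSEDED) else None
        prev = latest.get(a.subject)
        latest[a.subject] = max(filter(None, (prev, done)), default=None)
    return sorted(s for s, d in latest.items() if d is None or d < cutoff)


def run_example() -> dict:
    """Constructed scenario (not real data): one quarterly cycle on three controls."""
    template = {"procedures": ["review evidence", "walkthrough", "sample 3 events"],
                "questions": 18, "scoring": "4-tier effectiveness"}
    a1 = create_assessment("A1", "control:OT-SEC-07", template, assessor="owner", reviewer="lead")
    template["questions"] = 20                       # template changes after creation
    for sid, res in (("evt-101", "pass"), ("evt-102", "pass"), ("evt-103", "fail")):
        a1.record_sample(sid, res)
    a1.complete("partially effective", date(2024, 3, 31))
    try:
        a1.methodology["procedures"] = []              # frozen: must fail
        frozen = False
    except TypeError:
        frozen = True
    a2 = create_assessment("A2", "control:PHYS-02", template)       # still planned
    a3 = create_assessment("A3", "control:ENV-04", template)
    a3.complete("effective", date(2024, 6, 30))
    stale = stale_subjects([a1, a2, a3], date(2024, 7, 15), 90)
    a4 = reassess(a1, "A4", template, "FND-12")
    return {"a1": a1, "a4": a4, "frozen": frozen, "stale": stale,
            "counts": a1.sample_counts(), "snapshot_questions": a1.methodology["questions"]}


if __name__ == "__main__":
    print(run_example())
```

The two checks worth keeping in mind are the ones the page asserts and an auditor will test: the snapshot is a deep copy at creation (the later template edit does not reach A1) and is read-only after completion (the in-place edit raises), and a superseded record keeps its completion date so the subject still counts as assessed for cycle tracking while the new planned assessment carries the back-link.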
Looking for the API?
See Assessments API reference for the v1 REST endpoints to list and inspect assessments from an external system.
Related
- Controls - the typical subject of an assessment.
- Risks - risk assessments live here.
- Obligations - obligation gap assessments live here.
- Evidence - assessments cite evidence claims.
- Findings - assessments generate findings.
- Exceptions - assessments may note exceptions.
- Evaluation Models - assessment results score against these models.
- Assurance - assurance engagements wrap multiple assessments together.