Internal controls programs run on quarterly survey fatigue. Control owners get a spreadsheet, fill it in under deadline pressure, return it, and the GRC team manually reconciles 200 rows into a heat-map for the board. The cycle takes a quarter. By the time it's done, two control owners have left the company.
Not a TPRM workflow with control-owner labels — a built-in program type with control-owner vocabulary, the CMMI-aligned 1–5 tier ladder, justification and evidence required by default. Recurring annual / semi-annual / quarterly cadence. Prior-cycle pre-population means control owners confirm or update what they said last time, not re-enter from a blank spreadsheet.
No artifact-generation drill the week before the meeting. The maturity heat-map is the same view your team uses operationally. Per-function or per-family rendering. CSV and PDF exports. Longitudinal posture trends auto-generate from the cycle history — your board sees not just where you are but where you've been moving for the last four quarters.
Most ICA tools lock you to one framework — pick NIST CSF and you build NIST CSF, then start over for ISO. Verisq doesn't. Cross-framework propagation means rating a control once surfaces equivalent ratings across all the mapped frameworks for reviewer acceptance. Thousands of mapped pairs across the seeded eight. Drift detection catches divergence over time.
Every rating, every implied-rating acceptance across mapped frameworks, every override, every cycle close — captured in the Decision Audit. The board sees the heat-map; the auditor sees the same data plus the underlying decision trail with reviewer signature, timestamp, and justification on every change.
Internal Controls Assessment is included in RapidRisk Plus and Enterprise.