
HOPEX Integrated Risk Management -

Internal Control

Training Handout

Page 1
Introduction

• Purpose of this guide
o This document is to be used as a training support for the Internal Control features of the
HOPEX Integrated Risk Management Solution.

• Document reference
o IC Version: 1.0

Page 2
Training Objectives

●Discover the standard features of HOPEX Internal Control Solution


●Discover standard profiles available
●Understand MEGA's internal control methodology

Page 3
Organizations Achieving Objectives

●Organizations make changes through transformation plans.


●They set and achieve objectives at certain points of a transformation plan.
●The organization must encourage conduct and events that support its
objectives and prevent anything that threatens meeting those objectives.
●Organizations must respond appropriately to desirable and undesirable
conduct, conditions and events.

Page 4
Objectives of Controls

●All controls have the general objective of discouraging, finding, or correcting
errors and irregularities.

●With the growing availability of technologies and with a great range of
analysis techniques available, the way we structure controls can offer so much
more than detection of errors.

●We can use a system of various control types based on risk assessments and
analyses to increase an organization’s confidence in its actions.

Page 5
Designing controls

● When designing controls, some assumptions about each control implemented
in an organization must be considered. Notably, the Control:
o is used as it was intended
o is maintained once implemented
o is implemented as designed
o is located properly in the process flow
o should have clear and useful warning signs
● Warning signs must be based on possible failing scenarios.

Page 6
Course Content

I. Introduction to HOPEX solutions
o The Internal Control solution
o HOPEX interface
o Profiles
II. Managing the control library
III. Control execution
IV. Control assessment
V. Remediation

Page 7
The Internal Control solution

Control management and execution
• Managing the control library
• Control execution

Testing and remediation
• Test plan
• Work program
• Test execution

Control assessment
• Control assessment campaign and Compliance session
• Assessment levels

RM
IC

Unique repository

Page 8
The Internal Control solution

Execution

Definition Assessment Remediation Report

Testing (execution and assessment)

Page 9
Course Content

I. Introduction to HOPEX
o The internal control solution
o HOPEX interface
o User roles
II. Managing the control library
III. Control execution
IV. Control assessment
V. Remediation

Page 10
HOPEX interface

●HOPEX is a Web application.

Connection page:

Page 11
HOPEX interface
Desktop Intuitive menus, following business logic

Navigation panes

Page 12
HOPEX interface
●Business objects are presented in lists.
●It is possible to filter, order and group.

Page 13
HOPEX interface

● HOPEX is a multilingual tool.

Page 14
Course Content

I. Introduction to HOPEX
o The internal control solution
o HOPEX interface
o Profiles
II. Managing the control library
III. Control execution
IV. Control assessment
V. Remediation

Page 15
Main Tasks for the Control Manager

●Assess the best option for taking risk appetite into consideration in
strategic decision making.
●Provide relevant information to support management decisions.
●Assess the current state of the controls to capture what is done well and
identify where there are risks.

Page 16
Profiles

● Various profiles are delivered with the HOPEX IC Solution

Internal Control Director Internal Controller GRC Contributor


(GRC Manager) (HOPEX Explorer)

Page 17
Rights by profile

Internal Control Director (GRC Manager), Internal Controller, GRC Contributor

Defines controls Defines controls
Executes controls
Prepares campaigns Prepares campaigns
Answers assessment questionnaires
Validates campaigns
Prepares test plan

Executes Tests Executes tests

Creates work program

Creates issues Creates Issues

Creates action plans Creates action plans


Validates action plans Validates action plans

Follows up action plans Follows up action plans

Page 18
Managing the control library

Page 19
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
o Control creation
o Contextualization
o Reporting
III. Control execution
IV. Control assessment
V. Remediation

Page 20
Control creation
●The internal controller and the internal control director create
controls

Page 21
Control characteristics

The owner is the person in charge of execution

If selected, the control appears in the list of key controls

Corrective, Detective, Preventive

Automatic, Manual, Semi-Automatic

Page 22
Control Characteristics

● Controls should be like a “light switch”: mechanical, consistent, and simple
● The control design should be simple, so the control can be easily placed in a process flow
● It should be easy to install, implement and maintain
● A correctly designed control exists when each user interacts the same way with it and gets
the same result
● Well-designed controls can provide assurance against a set of criteria

Page 23
Control characteristics

● The different pages enable access to:


o Characteristics
o Execution
o Test
o Deficiencies
o Assessment
o Implementation/Remediation (Action Plans)
o Reports

Page 24
Control RACI
●Under section RACI, responsibilities relating to control can be
defined.

Responsibility: Meaning
Responsible: Responsible for execution and assessment of control and actions required
Accountable: Determining action progress
Consulted: Consulted as first priority before an action or decision.
Informed: Must be informed after an action or decision.

Page 25
Control RACI
● There can be several responsible users for a control in different
entities.

Page 26
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
o Control creation
o Contextualization
o Reporting
III. Control execution
IV. Control assessment
V. Remediation

Page 27
Contextualization
● Controls can be attached to different elements of the business
repository to which they relate, for instance:

o Entities
o Processes
o Control types
o Requirements

Page 28
Course content

I. Introduction to HOPEX solutions
II. Managing the control library
o Control creation
o Contextualization
o Reporting
III. Control execution
IV. Control assessment
V. Remediation

Page 29
Library menus
●Menus enabling easy consultation of controls are accessible from
drop-down lists:

All controls: lists all controls
Key controls: lists key controls

Page 30
Control navigation trees
●Navigation trees are available to view controls by context.

Page 31
Exercise 1

Managing The Control Library

Page 32
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
o Defining control steps
o Steering calendar
o Control execution
o Reporting
IV. Control assessment
V. Remediation

Page 33
Contextualize the Control
● To carry out a Control execution campaign, the following information
must first be recorded for its contextualization:
o Controls to be evaluated
o Calendars
o Responsible associated with the Control and its Assignment location (Person
who will answer the questionnaires)
o Process associated with the Control to be evaluated, which must be directly or
indirectly (higher Processes) associated with the same Org-Unit assigned to the
Responsible

Page 34
Control steps

● Before planning control execution, its execution steps must be defined. There are
two types:
o Inherited control steps (applicable to all controls without exception)

o Specific control steps, defined for a specific control

● Steps are defined in the Execution page of the control.

Page 35
Control steps
●Control Step properties page:

Step name

Step description

Page 36
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
o Defining control steps
o Steering calendar
o Control execution
o Reporting
IV. Control assessment
V. Remediation

Page 37
Recurrence and steering calendar
● Once the elements of the control have been defined, its execution
periodicity must be defined.

● To do this, steering calendars are defined:
o Daily
o Monthly
o Weekly

Page 38
Control execution

● Controls are executed periodically in their contexts (process,
entity).

● Execution is presented in the form of questionnaires created
based on control steps.

Page 39
Control execution

●Controls are executed in sessions.


●Sessions are grouped in campaigns and comprise a set of controls to be assessed on the
same date.
●Campaigns are automatically started from defined dates.

Page 40
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
o Defining control steps
o Steering calendar
o Control execution
o Reporting
IV. Control assessment
V. Remediation

Page 41
Campaigns

●Campaigns are created from the Campaigns menu in the Control Execution navigation
pane.

Page 42
Campaign

Campaign name

Control execution by default - Generates questionnaires based on
inherited and specific steps.

Campaign owner

Calendar enabling fixing of begin and end dates.

Page 43
Campaign

Enables definition of assessment campaign scope. In this case the
set of controls of the World@Hand entity will be assessed.

A report is generated. It indicates:
• Campaign begin and end dates
• Campaign responsible
• Number of objects to be executed

To complete campaign declaration, click OK.

Page 44
Campaign
●Having been declared, the campaign can be started.

●The campaign starts automatically according to specified dates and
sends check-lists according to the steering calendar.

Page 45
Campaign
●The check-list calendar is available in the Automatic Execution tab
of the campaign.

Page 46
Check-lists
●The Contributor receives check-lists (My control execution check-lists).

Page 47
Check-lists
●Contributors can complete the check-lists.
●If the contributor discovers the check-list has been incorrectly
assigned to him, he can return it to the person who is responsible for
the session.
● The check-list will be reassigned to the correct person.

Page 48
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
o Defining control steps
o Steering calendar
o Control execution
o Reporting
IV. Control assessment
V. Remediation

Page 49
Execution follow-up reports
●Different reports are available.

Page 50
Execution session follow-up

●This report enables execution session follow-up.

Page 51
Execution session statistics
●This report enables analysis of distribution of execution session
replies.

Page 52
Exercise 2

Executing Controls

Page 53
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
IV. Control assessment
o Direct assessment
o Assessing controls by questionnaires
V. Remediation

Page 54
Direct assessment

●Controls can be directly assessed in terms of design and efficiency
by unique or multiple methods.

Page 55
Simple direct assessment
●In the properties of a control, under the Assessment tab:

Adequate, Inadequate

Efficient, Deficient

Date

Page 56
Simple direct assessment
●Assessments can be consulted under the control Assessment
Results section (Assessment page).

Page 57
Multiple direct assessment
●From the Control Multiple Assessment Table tile.
●All controls to be assessed within a specific entity must be
connected.

Page 58
Multiple direct assessment

●This table gives a better overview and saves time.

Page 59
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
IV. Control assessment
o Direct assessment
o Assessing controls by questionnaires
V. Remediation

Page 60
Assessment by questionnaires

●Assessment questionnaires can be sent via campaigns.


●Questionnaires are sent to the appropriate persons.
●Respondents can answer questionnaires or reassign them.

Page 61
Assessment by questionnaires
●Campaigns are created from the Campaigns list.

●Before creating campaigns, check that:


o Controls are connected to processes
o Processes are connected to entities
o Control responsible users are correctly defined

Page 62
Assessment campaign definition

Control assessment

Calendar enabling definition of begin and end dates.

Page 63
Assessment campaign definition
●Controls are selected in their context with the tree of Entities >
Processes > Controls.

Page 64
Assessment campaign definition

A report is generated. It indicates:
• Campaign begin and end dates
• Campaign responsible
• Number of objects to be assessed

To complete campaign declaration, click OK.

Page 65
Campaign deployment
●When the campaign has been created, it can be deployed:
o Now
o As soon as possible (after dispatch)
o At a later date

●Deployment enables calculation of the possible measure contexts
for the campaign.

Page 66
Defining assessment scope
●You can:
o Define assessment scope from the Effective Scope page.
o Invalidate elements to be excluded.
o Modify respondents

Page 67
Creating sessions
●Assessment sessions need to be created.

Page 68
Campaign planning

●When campaign scope has been defined and assessment sessions created, you can plan the
campaign.
●This consists of indicating in which sessions the controls of each process and each entity
should be assessed.

Note: The same controls can be assessed in several assessment sessions.

Page 69
Campaign planning
●From the Planning tab of the campaign:

Page 70
Deploying sessions
●Session deployment consists of preparing sending of
questionnaires to users.
●Deployment can be executed:
o Now
o As soon as possible (after private workspace dispatch)
o On a scheduled date

Page 71
Session scope

●Deployment enables calculation of possible assessment nodes for the session.

Page 72
Session scope
●It is possible to modify respondents and delete elements to be
assessed.
●If scope is satisfactory, the session can be validated, enabling
generation of questionnaires.

Page 73
Starting the session

●To send questionnaires to addressees, it is necessary to Start the
session.

●Respondents are notified by e-mail.

Page 74
Assessment questionnaires

●Respondents can consult questionnaires from the "My assessment questionnaires" pane of
the Home tab.
●They can reply to questionnaires and submit answers, or request redirection of the
questionnaire if it is not for them to answer.

Page 75
Session follow-up
●Two menus on the session properties page enable session follow-up
and statistics.

Page 76
Session follow-up
●"Execution session follow-up" presents different charts concerning
session progress:
o Percentage of completed questionnaires
o Percentage of validated questionnaires
o Distribution of questionnaires:
- by status
- delegated/not delegated
- by respondent and status
- by object and status

Page 77
Session statistics
●"Execution session statistics" enables analysis of distribution of
assessment session replies.
A tree displays:
o In rows: questions/answers, together with respondents
o In columns: for each question/answer:
- number of respondents
- controls to which the answer relates

●This tree indicates who has answered what to which question.

Page 78
Exercise 3

Assessing Controls

Page 79
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
IV. Control assessment
V. Remediation
o Issue management
o Action plan management

Page 80
Issue management
●Issues are identified from control assessment questionnaires.
●Their analysis enables implementation of the appropriate corrective
actions in the form of action plans.
●Action plan follow-up is simplified by production of reports.
●Issues are created automatically at control assessment when
controls are considered unsatisfactory.
●They can also be created manually.

Page 81
Issue characteristics

Assessment
Generic
Testing

Very high
High
Medium
Low

Page 82
Issue characteristics
●The issue can be qualified and connected to Testing activities,
Questionnaires, Origin Assessment Nodes, Controls.

Page 83
Issue remediation
●To remediate the issue, you must create an action plan.
●Action plans can be set up to improve or correct a control
considered unsatisfactory.
●The issue is considered remediated when the action plan is
completed.

Page 84
Issue follow-up
●A report enables issue follow-up. It indicates breakdown of issues
(remediated, non-remediated, without action plan).
●Different filters are proposed (process, entity, begin date, end date)

Page 85
Course Content

I. Introduction to HOPEX solutions
II. Managing the control library
III. Control execution
IV. Control assessment
V. Remediation
o Issue management
o Action plan management

Page 86
Action plan characteristics
Specified by default with the name of the
user who created the action plan

User responsible for action plan validation
when all actions have been completed.

Low, Medium, High, Critical

Global, Local

Audit, Compliance, Event, Risk, RFC, Other.

Corrective, Preventive

Used for sending reminders to the person
responsible for an action plan so that they
can indicate action plan progress.

Page 87
Action plan characteristics

The user defined as action plan Responsible is
responsible for definition of actions to be carried
out and their execution.

Estimate expressed in man-days of
action plan implementation workload.

You can connect objects of risk, process, control,
entity or application type.

The owner of the action plan must define actions
enabling execution of the action plan. The owner
can create actions and assign these.

Page 88
Action characteristics
●Actions are action plan units.

Low, Medium, High, Critical

Responsible for the action as
specified by the creator of the
action.

Page 89
Action plan workflows
●When the action plan has been created with its actions, the
workflow can be started.
●Two workflows are available according to the business role of the
user.
●These two workflows depend on the required approach:
o Top-down
o Bottom-up

Page 90
Bottom-up workflow
●In a "bottom-up" approach, the action plan must be validated to
enable implementation.
●This is the case when control assessment questionnaire respondents
propose an action plan: they must submit it via the workflow.

Page 91
Top-down workflow
●In the framework of a "top-down" approach, the action plan is
created by a responsible user.
●Internal controllers executing tests use this approach: the action plan
does not require validation.

Page 92
Action plan progress
●When the action plan has been started, the responsible user can
create progress states to indicate its progress.

Page 93
Action plan report

●Reports on action plan progress are available under the Progress Report tab.
o Actions Gantt chart
o Progress history

Page 94
Closing action plans
●The action plan responsible can Terminate the action plan, which
will enable placing of a final status.
●An e-mail is sent to the approver to inform him of the action plan
to Close.

Page 95
Action plan management

The approver will:


●Reopen the action plan if necessary.
●Close the action plan if he considers it can be closed. All attached
actions are then closed.

Page 96
Action plan follow-up

●An action plan follow-up report is available in the navigation pane.


●It presents action plans by:

o Status
o Progression
o Priority
o Category
o Nature
o Processes
o Entity

Page 97
Exercise 4

Remediation

Page 98
Conclusion

●For every organization, it is important to implement measures that
protect the organization's financials, data and processes in accordance with the
regulations established by governments or other entities.
●Internal controls establish a guide for how the organization handles
administrative, operative and managing tasks.
●Organizations that handle controls well are more likely to avoid fraud, and
thus protect their reputation.

Page 99
mega.com @mega_int
Page 100
