Internal Control
Training Handout
Page 1
Introduction
• Document reference
o IC Version: 1.0
Page 2
Training Objectives
Page 3
Organizations Achieving Objectives
Page 4
Objectives of Controls
●We can use a system of various control types based on risk assessments and
analyses to increase an organization’s confidence in its actions.
Page 5
Designing controls
Page 6
Course Content
Page 7
The Internal Control solution
RM
IC
Testing and remediation
• Test plan
• Work program
• Test execution
Control assessment
• Control assessment campaign and Compliance session
• Assessment levels
Unique repository
Page 8
The Internal Control solution
Execution
Testing
(execution
and
assessment)
Page 9
Course Content
Page 10
HOPEX interface
Connection page:
Page 11
HOPEX interface
Desktop Intuitive menus, following business logic
Navigation panes
Page 12
HOPEX interface
●Business objects are presented in lists.
●It is possible to filter, order and group.
Page 13
HOPEX interface
Page 14
Course Content
Page 15
Main Tasks for the Control Manager
● Assess the best option for taking risk appetite into account in strategic
decision making.
●Provide relevant information to support management decisions.
●Assess the current state of the controls to capture what is done well and
identify where there are risks.
Page 16
Profiles
Page 17
Rights by profile
Internal Control Director (GRC Manager)
Internal Controller
GRC Contributor
Defines controls Defines controls
Executes controls
Prepares campaigns Prepares campaigns
Answers assessment questionnaires
Validates campaigns
Prepares test plan
Page 18
Managing the control library
Page 19
Course Content
Page 20
Control creation
●The internal controller and the internal control director create
controls
Page 21
Control characteristics
Corrective, Detective, Preventive
Page 22
Control Characteristics
Page 23
Control characteristics
Page 24
Control RACI
●Under section RACI, responsibilities relating to control can be
defined.
Responsibility Meaning
Responsible Responsible for execution and assessment of control and actions required
Page 25
Control RACI
● There can be several responsible users for a control in different
entities.
Page 26
Course Content
Page 27
Contextualization
● Controls can be attached to different elements of the business
repository to which they relate, for instance:
o Entities
o Processes
o Control types
o Requirements
Page 28
Course content
Page 29
Library menus
●Menus enabling easy consultation of controls are accessible from
drop-down lists:
Page 30
Control navigation trees
●Navigation trees are available to view controls by context.
Page 31
Exercise 1
Page 32
Course Content
Page 33
Contextualize the Control
● Before a Control execution campaign can be carried out, the following
information must be recorded for its contextualization:
o Controls to be evaluated
o Calendars
o The responsible person associated with the Control and their assignment
location (the person who will answer the questionnaires)
o The Process associated with the Control to be evaluated, which must be
associated, directly or indirectly (through higher-level Processes), with the
same Org-Unit assigned to the responsible person
Page 34
Control steps
● Before planning control execution, its execution steps must be defined. There are
two types:
o Inherited control steps (applicable to all controls without exception)
Page 35
Control steps
●Control Step properties page:
Step name
Step description
Page 36
Course Content
Page 37
Recurrence and steering calendar
● Having defined elements of the control, its execution
periodicity must be defined.
Page 38
Control execution
Page 39
Control execution
Page 40
Course Content
Page 41
Campaigns
●Campaigns are created from the Campaigns menu in the Control Execution navigation
pane.
Page 42
Campaign
Campaign name
Campaign owner
Page 43
Campaign
Page 44
Campaign
●Having been declared, the campaign can be started.
Page 45
Campaign
●The check-list calendar is available in the Automatic Execution tab
of the campaign.
Page 46
Check-lists
● The Contributor receives check-lists (My control execution check-lists).
Page 47
Check-lists
●Contributors can complete the check-lists.
●If the contributor discovers the check-list has been incorrectly
assigned to him, he can return it to the person who is responsible for
the session.
● The check-list will be reassigned to the correct person.
Page 48
Course Content
Page 49
Execution follow-up reports
●Different reports are available.
Page 50
Execution session follow-up
Page 51
Execution session statistics
●This report enables analysis of distribution of execution session
replies.
Page 52
Exercise 2
Executing Controls
Page 53
Course Content
Page 54
Direct assessment
Page 55
Simple direct assessment
●In the properties of a control, under the Assessment tab:
Adequate, Inadequate
Efficient, Deficient
Date
Page 56
Simple direct assessment
● Assessments can be consulted under the control Assessment
Results section (Assessment page).
Page 57
Multiple direct assessment
●From the Control Multiple Assessment Table tile.
●All controls to be assessed within a specific entity must be
connected.
Page 58
Multiple direct assessment
Page 59
Course Content
Page 60
Assessment by questionnaires
Page 61
Assessment by questionnaires
●Campaigns are created from the Campaigns list.
Page 62
Assessment campaign definition
Control assessment
Page 63
Assessment campaign definition
●Controls are selected in their context with the tree of Entities >
Processes > Controls.
Page 64
Assessment campaign definition
Page 65
Campaign deployment
●When the campaign has been created, it can be deployed:
o Now
o As soon as possible (after dispatch)
o At a later date
Page 66
Defining assessment scope
●You can:
o Define assessment scope from the Effective Scope page.
o Invalidate elements to be excluded.
o Modify respondents
Page 67
Creating sessions
●Assessment sessions need to be created.
Page 68
Campaign planning
●When campaign scope has been defined and assessment sessions created, you can plan the
campaign.
●This consists of indicating in which sessions the controls of each process and each entity
should be assessed.
Page 69
Campaign planning
●From the Planning tab of the campaign:
Page 70
Deploying sessions
● Session deployment consists of preparing the questionnaires to be
sent to users.
● Deployment can be executed:
o Now
o As soon as possible (after private workspace dispatch)
o On a scheduled date
Page 71
Session scope
Page 72
Session scope
●It is possible to modify respondents and delete elements to be
assessed.
●If scope is satisfactory, the session can be validated, enabling
generation of questionnaires.
Page 73
Starting the session
Page 74
Assessment questionnaires
●Respondents can consult questionnaires from the "My assessment questionnaires" pane of
the Home tab.
● They can reply to questionnaires and submit answers, or request redirection of the
questionnaire if it is not for them to answer.
Page 75
Session follow-up
●Two menus on the session properties page enable session follow-up
and statistics.
Page 76
Session follow-up
●"Execution session follow-up" presents different charts concerning
session progress:
o Percentage of completed questionnaires
o Percentage of validated questionnaires
o Distribution of questionnaires:
by status
delegated/not delegated
by respondent and status
by object and status
Page 77
Session statistics
●"Execution session statistics" enables analysis of distribution of
assessment session replies.
A tree displays:
number of respondents
controls to which the answer relates
Page 78
Exercise 3
Assessing Controls
Page 79
Course Content
Page 80
Issue management
●Issues are identified from control assessment questionnaires.
●Their analysis enables implementation of the appropriate corrective
actions in the form of action plans.
●Action plan follow-up is simplified by production of reports.
●Issues are created automatically at control assessment when
controls are considered unsatisfactory.
●They can also be created manually.
Page 81
Issue characteristics
Assessment
Generic
Testing
Very high
High
Medium
Low
Page 82
Issue characteristics
●The issue can be qualified and connected to Testing activities,
Questionnaires, Origin Assessment Nodes, Controls.
Page 83
Issue remediation
●To remediate the issue, you must create an action plan.
●Action plans can be set up to improve or correct a control
considered unsatisfactory.
●The issue is considered remediated when the action plan is
completed.
Page 84
Issue follow-up
●A report enables issue follow-up. It indicates breakdown of issues
(remediated, non-remediated, without action plan).
●Different filters are proposed (process, entity, begin date, end date)
Page 85
Course Content
Page 86
Action plan characteristics
Specified by default with the name of the
user who created the action plan
Global, Local
Corrective, Preventive
Page 87
Action plan characteristics
Page 88
Action characteristics
●Actions are action plan units.
Page 89
Action plan workflows
●When the action plan has been created with its actions, the
workflow can be started.
●Two workflows are available according to the business role of the
user.
●These two workflows depend on the required approach:
o Top-down
o Bottom-up
Page 90
Bottom-up workflow
●In a "bottom-up" approach, the action plan must be validated to
enable implementation.
●This is the case when control assessment questionnaire respondents
propose an action plan: they must submit it via the workflow.
Page 91
Top-down workflow
●In the framework of a "top-down" approach, the action plan is
created by a responsible user.
●Internal controllers executing tests use this approach: the action plan
does not require validation.
Page 92
Action plan progress
●When the action plan has been started, the responsible user can
create progress states to indicate its progress.
Page 93
Action plan report
●Reports on action plan progress are available under the Progress Report tab.
o Actions Gantt chart
o Progress history
Page 94
Closing action plans
● The action plan responsible can Terminate the action plan, which
enables a final status to be set.
● An e-mail is sent to the approver to inform them of the action plan
to Close.
Page 95
Action plan management
Page 96
Action plan follow-up
o Status
o Progression
o Priority
o Category
o Nature
o Processes
o Entity
Page 97
Exercise 4
Remediation
Page 98
Conclusion
Page 99
mega.com @mega_int
Page 100