PeopleSoft Enterprise Internal Controls Enforcer 9.1 PeopleBook

Understanding PeopleSoft Internal Controls Enforcer

This chapter introduces the main concepts in the PeopleSoft Internal Controls Enforcer system. It discusses:

Internal controls management.
Key terms.
Key features.
Security.

Internal Controls Management

PeopleSoft Internal Controls Enforcer enables organizations to meet the requirements of section 404 of the Sarbanes-Oxley Act, which requires the issuance of an annual Internal Controls Report that measures the effectiveness of controls that could have a material impact on financial statements. Section 404 requires management assessment and disclosure of internal controls effectiveness on an annual basis, and also requires external auditors to issue an opinion on the effectiveness of a company’s internal controls.

Additionally, the application enables you to continuously track and monitor controls, and, optionally, certify their effectiveness at interim times throughout the year, to support certifications that are required for section 302 of the Sarbanes-Oxley Act.

The process of managing internal controls using PeopleSoft Internal Controls Enforcer includes the following major phases:

Setting up the main components of the system, including:
- Defining compliance projects.
- Defining the major entities, such as business units, that make up your organization.
- Defining the key financial elements that are exposed to risk and need to be monitored.
- Establishing a centralized library of identified risks that need to be mitigated, the controls employed to mitigate those risks, and templates of the test plans that are used to determine the effectiveness of those controls.
  
  This library is referred to as the risk control repository.
- (Optional) Associating diagnostics with controls.
  
  Diagnostics enable you to track and monitor changes to system configurations that are identified as control points to mitigate risks in transaction systems that are external to the PeopleSoft Internal Controls Enforcer application, such as Oracle's PeopleSoft Enterprise Financial Management applications.
- Establishing the business processes and subprocesses that impact the defined key financial elements, specify which entities take part in those subprocesses, and identify the risks that are associated with those subprocesses.
Typically, key executives, managers, and officers within an organization need to determine the various objects within each of these main components.
Creating the database records for each subprocess-entity combination and their associated risks by using an Application Engine process.

These records are referred to as “instances.”
At the instance level, maintaining and revising, if necessary, the process, subprocess, risk, control, and test plan template definitions.

At this point the management of controls shifts to the instance level. Controls are monitored and tracked independently by each entity-subprocess combination, and the status of the controls for every subprocess is maintained, with the goal of verifying that every control is proven to be effective so that each subprocess owner can confirm, using a sign-off worksheet, that the controls for the subprocess are in place and effective. Action plans and test plans can be initiated for unproven, missing, or ineffective controls to resolve any gaps that exist. The system provides tools to monitor controls, including pages that enable key individuals to view control status, view ineffective controls and unmitigated risks, and subsequently initiate action plans and test plans to ensure internal controls effectiveness. In addition, the system automatically sends email notifications to subprocess owners when changes in status occur.
Creating and distributing sign-off sheets to certify the effectiveness of internal controls.

This can be done annually, or more often, if needed.

These features are covered in detail in the subsequent chapters of this documentation.

Key Terms

The following terms are used throughout this documentation.

Action plan	A project that you initiate to resolve ineffective or missing controls.
Benchmark	The certified version of a diagnostic report. This report contains the expected result values.
Business process	The main processes within an organization. They are logical groupings of subprocesses.
Checklist	A list of items that can be marked off as reviewed or completed, which are used when executing a test plan to ensure that policies and procedures have not been missed during testing. Checklists are defined independently by using the Checklist Definition page, then associated with a test plan template.
Compliance project	The highest level of organization in PeopleSoft Internal Controls Enforcer. A compliance project is a complete collection of all of the components necessary to perform compliance management tasks such as documentation, monitoring, and certification.
Control	A policy, procedure, or system configuration that mitigates a risk.
Diagnostic	A tool that tracks and monitors changes to a specific configuration on an external transaction system that serves as a control point to mitigate risks.
Diagnostic report	The set of data that is returned when a diagnostic is run.
Element	A discrete financial item, such as accounts payable, that has a significant impact on a company’s financial statements.
Entity	An organizational unit for which Sarbanes-Oxley reporting is required. Typically a business unit.
Process instance	An entity's version of a business process or subprocess.
Instance	The database records for a particular subprocess-entity combination, including control instance, risk instance, and test template instance.
Risk	Something that threatens the integrity of a subprocess.
Subprocess	The level of business process at which risks and controls are tied and at which the first level of internal control certification is achieved. This is compared to a business process, which is simply a logical grouping of subprocesses. For example, the business process “Accounts Receivable” could include the subprocesses “Maintain Customer Master File” and “Manage Collections and Write-Off.”
Test package	A collection of test plans that does not have any direct impact on controls. Test packages can be executed prior to sign-off generation and referenced later in the sign-off worksheets
Test plan	Test plans are initiated to test unproven controls. There can be multiple active test plans at a time for a given control. The system can generate test plans automatically from test plan templates when sign-off sheets are generated, or by running the Test Plan Generation Application Engine process. You can also create test plans manually.
Test plan template	A test plan template specifies the details for a test plan and its associated checklist. Test plan templates enable the system to automatically generate test plans when sign-off sheets are generated. Test plans that are created from a template will have the information that is specified in the template automatically filled in. You can associate one or more test plan templates with a control.

Key Features

The following table lists the key features of PeopleSoft Internal Controls Enforcer:

Feature	Function	Main Objects
Business Process Manager	Defines business processes and subprocesses, their associated risks, the elements that they affect, and their participating entities.	Business Process Manager component (EPQ_BP_DEFN).
Diagnostic Manager	Processes diagnostics, retrieving the data and generating the diagnostic reports. Reviews diagnostic reports and maintains benchmarks.	Diagnostic Data Feed Application Engine process (EPQ_DIAG_FCH) and Diagnostic Data Feed page. Diagnostic Run Log page. Diagnostic Error XML page. Diagnostic Manager page. Diagnostic Reports by Control page. Diagnostic Report page. Diagnostics Comparison page. Diagnostic Reports By Control - Benchmark page. Diagnostics History page.
Diagnostic Setup	Maintains definitions for diagnostics.	Define Diagnostic Source Types page. Define Diagnostic Source page. Define Query Reference page. Define Function Reference page. Define Diagnostics page. Define SQL Reference page.
Element Manager	Defines the financial elements for which risks must be mitigated.	Element Definition component (EPQ_ELEM_DEFN). Element Risk Category Definition page. Element Risk Ranking Matrix page.
Entity Manager	Defines the organizational entities (business units) within your enterprise.	Entity Definition component (EPQ_ENTITY_DEFN).
Process Instance Generator	Generates entity-level process definitions (process instances).	Process Instance Generator Application Engine process (EPQ_INST_GEN).
Process Instance Manager	Maintains the entity-level definitions for processes and their associated risks, controls, and test plan templates.	Process Instance Definition component (EPQ_BP_INSTANCE). Risk Instance Definition page. Control Instance Definition page. Test Template Instance Definition page. Change Manager component and Application Engine process (EPQ_CHG_MGR). Work Assignment component (EPQ_WORK_ASSIGN).
Risk Control Repository	Defines the centralized library of risks, controls, test plan templates, and diagnostics.	Risk Definition page. Control Definition page. Test Plan Template page. Define Diagnostics page.
Sign-Off Manager	Creates and distributes worksheets and sign-off sheets for the internal control certification process.	Sign-Off Sheet Generator Application Engine process (EPQ_SO_GEN). Sign-Off Sheet Generator page. Sign-off Sheet Generation History page. Internal Controls Sign-off Sheet Refresh page. Internal Controls Sign-off Worksheet page. Internal Controls Sign- Off page. Schedule Sign-Off Generation page. Schedule Sign-Off Refresh page.
Subprocess Manager	Enables process owners to: View the current status of subprocess controls, generate and initiate test plans and action plans, and view associated diagnostics. View all ineffective controls for a process instance, and the status of their associated test plans and action plans.	Unproven Control Monitor page. Control Management page. Action Plan page. Test Plan page. View Test/Action Plan page. Test Plan Generation run control page. Test Plan Package page. Test Plan History page. Action Plan History page. Test/Action Plan Alert run control page.
Pagelets	Dashboards that enable users to view the status of their business processes and controls.	Not Signed Off by Entity pagelet. Not Signed Off - Process pagelet. Unmitigated Risks by Entity pagelet. Ineffective Controls by Entity pagelet. Internal Controls by Entity pagelet. Unmitigated Risks - Process pagelet. Ineffective Controls - Process pagelet. Internal Controls by Business Process pagelet. Business Process Status pagelet. Report Business Conduct pagelet.
Tone at the Top Survey Note. This feature is provided with the Enterprise Portal application. See PeopleSoft Enterprise Portal 9.1 PeopleBook: Using Portal Features	Creates and distributes questionnaires, and enables you to review the responses.	Distribution List page. Response Type page. Survey Setup page. Survey page. Survey Summary page. Survey Summary - Recipients page. Response Detail page. User Response page.

The following diagrams depict the interdependencies that exist between the main setup features:

Relationship among setup features

Relationship among other features

Security

This section discusses:

Row-level security.
Delivered users and roles.

Row-Level Security

During implementation, you can establish whether to use row-level security to control who has access to compliance projects, entities, and business processes at the instance level. You can set up security so that access is limited based on ownership, or so that access is limited based on explicitly defined combinations of compliance projects, entities and processes. Entity owners, business process owners, and subprocess owners have access to those instances to which they are assigned as owners. You can grant additional access privileges by using PeopleSoft roles.

You establish security during the following phases of using the system:

When you set up system-wide preferences.

This defines the level of security the system uses.

See Establishing General Preferences.
After you establish compliance projects.

This establishes which compliance projects a role can access.

See Defining Security for Compliance Projects.
After you define the business processes and subprocesses for a compliance project.

This establishes which process instances a role can access.

See Defining Role Security for Instances.

Any changes you make to security do not take effect until the next time users logon to the system.

Delivered Users and Roles

PeopleSoft Internal Controls Enforcer provides and uses the following users and roles:

User	User Description	Role	Role Description	Permissions
PAPQ_ACTIONPLANOWNER	Enforcer Action Plan Owner	PAPQ_ACTION_PLAN_USER	Enforcer Action Plan Owner	Accesses PeopleSoft Internal Controls Enforcer as an action plan owner. Can update action plan information and has display-only access to subprocess information.
PAPQ_BUSPROCOWNER	Enforcer Bus Process Owner	PAPQ_BUS_PROC_USER	Enforcer Bus Process Owner	Accesses PeopleSoft Internal Controls Enforcer as a business process owner. Has full update access to all subprocess pages. Also can access business process oriented pagelets.
PAPQ_COMPLIANCEMANAGER	Enforcer Compliance Manager	PAPQ_COMPLIANCE_MANAGER	Enforcer Compliance Manager	Accesses PeopleSoft Internal Controls Enforcer with full update access to all pages except the General Preferences page.
PAPQ_ENTITYOWNER	Enforcer Entity Owner	PAPQ_ENTITY_USER	Enforcer Entity Owner	Accesses PeopleSoft Internal Controls Enforcer as an entity owner. Has full update access to all subprocess pages. Also can access entity and business process oriented pagelets.
PAPQ_REVIEWER	Enforcer Reviewer	PAPQ_REVIEWER_USER	Enforcer Reviewer	Accesses PeopleSoft Internal Controls Enforcer as a reviewer. Can access most pages in update/display mode. Has full update access to comment pages.
PAPQ_SUBPROCESSOWNER	Enforcer Subprocess Owner	PAPQ_SUBPROCESS_USER	Enforcer Subprocess Owner	Accesses PeopleSoft Internal Controls Enforcer as a subprocess owner. Has full update access to all subprocess pages.
PAPQ_SYSADM	Enforcer System Administrator	PAPQ_SYSTEM_ADMIN	Enforcer System Administrator	Accesses PeopleSoft Internal Controls Enforcer with full update access to all pages, component interfaces, and web libraries.
PAPQ_TESTPLANOWNER	Enforcer Test Plan Owner	PAPQ_TEST_PLAN_USER	Enforcer Test Plan Owner	Accesses PeopleSoft Internal Controls Enforcer as a test plan owner. Has full update access to test plan information, and display-only access to subprocess information.