Establishing the Risk Control Repository

This chapter provides an overview of the risk control repository, lists common elements, and discusses how to:

See Also

Establishing and Maintaining Diagnostics

Understanding the Risk Control Repository

This section discusses:

Relationships Between Risks, Controls, and Diagnostics

The risk control repository contains the database definitions for all risks, controls, and diagnostics that are related to subprocesses. It is like a library where these objects are stored. These objects are defined independently from the subprocesses with which they are associated. Consequently, once you define an object, you can use it with more than one subprocess without having to recreate it. The repository enables you to define the master risks, and controls for an organization. Ideally, they are the risks and controls that the organization wants every entity to track, based on defined standards or best practices. You distribute the definitions to each entity when you generate instances by running the Process Instance Generator Application Engine process (EPQ_INST_GEN).

A hierarchical relationship exists between risks and controls. Each risk is associated with one or more controls. Controls can also be associated with one or more diagnostics. You establish these relationships when you define each object. Therefore, the definition for a control indicates its assigned diagnostics. Likewise, the definition for a risk indicates the controls and diagnostics with which it is associated.

The following diagram illustrates these relationships:

Relationships between risks, controls, and diagnostics

Because of these relationships, when you associate risks with a subprocess, you indirectly specify all the controls and diagnostics that are associated with the subprocess. Once you create the subprocess instances, entity owners can update the definitions for any risk or control that differs for a particular entity, if applicable, by using the pages within the Process Instance Manager feature.

See Also

Generating and Maintaining Instances

Risks

A risk is something that threatens the integrity of a subprocess. Some examples of risks are:

Controls

A control is a policy, procedure, or system configuration that mitigates a risk. Controls can be manual (policies and procedures) or automated (built into a computer system). You can use the diagnostics feature to track automated controls. A control can optionally be associated with one or more test plan templates.

Diagnostics

A diagnostic is a tool that tracks any changes to specific system configurations in applications external to PeopleSoft Internal Controls Enforcer, such as Oracle's PeopleSoft Enterprise Financial Management applications. Diagnostics are tied to controls, and you can associate multiple diagnostics with each control. Several diagnostics are delivered with PeopleSoft Internal Controls Enforcer. You can extend them to suit the needs of a particular implementation. The delivered diagnostics use reports in the PeopleSoft Enterprise Financial Management 8.4 or 8.8 systems to capture system configuration information. Each time a diagnostic runs, it compares the current configuration information to the previous information to determine whether any changes have occurred. If changes are detected, the system sets the control state to Not Proven.
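The comparison described above, as an added model written for this chapter (not PeopleSoft code): each run snapshots the watched settings, diffs them against the previous snapshot, and moves the control to Not Proven when anything changed. Class and function names and the sample settings are assumptions; the delivered diagnostics read the configuration from Financial Management reports rather than from a dict.

```python
"""Added example, not PeopleSoft code: a model of one diagnostic run.

A run captures the current values of the configuration settings the
diagnostic watches, compares them with the snapshot kept from the previous
run, and sets the associated control to Not Proven when anything differs.
Class and function names, and the sample settings, are assumptions made for
this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ControlState(Enum):
    PROVEN = "Proven"
    NOT_PROVEN = "Not Proven"


@dataclass
class Control:
    control_id: str
    state: ControlState = ControlState.NOT_PROVEN


@dataclass
class Diagnostic:
    diagnostic_id: str
    watched_keys: tuple                 # settings this diagnostic tracks
    previous: Optional[dict] = None     # snapshot from the last run; None on first run
    last_changes: list = field(default_factory=list)


def snapshot(config: dict, keys) -> dict:
    """Capture only the watched settings; a missing setting is recorded as None."""
    return {k: config.get(k) for k in sorted(keys)}


def run_diagnostic(diag: Diagnostic, control: Control, current_config: dict) -> list:
    """Compare the current snapshot with the previous one.

    Returns the detected changes as (setting, old, new) tuples. The first run
    only records the baseline and leaves the control state untouched.
    """
    current = snapshot(current_config, diag.watched_keys)
    changes = []
    if diag.previous is not None:
        changes = [(k, diag.previous.get(k), v)
                   for k, v in current.items() if diag.previous.get(k) != v]
        if changes:
            # Any change to a watched setting invalidates the control until it is re-tested.
            control.state = ControlState.NOT_PROVEN
    diag.previous = current
    diag.last_changes = changes
    return changes


# Constructed sample: an approval configuration on a financial system.
BASELINE = {"ap.approval_limit": 10000, "ap.dual_approval": True, "gl.period_lock": "2024-Q1"}
DRIFTED = dict(BASELINE, **{"ap.dual_approval": False})
UNWATCHED_CHANGE = dict(BASELINE, **{"gl.period_lock": "2024-Q2"})


def demo():
    control = Control("CTRL-AP-01", ControlState.PROVEN)
    diag = Diagnostic("DIAG-AP-APPROVAL", ("ap.approval_limit", "ap.dual_approval"))
    first = run_diagnostic(diag, control, BASELINE)        # baseline only: []
    second = run_diagnostic(diag, control, DRIFTED)        # dual approval switched off
    return first, second, control.state
```

A change to a setting the diagnostic does not watch (UNWATCHED_CHANGE) produces no change record and leaves the control state alone, which is why the choice of watched settings matters.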

Priorities

When you define risks and controls, you specify their priority. The system uses these priority values when determining which risks and controls to include in the sign-off process. The Internal Controls Sign Off Sheet Generator page contains the fields that specify which risk priorities and which control priorities are included in the sign-off process. These two criteria apply together: a control appears on a sign-off sheet only if both its own priority and the priority of its risk are included. For example, when sign-off sheets are generated, if you specify to include only primary risks but you specify to include both primary and secondary controls, then both primary and secondary priority controls are included in the sign-off, but only for primary risks.

See Also

Managing the Internal Controls Certification Process

Categories of Risks and Controls

There are several fields that the system uses to categorize risks and controls. These fields are required when you define a risk or control. Except for the Risk Category field, however, they are informational only. They enable you to classify the various types of risks and controls that the organization uses. The Risk Category is important because you use it to specify whether a risk category is included in the internal controls sign-off process. This enables you to set up categories of risks that are not subject to sign-off. When you define a risk or control, the valid values for the fields are based on tables that you populate by completing the associated setup page.

The fields that are used to categorize risks and controls are:

Risk category

Categorizes risks by identifying a type of risk.

It is generally accepted that the main risk categories are:

  • Operational.

  • Financial.

  • Regulatory (also referred to as compliance).

    Examples of regulatory risks are the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Basel II requirements for credit risk.

Financial assertion

Categorizes risks and controls by identifying the audit-related assertion with which they are associated. Risks and controls can be associated with one or more financial assertions. A financial assertion specifies how the element is at risk. For example, completeness, validity, and accuracy can affect transactions. Similarly, accounts can be subject to risk due to access to assets and authorization.

Control category

Categorizes controls by identifying whether controls are preventative or detective.

Framework

Categorizes controls by identifying the type of framework under which effective controls are classified.

Section 404 of the Sarbanes-Oxley Act specifies that the framework that management uses to assess internal control over financial reporting must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the distribution of the framework for public comment.

One example is the framework designed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

Another example is the Control Objectives for Information and Related Technology (COBIT). COBIT has been developed as a generally applicable and accepted standard for information technology security and control practices. It provides a reference framework for management, users, and information system technology professionals who handle auditing, control, and security.

Common Elements Used in This Chapter

Attribute 1, Attribute 2, Attribute 3, Attribute 4, Attribute 5, and Attribute 6

Fields for storing additional attributes that are applicable to your implementation; you can use this information to filter data in queries or reports that you create. These fields can be set up as either free-form text fields or as list boxes, depending on how you define the system preferences on the Internal Controls Enforcer General Preferences page. The labels can also be modified.

See Configuring the Other Attribute Fields.

Establishing Various Risk and Control Categories

This section discusses how to:

Pages Used to Establish Various Risk and Control Categories

Page Name: Financial Assertion Definition
Definition Name: EPQ_FIN_ASSERT
Navigation: Internal Controls Enforcer, Master Setup, General Setup, Financial Assertions
Usage: Establish financial assertions. The information that you enter on this page populates a prompt table that is used when you define risks and controls.

Page Name: Risk Category Definition
Definition Name: EPQ_RISK_CATEG
Navigation: Internal Controls Enforcer, Master Setup, General Setup, Risk Categories
Usage: Establish risk categories. The information that you enter on this page populates a prompt table that is used when you define risks.

Page Name: Control Category Definition
Definition Name: EPQ_CTRL_CATEG
Navigation: Internal Controls Enforcer, Master Setup, General Setup, Control Categories
Usage: Establish control categories. The information that you enter on this page populates a prompt table that is used when you define controls.

Page Name: Framework Definition
Definition Name: EPQ_FRMWORK_SEL
Navigation: Internal Controls Enforcer, Master Setup, General Setup, Frameworks
Usage: Establish control framework categories. The information that you enter on this page populates a prompt table that is used when you define controls.

Defining Financial Assertions

Access the Financial Assertion Definition page (Internal Controls Enforcer, Master Setup, General Setup, Financial Assertions).

Assertion

Enter a two-character code to identify the financial assertion.

Short Description and Description

Enter descriptions of the financial assertion. The description appears in the selection list for the Financial Assertion field on the Risk Definition - Financial Assertions page and the Control Definition - Financial Assertions page.

See Also

Establishing Risks and Controls

Defining Risk Categories

Access the Risk Category Definition page (Internal Controls Enforcer, Master Setup, General Setup, Risk Categories).

Category

Enter a code to identify the risk category.

Short Description and Description

Enter descriptions of the risk category. The description appears in the selection list for the Category field on the Risk Definition page.

Include in Sign-off

Select this option to include risks that are associated with this category in the internal controls sign-off process. When you establish risks, you assign them to one of these risk categories. This enables you to define risks that aren't subject to Sarbanes-Oxley sign-off procedures yet are important for you to identify and track for other reasons.

See Also

Defining Risks

Defining Control Categories

Access the Control Category Definition page (Internal Controls Enforcer, Master Setup, General Setup, Control Categories).

Category

Enter a two-character code to identify the control category.

Short Description and Description

Enter descriptions of the control category. The description appears in the selection list for the Category field on the Control Definition page.

See Also

Defining Controls

Defining Control Frameworks

Access the Framework Definition page (Internal Controls Enforcer, Master Setup, General Setup, Frameworks).

Framework

Enter a code to identify the control framework.

Short Description and Description

Enter descriptions of the control framework. The description appears in the selection list for the Framework Selection field on the Control Definition page.

See Also

Defining Controls

Establishing Checklists, Template Attributes, and Test Plan Templates

To establish checklists, template attributes, and test plan templates use the Checklist Definition (EPQ_CHKLST_DEF), Template Attribute Definition (EPQ_TMPL_ATTR), and Test Plan Template (EPQ_TMPL_DEFN) components. Use the EPQ_CHKLST_DEF_CI and EPQ_TMPL_DEFN_CI component interfaces to load data into the tables for the Checklist Definition and Test Plan Template components.

This section provides an overview of test plan templates and discusses how to:

Understanding Test Plan Templates

A test plan template provides the definitions for some or all of the fields for a test plan. Test plan templates are used to automatically generate test plans when sign-off sheets are generated, with the field entries that are specified in the template definition copied automatically to the actual test plan. The advantage to defining the test plan templates at the risk control repository level is that when you generate control instances, the test plan templates are automatically defined for each control instance. Test plan templates can also be used when you manually create a test plan.

Test plans play an important role in the internal controls certification process. When test plans are associated with a control, the system does not allow the control status to be set to Proven until the test plans are completed and passed (or canceled).

Test plan templates can include checklists of items for test plan owners to complete to help ensure that policies and procedures have not been missed in testing. The checklists are defined independently by using the Checklist Definition page, then associated with a test plan template. The system does not require that all items be checked off before a test plan can be considered completed.

Note. Only test plans that are based on a test plan template include checklists.

You can also define attributes to associate with test plan templates. Attributes enable you to categorize test plan templates. This enables you to specify the category of test plan templates that the system will generate test plans for when you run the Test Plan Generation (EPQ_TP_GEN) Application Engine process.

Detailed information about test plans is provided in another chapter of this PeopleBook.

See Understanding Subprocess Management.

Pages Used to Establish Checklists, Template Attributes, and Test Plan Templates

Page Name: Checklist Definition
Definition Name: EPQ_CHKLST_DEF
Navigation: Internal Controls Enforcer, Master Setup, Checklist Definition
Usage: Establish a checklist of items to complete when testing an internal control. Checklists are associated with test plan templates.

Page Name: Template Attribute Definition
Definition Name: EPQ_TMPL_ATTR
Navigation: Internal Controls Enforcer, Master Setup, General Setup, Template Attributes
Usage: Define attributes to associate with test plan templates. Attributes enable you to categorize test plan templates for the purpose of specifying which test plans to generate when you run the Test Plan Generation (EPQ_TP_GEN) Application Engine process.

Page Name: Test Plan Template
Definition Name: EPQ_TMPL_DEFN
Navigation: Internal Controls Enforcer, Master Setup, Test Plan Template
Usage: Establish templates for test plans.

Page Name: Test Plan Template - Template Checklist
Definition Name: EPQ_TMPL_CHKLST
Navigation: Internal Controls Enforcer, Master Setup, Test Plan Template, Template Checklist
Usage: Associate checklists with a test plan template.

Page Name: Test Plan Template - Template Notes
Definition Name: EPQ_TMPL_NOTES
Navigation: Internal Controls Enforcer, Master Setup, Test Plan Template, Template Notes
Usage: Enter detailed notes about a test plan template.

Establishing Checklists

Access the Checklist Definition page (Internal Controls Enforcer, Master Setup, Checklist Definition).

Checklist ID and Description

Enter an identifier for the checklist and a description.

Insert rows within the Items group box and complete the following fields to define the checklist items.

Sequence

Enter a number to control the order in which this item appears on the checklist. Items appear sequentially in ascending order.

Checklist Item

Enter the text of the question or task for the checklist item.

Establishing Template Attributes

Access the Template Attribute Definition page (Internal Controls Enforcer, Master Setup, General Setup, Template Attributes).

To define template attributes, insert rows within the Template Attributes grid and complete the following fields.

Attribute

Enter the attribute name. Attribute categories worth considering are those based on time frame, those that express a level of importance, and so on. These attributes are used when you generate test plans, so that you can create test plans from the templates within a particular attribute category only.

Establishing Test Plan Templates

Access the Test Plan Template page (Internal Controls Enforcer, Master Setup, Test Plan Template).

Save as New Template and Save As

Use these fields to create a new test plan template definition from the current template. To save the current template information to a new template, enter a new template ID then click the Save As button.

Test Type

Specify the general format of the test. Options are:

Inquiry: Select if the test is primarily conducted by questioning an individual or department.

Observation: Select if the test is primarily conducted by viewing that the control is in place.

Re-Performance: Select if the test involves reevaluating the control.

Review: Select if the test is primarily conducted by reviewing a report.

The value that you select for this field does not affect any processing.

Template Attribute

Select the attribute within which to categorize this test plan template.

Attributes are established by using the Template Attribute Definition page.

See Establishing Template Attributes.

Associating Checklists with Test Plan Templates

Access the Test Plan Template - Template Checklist page (Internal Controls Enforcer, Master Setup, Test Plan Template, Template Checklist).

To add a checklist to the test plan template, specify the checklist ID in the Add Checklist field, then click the Add button. The checklist items appear in the Questions group box. You can add items from multiple checklists.

Checklist items are re-sequenced according to the order in which they are added. For example, if you add two checklists, Checklist1 and Checklist2, in that order, and each checklist contains three items, the items from Checklist1 will be sequenced as 1, 2, 3, and the items from Checklist2 will be sequenced as 4, 5, 6. You can edit the items as well as add or remove individual items by using the add row and delete row buttons within the Questions group box.

Checklist Sequence

Enter a number to control the order in which this item appears. Items appear on the test plan sequentially in ascending order.

Checklist Item

Enter or edit the text of the question or task for the checklist item.

Establishing Risks and Controls

To establish risks and controls, use the Risk Definition (EPQ_RISK_DEFN) and Control Definition (EPQ_CTRL_DEFN) components. Use the EPQ_RISK_DEFN_CI and EPQ_CTRL_DEFN_CI component interfaces to load data into the tables for these components.

This section discusses how to:

Pages Used to Establish Risks and Controls

Page Name: Risk Definition
Definition Name: EPQ_RISK_DEFN
Navigation: Internal Controls Enforcer, Master Setup, Risk Definition, Risk Definition
Usage: Define risks and specify the controls with which they are associated.

Page Name: Risk Definition - Financial Assertions
Definition Name: EPQ_RISK_FIN
Navigation: Internal Controls Enforcer, Master Setup, Risk Definition, Fin. Assertion
Usage: Associate financial assertions with a risk.

Page Name: Risk Definition - Notes
Definition Name: EPQ_RISK_NOTES
Navigation: Internal Controls Enforcer, Master Setup, Risk Definition, Notes
Usage: Enter detailed notes about a risk.

Page Name: Control Definition
Definition Name: EPQ_CTRL_DEFN
Navigation:
  • Internal Controls Enforcer, Master Setup, Control Definition
  • Click Create New Control on the Risk Definition page.
Usage: Define controls and specify the test plan templates and diagnostics with which they are associated.

Page Name: Control Definition - Financial Assertions
Definition Name: EPQ_CONTROL_FIN
Navigation: Internal Controls Enforcer, Master Setup, Control Definition, Fin. Assertion
Usage: Associate financial assertions with a control.

Page Name: Control Definition - Test Template
Definition Name: EPQ_CTRL_TMPL
Navigation: Internal Controls Enforcer, Master Setup, Control Definition, Test Template
Usage: Associate test templates with a control.

Page Name: Control Definition - Notes
Definition Name: EPQ_CTRL_NOTES
Navigation: Internal Controls Enforcer, Master Setup, Control Definition, Notes
Usage: Enter detailed notes about a control.

Defining Risks

Access the Risk Definition page (Internal Controls Enforcer, Master Setup, Risk Definition, Risk Definition).

Risk Definition

Category

Select the category that applies to the risk.

You establish risk categories by using the Risk Category Definition page.

See Defining Risk Categories.

Priority

Select the priority of this risk. Values are Primary, Secondary, and Tertiary. When the system generates sign-off sheets, you indicate the priority level of risks and controls to include.

Create New Control

Click to access the Control Definition page and create a new control to associate with this risk.

Controls

To assign defined controls to a risk, insert rows in the Controls grid, and select the control for each inserted row.

Control

Select the control to associate with this risk.

Description

Displays the control description. Click a description to access the Control Definition page, where you can view the details for the control.

Priority

Displays the control priority.

Type

Displays the control type.

Diagnostics

If diagnostics are associated with the control, the value for this field is Yes; otherwise, it is No.

Associating Financial Assertions with a Risk

Access the Risk Definition - Financial Assertions page (Internal Controls Enforcer, Master Setup, Risk Definition, Fin. Assertion).

Select Applicable Financial Assertions

Add rows as required to associate financial assertions with this risk.

Financial Assertion

Select the audit category with which to associate this risk.

You establish financial assertions by using the Financial Assertion Definition page.

See Defining Financial Assertions.

Defining Controls

Access the Control Definition page (Internal Controls Enforcer, Master Setup, Control Definition).

Control Type

Select the type of control. Options are Manual and Automated. This is used only for informational purposes.

Category

Select the control category that applies to the control.

You establish control categories by using the Control Category Definition page.

See Defining Control Categories.

Control Priority

Select the priority of the control. Options are Primary, Secondary, and Tertiary. When the system generates sign-off sheets, you indicate the priority level of risks and controls to include.

Framework

Select the framework under which the control is categorized.

You establish frameworks by using the Framework Definition page.

See Defining Control Frameworks.

Test Frequency

Specify how often this control should be tested. Options are:

Annual: Select to indicate that this control needs to be retested annually.

Same as Sign Off: Select to indicate that this control should be retested every time the sign-off process occurs. When this option is selected, the value of the Sign Off Type field, which is specified by using the Internal Control Sign Off Sheet Generator page, determines how often the control needs to be retested, either quarterly, semi-annually, or annually.

On sign-off worksheets, the Needs Testing field indicates whether a control needs to be retested. The system automatically sets the Needs Testing field to Yes when the test frequency is Same as Sign Off. If the test frequency is Annual but the value of the Sign Off Type field on the Internal Control Sign Off Sheet Generator page is Quarterly or Semi-Annual, then the Needs Testing field is set to No.
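The sign-off selection rules from the Priorities section, the Include in Sign-off flag on risk categories, and the Needs Testing rule just described, written out as an added example in plain Python (not PeopleSoft code). Function names and the sample repository are constructed; that an Annual control on an annual sign-off gets Needs Testing = Yes is this example's reading of the rule, not stated on the page.

```python
"""Added example, not PeopleSoft code: sign-off sheet selection rules.

Rules applied, all from the chapter text:
- a risk is included only if its risk category has Include in Sign-off
  selected and its priority is among the requested risk priorities;
- the controls of an included risk are kept when the control priority is
  among the requested control priorities (the two criteria apply together);
- Needs Testing is Yes for a Same as Sign Off control, and No for an Annual
  control on a quarterly or semi-annual sign-off. An Annual control on an
  annual sign-off giving Yes is this example's reading, not stated on the page.
Function names and the sample repository below are constructed for illustration.
"""
from dataclasses import dataclass

SIGN_OFF_TYPES = ("Quarterly", "Semi-Annual", "Annual")


@dataclass(frozen=True)
class Control:
    control_id: str
    priority: str           # Primary, Secondary or Tertiary
    test_frequency: str     # "Annual" or "Same as Sign Off"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    priority: str
    controls: tuple


def needs_testing(control: Control, sign_off_type: str) -> bool:
    """Value of the Needs Testing field for one control on one sign-off sheet."""
    if control.test_frequency == "Same as Sign Off":
        return True
    if control.test_frequency == "Annual":
        return sign_off_type == "Annual"
    raise ValueError(f"unknown test frequency: {control.test_frequency!r}")


def generate_sign_off_sheet(risks, categories_in_sign_off, risk_priorities,
                            control_priorities, sign_off_type):
    """Return (risk_id, control_id, needs_testing) rows for the worksheet."""
    if sign_off_type not in SIGN_OFF_TYPES:
        raise ValueError(f"unknown sign-off type: {sign_off_type!r}")
    rows = []
    for risk in risks:
        if risk.category not in categories_in_sign_off or risk.priority not in risk_priorities:
            continue   # category not subject to sign-off, or priority not requested
        for ctrl in risk.controls:
            if ctrl.priority in control_priorities:
                rows.append((risk.risk_id, ctrl.control_id, needs_testing(ctrl, sign_off_type)))
    return rows


# Constructed sample repository: category PRJ has Include in Sign-off cleared.
CATEGORIES_IN_SIGN_OFF = {"FIN", "OPS"}
CTRL_A = Control("C-A", "Primary", "Same as Sign Off")
CTRL_B = Control("C-B", "Secondary", "Annual")
CTRL_C = Control("C-C", "Tertiary", "Annual")
RISKS = (
    Risk("R-1", "FIN", "Primary", (CTRL_A, CTRL_B, CTRL_C)),
    Risk("R-2", "FIN", "Secondary", (CTRL_A,)),
    Risk("R-3", "PRJ", "Primary", (CTRL_A,)),
)


def demo():
    """The chapter's own case: primary risks only, primary and secondary controls."""
    return generate_sign_off_sheet(RISKS, CATEGORIES_IN_SIGN_OFF,
                                   {"Primary"}, {"Primary", "Secondary"}, "Quarterly")
```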

Control Frequency

Select the frequency with which the control operates. Options are: Annual, Biweekly, Daily, Monthly, Quarterly, Semiannual, Weekly. This field is informational only; it does not affect any processing. Use this information to ensure that associated action plans provide sufficient lead time for a control to demonstrate its operational effectiveness.

Diagnostic

In the Diagnostic Selection grid, insert rows to associate diagnostics with the control, and select a diagnostic for each inserted row.

<diagnostic description>

Click to access the Define Diagnostics page, where you can review the details of the associated diagnostic.

Create New Diagnostic

Click to access the Define Diagnostics page, where you can define a new diagnostic to associate with this control.

See Also

Establishing and Maintaining Diagnostics

Associating Financial Assertions with a Control

Access the Control Definition - Financial Assertions page (Internal Controls Enforcer, Master Setup, Control Definition, Fin. Assertion).

Select Applicable Financial Assertions

Add rows as required to associate financial assertions with this control.

Financial Assertion

Select the audit category with which to associate this control.

You establish financial assertions by using the Financial Assertion Definition page.

See Defining Financial Assertions.

Associating Test Plan Templates with a Control

Access the Control Definition - Test Template page (Internal Controls Enforcer, Master Setup, Control Definition, Test Template).

Create New Test Template

Click to access the Test Definition page, where you can create a new test definition that is associated with the control.

To associate test plan templates with this control, add rows within the Test Template grid and complete the following fields.

Test Template

Select the test plan template to associate with this control.

Description

Click to access the Test Plan Template page, where you can review the template definition.

Test Dependency

Use this field to indicate that the test template for the current row can be executed only after another of the test templates for this control has taken place. Select the test template that is the prerequisite. The list of valid values is limited to templates that are currently associated with this control. This effectively enables you to control the sequencing of the test plans that are generated for this control.

Test plans that are not dependent on other test plans can be executed anytime and in parallel. Multiple test plans that are dependent on one common test plan can also be executed in parallel, but only after the test plan that they are dependent on is completed or canceled.
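The sequencing rules above, together with the rule from Understanding Test Plan Templates that a control cannot be set to Proven until its test plans are completed and passed or canceled, as an added example (not PeopleSoft code). Status names, field names and the sample plans are constructed; the dependency cycle check is this example's own addition.

```python
"""Added example, not PeopleSoft code: scheduling of a control's test plans
and the gate on setting the control to Proven.

- A plan with no Test Dependency may start at any time, in parallel with others.
- A plan with a dependency may start only once its prerequisite is Completed
  or Canceled; several plans sharing one prerequisite then run in parallel.
- The control may be set to Proven only when every plan is Completed and
  passed, or Canceled.
Status names, field names and the sample plans are constructed; the cycle
check is this example's addition, since a dependency cycle would never be released.
"""
from dataclasses import dataclass
from typing import Optional

NOT_STARTED, IN_PROGRESS, COMPLETED, CANCELED = "Not Started", "In Progress", "Completed", "Canceled"
FINISHED = {COMPLETED, CANCELED}   # statuses that release dependants and count toward Proven


@dataclass
class TestPlan:
    plan_id: str
    depends_on: Optional[str] = None   # Test Dependency: prerequisite plan, if any
    status: str = NOT_STARTED
    passed: Optional[bool] = None      # result once Completed


def validate_dependencies(plans):
    """Every prerequisite must be a plan of the same control and no cycle may exist."""
    by_id = {p.plan_id: p for p in plans}
    for p in plans:
        if p.depends_on is not None and p.depends_on not in by_id:
            raise ValueError(f"{p.plan_id} depends on unknown plan {p.depends_on}")
    for p in plans:
        seen, cur = set(), p
        while cur.depends_on is not None:
            if cur.plan_id in seen:
                raise ValueError(f"dependency cycle through {cur.plan_id}")
            seen.add(cur.plan_id)
            cur = by_id[cur.depends_on]
    return by_id


def ready_to_run(plans):
    """Plans that may be started now (and run in parallel): not started and unblocked."""
    by_id = validate_dependencies(plans)
    return sorted(p.plan_id for p in plans
                  if p.status == NOT_STARTED
                  and (p.depends_on is None or by_id[p.depends_on].status in FINISHED))


def may_set_proven(plans):
    """True only when every plan is Canceled, or Completed with a passing result."""
    return all(p.status == CANCELED or (p.status == COMPLETED and p.passed is True)
               for p in plans)


def demo():
    # Constructed: TP-1 and TP-4 are independent; TP-2 and TP-3 both wait on TP-1.
    plans = [TestPlan("TP-1"), TestPlan("TP-2", "TP-1"),
             TestPlan("TP-3", "TP-1"), TestPlan("TP-4")]
    before = ready_to_run(plans)                        # ["TP-1", "TP-4"]
    plans[0].status, plans[0].passed = COMPLETED, True  # TP-1 passes
    plans[3].status = IN_PROGRESS                       # TP-4 is being worked
    after = ready_to_run(plans)                         # ["TP-2", "TP-3"]
    proven = may_set_proven(plans)                      # False: three plans still open
    return before, after, proven
```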