This chapter provides an overview of the risk control repository, lists common elements, and discusses how to:
Establish various risk and control categories.
Establish checklists, template attributes, and test plan templates.
Establish risks and controls.
See Also
Establishing and Maintaining Diagnostics
This section discusses:
Relationships between risks, controls, and diagnostics.
Risks.
Controls.
Test plan templates.
Diagnostics.
Priorities.
Categories of risks and controls.
The risk control repository contains the database definitions for all risks, controls, and diagnostics that are related to subprocesses. It is like a library where these objects are stored. These objects are defined independently from the subprocesses with which they are associated. Consequently, once you define an object, you can use it with more than one subprocess without having to recreate it. The repository enables you to define the master risks and controls for an organization. Ideally, they are the risks and controls that the organization wants every entity to track, based on defined standards or best practices. You distribute the definitions to each entity when you generate instances by running the Process Instance Generator Application Engine process (EPQ_INST_GEN).
A hierarchical relationship exists between risks and controls. Each risk is associated with one or more controls. Controls can also be associated with one or more diagnostics. You establish these relationships when you define each object. Therefore, the definition for a control indicates its assigned diagnostics. Likewise, the definition for a risk indicates the controls and diagnostics with which it is associated.
The following diagram illustrates these relationships:
Relationships between risks, controls, and diagnostics
Because of these relationships, when you associate risks with a subprocess, you indirectly specify all the controls and diagnostics that are associated with the subprocess. Once you create the subprocess instances, entity owners can update the definitions for any risk or control that differs for a particular entity, if applicable, by using the pages within the Process Instance Manager feature.
See Also
Generating and Maintaining Instances
A risk is something that threatens the integrity of a subprocess. Some examples of risks are:
Unauthorized changes to vendors.
Bank account doesn't reconcile.
Fraud.
Inappropriate adjustments.
A control is a policy, procedure, or system configuration that mitigates a risk. Controls can be manual (policies and procedures) or automated (built into a computer system). You can use the diagnostics feature to track automated controls. A control can optionally be associated with one or more test plan templates.
A diagnostic is a tool that tracks any changes to specific system configurations in applications external to PeopleSoft Internal Controls Enforcer, such as Oracle's PeopleSoft Enterprise Financial Management applications. Diagnostics are tied to controls, and you can associate multiple diagnostics with each control. Several diagnostics are delivered with PeopleSoft Internal Controls Enforcer. You can extend them to suit the needs of a particular implementation. The delivered diagnostics use reports in the PeopleSoft Enterprise Financial Management 8.4 or 8.8 systems to capture system configuration information. Each time a diagnostic runs, it compares the current configuration information to the previous information to determine whether any changes have occurred. If changes are detected, the system sets the control state to Not Proven.
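The following is an added illustration, not Internal Controls Enforcer code, of the comparison rule just described: a diagnostic keeps the configuration it captured on its previous run, compares the new capture against it, and moves the control to Not Proven when anything differs. The state names, the capture format and the sample vendor-approval settings are assumptions.

```python
# Added illustration (not Internal Controls Enforcer code) of the diagnostic
# rule described above: compare the current configuration capture with the
# previous one and set the control to Not Proven when anything changed.
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    state: str = "Proven"  # assumed state names: "Proven" / "Not Proven"
    # diagnostic id -> configuration captured on the previous run (assumed shape)
    last_capture: dict = field(default_factory=dict)


def run_diagnostic(control, diag_id, current):
    """Run one diagnostic against a control.

    The first run only stores a baseline and reports no changes. Later runs
    return the sorted list of settings that were added, removed or altered
    since the previous run and, if that list is non-empty, flip the control
    state to Not Proven so it must be re-evaluated before sign-off.
    """
    previous = control.last_capture.get(diag_id)
    control.last_capture[diag_id] = dict(current)
    if previous is None:
        return []
    changed = sorted(
        key for key in set(previous) | set(current)
        if previous.get(key) != current.get(key)
    )
    if changed:
        control.state = "Not Proven"
    return changed


# Constructed sample captures: an approval setting for vendor maintenance as a
# (hypothetical) report might return it on successive diagnostic runs.
BASELINE = {"VENDOR_APPROVAL_REQUIRED": "Y", "VENDOR_APPROVER_ROLE": "AP_MANAGER"}
LATER = {"VENDOR_APPROVAL_REQUIRED": "N", "VENDOR_APPROVER_ROLE": "AP_MANAGER"}


def demo_diagnostic():
    """Baseline run, an unchanged run (state stays Proven), then a changed run."""
    ctl = Control("C_VENDOR_CHANGES")
    first = run_diagnostic(ctl, "DIAG_VENDOR_APPROVAL", BASELINE)
    unchanged = run_diagnostic(ctl, "DIAG_VENDOR_APPROVAL", BASELINE)
    state_before = ctl.state
    second = run_diagnostic(ctl, "DIAG_VENDOR_APPROVAL", LATER)
    return first, unchanged, state_before, second, ctl.state


if __name__ == "__main__":
    print(demo_diagnostic())
```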
When you define risks and controls, you specify their priority. The system uses these priority values when determining which risks and controls to include in the sign-off process. The Internal Controls Sign Off Sheet Generator page contains the fields that specify which risk and control priorities are included in the sign-off process. These two criteria are inclusive. For example, when sign-off sheets are generated, if you specify to include only primary risks but you specify to include both primary and secondary controls, then both primary and secondary priority controls are included in the sign-off, but only for primary risks.
See Also
Managing the Internal Controls Certification Process
There are several fields that the system uses to categorize risks and controls. These fields are required when you define a risk or control. Except for the Risk Category field, however, they are informational only. They enable you to classify the various types of risks and controls that the organization uses. The Risk Category is important because you use it to specify whether a risk category is included in the internal controls sign-off process. This enables you to set up categories of risks that are not subject to sign-off. When you define a risk or control, the valid values for the fields are based on tables that you populate by completing the associated setup page.
The fields that are used to categorize risks and controls are:
This section discusses how to:
Define financial assertions.
Define risk categories.
Define control categories.
Define control frameworks.
| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| Financial Assertion Definition | EPQ_FIN_ASSERT | Internal Controls Enforcer, Master Setup, General Setup, Financial Assertions | Establish financial assertions. The information that you enter on this page populates a prompt table that is used when you define risks and controls. |
| Risk Category Definition | EPQ_RISK_CATEG | Internal Controls Enforcer, Master Setup, General Setup, Risk Categories | Establish risk categories. The information that you enter on this page populates a prompt table that is used when you define risks. |
| Control Category Definition | EPQ_CTRL_CATEG | Internal Controls Enforcer, Master Setup, General Setup, Control Categories | Establish control categories. The information that you enter on this page populates a prompt table that is used when you define controls. |
| Framework Definition | EPQ_FRMWORK_SEL | Internal Controls Enforcer, Master Setup, General Setup, Frameworks | Establish control framework categories. The information that you enter on this page populates a prompt table that is used when you define controls. |
Access the Financial Assertion Definition page (Internal Controls Enforcer, Master Setup, General Setup, Financial Assertions).
| Field | Description |
| --- | --- |
| | Enter a two-character code to identify the financial assertion. |
| Short Description and Description | Enter descriptions of the financial assertion. The description appears in the selection list for the Financial Assertion field on the Risk Definition - Financial Assertions page and the Control Definition - Financial Assertions page. |
See Also
Establishing Risks and Controls
Access the Risk Category Definition page (Internal Controls Enforcer, Master Setup, General Setup, Risk Categories).
Access the Control Category Definition page (Internal Controls Enforcer, Master Setup, General Setup, Control Categories).
| Field | Description |
| --- | --- |
| Category | Enter a two-character code to identify the control category. |
| Short Description and Description | Enter descriptions of the control category. The description appears in the selection list for the Category field on the Control Definition page. |
Access the Framework Definition page (Internal Controls Enforcer, Master Setup, General Setup, Frameworks).
| Field | Description |
| --- | --- |
| | Enter a code to identify the control framework. |
| Short Description and Description | Enter descriptions of the control framework. The description appears in the selection list for the Framework Selection field on the Control Definition page. |
To establish checklists, template attributes, and test plan templates use the Checklist Definition (EPQ_CHKLST_DEF), Template Attribute Definition (EPQ_TMPL_ATTR), and Test Plan Template (EPQ_TMPL_DEFN) components. Use the EPQ_CHKLST_DEF_CI and EPQ_TMPL_DEFN_CI component interfaces to load data into the tables for the Checklist Definition and Test Plan Template components.
This section provides an overview of test plan templates and discusses how to:
Establish checklists.
Establish template attributes.
Establish test plan templates.
Associate checklists with test plan templates.
A test plan template provides the definitions for some or all of the fields for a test plan. Test plan templates are used to automatically generate test plans when sign-off sheets are generated, with the field entries that are specified in the template definition copied automatically to the actual test plan. The advantage to defining the test plan templates at the risk control repository level is that when you generate control instances, the test plan templates are automatically defined for each control instance. Test plan templates can also be used when you manually create a test plan.
Test plans play an important role in the internal controls certification process. When test plans are associated with a control, the system does not allow the control status to be set to Proven until the test plans are completed and passed (or canceled).
Test plan templates can include checklists of items for test plan owners to complete to help ensure that policies and procedures have not been missed in testing. The checklists are defined independently by using the Checklist Definition page, then associated with a test plan template. The system does not require that all items be checked off before a test plan can be considered completed.
Note. Only test plans that are based on a test plan template include checklists.
You can also define attributes to associate with test plan templates. Attributes enable you to categorize test plan templates. This enables you to specify the category of test plan templates that the system will generate test plans for when you run the Test Plan Generation (EPQ_TP_GEN) Application Engine process.
Detailed information about test plans is provided in another chapter of this PeopleBook.
See Understanding Subprocess Management.
| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| Checklist Definition | EPQ_CHKLST_DEF | Internal Controls Enforcer, Master Setup, Checklist Definition | Establish a checklist of items to complete when testing an internal control. Checklists are associated with test plan templates. |
| Template Attribute Definition | EPQ_TMPL_ATTR | Internal Controls Enforcer, Master Setup, General Setup, Template Attributes | Define attributes to associate with test plan templates. Attributes enable you to categorize test plan templates for the purpose of specifying which test plans to generate when you run the Test Plan Generation (EPQ_TP_GEN) Application Engine process. |
| Test Plan Template | EPQ_TMPL_DEFN | Internal Controls Enforcer, Master Setup, Test Plan Template | Establish templates for test plans. |
| Test Plan Template - Template Checklist | EPQ_TMPL_CHKLST | Internal Controls Enforcer, Master Setup, Test Plan Template, Template Checklist | Associate checklists with a test plan template. |
| Test Plan Template - Template Notes | EPQ_TMPL_NOTES | Internal Controls Enforcer, Master Setup, Test Plan Template, Template Notes | Enter detailed notes about a test plan template. |
Access the Checklist Definition page (Internal Controls Enforcer, Master Setup, Checklist Definition).
| Field | Description |
| --- | --- |
| Checklist ID and Description | Enter an identifier for the checklist and a description. |
Insert rows within the Items group box and complete the following fields to define the checklist items.
| Field | Description |
| --- | --- |
| Sequence | Enter a number to control the order in which this item appears on the checklist. Items appear sequentially in ascending order. |
| Checklist Item | Enter the text of the question or task for the checklist item. |
Access the Template Attribute Definition page (Internal Controls Enforcer, Master Setup, General Setup, Template Attributes).
To define template attributes, insert rows within the Template Attributes grid and complete the following fields.
| Field | Description |
| --- | --- |
| Attribute | Enter the attribute name. Useful attribute categories include ones based on time frame and ones that specify a level of importance. These attributes are used when you generate test plans, so that you can create test plans only from templates within a particular attribute category. |
Access the Test Plan Template page (Internal Controls Enforcer, Master Setup, Test Plan Template).
| Field | Description |
| --- | --- |
| | Use these fields to create a new test plan template definition from the current template. To save the current template information to a new template, enter a new template ID, then click the Save As button. |
| | Specify the general format of the test. Options are: Inquiry: select if the test is primarily conducted by questioning an individual or department. Observation: select if the test is primarily conducted by viewing that the control is in place. Re-Performance: select if the test involves reevaluating the control. Review: select if the test is primarily conducted by reviewing a report. The value that you select for this field does not affect any processing. |
| Template Attribute | Select the attribute within which to categorize this test plan template. Attributes are established by using the Template Attribute Definition page. |
Access the Test Plan Template - Template Checklist page (Internal Controls Enforcer, Master Setup, Test Plan Template, Template Checklist).
To add a checklist to the test plan template, specify the checklist ID in the Add Checklist field, then click the Add button. The checklist items appear in the Questions group box. You can add items from multiple checklists.
Checklist items are re-sequenced according to the order in which they are added. For example, if you add two checklists, Checklist1 and Checklist2, in that order, and each checklist contains three items, the items from Checklist1 will be sequenced as 1, 2, 3, and the items from Checklist2 will be sequenced as 4, 5, 6. You can edit the items as well as add or remove individual items by using the add row and delete row buttons within the Questions group box.
| Field | Description |
| --- | --- |
| Checklist Sequence | Enter a number to control the order in which this item appears. Items appear on the test plan sequentially in ascending order. |
| Checklist Item | Enter or edit the text of the question or task for the checklist item. |
To establish risks and controls, use the Risk Definition (EPQ_RISK_DEFN) and Control Definition (EPQ_CTRL_DEFN) components. Use the EPQ_RISK_DEFN_CI and EPQ_CTRL_DEFN_CI component interfaces to load data into the tables for these components.
This section discusses how to:
Define risks.
Associate financial assertions with a risk.
Define controls.
Associate financial assertions with a control.
Associate test plan templates with a control.
| Page Name | Definition Name | Navigation | Usage |
| --- | --- | --- | --- |
| Risk Definition | EPQ_RISK_DEFN | Internal Controls Enforcer, Master Setup, Risk Definition, Risk Definition | Define risks and specify the controls with which they are associated. |
| Risk Definition - Financial Assertions | EPQ_RISK_FIN | Internal Controls Enforcer, Master Setup, Risk Definition, Fin. Assertion | Associate financial assertions with a risk. |
| Risk Definition - Notes | EPQ_RISK_NOTES | Internal Controls Enforcer, Master Setup, Risk Definition, Notes | Enter detailed notes about a risk. |
| Control Definition | EPQ_CTRL_DEFN | | Define controls and specify the test plan templates and diagnostics with which they are associated. |
| Control Definition - Financial Assertions | EPQ_CONTROL_FIN | Internal Controls Enforcer, Master Setup, Control Definition, Fin. Assertion | Associate financial assertions with a control. |
| Control Definition - Test Template | EPQ_CTRL_TMPL | Internal Controls Enforcer, Master Setup, Control Definition, Test Template | Associate test templates with a control. |
| Control Definition - Notes | EPQ_CTRL_NOTES | Internal Controls Enforcer, Master Setup, Control Definition, Notes | Enter detailed notes about a control. |
Access the Risk Definition page (Internal Controls Enforcer, Master Setup, Risk Definition, Risk Definition).
Risk Definition
| Field | Description |
| --- | --- |
| Category | Select the category that applies to the risk. You establish risk categories by using the Risk Category Definition page. |
| | Select the priority of this risk. Values are Primary, Secondary, and Tertiary. When the system generates sign-off sheets, you indicate the priority level of risks and controls to include. |
| Create New Control | Click to access the Control Definition page and create a new control to associate with this risk. |
To assign defined controls to a risk, insert rows in the Controls grid, and select the control for each inserted row.
| Field | Description |
| --- | --- |
| Control | Select the control to associate with this risk. |
| Description | Displays the control description. Click a description to access the Control Definition page, where you can view the details for the control. |
| | Displays the control priority. |
| | Displays the control type. |
| Diagnostics | If diagnostics are associated with the control, the value for this field is Yes; otherwise, it is No. |
Access the Risk Definition - Financial Assertions page (Internal Controls Enforcer, Master Setup, Risk Definition, Fin. Assertion).
Select Applicable Financial Assertions
Add rows as required to associate financial assertions with this risk.
| Field | Description |
| --- | --- |
| | Select the audit category with which to associate this risk. You establish financial assertions by using the Financial Assertion Definition page. |
Access the Control Definition page (Internal Controls Enforcer, Master Setup, Control Definition).
| Field | Description |
| --- | --- |
| | Select the type of control. Options are Manual and Automated. This is used only for informational purposes. |
| | Select the control category that applies to the control. You establish control categories by using the Control Category Definition page. |
| | Select the priority of the control. Options are Primary, Secondary, and Tertiary. When the system generates sign-off sheets, you indicate the priority level of risks and controls to include. |
| | Select the framework under which the control is categorized. You establish frameworks by using the Framework Definition page. |
| | Specify how often this control should be tested. Options are: Annual: select to indicate that this control needs to be retested annually. Same as Sign Off: select to indicate that this control should be retested every time the sign-off process occurs; when this option is selected, the value of the Sign Off Type field, which is specified by using the Internal Control Sign Off Sheet Generator page, determines how often the control needs to be retested (quarterly, semi-annually, or annually). On sign-off worksheets, the Needs Testing field indicates whether a control needs to be retested. The system automatically sets the Needs Testing field to yes when the test frequency is Same as Sign Off. If the test frequency is Annual but the value of the Sign Off Type field on the Internal Control Sign Off Sheet Generator page is quarterly or semi-annual, the Needs Testing field is set to no. |
| Control Frequency | Select the frequency with which the control operates. Options are: Annual, Biweekly, Daily, Monthly, Quarterly, Semiannual, Weekly. This field is informational only; it does not affect any processing. Use this information to ensure that associated action plans provide sufficient lead time for a control to demonstrate its operational effectiveness. |
| Diagnostic | In the Diagnostic Selection grid, insert rows to associate diagnostics with the control, and select a diagnostic for each inserted row. |
| <diagnostic description> | Click to access the Define Diagnostics page, where you can review the details of the associated diagnostic. |
| Create New Diagnostic | Click to access the Define Diagnostics page, where you can define a new diagnostic to associate with this control. |
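The following is an added illustration, not Internal Controls Enforcer code, of two sign-off sheet rules this chapter describes: the inclusive risk and control priority filter from the priorities overview (primary risks only, but primary and secondary controls) and the Needs Testing flag derived from the test frequency and the Sign Off Type field above. Record names, the spelling of the Sign Off Type values, and the sample risks and controls are assumptions; it also assumes that an annual control in an annual sign-off needs testing.

```python
# Added illustration (not Internal Controls Enforcer code) of two sign-off sheet
# rules described on this page: the inclusive risk/control priority filter and
# the Needs Testing flag derived from Test Frequency and Sign Off Type.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    priority: str        # "Primary", "Secondary" or "Tertiary"
    controls: tuple      # ids of the controls associated with this risk


@dataclass(frozen=True)
class Control:
    control_id: str
    priority: str
    test_frequency: str  # "Annual" or "Same as Sign Off"


def needs_testing(control, sign_off_type):
    """Yes when the control is retested at every sign-off, or (assumed) when an
    annual control meets an annual sign-off. An annual control in a quarterly
    or semi-annual sign-off gets no, as the page states."""
    if control.test_frequency == "Same as Sign Off":
        return True
    return control.test_frequency == "Annual" and sign_off_type == "Annual"


def generate_sign_off_rows(risks, controls, risk_priorities,
                           control_priorities, sign_off_type):
    """Return (risk_id, control_id, needs_testing) rows. Both priority selections
    apply (inclusive): a control is listed only under a risk whose priority is
    selected, and only if its own priority is selected as well."""
    by_id = {c.control_id: c for c in controls}
    rows = []
    for risk in risks:
        if risk.priority not in risk_priorities:
            continue
        for control_id in risk.controls:
            ctl = by_id[control_id]
            if ctl.priority in control_priorities:
                rows.append((risk.risk_id, ctl.control_id,
                             needs_testing(ctl, sign_off_type)))
    return rows


# Constructed sample repository data.
CONTROLS = [
    Control("C_VENDOR_APPROVAL", "Primary", "Same as Sign Off"),
    Control("C_VENDOR_AUDIT_RPT", "Secondary", "Annual"),
    Control("C_BANK_RECON", "Primary", "Annual"),
]
RISKS = [
    Risk("R_UNAUTH_VENDOR_CHG", "Primary",
         ("C_VENDOR_APPROVAL", "C_VENDOR_AUDIT_RPT")),
    Risk("R_BANK_NOT_RECONCILED", "Secondary", ("C_BANK_RECON",)),
]


def demo_sign_off(sign_off_type="Quarterly"):
    """The case worked in the text: primary risks only, primary and secondary controls."""
    return generate_sign_off_rows(RISKS, CONTROLS, {"Primary"},
                                  {"Primary", "Secondary"}, sign_off_type)
```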
See Also
Establishing and Maintaining Diagnostics
Access the Control Definition - Financial Assertions page (Internal Controls Enforcer, Master Setup, Control Definition, Fin. Assertion).
Select Applicable Financial Assertions
Add rows as required to associate financial assertions with this control.
| Field | Description |
| --- | --- |
| | Select the audit category with which to associate this control. You establish financial assertions by using the Financial Assertion Definition page. |
Access the Control Definition - Test Template page (Internal Controls Enforcer, Master Setup, Control Definition, Test Template).
| Field | Description |
| --- | --- |
| Create New Test Template | Click to access the Test Definition page, where you can create a new test definition that is associated with the control. |
To associate test plan templates with this control, add rows within the Test Template grid and complete the following fields.
| Field | Description |
| --- | --- |
| | Select the test plan template to associate with this control. |
| Description | Click to access the Test Plan Template page, where you can review the template definition. |
| | Use this field when the test template in the current row may be executed only after another test template for this control has been carried out. Select the test template that is the prerequisite. The list of valid values is limited to templates that are currently associated with this control. This effectively enables you to control the sequencing of the test plans that are generated for this control. Test plans that are not dependent on other test plans can be executed at any time and in parallel. Multiple test plans that depend on one common test plan can also be executed in parallel, but only after the test plan that they depend on is completed or canceled. |
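The following is an added illustration, not Internal Controls Enforcer code, of the sequencing that the prerequisite field above imposes on the test plans generated for one control: a plan is released only once its prerequisite's plan is completed or canceled, plans without prerequisites run at any time, and plans sharing one prerequisite are released together. The status names, helper names and the four sample templates are assumptions.

```python
# Added illustration (not Internal Controls Enforcer code) of how a prerequisite
# test template sequences the test plans generated for one control.
def prerequisite_errors(templates, prereq):
    """Return problems with the prerequisite assignments, as the page restricts
    them: a prerequisite must be another template associated with the same
    control, and prerequisite chains must not loop back on themselves."""
    errors = []
    for tmpl, pre in prereq.items():
        if pre is not None and pre not in templates:
            errors.append(f"{tmpl}: prerequisite {pre} is not on this control")
    for start in templates:
        seen, cur = set(), start
        while cur is not None and cur in templates:
            if cur in seen:
                errors.append(f"prerequisite cycle through {cur}")
                break
            seen.add(cur)
            cur = prereq.get(cur)
    return errors


def executable_now(templates, prereq, status):
    """Templates whose test plan may be executed now: the plan is still open and
    it has no prerequisite, or its prerequisite's plan is Completed or Canceled.
    Everything returned together may run in parallel."""
    done = {"Completed", "Canceled"}
    return sorted(
        t for t in templates
        if status.get(t, "Not Started") not in done
        and (prereq.get(t) is None or status.get(prereq[t]) in done)
    )


def execution_waves(templates, prereq):
    """Simulate the sequencing: each wave is the set of plans released together;
    completing a wave releases the plans that depended on it."""
    status = {t: "Not Started" for t in templates}
    waves = []
    while True:
        ready = executable_now(templates, prereq, status)
        if not ready:
            break
        waves.append(ready)
        for t in ready:
            status[t] = "Completed"
    return waves


# Constructed sample: four test templates associated with one control.
TEMPLATES = ["T_WALKTHROUGH", "T_SAMPLE_SELECT", "T_REPERFORM", "T_REVIEW_RPT"]
PREREQ = {
    "T_WALKTHROUGH": None,
    "T_SAMPLE_SELECT": "T_WALKTHROUGH",
    "T_REPERFORM": "T_SAMPLE_SELECT",
    "T_REVIEW_RPT": "T_WALKTHROUGH",
}


def demo_waves():
    """Walkthrough first; then sample selection and report review in parallel;
    re-performance last, once sample selection is done."""
    assert not prerequisite_errors(TEMPLATES, PREREQ)
    return execution_waves(TEMPLATES, PREREQ)
```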