Understanding the Internal Controls Certification Procedure
This chapter provides an overview of the internal controls certification procedure and discusses how to:
Manage the internal controls certification process.
Sign off internal controls.
See Also
Monitoring and Managing Controls
Understanding the Internal Controls Certification Procedure
This section discusses:
Certification activities.
Sign-off options.
Change management.
Notifications.
Sign-off sheet generator process flow.
Certification Activities
To comply with the requirements stated in section 404 of the Sarbanes-Oxley Act, organizations must annually validate their internal controls. To meet these requirements, there are several activities included in the internal controls certification process:
Generate sign-off sheets and worksheets.
Sign-off sheets and worksheets are generated by running the Sign-off Sheet Generator Application Engine process (EPQ_SO_GEN). There can only be one active sign-off sheet at any time, and a new sign-off sheet cannot be created until all existing sign-off sheets have been either signed off or canceled. The sign-off ID is specified when you generate sign-off sheets. When you run the sign-off sheet generation process, the system creates sign-off sheets for each subprocess instance, and sends notifications to the corresponding subprocess owners that sign-off sheets have been created for which they are responsible; the notification includes a link that they can use to access their respective sign-off sheets. There are also options for the system to automatically generate test plans (by using the test plan templates that are associated with each control instance) and delete any existing generated test plans. You can either run the process on demand by using the Internal Controls Sign-off Sheet Generator page, or define a schedule for running the process by using the Schedule Sign-off Generation run control page, which runs the engine using process scheduler.
Certify controls by using sign-off worksheets.
Sign-off worksheets are used by subprocess owners to:
Review and specify which controls have changed since the last sign off.
Review which controls need to be retested.
Update control status.
Initiate action plans and test plans for unproven controls.
Sign off subprocesses by using sign-off sheets.
Once all of a subprocesses controls are in proven or exception status, the subprocess can be signed off. Subprocess owners, and optionally business process owners, are required to complete the sign-off sheet; this option is set by using the General Preferences page.
Sign-Off Options
The following options are specified when you generate sign-off sheets:
Sign-off frequency.
Sign-offs can be conducted either annually, semiannually, or quarterly. The frequency that is specified determines which controls the system sets to not proven status, in conjunction with the control's defined test frequency. (You specify the test frequency when you define the control instance).
Risk priority and control priority.
Either primary, primary and secondary, or all (primary, secondary, and tertiary) risks and controls can be included. The priority options provide you with the flexibility to control which risks and controls to evaluate for a particular sign off. For example, your organization can opt to evaluate only primary risks for interim sign-offs, then evaluate all risks for an annual sign off.
Change Management
If risks or controls are added or modified after sign-off sheets have been generated, use the Sign-Off Sheet Refresh Application Engine process (EPQ_SO_REFRESH) to regenerate the sign-off sheets for either all subprocesses or a specific subprocess, and all entities or a specific entity. You can either run the process on demand by using the Internal Controls Sign-off Sheet Refresh page, or define a schedule for running the process by using the Schedule Sign-off Refresh run control page, which runs the engine using process scheduler.
There is a system-wide option that controls whether you can cancel or refresh sign-off sheets after they have all been completed for a given sign-off ID.
See Establishing General Preferences.
Notifications
The system sends notifications when several key actions occur during the sign-off procedure:
When sign-off sheets are generated, subprocess owners are notified.
When a subprocess is signed off by a subprocess owner, the corresponding business process owner is notified if the system preferences have been set to require business process owners to sign off.
When a subprocess is denied by the business process owner, subprocess owners are notified.
When a subprocess is signed off, the system notifies the entity owner.
Sign-Off Sheet Generator Process Flow
This diagram illustrates the process flow for the Sign-Off Sheet Generator Application Engine process (EPQ_SO_GEN), during which:
Sign-off sheets are created or refreshed.
The value of the Retest field for each control is updated.
The status of controls that require retesting is changed to Not Proven.
Notifications that sign-off sheets were generated are sent to subprocess instance owners.
Sign-Off Sheet Generator process flow
Managing the Internal Controls Certification ProcessThis section discusses how to:
Create sign-off sheets on demand.
Define scheduled sign-off sheet generation.
View sign-off sheet history.
Refresh sign-off sheets on demand.
Define scheduled sign-off sheet refreshes.
Cancel sign-off sheets.
Pages Used to Manage the Internal Controls Certification Process
|
Page Name |
Definition Name |
Navigation |
Usage |
|
Internal Controls Sign-off Sheet Generator |
EPQ_SO_GEN |
Internal Controls Enforcer, Sign Off, Sign-off Setup, Sign-off Sheet Generator |
Create the sign-off sheets that are used for certifying internal controls. |
|
Schedule Sign-off Generation |
EPQ_SIGN_OFF_RUN |
Internal Controls Enforcer, Sign Off, Sign-off Setup, Schedule Sign-off Generation |
Define scheduled sign-off sheet generation. |
|
Sign-off Sheet Generation History |
EPQ_SO_HIST |
|
Lists the events that have occurred for a sign-off sheet. |
|
Internal Controls Sign-off Sheet Refresh |
EPQ_SO_REFRESH |
|
Regenerate existing sign-off sheets. Any existing sign-off sheet activity or sign-off worksheet activity is lost. This enables you to recreate sign-off sheets if you have modified risks and controls after the sign-off sheets were initially created. |
|
Schedule Sign-off Refresh |
EPQ_SO_REFRESH_RUN |
Internal Controls Enforcer, Sign Off, Sign-off Setup, Schedule Sign-off Refresh |
Define scheduled sign-off sheet refreshes. |
Creating Sign-Off Sheets on Demand
Access the Internal Controls Sign-off Sheet Generator page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Sign-off Sheet Generator).
|
Displays the overall status of the current sign off. This status is system maintained. Values are: New: Indicates that the sign-off sheet generation process has not yet been run for this sign-off sheet. Generated: Indicates that the sign-off sheet generation process has been run, and sign-off sheets exist. If you access the page under these circumstances, only the Delete Generated Test Plans check box is available; all other fields will be unavailable for entry, and the only actions that you can take are to cancel or refresh the existing sign-off sheets, or view the sign-off sheet history. Canceled: Indicates that the sign-off sheets were generated but subsequently canceled. Signed-off: Indicates that all generated sign-off sheets have been signed off. |
|
|
Select the type of sign-off sheet. Options are: Annual. Semi-Annual. Quarterly. The value that you select, in conjunction with the test frequency value for each control, which is set by using the Control Definition page or the Control Instance Definition page, determines which controls are automatically set to not proven status. |
|
|
Enter the date by which the sign-off sheet is due. |
|
|
Risk Priority for Sign Off and Control Priority for Sign Off |
Select the priorities of risks and controls to include in the sign-off process. Options are: All. Primary. Primary and Secondary. These criteria are inclusive. For example, if you specify to include only primary risks but you specify to include both primary and secondary controls, then both primary and secondary priority controls are included in the sign off, but only for primary risks. |
|
Generate Test Plans |
Select this check box to have the system generate test plans while generating sign-off sheets. Clear this option if test plans have already been created. Note. If there are active test plans that have been generated by other methods and you select this option, the system checks the existing test plans, and only generates a test plan if it does not already exist; no duplicates are created. |
|
Delete Generated Test Plans |
Select this check box to delete all existing system generated test plans when canceling sign-off sheets. This option is available only when the Status is Generated. |
|
Default Plan End Date |
Select the default end date to use for generated test plans. This date must be equal to less than the value of the Sign-off Due Date. You can override this date after test plans are generated, if necessary, by using the Test Plan page to modify it for individual test plans. |
|
Generate and Distribute Sign-off Sheets |
Click to run the Sign-Off Sheet Generator process, which generates sign-off sheets for subprocess instances, based on the specified parameters. This button is available only if the current sign-off status is New. |
|
Cancel Sign-off Sheet |
Click to cancel generated sign-off sheets; the system changes the status of all existing sign-off sheets to Canceled. Select the Delete Generated Test Plans check box to also delete generated test plans when canceling the sign-off sheet. |
|
Refresh Existing Sign-off Sheet |
Click to access the Internal Controls Sign-off Sheet Refresh page, where you can regenerate sign-off sheets. You can't refresh sign-off sheets if the current date is greater than the sign-off due date. |
|
View Sign-off Sheet Generation History |
Click to access the Sign-off Sheet Generation History page, where you can view all activity for generating or refreshing sign-off sheets. |
Note. If the Sign Off Auto-Lock check box on the Internal Controls Enforcer General Preferences page is selected, you cannot cancel, regenerate, or refresh sign-off sheets after they are signed off.
See Establishing General Preferences.
Defining Scheduled Sign-Off Sheet Generation
Access the Schedule Sign-off Generation page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Schedule Sign-off Generation).
|
Compliance Project |
Specify the compliance project for which to run sign-off sheet generation. |
|
Sign-off ID |
Enter an identifier for the generated sign-off sheets. |
|
Select the type of sign-off sheet. Options are: Annual. Semi-Annual. Quarterly. The value that you select, in conjunction with the test frequency value for each control, which is set by using the Control Definition page or the Control Instance Definition page, determines which controls are automatically set to not proven status. |
|
|
Enter the date by which the sign-off sheet is due. |
|
|
Risk Priority for Sign Off and Control Priority for Sign Off |
Select the priorities of risks and controls to include in the sign-off process. Options are: All. Primary. Primary and Secondary. These criteria are inclusive. For example, if you specify to include only primary risks but you specify to include both primary and secondary controls, then both primary and secondary priority controls are included in the sign off, but only for primary risks. |
|
Generate Test Plans |
Select this check box to have the system generate test plans while generating sign-off sheets. Clear this option if test plans have already been created. Note. If there are active test plans that have been generated by other methods and you select this option, the system checks the existing test plans, and only generates a test plan if it does not already exist; no duplicates are created. |
|
Default Plan End Date |
Select the default end date to use for generated test plans. This date must be equal to less than the value of the Sign-off Due Date. You can override this date after test plans are generated, if necessary, by using the Test Plan page to modify it for individual test plans. |
|
Run |
Click to run the Sign-Off Sheet Generator process via process scheduler. |
See Also
Enterprise PeopleTools 8.50 PeopleBook: Using PeopleSoft Applications
Enterprise PeopleTools 8.50 PeopleBook: PeopleSoft Process Scheduler
Viewing Sign-Off Sheet History
Access the Sign-off Sheet Generation History page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Sign-Off Sheet History).
Note. The fields on this page are display-only.
|
Sign-off Sheet Generation History |
Displays the history of generating and refreshing sign-off sheets for a single sign-off ID. |
|
Action |
Displays the action taken. Values are: Generate: Indicates that sign-off sheets were generated. Refresh: Indicates that sign-off sheets were refreshed. |
|
Selected Subprocesses |
Displays the subprocess for which sign-off sheets were refreshed. This column applies only to refresh activity. If this field is blank, then all subprocesses were refreshed. |
|
Selected Entities |
Displays the entities for which sign-off sheets were refreshed. This column applies only to refresh activity. If this field is blank, then all entities were refreshed. |
|
Sign-off Sheets Deleted |
Displays the number of sign-off sheets that were deleted. Applicable only to refresh activity; for generate activity this value is always zero. |
|
Sign-off Sheets Generated |
Displays the number of sign-off sheets that were created by either the Sign-Off Sheet Generator process (for generate activity) or Sign-Off Sheet Refresh process (for refresh activity). |
Refreshing Sign-Off Sheets on Demand
Access the Internal Controls Sign-off Sheet Refresh page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Sign-Off Sheet Refresh).
Sign-off Options
|
Delete Generated Test Plans |
Select this check box to delete existing system generated test plans when refreshing sign-off sheets. To recreate sign-off sheets without recreating their associated test plans, select this option without selecting the Generate Test Plans check box, then click the Refresh Existing Sign-off Sheet button. The system automatically selects this check box and the field becomes unavailable for entry when you select the Generate Test Plans check box, because in that case it automatically deletes any existing test plans for the subprocess and entities that are being refreshed. |
|
Generate Test Plans |
Select this check box to have the system regenerate test plans while refreshing sign-off sheets. |
Note. If you refresh sign-off sheets and do not select Generate Test Plans, then the test plans will not be associated with the new sign-off sheets. Subsequently if you refresh sign-off sheets again and at that time specify to delete the test plans, the test plans will not be deleted.
Refresh Options
|
Subprocess Selection |
Select All Subprocesses to refresh sign-off sheets for all active subprocesses. Select Select Subprocess to refresh sign-off sheets for a single subprocess, then specify the subprocess in the adjacent field. |
|
Entity Selection |
Select All Entities to refresh sign-off sheets for all active entities. Select Select Entity to refresh sign-off sheets for a single entity, then specify the entity in the adjacent field. |
|
Refresh Existing Sign-off Sheet |
Click to run the Sign-Off Sheet Refresh Application Engine process (EPQ_SO_REFRESH), which regenerates sign-off sheets based on the specified parameters. The system deletes any existing sign-off sheets for the specified entity and subprocess—even if it has been signed off—then regenerates the sign-off sheets; the existing sign off and worksheet activity is lost. |
Defining Scheduled Sign-off Sheet RefreshesAccess the Schedule Sign-off Refresh page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Schedule Sign-off Refresh).
Sign-off Options
|
Delete Generated Test Plans |
Select this check box to delete existing system generated test plans when refreshing sign-off sheets. To recreate sign-off sheets without recreating their associated test plans, select this option without selecting the Generate Test Plans check box, then click the Refresh Existing Sign-off Sheet button. The system automatically selects this check box and the field becomes unavailable for entry when you select the Generate Test Plans check box, because in that case it automatically deletes any existing test plans for the subprocess and entities that are being refreshed. |
|
Generate Test Plans |
Select this check box to have the system regenerate test plans while refreshing sign-off sheets. |
Note. If you refresh sign-off sheets and do not select Generate Test Plans, then the test plans will not be associated with the new sign-off sheets. Subsequently if you refresh sign-off sheets again and at that time specify to delete the test plans, the test plans will not be deleted.
Refresh Options
|
Subprocess Selection |
Select All Subprocesses to refresh sign-off sheets for all active subprocesses. Select Select Subprocess to refresh sign-off sheets for a single subprocess, then specify the subprocess in the adjacent field. |
|
Entity Selection |
Select All Entities to refresh sign-off sheets for all active entities. Select Select Entity to refresh sign-off sheets for a single entity, then specify the entity in the adjacent field. |
Running the Process
|
Run |
Click to refresh sign-off sheets via process scheduler. |
See Also
Enterprise PeopleTools 8.50 PeopleBook: Using PeopleSoft Applications
Enterprise PeopleTools 8.50 PeopleBook: PeopleSoft Process Scheduler
Canceling Sign-Off Sheets
Access the Internal Controls Sign-off Sheet Generator page (Internal Controls Enforcer, Sign Off, Sign-off Setup, Sign-off Sheet Generator), and click Cancel Sign-off Sheet. This cancels all sign-off sheets. To delete any generated test plans when you cancel the sign-off sheets you must select the Delete Generated Test Plans check box.
Signing Off Internal Controls
This section discusses how to:
Certify controls.
Sign off subprocesses.
Pages Used to Sign Off Internal Controls
|
Page Name |
Definition Name |
Navigation |
Usage |
|
Internal Controls Sign-off Worksheet |
EPQ_WORKSHEET |
|
View and update the status of subprocess controls. You can change the status of the controls by using this page, but you can't certify that the internal controls for a subprocess are proven; that action is performed by using the Internal Controls Sign Off page. |
|
Internal Controls Sign Off |
EPQ_SIGN_OFF |
|
Enables subprocess owners and, optionally, business process owners to certify that the internal controls for a subprocess are proven. Only the sign-off status is updated by using this page; the status of the associated controls is maintained by using the Internal Controls Sign-Off Worksheet page and other related pages. |
|
Reviewer Comments |
EPQ_ADD_COMMENT |
|
Enter sign off comments. |
|
View Reviewer Comments |
EPQ_VIEW_COMMENT |
Click View Reviewer Comments on the Internal Controls Sign Off page. |
View existing comments. |
|
Control Change Comments |
EPQ_CTL_CHG_SEC |
Click |
Enter or review control change comments. |
|
Control Retest Comments |
EPQ_CTL_RT_SEC |
Click |
Enter or review control retest comments. |
Certifying Controls
Access the Internal Controls Sign-off Worksheet page (Internal Controls Enforcer, Sign Off, Sign-off Worksheet).
General Information
|
Subprocess |
Click the subprocess description to access the Process Definition page, where you can review the definition for this subprocess. |
|
Sign-off Sheet |
Click to access the corresponding sign-off sheet. |
Sign-Off Status
|
Displays the current subprocess sign-off status. Values are: Initiated: The initial status when sign-off sheets are generated. This is the only state in which you can modify the Changed Since Last Sign Off and Needs Testing fields. Subprocess Signed Off: Indicates that the subprocess owner has signed off but business process owner sign off is also required and that person has not yet signed off. Signed Off: Indicates that all required sign-offs are complete. Canceled: Indicates that the sign-off sheet was canceled. |
|
|
Responsible |
Lists the subprocess owner. |
Risks
This group box lists all active subprocess risks and associated controls for which sign-off sheets were generated.
|
Risk and <Description> |
Click the risk description to access the Risk Instance Definition page, where you can view the risk details. |
|
Control ID and <Description> |
Click the control description to access the Control Instance Definition page, where you can view the control details. |
|
If the current sign-off status is Initiated, select Yes to indicate that this control has changed since the last sign off, or No if it has not changed. If the sign-off status is Subprocess Signed Off, Signed Off, or Canceled, this field is display-only. |
|
|
If the current sign-off status is Initiated, select Yes to indicate that this control needs to be tested, or No if it does not. If the sign-off status is Subprocess Signed Off, Signed Off, or Canceled, this field is display-only. When the system generates sign-off sheets, it automatically sets this field to yes when the control's test frequency is set to Same as Sign Off. The control frequency is set by using the Control Definition page. See Defining Controls. |
|
|
|
Click to access the Control Change Comments or Control Retest Comments page, where you can view or enter comments. |
|
Status |
Displays the current control status. Click to access the Control Management component, where you can review the status of the control's test plans and action plans, and maintain the control status. |
|
Diagnostics |
If diagnostics are associated with this control, the value for this field is View; otherwise this field is blank. Click View to access the Diagnostic Reports By Control page, where you can view the diagnostic report. |
|
Test Package ID |
Optionally, select a test package to associate with the control. See Test Packages. |
|
Overall Test Result |
Displays the current results overall for the tests that are included in the associated test package. If one of the tests within the test package fails, then the overall test result is set to Failed; if all of the tests within the test package pass, then the overall test result is set to Passed. Click the result value to access the Test Plan Package page, where you can view the details of the test package results. |
See Also
Understanding Subprocess Management
Signing Off Subprocesses
Access the Internal Controls Sign Off page (Internal Controls Enforcer, Sign Off, Sign-off Sheet).
General Information
|
Subprocess |
Click the subprocess description to access the Process Definition page, where you can review the definition for this subprocess. |
|
Worksheet |
Click to access the corresponding Internal Controls Sign-off Worksheet page, where you can update the status of the subprocess controls. |
|
Add Reviewer Comments |
Click to access the Reviewer Comment page, where you can enter new comments about the sign-off sheet. |
|
View Reviewer Comments |
Click to access the View Reviewer Comments page, where you can review existing comments. |
Sign-Off Status
Use the fields within the Sign-Off Status group box to modify the status of the associated subprocesses.
|
Sign-off Due Date |
Displays the sign-off date deadline. |
|
<subprocess owner user ID> or Subprocess Status and <process owner user ID> or Business Process Status |
Displays the names of the individuals specified as the subprocess owner and associated process owner, and the current sign-off status for each in the adjacent drop-down list box. The ability to modify the status depends on the current sign-off state and whether or not sign-offs are required by business process owners. If the subprocess is not signed off, you can change the subprocess status by selecting a value from the drop-down list box. However, you can change the status to Signed Off only when all controls are tested and proven. After the status is set to Signed Off, the field becomes unavailable for entry. If business process owner sign-off is not required, then the business process status is unavailable for entry. If business process owner sign-offs are required, you can similarly modify the business process status. Before the subprocess is signed off, the business process status value is Undetermined, and the field is unavailable for entry. After the subprocess is signed off, the system automatically updates the business process status from Undetermined to Pending Approval, and enables access to the field, where you can select one of the following values: Approved:Select to approve the sign-off. The system automatically updates the sign-off sheet status to Signed-Off when you select this option. Denied: Select to indicate the sign-off is not approved. When you select this option, the system automatically resets the sign-off status to Initiatedand transfers you to the Reviewer Comments page where you can document the reasons for the denial. The system also notifies the subprocess owner that the sign-off is not complete, and enables the control status to be modified. |
|
Sign-off Date and Signed Off By |
Displays who signed off the subprocess and business process (if required), and when. |
Risks
This group box lists all active subprocess risks and associated controls for which sign-off sheets were generated.
|
Risk |
Click the risk description to access the Risk Instance Definition page, where you can view the risk details. |
|
Control |
Click the control description to access the Control Instance Definition page, where you can view the control details. |
|
|
Click to access the Control Change Comments or Control Retest Comments page, where you can view or enter comments. |
|
Status |
Displays the current control status. Click to access the Control Management component, where you can review the status of the control's test plans and action plans, and maintain the control status. |
|
Diagnostics |
If diagnostics are associated with this control, the value for this field is View; otherwise this field is blank. Click View to access the Diagnostic Reports By Control page, where you can view the diagnostic report. |
|
Test Package ID |
Displays the test package that is associated with the control. |
|
Overall Test Result |
Displays the current results overall for the tests that are included in the associated test package. |
on the Internal Controls Sign Off page.