Create or Edit a Control

To create or edit a control, name it and determine how it's to be enforced. Optionally define it further and select perspective values that set it in a context.

Use either of two methods to open the page to create a control.

  • Select the Create Documented Control quick action from the Risk Management springboard. (Depending on the number of quick actions available to you, you may need to select a Show More option on the springboard.)
  • In the Controls work area, select the Controls tab. Then select the Create icon.

To edit a control, select the Controls tab, select the row representing the control, and select the Edit icon. Or, click the name of the control and, on the page that displays its details, click Actions > Edit Definition.

As you work with the control:

  1. Enter or modify required values. These include:

    • A name. This should indicate how the control alleviates risk.

    • A method: Manual indicates that the control requires human action. For example, a manual control might require a person to review an insurance policy before renewal. Automated indicates that the control runs automatically in an external system.

    • A status: Accept the default, Active, or change it to Inactive.

  2. Optionally, enter or modify additional values that define the control further:

    • Enter a description. Along with the control name, this should tell how the control alleviates a risk.

    • Select a type. Your organization would need to create its own type values. (See Manage Lookups.)

    • Select an enforcement type. Default values indicate whether a control corrects, prevents, or detects a risk. Your organization can create additional enforcement-type values that describe how the control addresses a risk. (See Manage Lookups.)

    • Select a frequency, which determines how often the control should be enforced.

    • Enter an estimate of the cost for implementing the control.

    • Select one or more types of assertion that you intend for the control to evaluate.

      An assertion is a statement of presumed facts about the status of a business process. For example, you can assert that financial assets exist and that financial transactions have occurred and been recorded during a period of time. Typically, you'd include the assertions themselves in test plans you create for the control.

    • Select in-scope values. These correspond to activity types selected for assessment batches, and so determine whether the control can be included in assessment batches. You can:

      • Select the Audit Testing in-scope value to make the control eligible for assessment batches whose activity type is Audit Test.

      • Select the Assessment Testing in-scope value to make the control eligible for assessment batches whose activity type is Certification, Operational Assessment, or Design Review.

      • Select both in-scope values to make the control eligible for assessment batches assigned any of these activity types.

      • Leave both in-scope values unselected. In this case, the control can't be included in assessment batches. You can, however, create "impromptu" (individual) assessments for it, because in-scope values have no bearing on impromptu assessments.

    • Enter comments if any are germane.

    • Attach documents to add detail to the definition of the control. (See Attach and View Documents.)

  3. In the Perspectives panel, optionally select perspective values appropriate for the control. (See Select Perspective Values in Financial Reporting Compliance.)

  4. If descriptive flexfield segments have been defined for the Control object, these appear as fields in an Additional Information panel. Provide values for these fields.

You can't relate controls to other objects. As you create or edit risks, however, you can relate them to controls. So both the edit page for a control and the definition tab of the control record contain a Related Records panel. In it, you can view the control's relationships to risks for which it's been selected. The name of each related risk is a link to its record, but the link is active only if you're authorized as an owner, editor, or viewer of the risk.

You can authorize other users to work with the control, its certification assessments, or both, but only after you create it. (See Secure Records in Financial Reporting Compliance.) When you save or submit the control, the create page changes either into the edit page or into the completed record of the control. These pages, unlike the create page, display a Security Assignment button. Expand it, and then either:

  • Click Control Security Assignment to authorize users' access to the control itself.

  • Click Default Assessment Security Assignment to select assessment actors assigned by default to certification assessments of the control.