Internal Audit Management Module Overview
IBM OpenPages GRC Platform Version 7.0.0
Internal Audit Management Module Overview

Note: Before using this information and the product it supports, read the information in "Notices" on page 37.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Introduction ... 1
  Module Description ... 1
  Object Type Licensing ... 2
Chapter 2. Object Types ... 3
  Object Types Enabled by Default ... 3
  Object Types Disabled by Default ... 9
  Subcomponents ... 10
Chapter 3. Computed Fields ... 11
Chapter 4. Helpers ... 13
  Close Audit Helper ... 13
  Add or Modify Plans Helper ... 13
  Timesheet Entry Report Helper ... 13
  Administrator Timesheet Entry Report Helper ... 14
Chapter 5. Reports ... 15
  IAM-Specific Reports ... 15
  Reports Shared with Other Modules ... 17
  Notifications ... 19
Chapter 6. Notifications ... 21
  Issue and Action Bulletin notification ... 21
Chapter 7. Triggers ... 23
  IAM-Specific Triggers ... 23
  Triggers Shared with Other Modules ... 24
    Issue Management and Remediation trigger ... 24
    Risk and Control Self-assessments triggers ... 25
    Visualization triggers ... 29
Chapter 8. Profiles ... 31
  OpenPages IAM 7.0.0 Master Profile ... 31
  Home Page Filtered Lists ... 31
  Activity Views ... 32
  Grid Views ... 33
Chapter 9. Role Templates ... 35
Notices ... 37
Index ... 41

Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information
Software Version: 7.0.0
Document Published: December, 2013

Document Updates
Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).
Chapter 1. Introduction

Use this guide with the IBM OpenPages Internal Audit Management module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp). Release Notes are published directly to the Information Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products. IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

Module Description

IBM OpenPages Internal Audit Management (IAM) provides internal auditors with a uniquely configured view into organizational governance, risk, and compliance (GRC), giving the audit function the opportunity to supplement and coexist with broader risk and compliance management activities. As with all modules, IBM OpenPages Internal Audit Management is completely integrated with financial controls management, IT governance, policy and compliance efforts, and operational risk management programs. The internal audit team can work as a fully integrated partner to business stakeholders, completely independently, or anywhere in between, as determined by the specific needs of the audit department or of a particular audit being undertaken.
Key features include:

- The capability to risk rank the audit universe, configured according to your audit methodology
  - Powerful support for your risk assessment methodology
  - Full reporting across the entire audit universe
- The ability to define, plan, execute and report on audits across your business
  - Track and manage audits, audit sections, workpapers, and audit resource requirements and allocations
  - Automate operations through fully configurable reporting and workflow
- The ability to provide independent assurance to the business or work as an integrated part of GRC efforts
  - Opine on management's GRC efforts independently
  - Control access to confidential audits, fields, and audit-only views

Object Type Licensing

For the IBM OpenPages Internal Audit Management module, you are licensed to use the object types listed in Chapter 2, "Object Types," on page 3. Use of any other object types is prohibited without prior written approval from IBM.

Chapter 2. Object Types

The IBM OpenPages Internal Audit Management module includes object types that are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages Internal Audit Management configuration and are enabled by default.

Table 1. Object types enabled by default

Business Entity
  Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters and then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure.
  Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards). When setting up your business entity hierarchy, you should work with your OpenPages consultant, as the structure of your business entities will greatly affect the type and quality of the information that can be extracted from the application.

  In IBM OpenPages Internal Audit Management, Business Entities are also used to model the Internal Audit organizational structure, which facilitates reporting and security for the Internal Audit team. The Internal Audit organizational structure is typically a top-level entity, to minimize the chance of accidentally granting a business user access to Internal Audit information. The elements of the Audit Universe that are "owned" by a given Internal Audit team are typically associated with that team's Business Entity. Another top-level Business Entity structure can be created to organize confidential Audits, providing the ability to apply special security to these Audits. A Business Entity can also be used to organize a Library of template audit content.

Process
  Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth. Processes are also used in scoping audits. Audit can associate to Processes created by the Business, make its own copy of them, create its own Processes from scratch, or use any mixture of these.

Sub-Process
  A Sub-Process is a component of a Process. It is used to decompose Processes into smaller, more granular units for assessment purposes. This object is not expected to be used in audit scoping, but may be used in documenting Process details.

Risk
  Risks are potential liabilities.
  Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each Risk has one or more Controls associated with it that provide safeguards against the Risk and help mitigate any consequences that may result from the Risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items. A Risk instance shared between Internal Audit and the Business can be rated separately by Audit and by the Business.

Control
  Controls are typically policies and procedures (procedures are actions that implement the policies) that help ensure that risk mitigation responses are carried out. Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks. Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective. In IBM OpenPages Internal Audit Management, Controls can be used to create a detailed model of the Controls that exist, or that should exist, on the activities being audited. If shared with the Business, the Controls can be rated separately by Internal Audit and by the Business.

Test Plan, Test Result
  You can determine the operating effectiveness of a Control by conducting one or more detailed tests of a Control and then documenting the results. Test Plans are mechanisms that determine whether or not a Control is effective. A Test Result is the information obtained from running a Test Plan. IBM OpenPages Internal Audit Management is configured by default to use the Workpaper object in place of the Test Plan and Test Result objects.
  Audit needs access to these objects, since they are often used by the Business to document their testing.

Risk Assessment
  Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object, which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment, to manage your risk self-assessment process.

Preference Group, Preference
  The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.

  The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values, which enable different behavior for the same workflows). For example, it can determine the behavior of review and approval workflows (such as who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required). In the default IBM OpenPages Internal Audit Management configuration, these objects are used to hold weights for the Risk Factors used in Annual Assessment Risk Ranking. Since the weights and factors can differ for each type of audit (financial, operational, strategic, etc.), there is a separate Preference instance for each audit type. As a child of Business Entity, this provides the ability to have entity-specific variable values.

Auditable Entity
  Auditable Entity is a child of Business Entity.
  Typically, an Internal Audit Business Entity hierarchy would be established under which all of the Auditable Entities would live. Auditable Entities that are aligned with one or more elements of the Business Entity organizational hierarchy are typically also associated to those Business Entities. An Auditable Entity represents a single element of the Audit Universe, the collection of things in the Business that might be audited. Typically, the majority of Auditable Entities represent one or more business or legal entities, but they can also represent one or more processes, long-running projects or initiatives, compliance programs, shared IT Services, and so on. Auditable Entities are risk ranked every year to determine the priority of performing an audit that year. A Weighted Risk Score is calculated, and an ability to manually override the score is provided.

Audit
  An Audit represents each execution of an "audit" against an Auditable Entity. For example, if an Auditable Entity will be audited every two years, there would be separate child Audit instances for 2006, 2008, 2010, etc. The Audit object is configured to be a self-contained object type, meaning that a folder will be automatically created for each instance of it. This facilitates copying template audits and audit components from a library to the audit hierarchy without object naming conflicts. Planning and scheduling of the Audit resources is typically done at the Audit level. High-level Audit progress can be tracked by monitoring the Status values and Date values on the Audit. Key audit milestones can be tracked by adding fields on the Audit that represent completion dates for each of the key milestones you wish to track. You use the Audit object to manage the audit process across your enterprise.
  The Audit object identifies a holding point where you can capture information such as scope, objectives, timing information, and review, execution and approval roles. If wanted, you could track only those audits you will be undertaking in a given planning horizon, or all audits in the audit universe.

Audit Section
  Audit Sections can be used to represent the phases of the audit, work programs within the audit, or other components of the audit at the desired level of granularity. Typically, organizations have a number of standard components for each audit. Template audits that include Sections for each of these standard components can be created in a Library. Planned and Actual Start and End Dates for these sections can be used to report progress on key milestones in the audits. Detailed Audit progress can be tracked by including an Audit Section that represents each milestone. Alternatively, some organizations may choose to add fields on the Audit that represent completion dates for each of the key milestones they wish to track. Although Audit Sections can be used as the basis for planning and scheduling Audit resources, most organizations will find this to be too detailed.

Workpaper
  A workpaper is any artifact or deliverable you want to track in the scope of an audit. It can represent an engagement letter, a testing matrix, interview notes, or anything else appropriate to the audit in question. The workpaper itself can be attributes stored on the Workpaper object, or it can be a Word, Excel or other type of file attached to a Workpaper object. When a Workpaper is used for test evidence, it documents both the test planning and the test results. Typically, you create a Workpaper object from the detail page of an Audit Section. Workpaper objects can also be copied from a library, where they represent templates of the different types of workpapers generated by an internal audit department.
Finding
  Findings can be used to represent observations that are reportable to the business, to the Audit Committee, or both. Alternatively, Findings can be used to represent individual factual observations, while Issues are used to represent consolidated themes or systemic problems, which are then reported to the business, to the Audit Committee, or both. A Finding represents anything uncovered in the course of an audit that needs to be accounted for and addressed by management. You can use a Finding to track management's progress in addressing the underlying issue identified. The Issue object can be used in place of, or in conjunction with, the Finding object.

Plan, Timesheet
  A Plan object type facilitates audit resource scheduling and allocation at any level. For example, you can create a single Plan object for an entire audit, or you can create one Plan object per task for each auditor involved with the audit. Plan objects are used to determine the availability, skills, and experience required of the desired resource. OpenPages Audit Activity Views, reports, and so on are aligned with planning at the Audit level. Plans can instead be associated to Audit Sections, in which case these components would need to be modified. Plan objects also drive time tracking: all time is tracked against Plans.

  A Timesheet object type is used to record weekly actual hours and expenses expended against a Plan object for an Audit. Because Timesheet objects are associated with Plans, it is easy to track deviations between planned and actual time and expenses. The Timesheet Entry interactive report should always be used to enter or modify time and expense data. For this reason, there is no Timesheet top menu item in the default IBM OpenPages Internal Audit Management configuration.
  You typically create or modify a Plan object using the Add or Modify Plans helper, accessed from a link on the Audit detail page.

Auditor
  Resource planning and allocation requires key information about each individual who may perform audit work. The Auditor object is used to create a pool of Auditors who can be assigned to Audits. Each user who may be assigned to audit work is represented as an Auditor instance. Auditors are then available for resource allocation. The Auditor object includes the attributes by which you evaluate and select Auditors for audit engagements, such as specialties, languages, and certifications. Typically, Auditor objects are associated with the relevant component of the Internal Audit organizational hierarchy. It is a best practice that the Name field on the Auditor object matches the user's username.

Audit Review Comment
  The Audit Review Comment object type is used to provide feedback during the review process for an audit and its components. It is associated as a child to the instance of the Audit, Section, Workpaper or Finding for which feedback is being provided.

Signature
  A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer's name on the Signatures tab. Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:
  - Manually from the detail page of an object.
  - Automatically through a workflow task.
  - Some combination of both automatic and manual.
  If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item
  Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type. An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue. In IBM OpenPages Internal Audit Management, Issues and Action Items may be used instead of, or in conjunction with, Findings.

File
  The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link
  The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Process Diagram
  A Process Diagram is a child object of the Process, and a process can have many diagrams. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls, along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Data Input, Data Output
  The Data Input object and Data Output object are child objects of the Process and can have associations only to existing Risks.
  They represent elements of a flow that depict an input into the business flow or an output from various activities within a process, such as running a report, updating a CRM system, or getting an external data source feed.

Object Types Disabled by Default

The following object types are available in the default IBM OpenPages Internal Audit Management configuration and are disabled by default.

Table 2. Object types disabled by default

Questionnaire, Section, Question
  Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Control Objective
  A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives. Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown. Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type. The default behavior is for Control Objective to be disabled. This object is not expected to be used in a typical IBM OpenPages Internal Audit Management deployment, except to align with other modules that may use it.

Milestone, Milestone Action Item
  A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project.
  Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy. A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach the Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Risk Eval
  Risk Evaluation objects are children of Risk objects, and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles, so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval
  Control Evaluation objects are similar to Risk Evaluation objects, except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval
  Risk Assessment Evaluation objects are similar to Risk Evaluation objects, except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval
  Process Evaluation objects are children of Process objects, and they are used to capture process measurement values for trending purposes. When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Internal Audit Management module.

Table 3. Subcomponents shared with other modules (Subcomponent: Object Types)

  Organization: Business Entity
  Preference: Preference Group, Preference
  Risk Assessment: Risk Assessment, Risk Assessment Eval
  Process: Process, Process Eval, Sub-Process, Control Objective
  Risk: Risk, Risk Eval
  Control: Control, Control Eval
  Test: Test Plan, Test Result
  Issue: Issue, Action Item
  Questionnaire: Questionnaire, Section, Question
  Milestone: Milestone, Milestone Action Item
  Visualization: Process Diagram, Data Input, Data Output

Table 4. IAM-specific subcomponents (Subcomponent: Object Types)

  Annual Plan: Auditable Entity, Audit
  Engagement Plan: Plan, Timesheet, Auditor
  Findings: Finding
  Field Work: Audit Section, Workpaper, Audit Review Comment

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:
- Signature
- File
- Link

Chapter 3. Computed Fields

By default, the IBM OpenPages Internal Audit Management module includes computed fields, such as Weighted Risk Score and Plans.

Table 5. Computed fields (Object type label / Field group name / Field name label, followed by the description of the computation)

Auditable Entity / OPSS-AudEnt / Weighted Risk Score
  Calculates the sum of the products of each relevant Risk Factor value and its associated Risk Factor Weight. Risk Factor values are entered on the Auditable Entity. Risk Factor Weights come from the "nearest" Audit Risk Factor Preference object that matches the Audit Type specified on the Auditable Entity.

Audit / OPSS-Aud / Close Audit
  Creates a link to launch the Close Audit helper.

Audit / OPSS-Aud / Plans
  Creates a link to launch the Audit Plans helper.

Audit / OPSS-Aud / Actual T&E
  Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.

Audit / OPSS-Aud / Actual Hours
  Calculates the sum of the Hours entries on all of the Timesheets for all of the Plans for this Audit.
Plan / OPSS-Plan / Actual Hours
  Calculates the sum of the Hours entries on all of the Timesheets for this Plan.

Plan / OPSS-Plan / Actual T&E
  Calculates the sum of the T&E entries on all of the Timesheets for this Plan.

Chapter 4. Helpers

IBM OpenPages Internal Audit Management includes the following helpers by default: Close Audit, Add or Modify Plans, Timesheet Entry, and Administrator Timesheet Entry. Refer to IBM OpenPages GRC Platform IAM Module Details for more information on these helpers.

Close Audit Helper

Launched from a computed field link on the Audit object, the Close Audit helper facilitates automation of the Audit Close process. It provides a summary and, optionally, details of the readiness-for-close status of the audit from which this helper was launched, and of all of its components. When all components are ready, it provides a Close Audit button that automates the actions taken when an audit is closed, such as setting and clearing field values, deleting object instances, and locking objects. IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Add or Modify Plans Helper

Launched from a computed field link on the Audit object, the Add or Modify Plans helper facilitates creating and editing Audit Plans, and finding and populating Auditors to assign to the Plans. These processes are time consuming, error prone and cumbersome to perform using the platform user interface. The helper provides a summary of, and the ability to modify, the existing Plans for this Audit. It provides the ability to add a new Plan for this Audit. It also enables a search of the Auditor pool, or a selected portion of it, for Auditors who match the skills, attributes and availability requirements identified in the Plan.
It provides the ability to view details of other Plans for each found Auditor, and to select and auto-populate the appropriate auditor from the search results. IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Timesheet Entry Report Helper

Launched from the reporting menu, the Timesheet Entry Report helper allows an Auditor to enter or review their time. It defaults to the current week. Weeks start on Mondays, which is consistent with the GANTT chart reports. This interactive report is used for reviewing your previously entered time and expenses, and also for entering your actual time and expenses. The report automatically filters itself to the current user, and to include Plans for which the user is the assigned Auditor. The user can move to a nearby week using the Previous Week and Next Week buttons. The user can move to a week that is not nearby by using a calendar widget to select a date in the desired week and then clicking the Go To Week button. Time and expenses can only be entered against Plans with assigned Auditors. The user can navigate to the week for which they want to enter or view time and expenses. There is no restriction on creating or editing Timesheets in advance or in arrears other than by Status: Timesheet rows with Status Submitted or Approved cannot be edited. When the user clicks Save, Timesheet objects are created and populated for any new rows, and values are saved in any existing Timesheets. T&E expenses are a single entry per row per week; they are not broken down into expense categories. T&E is always entered and displayed in Base Currency. IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology.
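The computed fields of Chapter 3 and the editing rules of the Timesheet Entry helper, shown as an added Python illustration that is not IBM's code and not part of this document: it walks up a constructed Business Entity hierarchy to find the "nearest" Audit Risk Factor Preference matching an Auditable Entity's Audit Type, computes the Weighted Risk Score (honouring the manual override mentioned in Chapter 2), rolls Timesheet Hours and T&E up through Plans to the Audit, snaps entry dates to the Monday week start, and refuses to modify rows whose Status is Submitted or Approved. The class and function names, the "Open" status value, and the sample entities, weights, hours and amounts are all constructed assumptions; OpenPages exposes this behaviour as computed fields and a report helper, not as a Python API.

```python
"""Added illustration (not IBM's code) of the IAM computed fields and Timesheet rules.
All names and sample values are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Preference:
    """Audit Risk Factor weights for one Audit Type; a child of a Business Entity."""
    audit_type: str
    weights: dict[str, float]


@dataclass
class BusinessEntity:
    name: str
    parent: Optional[BusinessEntity] = None
    preferences: list[Preference] = field(default_factory=list)

    def nearest_preference(self, audit_type: str) -> Preference:
        """Walk up the hierarchy; the closest Preference for this Audit Type wins."""
        entity: Optional[BusinessEntity] = self
        while entity is not None:
            for pref in entity.preferences:
                if pref.audit_type == audit_type:
                    return pref
            entity = entity.parent
        raise LookupError(f"no Audit Risk Factor Preference for audit type {audit_type!r}")


@dataclass
class AuditableEntity:
    name: str
    parent: BusinessEntity
    audit_type: str
    risk_factors: dict[str, float]           # Risk Factor values entered on the entity
    override_score: Optional[float] = None   # manual override of the computed score

    def weighted_risk_score(self) -> float:
        """OPSS-AudEnt Weighted Risk Score: sum of each factor value times its weight."""
        weights = self.parent.nearest_preference(self.audit_type).weights
        return sum(v * weights.get(f, 0.0) for f, v in self.risk_factors.items())

    def ranking_score(self) -> float:
        """Score used for annual risk ranking; a manual override replaces the computed one."""
        return self.override_score if self.override_score is not None else self.weighted_risk_score()


LOCKED_STATUSES = frozenset({"Submitted", "Approved"})   # rows the helper will not edit


@dataclass
class Timesheet:
    week_start: date       # always a Monday
    hours: float
    te: float              # one T&E amount per row per week, in Base Currency
    status: str = "Open"   # constructed value; only Submitted/Approved are named on the page

    def is_editable(self) -> bool:
        return self.status not in LOCKED_STATUSES


@dataclass
class Plan:
    auditor: str
    timesheets: list[Timesheet] = field(default_factory=list)

    def actual_hours(self) -> float:         # OPSS-Plan Actual Hours
        return sum(t.hours for t in self.timesheets)

    def actual_te(self) -> float:            # OPSS-Plan Actual T&E
        return sum(t.te for t in self.timesheets)


@dataclass
class Audit:
    name: str
    plans: list[Plan] = field(default_factory=list)

    def actual_hours(self) -> float:         # OPSS-Aud Actual Hours: roll-up over all Plans
        return sum(p.actual_hours() for p in self.plans)

    def actual_te(self) -> float:            # OPSS-Aud Actual T&E
        return sum(p.actual_te() for p in self.plans)


def week_start(day: date) -> date:
    """Weeks start on Monday, as in the Timesheet Entry helper and the GANTT reports."""
    return day - timedelta(days=day.weekday())


def record_time(plan: Plan, day: date, hours: float, te: float) -> Timesheet:
    """Create or update the row for the week containing `day`; locked rows are refused."""
    monday = week_start(day)
    for row in plan.timesheets:
        if row.week_start == monday:
            if not row.is_editable():
                raise PermissionError(f"Timesheet for week of {monday} is {row.status}")
            row.hours, row.te = hours, te
            return row
    row = Timesheet(monday, hours, te)
    plan.timesheets.append(row)
    return row


def build_sample() -> tuple[AuditableEntity, Audit]:
    """Constructed sample: an Internal Audit hierarchy with weights per Audit Type."""
    internal_audit = BusinessEntity("Internal Audit", preferences=[
        Preference("Financial", {"Complexity": 0.5, "Change": 0.3, "Prior Results": 0.2})])
    emea = BusinessEntity("IA - EMEA", parent=internal_audit, preferences=[
        Preference("Operational", {"Complexity": 0.4, "Change": 0.4, "Prior Results": 0.2})])
    # "Financial" weights are found on the parent entity: the nearest match is used.
    treasury = AuditableEntity("Treasury", emea, "Financial",
                               {"Complexity": 4, "Change": 2, "Prior Results": 5})
    audit = Audit("Treasury 2013", plans=[Plan("asmith"), Plan("bjones")])
    record_time(audit.plans[0], date(2013, 12, 5), hours=8.0, te=120.0)
    record_time(audit.plans[0], date(2013, 12, 12), hours=7.5, te=0.0)
    record_time(audit.plans[1], date(2013, 12, 5), hours=10.0, te=45.5)
    audit.plans[0].timesheets[0].status = "Approved"   # as set by the Administrator helper
    return treasury, audit
```

Running `build_sample()` gives Treasury a Weighted Risk Score of 3.6 (4×0.5 + 2×0.3 + 5×0.2) using the Financial weights inherited from the parent entity, an Audit Actual Hours roll-up of 25.5, and a first Timesheet row that `record_time` refuses to overwrite because its Status is Approved.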
Administrator Timesheet Entry Report Helper

Launched from the reporting menu, the Administrator Timesheet Entry Report helper is an extension of the Timesheet Entry Report helper that includes a scoping page, which allows a user with access to this report to select a different user for whom to enter time. The Administrator version of the helper includes Approve and Reject buttons and the associated functionality. IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology.

Chapter 5. Reports

The IBM OpenPages Internal Audit Management module includes a set of default reports. IBM OpenPages GRC Platform Modules Report Details provides additional details on the reports described here. For a description of additional reports installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

IAM-Specific Reports

Descriptions are provided for reports that are available only from the IBM OpenPages Internal Audit Management module.

Table 6. Audit Management reports

Audit Universe
  Description: For the selected audit organization, view Auditable Entities, including information about risk ranking and previous audit results. List of Auditable Entities, including information about risk ranking and previous audit results. Scoped by Business Entity; the user can choose the sort order. If the selected Business Entity is in the Internal Audit business hierarchy, then the report shows the portion of the audit universe owned by that internal audit team (or teams). If the selected Business Entity is in the organizational hierarchy, then the report shows all elements of the audit universe which are associated with that Business Entity or any descendent Business Entities.
  Used in the early annual planning stages to help determine which elements of the audit universe should be audited this year.

Audit Plan
  Drill-Through: Audit Plan Detail
  Description: For the selected audit organization and date range, provides a GANTT chart view of the Audit Plan. A GANTT chart view of the Audit Plan for the selected date range. Scope by Business Entity and Date Range, and indicate whether to display by days, weeks, months, or quarters. The selected date range provides the ability to view the current year plan, a 3 or 5 year plan, or to zero in on a particular planning timeframe. After the report displays, you can toggle between Detail View (shows details for each audit scheduled for each Auditable Entity) and Summary View (shows only a rollup of the audits for each Auditable Entity). If the Audit Scheduled Start Date and Scheduled End Date overlap with a cell, then that entire cell is colored. Summary cells colored red indicate more than one audit scheduled during that time for that Auditable Entity. The report is filtered to include only Audits where the Status is Planned or Scheduled.

Auditor Plan
  Drill-Through: Auditor Plan Detail
  Description: For the selected audit organization, Auditors, and date range, provides a GANTT chart view of Plans. A GANTT chart view of the Plans for the selected Auditor(s), for the selected date range. Scope by Business Entity, Auditor, and Date Range, and indicate whether to display by days, weeks, months, or quarters. The Auditors available are those who are associated to the selected Business Entity or its descendents. The selected date range provides the ability to view the current year plan or to zero in on a particular planning timeframe. After the report displays, you can toggle between Detail View (shows details for each Plan for each Auditor) and Summary View (shows only a rollup of the Plans for each Auditor). If an Auditor is scheduled for more than one Plan in a given column, then that entire cell is colored.
  Summary cells colored red indicate more than one Plan assigned during that time for that Auditor. The report does not use the Percent Allocated information on the Plan to determine whether there is a conflict.

Audit Overview
  Drill-Through: Audit Findings Detail, Audit Issues Detail, Audit Review Comments Detail
  Description: For the selected Audit, view the status of its Audit Sections and Workpapers, and view associated Findings, Issues, and Audit Review Comments. For the selected Audit, view the status of its Internal Audit Report components, and view associated Findings, Issues, and Review Comments. Scoped by Audit. Includes Findings, Issues, and Review Comments that are direct children of the Audit, Sections, and Workpapers included in the report. Clicking on the number of Issues, Findings, or Audit Review Comments launches a detail report which includes more details and provides links to the objects in the application.

(report name missing in source)
  Description: Complete report for the selected Audit, including an executive summary and associated Findings and Issues. Complete report for the selected audit, including an executive summary, reportable Findings, and Issues. Scoped by Auditable Entity and then by Audit. Includes Findings associated to Audits, Audit Sections, and Workpapers, and Issues associated with the Audit.

Audit Deviation
  Description: For the selected Audit, view its Plans and Audit Sections, including schedule and budget information, with highlights for significant deviations. This report lists the Plans and Sections for the selected Audit. It includes schedule and budget information and highlights significant deviations. Cells colored yellow indicate missing key information. Cells colored red indicate an unfavorable deviation from plan of more than 20%. Scoped by Auditable Entity and then by Audit.
  Includes the selected Audit, and the Plans and Audit Sections associated directly to the Audit.

Auditor Deviation
  Description: For the selected Auditors, view their planned and actual dates, hours, and expenses. Scope by the Auditors' Business Entity, Auditor, and Date Range. The Auditors available are those who are associated to the selected Business Entity or its descendents. The selected date range provides the ability to zero in on a particular timeframe. The report shows the Plans for each selected Auditor, including the Scheduled, Expected, and Actual Start and End Dates, the number of planned hours for each, the number of actual timesheet hours, and the amount of planned and actual T&E recorded against each Plan during each time period. Cells shaded red indicate actual amounts that are 20% or more larger than planned amounts. Includes all Plans where the Auditor is the selected Auditor; Plans that do not have an assigned Auditor are not included in this report. The report includes a summary row for each Auditor and for the entire report. It defaults to HTML format and is also available in Microsoft Excel format.

Timesheet Entry
  Description: See "Timesheet Entry Report Helper" in Chapter 4.

Administrator Timesheet Entry
  Drill-Through: Timesheet Entry
  Description: See "Administrator Timesheet Entry Report Helper" in Chapter 4.

Reports Shared with Other Modules

The IBM OpenPages Internal Audit Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Table 7. Risk Assessment reports

Risk Assessment List
  Description: Shows Risk Assessment details for a specified Business Entity and all of its descendents.

Risk Assessment Status
  Drill-Through: Risk Assessment Status Detail
  Description: Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendents.

Risk Assessment Summary
  Drill-Through: Risk Assessment Issues and Action Items
  Description: Displays Risk Assessment details along with all associated Risks and Controls.
  A drill-through report displays the Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Risk Assessment Issues and Action Items
  Description: Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and Controls. Parent Object shows only the Risk Assessment, Risk, and Control parents. The report prompts for two values: Business Entity and Risk Assessment. Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, to the selected Business Entity.

Table 8. Risk reports

Risk Analysis
  Description: Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map
  Drill-Through: Risk Detail
  Description: Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity
  Drill-Through: Risk Rating by Entity Detail
  Description: Displays Residual Risk Rating summary information for the selected Business Entity and its descendents, with the ability to drill through to Risk details.

Risk Rating by Category
  Drill-Through: Risk Rating by Category Detail
  Description: Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill through to Risk details.

Top Risks
  Description: Summary of the top Risks ranked by Residual Risk Exposure; also shows the Inherent Risk Exposure.

Table 9. Control reports

Risk and Control Matrix
  Description: Shows Risk and Control data for the specified Business Entity and Process(es).

Control Effectiveness Map
  Drill-Through: Control Effectiveness Detail
  Description: The control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill through to a sub-report for detail information.
Table 10. Testing reports

Testing Dashboard
  Drill-Through: Testing Details
  Description: Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.

Table 11. Visualization reports

Process Analysis
  Description: Displays Risks and Controls in the context of a process diagram. Provides an aggregated view of Risks and Controls with risk rating and control effectiveness at the Process and Business Entity level.

Chapter 6. Notifications

Notifications are email notifications sent to the owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger. All notifications that are sent from IBM OpenPages IAM use the sender address identified below. Configure the email address and server settings:
• /OpenPages/Solutions/ORM/Email/From Email: the sender address that is used to send notifications
• /OpenPages/Solutions/ORM/Email/From Name: configure this item to identify the email sender name that is used by notifications
• /OpenPages/Common/Email/Mail Server: configure this item to identify the email server that is used to send notifications

Notifications are part of the Issue Management and Remediation process.

Issue and Action Bulletin notification

During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue Issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

When the Issue is defined, its status is Open and the user must enter a value in the Current Due Date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification. The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:
• Description
• Assignee
• Start Date
• Due Date
• Actual Closure Date
• Status (read only)
• A comment field to record the latest updates

The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When the Actions are completed, the Issue Owner must review the Issue and update the status to Closed. If any child Actions are Open or Awaiting Approval, the Issue Owner cannot close the Issue. Users receive email notifications through the consolidated Issue and Action bulletins.
The bulletin consolidates the following information in an email:
• Issues assigned to the recipient in the past [number] days
• Actions assigned to the recipient in the past [number] days
• Issues due for closure in the next [number] days
• Actions due for closure in the next [number] days
• Overdue Issues
• Overdue Actions
• Actions awaiting closure approval

Chapter 7. Triggers

The IBM OpenPages modules contain several available triggers. IBM OpenPages GRC Platform Module Trigger Details provides additional details on the triggers described here.

Triggers must be disabled before loading XML instance data via Object Manager into any object types which are configured to have triggers by default.

Object types that are configured for IBM OpenPages Internal Audit Management to have triggers by default include:
• Audit
• Audit Section
• Workpaper
• Plan
• Timesheet
• Finding
• Audit Review Comment
• Action Item
• Issue
• Data Input
• Data Output
• Risk

Object types that are configured for other modules to have triggers by default include:
• Loss Impact
• Loss Recovery
• Loss Event
• KRI Value
• KPI Value
• File (SOXDocument)
• Policy

IAM-Specific Triggers

Descriptions of triggers that are specific to the Internal Audit Management module are included in this section.

Audit Risk Rating Computations Trigger

The RCSA Quantitative trigger and the RCSA Qualitative trigger apply to the Audit Risk Rating Computations trigger. For more information, see "RCSA Quantitative trigger" and "RCSA Qualitative trigger" later in this chapter.

Audit Close Automation Triggers

The Audit Close Automation trigger assesses close readiness for each of the configured components of an audit. By default, the trigger is configured for the following object types: Audit, Audit Section, Workpaper, Finding, Audit Review Comment, Plan, and Timesheet.
When an instance of a configured object type is created or updated, the trigger evaluates all of the criteria which are configured for that object type. If all of the criteria have been met, then the trigger sets the Ready To Close field value to Yes. This field value is used by the Audit Close helper to determine whether all of the audit components are ready to close. The configured ready-to-close criteria categories include: fields that are required; date fields that must be set to on or before today's date; date fields that must be set to values on or before other date field values; and user fields that cannot be set to the same value as other user fields.

Triggers Shared with Other Modules

Several triggers are shared with other IBM OpenPages GRC Platform modules.

Issue Management and Remediation trigger

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit identified Issues. Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an Issue can have only one of two states: Open or Closed. To resolve the identified Issue, the Issue Owner establishes and records the appropriate Actions. When the Action is complete, the Assignee sets the Submit for Closure field to Yes. When this field is saved, a trigger starts and completes the following actions:
• Copies the value in the Issue Owner field from the parent Issue to the Action
• Sets the Action's status to Awaiting Approval

The Issue Owner reviews the Action and can specify either Accept Closure or Reject Closure. If the Action is saved with Reject Closure, the status reverts to Open and the Action returns to the Action Assignee. Several triggers are used to automate the Issue management process.
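The four ready-to-close criteria categories of the Audit Close Automation trigger described above are easy to get subtly wrong (null dates, a user field compared against itself), and the last category, user fields that must differ, is a segregation-of-duties control: a Workpaper whose Preparer is also its Reviewer should never be marked ready to close. The following Python is an added example, not IBM OpenPages code, of evaluating all four categories from a criteria configuration on a constructed Workpaper record; the configuration shape, the field names used as criteria (Title, Conclusion, Preparation Date, Review Date) and the function names are assumptions for illustration.

```python
# Added example (not IBM OpenPages code): evaluating the four ready-to-close
# criteria categories on a constructed record. The CRITERIA layout, the
# criterion field names and the function names are assumptions.
from datetime import date
from typing import Any, Dict, List, Tuple

# Assumed configuration shape: one list per criteria category per object type.
CRITERIA: Dict[str, Dict[str, list]] = {
    "Workpaper": {
        # fields that are required
        "required": ["Title", "Preparer", "Reviewer", "Conclusion"],
        # date fields that must be set to on or before today's date
        "date_not_after_today": ["Review Date"],
        # (earlier, later): earlier must be on or before the other date field
        "date_on_or_before": [("Preparation Date", "Review Date")],
        # (a, b): user fields that cannot be set the same as each other
        "users_must_differ": [("Preparer", "Reviewer")],
    }
}


def evaluate_ready_to_close(obj_type: str, record: Dict[str, Any],
                            today: date) -> Tuple[bool, List[str]]:
    """Return (ready, failures). ready is True only when every configured
    criterion for obj_type passes; failures explains each unmet criterion."""
    cfg = CRITERIA.get(obj_type, {})
    failures: List[str] = []
    for f in cfg.get("required", []):
        if record.get(f) in (None, ""):
            failures.append(f"required field '{f}' is empty")
    for f in cfg.get("date_not_after_today", []):
        v = record.get(f)
        if v is None or v > today:          # an unset date cannot satisfy the rule
            failures.append(f"'{f}' must be set to on or before today")
    for earlier, later in cfg.get("date_on_or_before", []):
        a, b = record.get(earlier), record.get(later)
        if a is None or b is None or a > b:
            failures.append(f"'{earlier}' must be on or before '{later}'")
    for a, b in cfg.get("users_must_differ", []):
        if record.get(a) is not None and record.get(a) == record.get(b):
            failures.append(f"'{a}' and '{b}' must not be the same user")
    return (not failures), failures


def on_save(obj_type: str, record: Dict[str, Any], today: date) -> Dict[str, Any]:
    """Trigger-style hook for create/update: sets Ready To Close to Yes or No
    and records the blockers so the Close Audit helper can display them."""
    ready, failures = evaluate_ready_to_close(obj_type, record, today)
    record["Ready To Close"] = "Yes" if ready else "No"
    record["_close_blockers"] = failures
    return record


def demo() -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Constructed records: one that is ready, one with three blockers."""
    today = date(2013, 6, 30)
    ok = {"Title": "Cash count", "Preparer": "alice", "Reviewer": "bob",
          "Conclusion": "Effective",
          "Preparation Date": date(2013, 6, 10), "Review Date": date(2013, 6, 12)}
    bad = {"Title": "Cash count", "Preparer": "alice", "Reviewer": "alice",
           "Conclusion": "",
           "Preparation Date": date(2013, 6, 20), "Review Date": date(2013, 6, 12)}
    return on_save("Workpaper", ok, today), on_save("Workpaper", bad, today)
```

The second record fails on an empty Conclusion, a Preparation Date after the Review Date, and the same user as Preparer and Reviewer; because the trigger evaluates every category on each save, the helper sees all three blockers at once rather than one per attempt.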
Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due Date on the first save of an Issue and checks for any Open Actions when the Issue is saved with a status of Closed. When an Issue object is created or updated, and the status of the Issue is set to Closed, the trigger completes the following actions:
• The trigger checks all direct child Actions and determines whether they are all closed. If any Actions have a status of Open or Awaiting Approval, the trigger generates an error message. If all Actions are closed, the trigger saves the changes.
  Note: As an administrator, you can configure the error message under the Administrator > Settings menu.
• If the Original Due Date field on the Issue is blank, the trigger populates the Original Due Date with the Current Due Date value.

Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify the risk profile of the business. Each Risk is assessed on either a Qualitative or a Quantitative basis. When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure. When a Risk is saved, the Quantitative risk rating trigger completes the following actions:
1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record

RCSA Quantitative trigger

The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk Rating and establishes impact, likelihood, and exposure for Risks that are entered by using the Quantitative method. The trigger runs only if the values of the Impact or Likelihood fields of the Risk were modified.

Important: You must determine whether you want to assess risks by using a quantitative or a qualitative approach. If you chose qualitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Obtains the parent Preference object. The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters, as described in the Severity table.
• Determines the Impact fields of the Risk object. The Impact is calculated by identifying the threshold range in which the Severity value falls. If any Severity value is null, the previous value is managed as the MAX Severity.

Table 12. Impact value based on severity value

  Severity value                      Impact value
  >= 0 and <= Severity 1              1
  > Severity 1 and <= Severity 2      2
  > Severity 2 and <= Severity 3      3
  > Severity 3 and <= Severity 4      4
Table 12. Impact value based on severity value (continued)

  Severity value                      Impact value
  > Severity 4 and <= Severity 5      5
  > Severity 5 and <= Severity 6      6
  > Severity 6 and <= Severity 7      7
  > Severity 7 and <= Severity 8      8
  > Severity 8 and <= Severity 9      9
  > Severity 9                        10

• Determines the Likelihood fields on the SOXRisk object. The Likelihood is calculated by identifying the threshold range in which the Frequency value falls. If any Frequency value is null, the previous value is managed as the MAX Frequency.

Table 13. Likelihood value based on frequency value

  Frequency value                     Likelihood value
  >= 0 and <= Frequency 1             1
  > Frequency 1 and <= Frequency 2    2
  > Frequency 2 and <= Frequency 3    3
  > Frequency 3 and <= Frequency 4    4
  > Frequency 4 and <= Frequency 5    5
  > Frequency 5 and <= Frequency 6    6
  > Frequency 6 and <= Frequency 7    7
  > Frequency 7 and <= Frequency 8    8
  > Frequency 8 and <= Frequency 9    9
  > Frequency 9                       10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y: the XMAX value is the maximum value for Impact and the YMAX value is the maximum value for Likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. The XMAX and YMAX values are defined during installation. Do not change these values; if they are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the Risk Rating. The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

  The rating value is 0 - 1 and is expressed as a percentage.

Table 14. Risk ratings based on rating values

  Rating value      Risk rating
  0 - 25 %          LOW (green)
  26 - 50 %         MEDIUM (yellow)
  51 - 75 %         HIGH (orange)
Table 14. Risk ratings based on rating values (continued)

  Rating value      Risk rating
  76 - 100 %        VERY HIGH (red)

RCSA Qualitative trigger

The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk Rating and establishes severity, frequency, and exposure for Risks that are entered by using the Qualitative method.

Important: You must determine whether you want to assess risks by using a quantitative or a qualitative approach. If you chose quantitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Evaluates the Preference record for the entity, or for its parent entity if no Preference record exists. The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters, as described in the Severity table.
• Evaluates the Severity fields of the Risk object. The Severity is determined by the Impact value mappings that are specified in the Preference object.

Table 15. Severity based on impact values

  Impact value    Severity
  1               Severity 1
  2               Severity 2
  3               Severity 3
  4               Severity 4
  5               Severity 5
  6               Severity 6
  7               Severity 7
  8               Severity 8
  9               Severity 9
  10              Severity 10

• Based on the Likelihood, evaluates the Frequency fields of the Risk object. The Frequency is determined by the Likelihood value mappings that are specified in the Preference object.

Table 16. Frequency based on Likelihood values

  Likelihood value    Frequency
  1                   Frequency 1
  2                   Frequency 2
Table 16. Frequency based on Likelihood values (continued)

  Likelihood value    Frequency
  3                   Frequency 3
  4                   Frequency 4
  5                   Frequency 5
  6                   Frequency 6
  7                   Frequency 7
  8                   Frequency 8
  9                   Frequency 9
  10                  Frequency 10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y: the XMAX value is the maximum value for Impact and the YMAX value is the maximum value for Likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. The XMAX and YMAX values are defined during installation. Do not change these values; if they are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the Risk Rating. The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

  The rating value is 0 - 1 and is expressed as a percentage.

Table 17. Risk ratings based on rating values

  Rating value      Risk rating
  0 - 25 %          LOW (green)
  26 - 50 %         MEDIUM (yellow)
  51 - 75 %         HIGH (orange)
  76 - 100 %        VERY HIGH (red)

Risk Approval Submission trigger

The Risk Approval Submission trigger updates the Status field on Risks and Controls so that the Process Owner can process the approval. When a Risk object is created or updated, and the Submit for Approval field value is set to Yes, the trigger completes the following actions:
• Obtains all associated child Control objects and applies validation rules. All child Control objects are assessed and the Status field is set to Awaiting Assessment.
• Updates the Status field on the Risk object and all associated Control objects from Awaiting Assessment to Awaiting Approval.
• Obtains the parent Process object to obtain all Risk objects and checks whether all Risks for a Process are Awaiting Approval.
• Determines whether all Risks for a Process are awaiting approval, and continues based on the following status:
  – If the status is Yes, the trigger ends its process.
  – If the status is No, the trigger sets the Status of the parent Process object to Awaiting Approval, and sends an email notification to the Process Owner.

RCSA Risk and Control Approval trigger

The RCSA Risk and Control Approval trigger allows the Process Owner to approve or reject an assessment of a Risk and its Controls. When a Risk object's Approve/Reject field is set to Approve or Reject, the trigger completes the following actions:
• If the Approve/Reject field is set to Reject, the trigger updates the Status field value of the Risk and associated Controls to Awaiting Assessment, and sends an email notification to the Risk Owner.
• If the Approve/Reject field is set to Approve, the trigger continues with the following processes:
  – Updates the Status field value of the Risk and associated Controls to Approved.
  – Updates the Process status to Approved, sets the Approval Date, and sends an email notification to the RCSA coordinator.

Visualization triggers

The Visualization triggers prevent the user from adding new Risks as children of the Data Input and Data Output object types. Risks can only be made children of these object types by associating existing Risks to them. Data Input and Data Output object types are not allowed to be primary parents of Risks.

Chapter 8. Profiles

The IBM OpenPages Internal Audit Management module includes the OpenPages IAM 7.0.0 Master profile by default.

OpenPages IAM 7.0.0 Master Profile

The OpenPages IAM 7.0.0 Master profile includes the fields and configuration for all of IBM OpenPages Internal Audit Management.
This profile includes:
• Filters
• My Work Home page tab and Home page tabs
• Dependent fields and dependent pick lists
• Computed fields
• Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for a Lead Auditor, Audit Director, and so on are created during the implementation project.

Home Page Filtered Lists

The following filtered lists are defined for the My Work home page for users of the OpenPages IAM 7.0.0 Master profile.

Table 18. IBM OpenPages Internal Audit Management Home page filtered lists

My Open Issues
  Object Type: Issue
  Description: Home page access to your open Issues.

My Audits In Progress
  Object Type: Audit
  Description: Home page access to the Audits you own which you are likely to be working on now.

My Open Audit Review Comments
  Object Type: Audit Review Comment
  Description: Home page access to Audit Review Comments requiring action, where you are the Owner.

My Findings for Review
  Object Type: Finding
  Description: Home page access to Open Findings where you are the Reviewer.

My Open Findings
  Object Type: Finding
  Description: Home page access to Open Findings where you are the Preparer.

My Workpapers In Progress
  Object Type: Workpaper
  Description: Home page access to Workpapers requiring action, where you are the Preparer.

Workpapers Ready for My Review
  Object Type: Workpaper
  Description: Home page access to Workpapers requiring action, where you are the Reviewer.

Activity Views

By default, the OpenPages IAM 7.0.0 Master profile includes the following activity views.

Table 19. IBM OpenPages Internal Audit Management activity views

Audit Planning
  Starting Object Type: Business Entity
  Description: Allows for entry of Schedule Dates and Estimated Hours and T&E for each audit in the Universe. Filtered to Audits from 2008 onward where Status is anything except Completed.

Scope Matrix
  Starting Object Type: Audit
  Description: Identify the activities within the Auditable Entity and decide whether each one is in or out of scope for this audit. Refer to the risks for each activity to assist in making the scope decision.
Scope Matrix View
  Starting Object Type: Audit
  Description: Scope Matrix Activity View with all fields configured as read only.

Audits and Sections
  Starting Object Type: Auditable Entity
  Description: View the Sections for an audit and update Scheduled Start and End Dates.

All Review Comments
  Starting Object Type: Auditable Entity
  Description: View Review Comments associated to the selected Audit and its Audit Sections, Workpapers, and Findings.

Audit Overview
  Starting Object Type: Audit
  Description: Select each Audit Section to view all of its Workpapers and Findings, and then update key information.

Section Edit Checklist
  Starting Object Type: Audit
  Description: Provides a consolidated view of the work program and facilitates rapid Audit Section update for an audit.

Workpaper Edit Checklist
  Starting Object Type: Audit
  Description: Provides a consolidated view of the Workpapers and facilitates rapid Workpaper update for an audit.

Section Checklist
  Starting Object Type: Auditable Entity
  Description: Provides an at-a-glance read-only view of the Sections in the work program.

Workpaper Checklist
  Starting Object Type: Auditable Entity
  Description: Provides an at-a-glance read-only view of the Workpapers in the work program.

Control Testing Summary
  Starting Object Type: Control
  Description: Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.

Questionnaire Set Up
  Starting Object Type: Questionnaire
  Description: Used to create and modify questionnaires using the Questionnaire, Section, Question object model.

Questionnaire
  Starting Object Type: Questionnaire
  Description: Used to respond to questionnaires using the Questionnaire, Section, Question object model.

Process RCSA View
  Starting Object Type: Process
  Description: Facilitates conducting Process-based Risk and Control Self Assessments.

Process Approval
  Starting Object Type: Process
  Description: Used by the Process Owner to confirm the assessment of each Risk and Control.

RCSA Approval
  Starting Object Type: (missing in source)
  Description: Used by the Risk Coordinator to approve Risk and Control Self Assessments.

Project Mgmt Planning
  Starting Object Type: Workpaper
  Description: Used when planning workpapers.

Test Planning
  Starting Object Type: Workpaper
  Description: Used when creating test plans for workpapers.

Test Execution
  Starting Object Type: Workpaper
  Description: Used when executing workpaper tests during field work.
IBM OpenPages Internal Audit Management activity views (continued) Activity View Name Starting Object Type Description Review and Approval Workpaper Used when reviewing workpapers. Project Mgmt Update Workpaper Used when finalizing workpaper status. Grid Views By default, grid views are defined for users of the OpenPages IAM 7.0.0 Master profile. Table 20. Grid Views Grid View Description Object Type PRSA Update Use to update Process Risk Self Assessments. Process, Risk, Control PRSA Review Use to review Process Risk Self Assessments. Process, Risk, Control Chapter 8. Profiles 33 34 IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview Chapter 9. Role Templates The following role templates are available, by default, for the IBM OpenPages Internal Audit Management module. OpenPages IAM 7.0 - All Permissions Full Read, Write, Delete, Associate (R/W/D/A) access to all default Internal Audit Management object types that are present and enabled by default. Full administrator rights. OpenPages IAM 7.0 - All Data - No Admin Full Read, Write, Delete, Associate (R/W/D/A) access to all default Internal Audit Management object types that are present and enabled by default. No administrator rights except those associated with workflows, files and folders. The above role templates provide read, write, delete and associate access to the following object types. Table 21. 
Role template object types Object Type Name Object Type Label SOXBusEntity Business Entity SOXIssue Issue SOXTask Action Item SOXDocument, SOXExternalDocument File, Link SOXSignature Signature AuditableEntity Auditable Entity Auditor Auditor AuditPhase Audit Section AuditProgram Audit DataInput Data Input DataOutput Data Output ProcessDiagram Process Diagram Finding Finding Plan Plan Preference Preference PrefGrp Preference Group ReviewComment Audit Review Comment RiskAssessment Risk Assessment SOXControl Control SOXProcess Process SOXRisk Risk SOXSubprocess Sub-Process SOXTest Test Plan SOXTestResult Test Result 35 Table 21. Role template object types (continued) 36 Object Type Name Object Type Label Timesheet Timesheet Workpaper Workpaper IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview Notices This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. 
You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations.
To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
The following terms are trademarks or registered trademarks of other companies:

- Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Index

A
Action items 24

D
Data Input trigger 29
Data Output trigger 29

G
grid views 33

I
Impact values 25, 27
Issue (object type) 24
Issue and Action Bulletin notification 21
Issue Lifecycle trigger 24
Issues management 24

L
Likelihood values 25, 27

N
notifications 19, 21
  Issue and Action Bulletin 21

O
object types
  Issue 24
  SOXRisk 25

R
RCSA Qualitative trigger 27
RCSA Quantitative trigger 25
RCSA Risk and Control Approval trigger 29
RCSA triggers 25
Risk and Control Self-assessments triggers, See RCSA triggers
Risk Approval Submission trigger 28

S
Severity values 27
SOXRisk (object type) 25

T
triggers
  Issue Lifecycle 24
  RCSA Qualitative 27
  RCSA Quantitative 25
  RCSA Risk and Control Approval 29
  Risk Approval Submission 28
  visualization 29

V
visualization triggers 29