...

Internal Audit Management Module Overview

by user

on
Category: Documents
30

views

Report

Comments

Transcript

Internal Audit Management Module Overview
IBM OpenPages GRC Platform
Version 7.0.0
Internal Audit Management Module
Overview
򔻐򗗠򙳰
Note
Before using this information and the product it supports, read the information in “Notices” on page 37.
Product Information
This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Module Description . .
Object Type Licensing .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 1
. 2
Chapter 2. Object Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Object Types Enabled by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Object Types Disabled by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Subcomponents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 3. Computed Fields
. . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 4. Helpers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Close Audit Helper . . . . . . .
Add or Modify Plans Helper . . .
Timesheet Entry Report Helper . . .
Administrator Timesheet Entry Report
Chapter 5. Reports
. . .
. . .
. . .
Helper .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
13
13
13
14
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
IAM-Specific Reports . . . . . .
Reports Shared with Other Modules .
Notifications . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 15
. 17
. 19
Chapter 6. Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
21
Issue and Action Bulletin notification .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 21
Chapter 7. Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
IAM-Specific Triggers . . . . . . . . .
Triggers Shared with Other Modules . . . .
Issue Management and Remediation trigger
Risk and Control Self-assessments triggers .
Visualization triggers . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
23
24
24
25
29
Chapter 8. Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
OpenPages IAM 7.0.0 Master Profile .
Home Page Filtered Lists . . . . .
Activity Views . . . . . . . .
Grid Views . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
31
31
32
33
Chapter 9. Role Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
iii
iv
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Document Release and Update Information
This topic lists information about this document and where updates to this
document can be found.
Document Release Information
Software Version: 7.0.0
Document Published: December, 2013
Document Updates
Supplemental documentation is available on the web. Go to the IBM® OpenPages®
GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/
v7r0m0/index.jsp).
v
vi
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 1. Introduction
Use this guide with the IBM OpenPages Internal Audit Management module.
Finding information
To find IBM OpenPages GRC Platform product documentation on the web,
including all translated documentation, access the IBM OpenPages GRC Platform
Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).
Release Notes are published directly to the Information Center, and include links
to the latest technotes and APARs.
Accessibility features
Accessibility features help users who have a physical disability, such as restricted
mobility or limited vision, to use information technology products.
IBM HTML documentation has accessibility features. PDF documents are
supplemental and, as such, include no added accessibility features.
Module Description
IBM OpenPages Internal Audit Management (IAM) provides internal auditors with
a uniquely configured view into organizational governance, risk, and compliance
(GRC), affording audit the chance to supplement and coexist with broader risk and
compliance management activities.
As with all modules, IBM OpenPages Internal Audit Management is completely
integrated with financial controls management, IT governance, policy and
compliance efforts and operational risk management programs. The internal audit
team has the capability to work as a fully integrated partner to business
stakeholders, completely independently, or anywhere in between, as determined by
the specific needs of the audit department or a particular audit being undertaken.
Key features include:
v The capability to risk rank the audit universe, configured according to your
audit methodology
– Powerful support for your risk assessment methodology
– Full reporting across the entire audit universe
v The ability to define, plan, execute and report on audits across your business
– Track and manage audits, audit sections, workpapers, and audit resource
requirements and allocations
– Automate operations through fully configurable reporting and workflow
v The ability to provide independent assurance to the business or work as an
integrated part of GRC efforts
– Opine on management’s GRC efforts independently
– Control access to confidential audits, fields, and audit-only views
1
Object Type Licensing
For the IBM OpenPages Internal Audit Management module, you are licensed to
use the object types listed in Chapter 2, “Object Types,” on page 3. Use of any
other object types is prohibited without prior written approval from IBM.
2
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 2. Object Types
The IBM OpenPages Internal Audit Management module includes object types that
are enabled or disabled by default, and subcomponents.
Object Types Enabled by Default
The following object types are available in the default IBM OpenPages Internal
Audit Management configuration and are enabled by default.
Table 1. Object types enabled by default
Object type label
Description
Business Entity
Business entities are abstract representations of your business
structure. A business entity can contain sub-entities (such as
departments, business units, or geographic locations). The entity
structure that you create depends on your business needs. For
example, you could create a parent entity for your business
headquarters then a sub-entity for each location or department.
You may also want to represent both a legal entity structure and a
business entity structure.
Business entities are also used to organize library data such as
risk and control libraries, or regulatory content (for example,
laws, regulations, and standards).
When setting up your business entity hierarchy, you should work
with your OpenPages consultant as the structure of your business
entities will greatly impact the type and quality of the information
that can be extracted from the application.
In IBM OpenPages Internal Audit Management, Business Entities
are also used to model the Internal Audit organizational structure,
which facilitates reporting and security for the Internal Audit
team. The Internal Audit organizational structure is typically a top
level entity to minimize the chance of accidentally granting a
business user access to Internal Audit information. The elements
of the Audit Universe which are "owned" by a given Internal
Audit team are typically associated to that teams’ Business Entity.
Another top level Business Entity structure can be created to
organize confidential Audits, providing the ability to give special
security to these Audits. Business Entity can also be used to
organize a Library of template audit content.
Process
Processes represent the major end-to-end business activities
within a business entity that are subject to risk. The processes will
typically reside in areas such as financial reporting, compliance,
information security, and so forth.
Processes are also used in scoping audits. Audit can associate to
Processes created by the Business, can make their own copy, can
create their own Processes from scratch or any mixture of these.
3
Table 1. Object types enabled by default (continued)
Object type label
Description
Sub-Process
A Sub-Process is a component of a Process. It is used to
decompose Processes into smaller granularity units for assessment
purposes.
This object is not expected to be used in audit scoping, but may
be used in documenting Process details.
Risk
Risks are potential liabilities. Risks can be associated with, for
example, business processes, business entities, or compliance with
a particular mandate. Each Risk has one or more Controls
associated with it that provide safeguards against the Risk and
help mitigate any consequences that may result from the Risk.
You can use the Risk object to categorize risks; capture the
frequency, rating, and severity of inherent and residual risk data;
and view reports that help identify your top risk items.
A Risk instance shared between Internal Audit and the Business
can be rated separately by Audit and by the Business.
Control
Controls are typically policies and procedures (procedures are
actions that implement the policies), to help ensure that risk
mitigation responses are carried out.
Once you have identified the risks in your practices, you need to
establish controls (such as approvals, authorizations, verifications,
and so forth) that remove, limit, or transfer these potential risks.
Controls should be designed to provide either prevention or
detection of risks. Controls are usually associated with tests that
ensure a control is effective.
In IBM OpenPages Internal Audit Management, Controls can be
used to create a detailed model of the Controls that exist or that
should exist on the activities being Audited. If shared with the
Business, the Controls can be rated separately by Internal Audit
and by the Business.
Test Plan, Test Result
You can determine the operating effectiveness of a Control by
conducting one or more detailed tests of a Control and then
documenting the results. Test Plans are mechanisms that
determine whether or not a Control is effective. A Test Result is
the information obtained from running a Test Plan.
IBM OpenPages Internal Audit Management is configured by
default to use the Workpaper object in place of the Test Plan and
Test Result objects. Audit needs access to these objects since they
are often used by the Business to document their testing,
Risk Assessment
4
Risk assessments give you the ability to evaluate and report on
potential liabilities for a set of business entities or processes. You
can use the Risk Assessment object - which contains the names of
the assessor and reviewer, the time frames for the assessment, and
the status of the assessment - to manage your risk self-assessment
process.
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 1. Object types enabled by default (continued)
Object type label
Description
Preference Group,
Preference
The Preference Group object is used for grouping Preference
object instances together. Without this grouping object, each
Preference object instance would need to be associated separately
to each of the relevant Business Entities.
The group object helps to minimize the associated maintenance.
The Preference object is a child of Business Entity, and is used for
holding variable values that can drive reports, workflows and
computed fields (it has entity-specific variable values which
enable different behavior for the same workflows). For example,
to determine the behavior for review and approval workflows
(e.g. who the appropriate users are for each level of review and
approval, and what the thresholds are for determining how many
levels of review and approval are required).
In the default IBM OpenPages Internal Audit Management
configuration, these objects are used to hold weights for Risk
Factors used in Annual Assessment Risk Ranking. Since the
weights and factors can be different for each type of audit
(financial, operational, strategic, etc.) there is a separate Preference
instance for each audit type. As a child of Business Entity, this
provides the ability to have entity-specific variable values.
Auditable Entity
Auditable Entity is a child of Business Entity. Typically, an
Internal Audit Business Entity Hierarchy would be established
under which all of the Auditable Entities would live. Auditable
Entities which are aligned with one or more elements of the
Business Entity Organizational Hierarchy are typically also
associated to those Business Entities.
An Auditable Entity represents a single element of the Audit
Universe – the collection of things in the Business that might be
audited. Typically, the majority of Auditable Entities represent one
or more business or legal entities, but they can also represent one
or more processes, long-running projects or initiatives, compliance
programs, shared IT Services, and so on.
Auditable Entities are risk ranked every year to determine the
priority of performing an audit that year. A Weighted Risk Score
is calculated and an ability to manually override the score is
provided.
Chapter 2. Object Types
5
Table 1. Object types enabled by default (continued)
Object type label
Description
Audit
An Audit represents each execution of an "audit" against an
Auditable Entity. For example, if an Auditable Entity will be
audited every two years, there would be separate child Audit
instances for 2006, 2008, 2010, etc.
The Audit object is configured to be a self-contained object type,
meaning that a folder will be automatically created for each
instance of it. This facilitates the ability to copy template audits
and audit components from a library to the audit hierarchy
without object naming conflicts.
Planning and Scheduling of the Audit Resources is typically done
at the Audit level.
High level Audit progress can be tracked by monitoring the
Status values and Date values on the Audit. Key audit milestones
can be tracked by adding fields on the Audit that represent
completion dates for each of the key milestones they wish to
track.
You use the Audit object to manage the audit process across your
enterprise. The Audit object identifies a holding point where you
can capture information such as scope, objectives, timing
information, review, execution and approval roles. If wanted, you
could track only those audits you will be undertaking in a given
planning horizon, or all audits in the audit universe.
Audit Section
Audit Sections can be used to represent the phases of the audit,
work programs within the audit, or other components of the
audit at the desired level of granularity.
Typically organizations have a number of standard components
for each audit. Template audits that include Sections for each of
these standard components can be created in a Library. Planned
and Actual Start and End Dates for these sections can be used to
report progress on key milestones in the audits.
Detailed Audit progress can be tracked by including an Audit
Section that represents each milestone. Alternatively, some
organizations may choose to add fields on the Audit that
represent completion dates for each of the key milestones they
wish to track.
Although Audit Sections can be used as the basis for planning
and scheduling Audit resources, most organizations will find this
to be too detailed.
Workpaper
A workpaper is any artifact or deliverable you want to track in
the scope of an audit. It can represent an engagement letter, a
testing matrix, interview notes or anything else appropriate to the
audit in question. The workpaper itself can be attributes stored on
the Workpaper object, or it can be a Word, Excel or other type of
file attached to a Workpaper object. When Workpaper is used for
test evidence, it documents both the test planning and the test
results.
Typically, you create a Workpaper object from the detail page of
an Audit Section. Workpaper objects can also be copied from a
library, where they represent templates of different types of
workpapers generated by an internal audit department.
6
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 1. Object types enabled by default (continued)
Object type label
Description
Finding
Findings can be used to represent observations which are
reportable to the business, to the Audit Committee, or both.
Alternatively, Findings can be used to represent individual factual
observations, while Issues are used to represent consolidated
themes/systemic problems, which are then reported to the
business, to the Audit Committee, or both.
A Finding represents anything uncovered in the course of an
audit that needs to be accounted for and addressed by
management. You can use a finding to track management’s
progress in addressing the underlying issue identified. The Issue
object can be used in place of, or in conjunction with, the Finding
object.
Plan, Timesheet
A Plan object type facilitates audit resource scheduling and
allocation at any level. For example, you can create a single Plan
object for an entire audit, or you can create one Plan object per
task for each auditor involved with the audit. Plan objects are
used to determine the availability, skills, and experience required
of the desired resource. OpenPages Audit Activity Views, reports,
etc. are aligned with Planning at the Audit level. Plans can
instead be associated to Audit Sections, in which case these
components would need to be modified.
Plan objects also drive time tracking – all time is tracked against
Plans. A Timesheet object type is used to record weekly actual
hours and expenses expended against a Plan object for an Audit.
Because Timesheet objects are associated with Plans, it is easy to
track deviations between planned and actual time and expenses.
The Timesheet Entry interactive report should always be used to
enter or modify time and expense data. For this reason, there is
no Timesheet top menu item in the default IBM OpenPages
Internal Audit Management configuration.
You typically create or modify a Plan object using the Add or
Modify Plans helper, accessed from a link on the Audit detail
page
Auditor
Resource planning and allocating requires key information about
each individual who may perform audit work. The Auditor object
is used to create a pool of Auditors who can be assigned to
Audits.
Each user who may be assigned to audit work is represented as
an Auditor instance. Auditors are then available for resource
allocation. The Auditor object includes attributes for which you
evaluate and select Auditors for audit engagements, such as
specialties, languages, and certifications. Typically, Auditor objects
are associated with the relevant component of the Internal Audit
organizational hierarchy. It is a best practice that the Name field
on the Auditor object matches the user's username.
Audit Review
Comment
The Audit Review Comment object type is used to provide
feedback during the review process for an audit and its
components. It is associated as a child to the instance of the
Audit, Section, Workpaper or Finding for which feedback is being
provided
Chapter 2. Object Types
7
Table 1. Object types enabled by default (continued)
Object type label
Description
Signature
A signature generally indicates agreement that the object meets
your approval. It has no enforcement powers, and does not
prevent the item from being modified after approval has been
given. An object with a signature has a signature icon next to the
signer's name on the Signatures tab.
Depending on your system configuration, signatures (with or
without associated locks) can be applied to an object in the
following ways:
v Manually from the detail page of an object.
v Automatically through a workflow task.
v Some combination of both automatic and manual.
If signature locks are configured on your system, when you sign
off on an object, the object and all its associated child objects are
locked and cannot be modified until you either revoke your
signature or an administrator unlocks the object.
Issue, Action Item
Although issues typically result from areas where internal
controls are not properly implemented or designed, you can use
the Issue object to document a concern associated with any object
type.
An issue is resolved through one or more Action Items. You can
use an Action Item object or a series of related Action Item objects
to form an action plan. Each Action Item can be assigned to a
user for resolution, and progress can be tracked from the detail
page of the parent Issue. Once all Action Items for an Issue are
complete (an assignee sets the value to 100%), you can close the
Issue.
In IBM OpenPages Internal Audit Management, Issues and Action
Items may be used instead of, or in conjunction with, Findings.
8
File
The File object type is used to embed a reference to a file (such as
a document, flow chart or spreadsheet) in the OpenPages system,
and associate it to one or more relevant objects.
Link
The Link object type is used to embed a reference to a URL in the
OpenPages system, and associate it to one or more relevant
objects.
Process Diagram
A Process Diagram is a child object of the Process and can have
many diagrams per process. It is used to store the sequence of
sub-processes or activities within a process with associated Risks
and Controls along with any annotations such as decision nodes.
All attributes of the Business Process visualization are stored in
the Process Diagram object.
Data Input, Data
Output
The Data Input Object and Data Output Object are child objects of
the Process and can have associations only to existing Risks. They
represent elements of a flow to depict an Input into the Business
Flow or an Output from various activities within a process, such
as running a report or updating a CRM system or getting an
external data source feed.
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Object Types Disabled by Default
The following object types are available in the default IBM OpenPages Internal
Audit Management configuration and are disabled by default.
Table 2. Object types disabled by default
Object Type Label
Description
Questionnaire, Section,
Question
Questionnaire, Section and Question are three objects that are
used together to implement questionnaires.
Control Objective
A Control Objective is an assessment object that helps define the
risk categories for a Process or Sub-Process. For each Process or
Sub-Process, an organization sets the Control Objectives.
Control Objectives define the COSO compliance categories that
the Controls associated with the Risks are intended to mitigate.
For example, Control Objectives can be classified into one or more
categories such as Compliance, Financial Reporting, Strategic,
Operations, or Unknown.
Once a Control Objective is identified, the Risks belonging to that
Control Objective can then be identified and defined. In most
cases, each Control Objective will have one Risk associated with
it. However, Control Objectives can have more than one Risk
associated with them, so they are separated into their own object
type.
The default behavior is for Control Objective to be disabled. This
object is not expected to be used in a typical IBM OpenPages
Internal Audit Management deployment, except to align with
other modules which may use it.
Milestone, Milestone
Action Item
A Milestone represents a significant point in the development of
your project. You can tie Milestones to specific dates, or use them
to signify the completion of a portion of the entire project.
Milestones can contain other Milestones or Milestone Action
Items. You cannot associate a Milestone with other objects in the
object hierarchy.
A Milestone Action Item is a specific objective that must be
completed in order to reach a Milestone. In general, all Milestone
Action Items associated with a Milestone must be completed in
order to reach a Milestone. When you are assigned a Milestone
Action Item object, it is displayed (if configured) in the My
Milestone Action Items section of your My Work tab.
Risk Eval
Risk Evaluation objects are children of Risk objects and they are
used to capture risk measurement values for trending purposes.
Often reporting periods do not line up with risk evaluation cycles
and so Risk Eval objects can be used to capture multiple
evaluation cycles within a single reporting period.
Control Eval
Control Evaluation objects are similar to Risk Evaluation objects
except that they are instantiated as children of Controls. They
store control assessment data.
Risk Assessment Eval
Risk Assessment Evaluation objects are similar to Risk Evaluation
objects except that they are instantiated as children of Risk
Assessments. They store risk assessment data.
Chapter 2. Object Types
9
Table 2. Object types disabled by default (continued)
Object Type Label
Description
Process Eval
Process Evaluation objects are children of Process objects and they
are used to capture process measurement values for trending
purposes.
When the reporting periods do not align with the evaluation
cycles, you can use Process Eval objects to capture multiple
evaluation cycles within a single reporting period.
Subcomponents
IBM OpenPages GRC Platform modules consist of several subcomponents, which
are groups of object types that support a logical function within a module. The
following tables list the subcomponents for the IBM OpenPages Internal Audit
Management module.
Table 3. Subcomponents shared with other modules
Subcomponent
Object Types
Organization
Business Entity
Preference
Preference Group, Preference
Risk Assessment
Risk Assessment, Risk Assessment Eval
Process
Process, Process Eval, Sub-Process, Control Objective
Risk
Risk, Risk Eval
Control
Control, Control Eval
Test
Test Plan, Test Result
Issue
Issue, Action Item
Questionnaire
Questionnaire, Section, Question
Milestone
Milestone, Milestone Action Item
Visualization
Process Diagram, Data Input, Data Output
Table 4. IAM-specific subcomponents
Subcomponent
Object Types
Annual Plan
Auditable Entity, Audit
Engagement Plan
Plan, Timesheet, Auditor
Findings
Finding
Field Work
Audit Section, Workpaper, Audit Review Comment
In addition to the subcomponents listed in the tables, the following object types are
included in each module and can be accessed by any authorized user:
v Signature
v File
v Link
10
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 3. Computed Fields
By default, the IBM OpenPages Internal Audit Management module includes
computed fields, such as Weighted Risk Score and Plans.
Table 5. Computed fields
Object Type
Label
Field Group
Name
Field Name
Label
Description of Computation
Auditable Entity OPSS-AudEnt
Weighted Risk
Score
Calculates the sum of the
products of each relevant Risk
Factor value and its associated
Risk Factor Weight. Risk Factor
values are entered on the
Auditable Entity. Risk Factor
Weights are from the "nearest"
Audit Risk Factor Preference
object, matching the Audit Type
specified on the Auditable Entity.
Audit
OPSS-Aud
Close Audit
Creates a link to launch the Close
Audit helper.
Audit
OPSS-Aud
Plans
Creates a link to launch the Audit
Plans helper.
Audit
OPSS-Aud
Actual T&E
Calculates the sum of the T&E
entries on all of the Timesheets
for all of the Plans for this Audit.
Audit
OPSS-Aud
Actual Hours
Calculates the sum of the Hours
entries on all of the Timesheets
for all of the Plans for this Audit.
Plan
OPSS-Plan
Actual Hours
Calculates the sum of the Hours
entries on all of the Timesheets
for this Plan.
Plan
OPSS-Plan
Actual T&E
Calculates the sum of the T&E
entries on all of the Timesheets
for this Plan.
11
12
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 4. Helpers
IBM OpenPages Internal Audit Management includes the following helpers by
default: Close Audit, Add or Modify Plans, Timesheet Entry, and Administrator
Timesheet Entry
Refer to IBM OpenPages GRC Platform IAM Module Details for more information on
these helpers.
Close Audit Helper
Launched from a computed field link on the Audit object, the Close Audit helper
facilitates automation of the Audit Close process.
It provides a summary and optionally details of the readiness for close status of
the audit from which this helper was launched, and all of its components. When
all components are ready, provides a Close Audit button which automates the
actions taken when an audit is closed, such as setting and clearing field values,
deleting object instances and locking objects.
IBM OpenPages or the customer can configure this component to behave as
appropriate for the customer methodology via registry and application text
settings.
Add or Modify Plans Helper
Launched from a computed field link on the Audit object, the Add or Modify
Plans helper facilitates creating and editing Audit Plans, and finding and
populating Auditors to assign to the Plans.
These processes are time consuming, error prone and cumbersome to perform
using the platform user interface.
The helper provides a summary of and the ability to modify, the existing Plans for
this Audit. It provides the ability to add a new Plan for this Audit. It also enables
search of the Auditor pool or a selected portion of it, for Auditors who match the
skills, attributes and availability requirements identified in the Plan. It provides the
ability to view details of other Plans for each found Auditor, and to select and
auto-populate the appropriate auditor from the search results.
IBM OpenPages or the customer can configure this component to behave as
appropriate for the customer methodology via registry and application text
settings.
Timesheet Entry Report Helper
Launched from the reporting menu, the Timesheet Entry Report helper allows an
Auditor to enter or review their time.
It defaults to the current week. Weeks start on Mondays which is consistent with
the GANTT chart reports. This interactive report is used for reviewing your
previously entered time and expenses, and also for entering your actual time and
13
expenses. The report automatically filters itself to the current user, and to include
Plans for which the user is the assigned Auditor.
User can move to a different nearby week using Previous Week and Next Week
buttons. User can move to a different week that isn’t nearby by using a calendar
widget to select a date in the desired week and then clicking the Go To Week
button.
Time and expenses can only be entered against Plans with assigned Auditors. The
user can navigate to the Week for which they want to enter or view time and
expenses. There is no restriction on creating or editing Timesheets in advance or in
arrears other than by Status. Timesheet rows with Status Submitted or Approved
can not be edited.
When the user clicks Save, Timesheet objects are created and populated for any
new rows, and values are saved in any existing Timesheets. T&E expenses are a
single entry per row per week; they are not broken down into expense categories.
T&E is always entered and displayed in Base Currency.
IBM OpenPages or the customer can configure this component to behave as
appropriate for the customer methodology.
Administrator Timesheet Entry Report Helper
Launched from the reporting menu, the Administrator Timesheet Entry Report
helper is an extension to the Timesheet Entry Report helper which includes a
scoping page that allows a user with access to this report to select a different user
for whom to enter time.
The Administrator version of the helper includes Approve and Reject buttons and
associated functionality.
IBM OpenPages or the customer can configure this component to behave as
appropriate for the customer methodology.
14
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 5. Reports
The IBM OpenPages Internal Audit Management module includes a set of default
reports.
IBM OpenPages GRC Platform Modules Report Details provides additional details on
the reports described here. For a description of additional reports installed with the
IBM OpenPages GRC Platform and available to all modules, see the IBM
OpenPages GRC Platform Administrator's Guide.
IAM-Specific Reports
Descriptions are provided for reports that are available only from the IBM
OpenPages Internal Audit Management module.
Table 6. Audit Management reports
Name
Audit Universe
Drill-Through
Description
For the selected audit organization, view Auditable
Entities, including information about risk ranking
and previous audit results.
List of Auditable Entities, including information
about risk ranking and previous audit results.
Scoped by Business Entity, user can choose sort
order. If the selected Business Entity is in the
Internal Audit business hierarchy then the report
will show the portion of the audit universe owned
by that internal audit team(s). If the selected
Business Entity is in the organizational hierarchy,
then the report shows all elements of the audit
universe which are associated with that Business
Entity or any descendent Business Entities. Used in
the early annual planning stages to help determine
which elements of the audit universe should be
audited this year.
Audit Plan
Audit Plan Detail For the selected audit organization and date range,
provides a GANTT chart view of the Audit Plan.
A GANTT chart view of the Audit Plan, for the
selected date range. Scope by Business Entity and
Date Range, and indicate whether to display by
days, weeks, months or quarters. Selected date range
provides ability to view the current year plan, or a 3
or 5 year plan, or to zero in on a particular planning
timeframe. After report displays, can toggle between
Detail View (shows details for each audit scheduled
for each Auditable Entity) and Summary View
(shows only a rollup of the audits for each Auditable
Entity). If the Audit Scheduled Start Date and
Scheduled End Date overlap with a cell, then that
entire cell is colored. Summary cells colored Red
indicate more than one audit scheduled during that
time for that Auditable Entity. Report is filtered to
include only Audits where the Status is Planned or
Scheduled.
15
Table 6. Audit Management reports (continued)
Name
Drill-Through
Description
Auditor Plan
Auditor Plan
Detail
For the selected audit organization, Auditors and
date range, provides a GANTT chart view of Plans.
A GANTT chart view of the plans for the selected
Auditor(s), for the selected date range. Scope by
Business Entity, Auditor and Date Range, and
indicate whether to display by days, weeks, months
or quarters. The Auditors available are those who
are associated to the selected Business Entity or its
descendents. Selected date range provides ability to
view the current year plan or to zero in on a
particular planning timeframe. After report displays,
can toggle between Detail View (shows details for
each Plan for each Auditor) and Summary View
(shows only a rollup of the Plans for each Auditor).
If an Auditor is scheduled for more than one Plan in
a given column, then that entire cell is colored.
Summary cells colored red indicate more than one
Plan assigned during that time for that Auditor. The
report does not utilize the Percent Allocated
information on the Plan to determine if there is a
conflict.
Audit Overview
v Audit Findings For the selected Audit, view the status of its Audit
Sections and Workpapers, and view associated
Detail
Findings, Issues and Audit Review Comments.
v Audit Issues
Detail
For the selected Audit, view the status of its
v Audit Review
Comments
Detail
Internal Audit
Report
components, and view associated Findings, Issues
and Review Comments. Scoped by Audit. Includes
Findings, Issues and Review Comments that are
direct children of the Audit, Sections and
Workpapers included in the report. Clicking on the
number of Issues, Findings or Audit Review
Comments launches a detail report which includes
more details and provides links to the objects in the
application.
Complete report for the selected Audit, including an
executive summary and associated Findings and
Issues.
Complete report for the selected audit, including an
executive summary, reportable Findings and Issues.
Scoped by Auditable Entity and then by Audit.
Includes Findings associated to Audits, Audit
Sections and Workpapers, and Issues associated with
the Audit.
16
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 6. Audit Management reports (continued)
Name
Drill-Through
Audit Deviation
Description
For the selected Audit, view its Plans and Audit
Sections, including schedule and budget information,
with highlights for significant deviations.
This report lists the plans and sections for the
selected Audit. It includes schedule and budget
information and highlights significant deviations.
Cells colored yellow indicate missing key
information. Cells colored red indicate an
unfavorable deviation from plan of more than 20%.
Scoped by Auditable Entity and then by Audit.
Includes the selected Audit, and Plans and Audit
Sections associated directly to the Audit.
Auditor
Deviation
For the selected Auditors, view their planned and
actual dates, hours and expenses. Scope by Auditors
Business Entity, Auditor and Date Range. The
Auditors available are those who are associated to
the selected Business Entity or its descendents.
Selected date range provides ability to zero in on a
particular timeframe. Report shows Plans for each
selected Auditor including the Scheduled, Expected
and Actual Start and End Dates, the number of
planned hours for each, and the number of actual
timesheet hours, and the amount of planned and
actual T&E recorded against each Plan during each
time period. Cells shaded red indicate actual
amounts that are 20% or more larger than planned
amounts. Includes all Plans where the Auditor is the
selected Auditor; Plans that do not have an assigned
Auditor are not included in this report. The report
includes a summary row for each Auditor and for
the entire report. It defaults to html format and is
also available in Microsoft Excel format.
Timesheet Entry
See “Timesheet Entry Report Helper” on page 13.
Administrator
Timesheet Entry
Timesheet Entry
See “Administrator Timesheet Entry Report Helper”
on page 14.
Reports Shared with Other Modules
The IBM OpenPages Internal Audit Management module contains a number of
reports that are shared with other IBM OpenPages GRC Platform modules.
Table 7. Risk Assessment reports
Name
Drill-Through
Risk Assessment
List
Description
Shows Risk Assessment details for a specified
Business Entity and all of its descendents.
Risk Assessment
Status
Risk Assessment
Status Detail
Displays a stacked column chart showing the status
of Risk Assessments for the specified Business Entity
and its direct descendents.
Risk Assessment
Summary
Risk Assessment Displays Risk Assessment details along with all
Issues and Action associated Risks and Controls. A drill through report
Items
displays Issues and Action Items that are related to
the Risk Assessments, Risks, or Controls.
Chapter 5. Reports
17
Table 7. Risk Assessment reports (continued)
Name
Drill-Through
Risk Assessment
Issues and Action
Items
Description
Shows all Issues and Action Items that are related to
the selected Risk Assessment and its associated Risks
and controls. Parent Object shows only the Risk
Assessment, Risk, and Control parents. The report
prompts for two values: Business Entity and Risk
Assessment.
Data is filtered on the selected entity. Users can
select from all Risk Assessments that are associated,
whether directly or indirectly, to the selected
business entity.
Table 8. Risk reports
Name
Drill-Through
Risk Analysis
Description
Shows Risks grouped by Process for a specified
Business Entity.
Risk Heat Map
Risk Detail
Displays a table that aggregates Risks by Residual
Impact and Likelihood for a specified Business
Entity.
Risk Rating by
Entity
Risk Rating by
Entity Detail
Displays Residual Risk Rating summary information
for the selected Business Entity and its descendents,
with the ability to drill-through to risk details
Risk Rating by
Category
Risk Rating by
Category Detail
Displays Risk Category and Residual Risk Rating
summary information for the selected Business
Entity, with the ability to drill-through to Risk
details.
Top Risks
Summary of the top Risks ranked by Residual Risk
Exposure, and also shows the Inherent Risk
Exposure.
Table 9. Control reports
Name
Drill-Through
Risk and Control
Matrix
Control
Effectiveness
Map
Description
Shows Risk and Control data for specified Business
Entity and Process(es).
Control
Effectiveness
Detail
Control map shows counts of Controls grouped by
Process(es) and Operating Effectiveness, with the
ability to drill-through to a sub-report for detail
information.
Table 10. Testing reports
18
Name
Drill-Through
Description
Testing
Dashboard
Testing Details
Displays summary Test Result information for the
selected Business Entity, with the ability to
drill-through to detail and trend information.
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 11. Visualization reports
Name
Description
Process Analysis
Displays Risk and Controls in the context of a process
diagram. Provides an aggregated view of Risk and
Controls with risk rating and control effectiveness at the
Process and Business Entity level.
Notifications
Notifications are email notifications sent to owners of a process as a reminder to
act. These notifications can occur at different stages of a process or as a final step
in a trigger.
All notifications that are sent from IBM OpenPages IAM use the sender address
identified below. Configure the email address and server settings.
v /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to
send notifications
v /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the
email sender name that is used by notifications
v /OpenPages/Common/Email/Mail Server - configure this item to identify the email
server that is used to send notifications
Notifications are part of the Issue Management and Remediation process.
Chapter 5. Reports
19
20
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 6. Notifications
Notifications are email notifications sent to owners of a process as a reminder to
act. These notifications can occur at different stages of a process or as a final step
in a trigger.
All notifications that are sent from IBM OpenPages IAM use the sender address
identified below. Configure the email address and server settings.
v /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to
send notifications
v /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the
email sender name that is used by notifications
v /OpenPages/Common/Email/Mail Server - configure this item to identify the email
server that is used to send notifications
Notifications are part of the Issue Management and Remediation process.
Issue and Action Bulletin notification
During the closedown phase of the Issue Management and Remediation (IMR)
process, an Issue and Action Bulletin is sent as an email notification to the users.
The bulletin highlights important areas such as overdue issues and Actions that are
due for closure. The administrator can set the frequency of this notification by
using the Issue Management and Remediation (IMR) bulletin.
When the Issue is defined, its status is Open and the user must enter a value in
the Current due date field. The due date is copied to a read-only field that
contains the original due date. When the user creates an Issue, the Issue Owner
(who might not be the same person who created the Issue) receives an email
notification.
The Issue Owner must record the appropriate actions to resolve an identified Issue.
The following data is captured in an Action Item:
v Description
v Assignee
v Start Date
v Due Date
v Actual Closure date
v Status (Read Only)
v A comment field to record the latest updates
The Issue Owner receives an email that summarizes the Actions that must be
approved for closure. The owner can either Accept Closure or Reject Closure.
When Actions are completed, the Issue Owner must review the Issue and update
the status to Closed. If any child actions are Open or Awaiting Approval, the
Issue Owner cannot close the issue.
Users receive email notifications through the consolidated Issue and Action
bulletins. The bulletin consolidates the following information in an email:
v Issues Assigned to the recipient in the past number days
21
v
v
v
v
v
Actions Assigned to recipient in the past number days
Issues due for Closure in the next number days
Actions due for Closure in the next number days
Overdue Issues
Overdue Actions
v Actions awaiting closure approval
22
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 7. Triggers
The IBM OpenPages modules contain several available triggers.
IBM OpenPages GRC Platform Module Trigger Details provides additional details on
the triggers described here.
Triggers must be disabled before loading XML instance data via Object Manager to
any object types which are configured to have triggers by default.
Object types that are configured for IBM OpenPages Internal Audit Management to
have triggers by default include:
v Audit
v Audit Section
v
v
v
v
v
v
v
Workpaper
Plan
Timesheet
Finding
Audit Review Comment
Action Item
Issue
v Data Input
v Data Output
v Risk
Object types that are configured for other Modules to have triggers by default
include:
v Loss Impact
v Loss Recovery
v Loss Event
v KRI Value
v KPI Value
v File (SOXDocument)
v Policy
IAM-Specific Triggers
Descriptions of triggers that are specific to the Internal Audit Management module
are included in this section.
Audit Risk Rating Computations Trigger
The RCSA Quantitative trigger and the RCSA Qualitative trigger apply to the
Audit Risk Rating Computations trigger. For more information, see “RCSA
Quantitative trigger” on page 25 and “RCSA Qualitative trigger” on page 27.
23
Audit Close Automation Triggers
The Audit Close Automation trigger assesses close readiness for each of the
configured components of an audit. By default, the trigger is configured for the
following object types: Audit, Audit Section, Workpaper, Finding, Audit Review
Comment, Plan, and Timesheet.
When an instance of a configured object type is created or updated, the trigger
evaluates all of the criteria which are configured for that object type. If all of the
criteria have been met, then the trigger sets the Ready To Close field value to Yes.
This field value is used by the Audit Close helper to determine if all of the audit
components are ready to close.
Configured ready to close criteria categories include fields that are required, date
fields that must be set to on or before today's date, date fields that must be set to
values on or before other date field values, and user fields that cannot be set the
same as other user fields.
Triggers Shared with Other Modules
Several triggers are shared with other IBM OpenPages GRC Platform modules.
Issue Management and Remediation trigger
In an Issue Management and Remediation (IMR) framework, you can effectively
document, monitor, remediate, and audit identified Issues.
Issues are items that are identified against the documented framework and are
deemed to negatively affect the ability to accurately manage and report risk. In its
lifecycle, an issue can have only one of two states: Open or Closed.
To resolve the identified Issue, the Issue Owner establishes and records the
appropriate actions. When the Action is complete, the Assignee sets the Submit for
Closure field to Yes. When this field is saved, a trigger is started and completes
the following actions:
v Copies the value in the Issue Owner field from the parent Issue to the Action
v Sets the Action field to Awaiting Approval
The Issue owner reviews the Action and can specify to either Accept Closure or
Reject Closure. If the Action is saved with Reject Closure, the status reverts to
Open and the Action returns to the Action Assignee.
Several triggers are used to automate the Issue management process.
Issue Lifecycle trigger
The Issue Lifecycle trigger sets the Original Due date on the first instance of Save
of Issue and checks for any Open Actions when the Issue is saved with a status of
Closed.
When an Issue object type is created or updated, and the status of the Issue object
type is set to Closed, the trigger completes the following actions:
v The trigger checks all direct child Actions and determines whether they are all
closed. If any Actions have a status of Open or Awaiting Approval, the trigger
generates an error message. If all Actions are closed, the trigger saves the
changes.
24
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Note: As an administrator, you can configure the error message under the
Administrator > Settings menu.
v If the Original Due date field on the Issue is blank, the trigger populates the
Original Due date with the Current Due date value.
Risk and Control Self-assessments triggers
The Risk Assessments process is used to identify, assess, and quantify a risk profile
of the business. Each Risk is assessed on either a Qualitative or Quantitative basis.
When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating
of Low, Medium, High, or Very High. The trigger also populates the hidden
Quantitative fields: Severity, Frequency, and Exposure.
When a Risk is saved, the Quantitative risk rating trigger completes the following
actions:
1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business
Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each
Business Unit that is stored in its Preference record
RCSA Quantitative trigger
The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk
Rating and establishes impact, likelihood, and exposure for risks that are entered
by using the Quantitative method. The trigger occurs only if the values for the
Impact or Likelihood fields for Risk were modified.
Important: You must determine whether you want to assess risks by using a
quantitative or qualitative approach. If you chose qualitative, this trigger does not
apply. The option for quantitative or qualitative is set during the Application
installation of IBM OpenPages GRC Modules. For more information, see the IBM
OpenPages GRC Platform Modules Installation Guide.
When a Risk object is updated, associated, or disassociated, the trigger completes
the following actions:
v Obtains the parent Preference object.
The trigger attempts to find the Preference object associated with the business
entity. The trigger traverses up the parent Entity hierarchy until a Preference
object that is associated with a business entity is found. The preference object
contains the settings for required parameters as described in the Severity table.
v Determines the Impact fields of the Risk object.
The Impact is calculated by identifying the threshold range in which the Severity
Value falls. If any Severity value is null, the previous value is managed as the
MAX Severity.
Table 12. Impact value based on severity value
Severity value
Impact value
>= 0 and <= Severity 1
1
> Severity 1 and <= Severity 2
2
> Severity 2 and <= Severity 3
3
> Severity 3 and <= to Severity 4
4
Chapter 7. Triggers
25
Table 12. Impact value based on severity value (continued)
Severity value
Impact value
> Severity 4 and <= Severity 5
5
> Severity 5 and <= Severity 6
6
> Severity 6 and <= Severity 7
7
> Severity 7 and<= Severity 8
8
> Severity 8 and <= Severity 9
9
> Severity 9
10
v Determines the Liklihood fields on the SOXRisk object.
The Likelihood is calculated by identifying the threshold range in which the
Frequency value falls. If any Frequency value is null, the previous value is
managed as the MAX frequency.
Table 13. Likelihood value based on frequency value
Frequency value
Likelihood value
>= 0 and <= Frequency 1
1
> Frequency 1 and <= Frequency 2
2
> Frequency 2 and <= Frequency 3
3
> Frequency 3 and <= Frequency 4
4
> Frequency 4 and <= Frequency 5
5
> Frequency 5 and <= Frequency 6
6
> Frequency 6 and <= Frequency 7
7
> Frequency 7 and <= Frequency 8
8
> Frequency 8 and <= Frequency 9
9
> Frequency 9
10
v Calculates the Exposure as Severity multiplied by Frequency
v Where the Impact value is X and the Likelihood value is Y:
The XMAX value is the maximum value for impact. The YMAX value is the
maximum value for likelihood.
The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/
ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/
YMAX.
The XMAX and YMAX values are defined during installation. Do not change
these values. If these values are changed, the RCSA Qualitative and Quantitative
triggers might not correctly compute the risk rating.
The trigger computes the Risk Rating by using the following formula:
((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))
The rating value is 0 - 1 and expressed as a percentage.
Table 14. Risk ratings based on rating values
26
Rating value
Risk rating
0 - 25 %
LOW (green)
26-50 %
MEDIUM (yellow)
51-75 %
HIGH (orange)
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 14. Risk ratings based on rating values (continued)
Rating value
Risk rating
76-100 %
VERY HIGH (red)
RCSA Qualitative trigger
The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk
Rating and establishes severity, frequency, and exposure for risks that are entered
by using the Qualitative method.
Important: You must determine whether you want to assess risks by using a
quantitative or qualitative approach. If you chose quantitative, this trigger does not
apply. The option for quantitative or qualitative is set during the Application
installation of IBM OpenPages GRC Modules. For more information, see the IBM
OpenPages GRC Platform Modules Installation Guide.
When a Risk object is updated, associated, or disassociated, the trigger completes
the following actions:
v Evaluates the Preference record for the entity, or its parent entity if no Preference
record exists.
The trigger attempts to find the Preference object associated with the business
entity. The trigger traverses up the parent Entity hierarchy until a Preference
object that is associated with a business entity is found. The preference object
contains the settings for required parameters as described in the Severity table.
v Evaluates the Severity fields of the Risk object.
The Severity is determined by the Impact Value mappings that are specified in
the Preference object.
Table 15. Severity based on impact values
Impact value
Severity
1
Severity 1
2
Severity 2
3
Severity 3
4
Severity 4
5
Severity 5
6
Severity 6
7
Severity 7
8
Severity 8
9
Severity 9
10
Severity 10
v Based on the Likelihood, evaluates the Frequency fields of the Risk object.
The Frequency is determined by the Likelihood Value mappings that are
specified in the Preference object.
Table 16. Frequency based on Likelihood values
Likelihood value
Frequency
1
Frequency 1
2
Frequency 2
Chapter 7. Triggers
27
Table 16. Frequency based on Likelihood values (continued)
Likelihood value
Frequency
3
Frequency 3
4
Frequency 4
5
Frequency 5
6
Frequency 6
7
Frequency 7
8
Frequency 8
9
Frequency 9
10
Frequency 10
v Calculates the Exposure as Severity multiplied by Frequency.
v Where the Impact value is X, Likelihood value is Y:
The XMAX value is the maximum value for impact. The YMAX value is the
maximum value for likelihood.
The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/
ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/
YMAX.
The XMAX and YMAX values are defined during installation. Do not change
these values. If these values are changed, the RCSA Qualitative and Quantitative
triggers might not correctly compute the risk rating.
The trigger computes the Risk Rating by using the following formula:
((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))
The rating value is 0 - 1 and expressed as a percentage.
Table 17. Risk ratings based on rating values
Rating value
Risk rating
0 - 25 %
LOW (green)
26-50 %
MEDIUM (yellow)
51-75 %
HIGH (orange)
76-100 %
VERY HIGH (red)
Risk Approval Submission trigger
The Risk Approval Submission trigger updates the Status field on Risk and
Controls so that the Process Owner can process the Approval.
When a Risk object is created or updated, and the Submit for Approval field value
is set to Yes, the trigger completes the following actions:
v Obtains all associated child Control objects and applies validation rules.
All child Control objects are assessed and the Status field is set to Awaiting
Assessment.
v Updates the Status field on the Risk object and all associated control objects
from Awaiting Assessment to Awaiting Approval.
v Obtains the parent Process object to obtain all Risk objects and checks whether
all risks for a Process are Awaiting Approval.
v Determines whether all risks for a Process are awaiting approval, and continues
based on the following status:
28
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
– If the status is Yes, the trigger ends its process.
– If the status is No, the trigger sets the Status of the parent Process object to
Awaiting Approval, and sends an email notification to the Process Owner.
RCSA Risk and Control Approval trigger
The RCSA Risk and Control Approval trigger allows the Process Owner to approve
or reject an assessment of a risk and its controls.
When a Risk object Approve/Reject field is set to Approve or Reject, the trigger
completes the following actions:
v If the Approve/Reject field is set to Reject, the trigger updates the Status field
value of the Risk and associated Controls to Awaiting Assessment, and sends an
email notification to the Risk Owner.
v If the Approve/Reject field is set to Approve, the trigger continues with the
following processes:
– Updates the Status field value of the Risk and associated Controls to
Approved.
– Updates the Process status to Approved, sets the Approval Date, and sends
an email notification to the RCSA coordinator.
Visualization triggers
The Visualization triggers prevent the user from adding new Risks as children of
the Data Input and Data Output object types.
Risks can only be made children of these object types by associating existing Risks
to them. Data Input and Data Output object types are not allowed to be primary
parents of Risks.
Chapter 7. Triggers
29
30
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 8. Profiles
The IBM OpenPages Internal Audit Management module includes the OpenPages
IAM 7.0.0 Master profile by default.
OpenPages IAM 7.0.0 Master Profile
The OpenPages IAM 7.0.0 Master profile includes the fields and configuration for
all of IBM OpenPages Internal Audit Management.
This profile includes:
v Filters
v My Work Home page tab and Home page tabs
v Dependent fields and dependent pick lists
v Computed fields
v Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List
Views
Subsets of this profile that are appropriate for a Lead Auditor, Audit Director, etc.
are created during the implementation project.
Home Page Filtered Lists
The following filtered lists are defined for the My Work home page for users of
the OpenPages IAM 7.0.0 Master profile.
Table 18. IBM OpenPages Internal Audit Management Home page filtered lists
Filter
Description
Object Type
My Open Issues
Home page access to your open Issues.
Issue
My Audits In Progress
Home page access to the Audits you own which Audit
you are likely to be working on now.
My Open Audit Review Home page access to Audit Review Comments
Comments
requiring action, where you are the Owner.
Audit Review
Comment
My Findings for
Review
Home page access to Open Findings where you
are the Reviewer.
Finding
My Open Findings
Home page access to Open Findings where you
are the Preparer.
Finding
My Workpapers In
Progress
Home page access to Workpapers requiring
action, where you are the Preparer.
Workpaper
Workpapers Ready for
My Review
Home page access to Workpapers requiring
action, where you are the Reviewer.
Workpaper
31
Activity Views
By default, the OpenPages IAM 7.0.0 Master profile includes the following activity
views.
Table 19. IBM OpenPages Internal Audit Management activity views
Activity View
Name
Starting
Object Type
Audit Planning
Business
Entity
Allows for entry of Schedule Dates and Estimated
Hours and T&E for each audit in the Universe. Filtered
to 2008 and beyond Audits where Status is any except
Completed.
Scope Matrix
Audit
Identify the activities within the Auditable Entity and
decide whether each one is in or out of scope for this
audit. Refer to the risks for each activity to assist in
making the scope decision.
Scope Matrix
View
Audit
Scope Matrix Activity View with all fields configured as
read only.
Audits and
Sections
Auditable
Entity
View the sections for an audit and update Scheduled
Start and End Dates.
All Review
Comments
Auditable
Entity
View Review Comments associated to the selected
Audit and its Audit Sections, Workpapers and
Findings.
Audit Overview
Audit
Select each Audit Section to view all of its Workpapers
and Findings, and then update key information.
Section Edit
Checklist
Audit
Provides a consolidated view of the work program and
facilitates rapid Audit Section update for an audit.
Workpaper Edit
Checklist
Audit
Provides a consolidated view of the Workpapers and
facilitates rapid Workpaper update for an audit.
Section Checklist
Auditable
Entity
Provides an at-a-glance read only view of the Sections
in the work program.
Workpaper
Checklist
Auditable
Entity
Provides an at-a-glance read only view of the
Workpapers in the work program.
Control Testing
Summary
Control
Used to indicate Control Operating Effectiveness.
Provides Test Plan and Test Result information that
informs the Operating Effectiveness decision.
Questionnaire Set
Up
Questionnaire Used to create and modify questionnaires using the
Questionnaire, Section, Question object model.
Questionnaire
Questionnaire Used to respond to questionnaires using the
Questionnaire, Section, Question object model.
Process RCSA
View
Process
Facilitates conducting Process-based Risk and Control
Self Assessments.
Process Approval
Process
Used by the Process Owner to confirm the assessment
of each Risk and Control.
RCSA Approval
32
Description
Used by Risk Coordinator to approve Risk and Control
Self Assessments.
Project Mgmt
Planning
Workpaper
Used when planning workpapers.
Test Planning
Workpaper
Used when creating test plans for workpapers.
Test Execution
Workpaper
Used when executing workpaper tests during field
work.
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Table 19. IBM OpenPages Internal Audit Management activity views (continued)
Activity View
Name
Starting
Object Type
Description
Review and
Approval
Workpaper
Used when reviewing workpapers.
Project Mgmt
Update
Workpaper
Used when finalizing workpaper status.
Grid Views
By default, grid views are defined for users of the OpenPages IAM 7.0.0 Master
profile.
Table 20. Grid Views
Grid View
Description
Object Type
PRSA Update
Use to update Process Risk Self Assessments.
Process, Risk,
Control
PRSA Review
Use to review Process Risk Self Assessments.
Process, Risk,
Control
Chapter 8. Profiles
33
34
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Chapter 9. Role Templates
The following role templates are available, by default, for the IBM OpenPages
Internal Audit Management module.
OpenPages IAM 7.0 - All Permissions
Full Read, Write, Delete, Associate (R/W/D/A) access to all default
Internal Audit Management object types that are present and enabled by
default. Full administrator rights.
OpenPages IAM 7.0 - All Data - No Admin
Full Read, Write, Delete, Associate (R/W/D/A) access to all default
Internal Audit Management object types that are present and enabled by
default. No administrator rights except those associated with workflows,
files and folders.
The above role templates provide read, write, delete and associate access to the
following object types.
Table 21. Role template object types
Object Type Name
Object Type Label
SOXBusEntity
Business Entity
SOXIssue
Issue
SOXTask
Action Item
SOXDocument, SOXExternalDocument
File, Link
SOXSignature
Signature
AuditableEntity
Auditable Entity
Auditor
Auditor
AuditPhase
Audit Section
AuditProgram
Audit
DataInput
Data Input
DataOutput
Data Output
ProcessDiagram
Process Diagram
Finding
Finding
Plan
Plan
Preference
Preference
PrefGrp
Preference Group
ReviewComment
Audit Review Comment
RiskAssessment
Risk Assessment
SOXControl
Control
SOXProcess
Process
SOXRisk
Risk
SOXSubprocess
Sub-Process
SOXTest
Test Plan
SOXTestResult
Test Result
35
Table 21. Role template object types (continued)
36
Object Type Name
Object Type Label
Timesheet
Timesheet
Workpaper
Workpaper
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service. This document may
describe products, services, or features that are not included in the Program or
license entitlement that you have purchased.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
37
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Location Code FT0
550 King Street
Littleton, MA
01460-1250
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
This Software Offering does not use cookies or other technologies to collect
personally identifiable information.
38
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Copyright
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted
by GSA ADP Schedule Contract with IBM Corp.
This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written.
These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs. You may copy, modify, and distribute these sample programs in any
form without payment to IBM for the purposes of developing, using, marketing, or
distributing application programs conforming to IBM's application programming
interfaces.
Trademarks
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
The following terms are trademarks or registered trademarks of other companies:
v Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “ Copyright and
trademark information ” at www.ibm.com/legal/copytrade.shtml.
Notices
39
40
IBM OpenPages GRC Platform Version 7.0.0: Internal Audit Management Module Overview
Index
A
Action items
object types (continued)
SOXRisk 25
24
R
D
RCSA Qualitative trigger 27
RCSA Quantitative trigger 25
RCSA Risk and Control Approval trigger 29
RCSA triggers 25
Risk and Control Self-assessments triggers
See RCSA triggers
Risk Approval Submission trigger 28
Data Input trigger 29
Data Output trigger 29
G
grid views
33
I
S
Impact values 25, 27
Issue (object type) 24
Issue and Action Bulletin notification
Issue Lifecycle trigger 24
Issues
management 24
Severity values 27
SOXRisk (object type)
L
Likelihood values 27
Liklihood values 25
N
notifications 19, 21
Issue and Action Bulletin
25
21
T
triggers
Issue Lifecycle 24
RCSA Qualitative 27
RCSA Quantitative 25
RCSA Risk and Control Approval
Risk Approval Submission 28
visualization 29
29
V
21
visualization triggers
29
O
object types
Issue 24
41
Fly UP