
Page 1: Internal Audit Management (IAM) Module Overview (source: public.dhe.ibm.com/.../OP_IAM_Module_Overview.pdf)

IBM OpenPages GRC Platform Version 6.1.0

Internal Audit Management (IAM) Module Overview


IBM OpenPages GRC Platform 6.1.0 IAM Module Overview 2 of 25

NOTE Before using this information and the product it supports, read the information in the “Notices” section of this document.

Product Information

This document applies to IBM OpenPages GRC Platform 6.1.0 and may also apply to subsequent releases. Licensed Materials – Property of IBM Corporation. Copyright IBM Corporation, 2003, 2012.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Documentation Release Information

Last Modified: March 12, 2012 10:36:38 AM


Table of Contents

Introduction, page 4
  Module Description, page 4
  Document Contents, page 4
  Object Type Licensing, page 4
Object Types, page 5
  Object Types Enabled by Default, page 5
  Object Types Disabled by Default, page 10
Computed Fields, page 11
Helpers, page 12
  Close Audit Helper, page 12
  Add or Modify Plans Helper, page 12
  Timesheet Entry Report Helper, page 12
  Administrator Timesheet Entry Report Helper, page 13
Reports, page 14
  IAM-Specific Reports, page 14
    Audit Management Reports, page 14
  Reports Shared with Other Modules, page 17
    Risk Assessment Reports, page 17
    Risk Reports, page 17
    Control Reports, page 17
    Testing Reports, page 17
Triggers, page 18
  IAM-Specific Triggers, page 19
    Audit Risk Rating Computations Trigger, page 19
    Audit Close Automation Trigger, page 19
  Triggers Shared with Other Modules, page 19
    Risk Rating Computations Trigger, page 19
Profiles, page 20
  OpenPages IAM 6.1 Master Profile, page 20
  Home Page Filtered Lists, page 20
  Activity Views, page 21
Role Templates, page 22
Documentation Updates, page 23
Notices, page 23


Introduction

Module Description

IBM OpenPages Internal Audit Management (IAM) provides internal auditors with a uniquely configured view into organizational governance, risk, and compliance (GRC), affording audit the chance to supplement and coexist with broader risk and compliance management activities. As with all Modules, IAM is completely integrated with financial controls management, IT governance, policy and compliance efforts, and operational risk management programs. The internal audit team has the capability to work as a fully integrated partner to business stakeholders, completely independently, or anywhere in between, as determined by the specific needs of the audit department or of a particular audit being undertaken.

Key features include:

- The capability to risk rank the audit universe, configured according to your audit methodology
- Powerful support for your risk assessment methodology
- Full reporting across the entire audit universe
- The ability to define, plan, execute and report on audits across your business
- Track and manage audits, audit sections, workpapers, and audit resource requirements and allocations
- Automate operations through fully configurable reporting and workflow
- The ability to provide independent assurance to the business or work as an integrated part of GRC efforts
- Opine on management's GRC efforts independently
- Control access to confidential audits, fields, and audit-only views

Document Contents

This document contains the following sections:

- Object Types: the set of objects that are licensed to be used with this module.
- Computed Fields: the computed fields that are provided with this module.
- Helpers: the JSP helpers included with this module.
- Reports: the Cognos reports that are provided for this module.
- Triggers: the triggers included with this module.
- Profiles: the profiles, home page filtered lists and activity views included with this module.
- Role Templates: the role templates that are provided with this module.

Object Type Licensing

For the IAM module you are licensed to use the object types listed in the "Object Types" section of this document. Use of any other object type not listed in the Object Types section is prohibited without prior written approval from OpenPages.


Object Types

Object Types Enabled by Default

The following object types are available in the default IAM configuration and are enabled by default.

Object Type Label / Description

Business Entity

Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters and then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure. Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards). When setting up your business entity hierarchy, you should work with your OpenPages consultant, as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application. In IAM, Business Entities are also used to model the Internal Audit organizational structure, which facilitates reporting and security for the Internal Audit team. The Internal Audit organizational structure is typically a top level entity, to minimize the chance of accidentally granting a business user access to Internal Audit information. The elements of the Audit Universe which are "owned" by a given Internal Audit team are typically associated to that team's Business Entity. Another top level Business Entity structure can be created to organize confidential Audits, providing the ability to apply special security to these Audits. Business Entities can also be used to organize a Library of template audit content.

Process

Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth. Processes are also used in scoping audits. Audit can associate to Processes created by the Business, make its own copy of them, create its own Processes from scratch, or use any mixture of these.

Sub-Process

A Sub-Process is a component of a Process. It is used to decompose Processes into smaller granularity units for assessment purposes. This object is not expected to be used in audit scoping, but may be used in documenting Process details.

Risk

Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each Risk has one or more Controls associated with it that provide safeguards against the Risk and help mitigate any consequences that may result from the Risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items. A Risk instance shared between Internal Audit and the Business can be rated separately by Audit and by the Business.


Control

Controls are typically policies and procedures (procedures are actions that implement the policies) that help ensure that risk mitigation responses are carried out. Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks. Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective. In IAM, Controls can be used to create a detailed model of the Controls that exist, or that should exist, on the activities being Audited. If shared with the Business, the Controls can be rated separately by Internal Audit and by the Business.

Test Plan, Test Result

You can determine the operating effectiveness of a Control by conducting one or more detailed tests of a Control and then documenting the results. Test Plans are mechanisms that determine whether or not a Control is effective. A Test Result is the information obtained from running a Test Plan. IAM is configured by default to use the Workpaper object in place of the Test Plan and Test Result objects. Audit needs access to these objects since they are often used by the Business to document their testing,

Risk Assessment

Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object - which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment - to manage your risk self-assessment process.

Preference Group, Preference

The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance. The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values which enable different behavior for the same workflows). For example, Preferences can determine the behavior of review and approval workflows (e.g. who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required). In the default IAM configuration, these objects are used to hold weights for the Risk Factors used in Annual Assessment Risk Ranking. Since the weights and factors can be different for each type of audit (financial, operational, strategic, etc.), there is a separate Preference instance for each audit type. As a child of Business Entity, this provides the ability to have entity-specific variable values.


Auditable Entity

Auditable Entity is a child of Business Entity. Typically, an Internal Audit Business Entity Hierarchy would be established under which all of the Auditable Entities would live. Auditable Entities which are aligned with one or more elements of the Business Entity Organizational Hierarchy are typically also associated to those Business Entities. An Auditable Entity represents a single element of the Audit Universe – the collection of things in the Business that might be audited. Typically, the majority of Auditable Entities represent one or more business or legal entities, but they can also represent one or more processes, long-running projects or initiatives, compliance programs, shared IT Services, and so on. Auditable Entities are risk ranked every year to determine the priority of performing an audit that year. A Weighted Risk Score is calculated and an ability to manually override the score is provided.

Audit

An Audit represents each execution of an "audit" against an Auditable Entity. For example, if an Auditable Entity will be audited every two years, there would be separate child Audit instances for 2006, 2008, 2010, etc. The Audit object is configured to be a self-contained object type, meaning that a folder will be automatically created for each instance of it. This facilitates the ability to copy template audits and audit components from a library to the audit hierarchy without object naming conflicts. Planning and Scheduling of the Audit Resources is typically done at the Audit level. High level Audit progress can be tracked by monitoring the Status values and Date values on the Audit. Key audit milestones can be tracked by adding fields on the Audit that represent completion dates for each of the key milestones you wish to track. You use the Audit object to manage the audit process across your enterprise. The Audit object identifies a holding point where you can capture information such as scope, objectives, timing information, and review, execution and approval roles. If desired, you could track only those audits you will be undertaking in a given planning horizon, or all audits in the audit universe.

Audit Section

Audit Sections can be used to represent the phases of the audit, work programs within the audit, or other components of the audit at the desired level of granularity. Typically organizations have a number of standard components for each audit. Template audits that include Sections for each of these standard components can be created in a Library. Planned and Actual Start and End Dates for these sections can be used to report progress on key milestones in the audits. Detailed Audit progress can be tracked by including an Audit Section that represents each milestone. Alternatively, some organizations may choose to add fields on the Audit that represent completion dates for each of the key milestones they wish to track. Although Audit Sections can be used as the basis for planning and scheduling Audit resources, most organizations will find this to be too detailed.


Workpaper

A workpaper is any artifact or deliverable you want to track in the scope of an audit. It can represent an engagement letter, a testing matrix, interview notes or anything else appropriate to the audit in question. The workpaper itself can be attributes stored on the Workpaper object, or it can be a Word, Excel or other type of file attached to a Workpaper object. When a Workpaper is used for test evidence, it documents both the test planning and the test results. Typically, you create a Workpaper object from the detail page of an Audit Section. Workpaper objects can also be copied from a library, where they represent templates of the different types of workpapers generated by an internal audit department.

Finding

Findings can be used to represent observations which are reportable to the business, to the Audit Committee, or both. Alternatively, Findings can be used to represent individual factual observations, while Issues are used to represent consolidated themes or systemic problems, which are then reported to the business, to the Audit Committee, or both. A Finding represents anything uncovered in the course of an audit that needs to be accounted for and addressed by management. You can use a Finding to track management's progress in addressing the underlying issue identified. The Issue object can be used in place of, or in conjunction with, the Finding object.

Plan, Timesheet

A Plan object type facilitates audit resource scheduling and allocation at any level. For example, you can create a single Plan object for an entire audit, or you can create one Plan object per task for each auditor involved with the audit. Plan objects are used to determine the availability, skills, and experience required of the desired resource. OpenPages Audit Activity Views, reports, etc. are aligned with Planning at the Audit level. Plans can instead be associated to Audit Sections, in which case these components would need to be modified. Plan objects also drive time tracking – all time is tracked against Plans. A Timesheet object type is used to record weekly actual hours and expenses expended against a Plan object for an Audit. Because Timesheet objects are associated with Plans, it is easy to track deviations between planned and actual time and expenses. The Timesheet Entry interactive report should always be used to enter or modify time and expense data. For this reason, there is no Timesheet top menu item in the default IAM configuration. You typically create or modify a Plan object using the Add or Modify Plans helper, accessed from a link on the Audit detail page.

Auditor

Resource planning and allocation requires key information about each individual who may perform audit work. The Auditor object is used to create a pool of Auditors who can be assigned to Audits. Each user who may be assigned to audit work is represented as an Auditor instance. Auditors are then available for resource allocation. The Auditor object includes attributes by which you evaluate and select Auditors for audit engagements, such as specialties, languages, and certifications. Typically, Auditor objects are associated with the relevant component of the Internal Audit organizational hierarchy. It is a best practice that the Name field on the Auditor object matches the user's username.

Audit Review Comment

The Audit Review Comment object type is used to provide feedback during the review process for an audit and its components. It is associated as a child to the instance of the Audit, Section, Workpaper or Finding for which feedback is being provided.


Signature

A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer's name on the Signatures tab. Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:

- Manually from the detail page of an object.
- Automatically through a workflow task.
- Some combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item

Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type. An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue. In IAM, Issues and Action Items may be used instead of, or in conjunction with, Findings.

File

The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link

The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.


Object Types Disabled by Default

The following object types are included in the default IAM configuration and are disabled by default.

Object Type Label / Description

Questionnaire, Section, Question

Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Control Objective

A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives. Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown. Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type. The default behavior is for Control Objective to be disabled. This object is not expected to be used in a typical IAM deployment, except to align with other Modules which may use it.

Milestone, Milestone Action Item

A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy. A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your Classic Home Page.

Risk Eval

Risk Evaluation objects are children of Risk objects and are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles, so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval

Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval

Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.


Computed Fields

IAM includes the following computed fields by default.

Object Type Label / Field Group Name / Field Name Label / Description of Computation

- Auditable Entity / OPSS-AudEnt / Weighted Risk Score: Calculates the sum of the products of each relevant Risk Factor value and its associated Risk Factor Weight. Risk Factor values are entered on the Auditable Entity. Risk Factor Weights are from the "nearest" Audit Risk Factor Preference object, matching the Audit Type specified on the Auditable Entity.
- Audit / OPSS-Aud / Close Audit: Creates a link to launch the Close Audit helper.
- Audit / OPSS-Aud / Plans: Creates a link to launch the Audit Plans helper.
- Audit / OPSS-Aud / Actual T&E: Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.
- Audit / OPSS-Aud / Actual Hours: Calculates the sum of the Hours entries on all of the Timesheets for all of the Plans for this Audit.
- Plan / OPSS-Plan / Actual Hours: Calculates the sum of the Hours entries on all of the Timesheets for this Plan.
- Plan / OPSS-Plan / Actual T&E: Calculates the sum of the T&E entries on all of the Timesheets for this Plan.
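The Weighted Risk Score computation above, written out as an added Python example (not OpenPages code): it walks up the Business Entity hierarchy to the nearest Audit Risk Factor Preference for the Auditable Entity's Audit Type, multiplies each Risk Factor value by its weight, honours the manual override mentioned under Auditable Entity, and ranks a constructed audit universe. Class names, field names and the sample weights are assumptions.

```python
"""Added example, not OpenPages code: models the OPSS-AudEnt Weighted Risk Score
computed field. Class and attribute names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BusinessEntity:
    name: str
    parent: Optional["BusinessEntity"] = None
    # Audit Risk Factor Preference instances on this entity, keyed by Audit Type:
    # each maps Risk Factor name -> Risk Factor Weight
    preferences: Dict[str, Dict[str, float]] = field(default_factory=dict)


@dataclass
class AuditableEntity:
    name: str
    parent: BusinessEntity
    audit_type: str
    risk_factors: Dict[str, float]            # Risk Factor values entered on the entity
    manual_override: Optional[float] = None   # optional manual override of the score


def nearest_weights(entity: BusinessEntity, audit_type: str) -> Dict[str, float]:
    """Return the Risk Factor Weights from the nearest Preference (walking up the
    Business Entity hierarchy) that matches the Audit Type; error if none exists."""
    node: Optional[BusinessEntity] = entity
    while node is not None:
        weights = node.preferences.get(audit_type)
        if weights is not None:
            return weights
        node = node.parent
    raise LookupError(f"no Audit Risk Factor Preference for audit type {audit_type!r}")


def weighted_risk_score(ae: AuditableEntity) -> float:
    """Sum of (Risk Factor value * Risk Factor Weight) over the factors that carry
    a weight in the matching Preference; factors without a weight are not relevant."""
    weights = nearest_weights(ae.parent, ae.audit_type)
    return sum(value * weights[name]
               for name, value in ae.risk_factors.items() if name in weights)


def effective_risk_score(ae: AuditableEntity) -> float:
    """The score used for ranking: the manual override when set, else the computed score."""
    return ae.manual_override if ae.manual_override is not None else weighted_risk_score(ae)


def rank_audit_universe(entities: List[AuditableEntity]) -> List[str]:
    """Auditable Entity names, highest effective risk score first."""
    return [e.name for e in sorted(entities, key=effective_risk_score, reverse=True)]


# Constructed sample hierarchy: a top-level Internal Audit entity with one regional team.
INTERNAL_AUDIT = BusinessEntity("Internal Audit", preferences={
    "Financial":   {"Materiality": 0.5, "Complexity": 0.3, "Prior Findings": 0.2},
    "Operational": {"Materiality": 0.2, "Complexity": 0.4, "Prior Findings": 0.4},
})
EMEA_TEAM = BusinessEntity("Internal Audit EMEA", parent=INTERNAL_AUDIT, preferences={
    # EMEA overrides only the Financial weights; Operational falls back to the parent
    "Financial": {"Materiality": 0.6, "Complexity": 0.2, "Prior Findings": 0.2},
})
UNIVERSE = [
    AuditableEntity("Treasury EMEA", EMEA_TEAM, "Financial",
                    {"Materiality": 5, "Complexity": 3, "Prior Findings": 4}),
    AuditableEntity("Logistics EMEA", EMEA_TEAM, "Operational",
                    {"Materiality": 2, "Complexity": 5, "Prior Findings": 1}),
    AuditableEntity("Payroll", EMEA_TEAM, "Financial",
                    {"Materiality": 1, "Complexity": 1, "Prior Findings": 1},
                    manual_override=4.9),
]

if __name__ == "__main__":
    for ae in UNIVERSE:
        print(f"{ae.name}: computed={weighted_risk_score(ae):.2f} "
              f"effective={effective_risk_score(ae):.2f}")
    print("ranking:", rank_audit_universe(UNIVERSE))
```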


Helpers

IAM includes the following helpers by default. Refer to IBM OpenPages GRC Platform 6.1.0 IAM Module Details for more information on these helpers.

Close Audit Helper

Launched from a computed field link on the Audit object, this helper facilitates automation of the Audit Close process. It provides a summary, and optionally details, of the readiness-for-close status of the audit from which the helper was launched and of all its components. When all components are ready, it provides a Close Audit button which automates the actions taken when an audit is closed, such as setting and clearing field values, deleting object instances and locking objects. OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Add or Modify Plans Helper

Launched from a computed field link on the Audit object, this helper facilitates creating and editing Audit Plans, and finding and populating Auditors to assign to the Plans. These processes are time consuming, error prone and cumbersome to perform using the platform user interface. The helper provides a summary of the existing Plans for this Audit and the ability to modify them. It provides the ability to add a new Plan for this Audit. It also enables a search of the Auditor pool, or a selected portion of it, for Auditors who match the skills, attributes and availability requirements identified in the Plan. It provides the ability to view details of other Plans for each found Auditor, and to select and auto-populate the appropriate auditor from the search results. OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Timesheet Entry Report Helper

Launched from the reporting menu, this helper allows an Auditor to enter or review their time. It defaults to the current week. Weeks start on Mondays, which is consistent with the GANTT chart reports. This interactive report is used for reviewing your previously entered time and expenses, and also for entering your actual time and expenses. The report automatically filters itself to the current user, and to include Plans for which the user is the assigned Auditor. The user can move to a different nearby week using the Previous Week and Next Week buttons, or to a week that is not nearby by using the calendar widget to select a date in the desired week and then clicking the Go To Week button. Time and expenses can only be entered against Plans with assigned Auditors. The user can navigate to the week for which they want to enter or view time and expenses. There is no restriction on creating or editing Timesheets in advance or in arrears other than by Status: Timesheet rows with Status Submitted or Approved cannot be edited. When the user clicks Save, Timesheet objects are created and populated for any new rows, and values are saved in any existing Timesheets. T&E expenses are a single entry per row per week; they are not broken down into expense categories. T&E is always entered and displayed in Base Currency. OpenPages or the customer can configure this component to behave as appropriate for the customer methodology.
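The Save rules of the Timesheet Entry Report helper, together with the Actual Hours computed field from the Computed Fields section, as an added Python example (not OpenPages code): weeks are keyed on their Monday, rows are accepted only for Plans where the user is the assigned Auditor, one Timesheet is created per Plan per week, and rows in Submitted or Approved status are rejected rather than overwritten. The class names, the initial "Draft" status and the sample Plans are assumptions.

```python
"""Added example, not OpenPages code: models how the Timesheet Entry Report helper
applies a Save, and how the Actual Hours computed field rolls Timesheets up to an Audit."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

LOCKED_STATUSES = {"Submitted", "Approved"}   # rows in these statuses cannot be edited


@dataclass
class Plan:
    plan_id: str
    audit: str
    assigned_auditor: Optional[str]   # username of the assigned Auditor, None if unassigned


@dataclass
class Timesheet:
    plan_id: str
    auditor: str
    week_start: date                  # Monday of the week, consistent with the GANTT reports
    hours: float = 0.0
    te_base_currency: float = 0.0     # single T&E entry per row per week, in Base Currency
    status: str = "Draft"             # assumed initial status of a new row


def week_start_for(day: date) -> date:
    """Weeks start on Mondays: map any date to the Monday of its week."""
    return day - timedelta(days=day.weekday())


class TimesheetStore:
    def __init__(self, plans: List[Plan]) -> None:
        self.plans = {p.plan_id: p for p in plans}
        self.sheets: Dict[Tuple[str, date], Timesheet] = {}   # (plan_id, week_start) -> row

    def visible_plans(self, user: str) -> List[str]:
        """The report filters itself to Plans for which the user is the assigned Auditor."""
        return [pid for pid, p in self.plans.items() if p.assigned_auditor == user]

    def save_week(self, user: str, any_day: date,
                  rows: Dict[str, Tuple[float, float]]) -> Dict[str, str]:
        """Apply a Save for the week containing any_day. rows maps plan_id -> (hours, T&E).
        New rows create a Timesheet; existing editable rows are updated; locked rows and
        rows for Plans the user is not assigned to are rejected. Returns an outcome per row."""
        week = week_start_for(any_day)
        outcome: Dict[str, str] = {}
        for plan_id, (hours, te) in rows.items():
            plan = self.plans.get(plan_id)
            if plan is None or plan.assigned_auditor != user:
                outcome[plan_id] = "rejected: user is not the assigned Auditor"
                continue
            sheet = self.sheets.get((plan_id, week))
            if sheet is None:
                self.sheets[(plan_id, week)] = Timesheet(plan_id, user, week, hours, te)
                outcome[plan_id] = "created"
            elif sheet.status in LOCKED_STATUSES:
                outcome[plan_id] = f"rejected: status {sheet.status}"
            else:
                sheet.hours, sheet.te_base_currency = hours, te
                outcome[plan_id] = "updated"
        return outcome

    def submit_week(self, user: str, any_day: date) -> int:
        """Submit the user's editable rows for the week; they are then locked. Returns count."""
        week = week_start_for(any_day)
        count = 0
        for (_, wk), sheet in self.sheets.items():
            if wk == week and sheet.auditor == user and sheet.status not in LOCKED_STATUSES:
                sheet.status = "Submitted"
                count += 1
        return count

    def actual_hours(self, audit: str) -> float:
        """OPSS-Aud Actual Hours: sum of Hours on all Timesheets for all Plans of the Audit."""
        return sum(s.hours for s in self.sheets.values()
                   if self.plans[s.plan_id].audit == audit)


# Constructed sample data: two Plans on one Audit, one unassigned Plan on another.
PLANS = [Plan("PLAN-1", "AUD-2012-01", "jdoe"),
         Plan("PLAN-2", "AUD-2012-01", "asmith"),
         Plan("PLAN-3", "AUD-2012-02", None)]
SAMPLE_DAY = date(2012, 3, 14)   # a Wednesday; its week starts Monday 2012-03-12

if __name__ == "__main__":
    store = TimesheetStore(PLANS)
    print(store.save_week("jdoe", SAMPLE_DAY, {"PLAN-1": (8.0, 120.0), "PLAN-2": (4.0, 0.0)}))
    store.submit_week("jdoe", SAMPLE_DAY)
    print(store.save_week("jdoe", SAMPLE_DAY, {"PLAN-1": (9.0, 0.0)}))
    print("actual hours AUD-2012-01:", store.actual_hours("AUD-2012-01"))
```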


Administrator Timesheet Entry Report Helper

Launched from the reporting menu, this helper extends the Timesheet Entry Report helper with a scoping page that lets a user who has access to this report select a different user for whom to enter time. The Administrator version also includes Approve and Reject buttons and the associated functionality. Because access to this report is what allows a user to enter, approve or reject time on behalf of others, grant it only to the roles that need it. OpenPages or the customer can configure this component to behave as appropriate for the customer methodology.


Reports

This section describes the reports that are available for this Module. IBM OpenPages GRC Platform 6.1.0 Modules Report Details provides additional details on the reports described here. Additional reports are installed with the OpenPages Platform and available to all Modules; they are described in the IBM OpenPages GRC Platform Administrators Guide.

IAM-Specific Reports

Audit Management Reports

Each report is listed with its Name, its Drill-Through report (if any) and its Description.

Audit Universe
  Drill-Through: none
  Description: For the selected audit organization, view Auditable Entities, including information about risk ranking and previous audit results. Scoped by Business Entity; the user can choose the sort order. If the selected Business Entity is in the Internal Audit business hierarchy, the report shows the portion of the audit universe owned by that internal audit team (or teams). If the selected Business Entity is in the organizational hierarchy, the report shows all elements of the audit universe associated with that Business Entity or any descendant Business Entities. Used in the early annual planning stages to help determine which elements of the audit universe should be audited this year.

Audit Plan
  Drill-Through: Audit Plan Detail
  Description: For the selected audit organization and date range, provides a GANTT chart view of the Audit Plan. Scoped by Business Entity and Date Range; the user indicates whether to display by days, weeks, months or quarters. The selected date range allows viewing the current year plan, a 3 or 5 year plan, or zeroing in on a particular planning timeframe. After the report displays, the user can toggle between Detail View (details for each audit scheduled for each Auditable Entity) and Summary View (only a rollup of the audits for each Auditable Entity). If the Audit Scheduled Start Date and Scheduled End Date overlap a cell, the entire cell is colored. Summary cells colored red indicate more than one audit scheduled during that time for that Auditable Entity. The report is filtered to include only Audits whose Status is Planned or Scheduled.

Auditor Plan
  Drill-Through: Auditor Plan Detail
  Description: For the selected audit organization, Auditors and date range, provides a GANTT chart view of Plans. Scoped by Business Entity, Auditor and Date Range; the user indicates whether to display by days, weeks, months or quarters. The Auditors available are those associated with the selected Business Entity or its descendants. The selected date range allows viewing the current year plan or zeroing in on a particular planning timeframe. After the report displays, the user can toggle between Detail View (details for each Plan for each Auditor) and Summary View (only a rollup of the Plans for each Auditor). If an Auditor is scheduled for more than one Plan in a given column, the entire cell is colored. Summary cells colored red indicate more than one Plan assigned during that time for that Auditor. The report does not use the Percent Allocated information on the Plan to determine whether there is a conflict, so two Plans that together allocate an Auditor well under 100% still appear as a conflict.

Audit Overview
  Drill-Through: Audit Findings Detail, Audit Issues Detail, Audit Review Comments Detail
  Description: For the selected Audit, view the status of its Audit Sections and Workpapers, and view associated Findings, Issues and Audit Review Comments. Scoped by Audit. Includes Findings, Issues and Review Comments that are direct children of the Audit, Sections and Workpapers included in the report. Clicking on the number of Issues, Findings or Audit Review Comments launches a detail report with more details and links to the objects in the application.

Internal Audit Report
  Drill-Through: none
  Description: Complete report for the selected Audit, including an executive summary and the reportable Findings and Issues. Scoped by Auditable Entity and then by Audit. Includes Findings associated with the Audit, its Audit Sections and Workpapers, and Issues associated with the Audit.

Audit Deviation
  Drill-Through: none
  Description: For the selected Audit, lists its Plans and Audit Sections, including schedule and budget information, and highlights significant deviations. Cells colored yellow indicate missing key information. Cells colored red indicate an unfavorable deviation from plan of more than 20%. Scoped by Auditable Entity and then by Audit. Includes the selected Audit, and the Plans and Audit Sections associated directly with the Audit.

Auditor Deviation
  Drill-Through: none
  Description: For the selected Auditors, view their planned and actual dates, hours and expenses. Scoped by the Auditors' Business Entity, Auditor and Date Range. The Auditors available are those associated with the selected Business Entity or its descendants. The selected date range allows zeroing in on a particular timeframe. The report shows the Plans for each selected Auditor, including the Scheduled, Expected and Actual Start and End Dates, the number of planned hours for each, the number of actual timesheet hours, and the amount of planned and actual T&E recorded against each Plan during each time period. Cells shaded red indicate actual amounts that are 20% or more larger than planned amounts. Includes all Plans where the Auditor is the selected Auditor; Plans that do not have an assigned Auditor are not included. The report includes a summary row for each Auditor and for the entire report. It defaults to HTML format and is also available in Microsoft Excel format.

Timesheet Entry
  Drill-Through: none
  Description: See Helpers.

Administrator Timesheet Entry
  Drill-Through: Timesheet Entry
  Description: See Helpers.

Page 17: Internal Audit Management (IAM) Module Overviewpublic.dhe.ibm.com/.../OP_IAM_Module_Overview.pdf · libraries, or regulatory content (for example, laws, regulations, and standards)

IBM OpenPages GRC Platform 6.1.0 IAM Module Overview 17

Reports Shared with Other Modules

Risk Assessment Reports

Risk Assessment List
  Drill-Through: none
  Description: Shows Risk Assessment details for a specified Business Entity and all of its descendants.

Risk Assessment Status
  Drill-Through: Risk Assessment Status Detail
  Description: Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendants.

Risk Assessment Summary
  Drill-Through: Risk Assessment Issues and Action Items
  Description: Displays Risk Assessment details along with all associated Risks and Controls. The drill-through report displays Issues and Action Items related to the Risk Assessments, Risks or Controls.

Risk Reports

Risk Analysis
  Drill-Through: none
  Description: Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map
  Drill-Through: Risk Detail
  Description: Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity
  Drill-Through: Risk Rating by Entity Detail
  Description: Displays Residual Risk Rating summary information for the selected Business Entity and its descendants, with the ability to drill through to Risk details.

Risk Rating by Category
  Drill-Through: Risk Rating by Category Detail
  Description: Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill through to Risk details.

Top Risks
  Drill-Through: none
  Description: Summary of the top Risks ranked by Residual Risk Exposure; also shows the Inherent Risk Exposure.

Control Reports

Risk and Control Matrix
  Drill-Through: none
  Description: Shows Risk and Control data for the specified Business Entity and Process(es).

Control Effectiveness Map
  Drill-Through: Control Effectiveness Detail
  Description: Control map showing counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill through to a sub-report for detail information.

Testing Reports

Testing Dashboard
  Drill-Through: Testing Details
  Description: Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.


Triggers

This section describes the triggers that are available for this Module. IBM OpenPages GRC Platform 6.1.0 Module Trigger Details provides additional details on the triggers described here. Triggers must be disabled before loading XML instance data via Object Manager into any object type that is configured to have triggers by default, and re-enabled afterwards; while they are disabled, the computed field values described below are not calculated for the instances being loaded. Object types that are configured for IAM to have triggers by default include:

Audit
Audit Section
Workpaper
Plan
Timesheet
Finding
Audit Review Comment
Risk

Object types that are configured for other Modules to have triggers by default include:

Loss Impact
Loss Recovery
KRI Value
KPI Value
File (SOXDocument)
Policy


IAM-Specific Triggers

Audit Risk Rating Computations Trigger

The Audit Risk Rating Computations trigger calculates and persists the Audit Inherent and Residual Risk Rating field values on the Risk object. The calculations are performed on a Risk object instance whenever that instance is created or updated, as follows:

Audit Risk Rating Fields (Inherent and Residual): Impact and Likelihood values of High, Medium and Low are combined to give Rating values of High, Medium, Low or Not Determined. If either or both input values are Low, the rating is Low. If both are Medium, or one is Low and the other is High, the rating is Medium. If both are High, or one is High and the other is Medium, the rating is High. If either or both values are missing, or are another value that has been added to the configuration, the rating is Not Determined.

Audit Close Automation Trigger

The Audit Close Automation trigger assesses close readiness for each of the configured components of an audit. By default, the trigger is configured for the following object types: Audit, Audit Section, Workpaper, Finding, Audit Review Comment, Plan and Timesheet. When an instance of a configured object type is created or updated, the trigger evaluates all of the criteria configured for that object type. If all of the criteria have been met, the trigger sets the Ready To Close field value to Yes. This field value is used by the Audit Close helper to determine whether all of the audit components are ready to close. The configured ready-to-close criteria categories are: fields that are required; date fields that must be set on or before today's date; date fields that must be set on or before other date field values; and user fields that cannot be set to the same user as other user fields (a separation-of-duties check, for example between Preparer and Reviewer).
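The following is an added example, not OpenPages product code, showing the shape of the evaluation the Audit Close Automation trigger performs: on create or update, look up the criteria configured for the object's type, evaluate all four criteria categories, and persist Ready To Close. Object records are plain dicts and the configuration is a dict keyed by object type; the field names (Preparer, Reviewer, Scheduled Start Date, Actual End Date and so on), user names, dates and the fixed "today" are constructed assumptions, not OpenPages identifiers.

```python
# Added example, not OpenPages product code: a "ready to close" evaluator in the
# shape of the Audit Close Automation trigger. All field names, users and dates
# below are constructed assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Any

AS_OF = date(2012, 3, 12)  # fixed "today" so the example is deterministic


@dataclass
class CloseCriteria:
    """The four criteria categories the trigger supports, for one object type."""
    required_fields: list[str] = field(default_factory=list)
    on_or_before_today: list[str] = field(default_factory=list)          # date fields
    on_or_before: list[tuple[str, str]] = field(default_factory=list)    # (earlier, later) date pairs
    distinct_users: list[tuple[str, str]] = field(default_factory=list)  # user fields that must differ


def _missing(value: Any) -> bool:
    return value is None or (isinstance(value, str) and not value.strip())


def evaluate_ready_to_close(obj: dict[str, Any], criteria: CloseCriteria,
                            today: date = AS_OF) -> tuple[str, list[str]]:
    """Return ("Yes" or "No", reasons). "Yes" only when every configured criterion holds."""
    reasons: list[str] = []

    for name in criteria.required_fields:
        if _missing(obj.get(name)):
            reasons.append(f"{name} is required")

    for name in criteria.on_or_before_today:
        value = obj.get(name)
        if _missing(value):
            reasons.append(f"{name} is not set")
        elif value > today:
            reasons.append(f"{name} ({value}) is after today ({today})")

    for earlier, later in criteria.on_or_before:
        a, b = obj.get(earlier), obj.get(later)
        if _missing(a) or _missing(b):
            reasons.append(f"{earlier} and {later} must both be set")
        elif a > b:
            reasons.append(f"{earlier} ({a}) is after {later} ({b})")

    # Separation of duties: one user must not hold both roles. A missing user is
    # left to the required-field criterion so it is not reported twice.
    for first, second in criteria.distinct_users:
        a, b = obj.get(first), obj.get(second)
        if not _missing(a) and not _missing(b) and a == b:
            reasons.append(f"{first} and {second} are both {a}; they must be different users")

    return ("Yes" if not reasons else "No", reasons)


def on_create_or_update(obj: dict[str, Any], config: dict[str, CloseCriteria],
                        today: date = AS_OF) -> dict[str, Any]:
    """What the trigger does on save: evaluate the criteria configured for the
    object's type and persist the result in the Ready To Close field."""
    criteria = config.get(obj["Object Type"])
    if criteria is not None:  # object types without configured criteria are not evaluated
        obj["Ready To Close"], _ = evaluate_ready_to_close(obj, criteria, today)
    return obj


# Constructed configuration for one object type (assumed field names).
EXAMPLE_CONFIG: dict[str, CloseCriteria] = {
    "Workpaper": CloseCriteria(
        required_fields=["Status", "Preparer", "Reviewer", "Actual End Date"],
        on_or_before_today=["Actual End Date"],
        on_or_before=[("Scheduled Start Date", "Scheduled End Date")],
        distinct_users=[("Preparer", "Reviewer")],
    ),
}


def sample_workpaper() -> dict[str, Any]:
    """Constructed record: complete, but prepared and reviewed by the same user."""
    return {
        "Object Type": "Workpaper",
        "Status": "Reviewed",
        "Preparer": "alice",
        "Reviewer": "alice",
        "Scheduled Start Date": date(2012, 2, 1),
        "Scheduled End Date": date(2012, 2, 29),
        "Actual End Date": date(2012, 3, 5),
    }


if __name__ == "__main__":
    wp = sample_workpaper()
    print(evaluate_ready_to_close(wp, EXAMPLE_CONFIG["Workpaper"]))  # ('No', [...Preparer and Reviewer...])
    wp["Reviewer"] = "bob"
    print(on_create_or_update(wp, EXAMPLE_CONFIG)["Ready To Close"])  # Yes
```

The evaluator returns the list of failed criteria as well as the Yes/No value; the trigger only persists the value, but surfacing the reasons is what makes the helper's "not ready" result actionable, and the distinct-user check is the one criterion that guards against a single person both preparing and reviewing the same component.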

Triggers Shared with Other Modules

Risk Rating Computations Trigger

The Risk Rating Computations trigger calculates and persists the Inherent and Residual Risk Rating, and the Inherent and Residual Risk Exposure, field values on the Risk object. The calculations are performed on a Risk object instance whenever that instance is created or updated, as follows:

Risk Rating Fields (Inherent and Residual): Impact and Likelihood values of High, Medium and Low are combined to give Rating values of High, Medium, Low or Not Determined. If either or both input values are Low, the rating is Low. If both are Medium, or one is Low and the other is High, the rating is Medium. If both are High, or one is High and the other is Medium, the rating is High. If either or both values are missing, or are another value that has been added to the configuration, the rating is Not Determined.

Risk Exposure Fields (Inherent and Residual): Frequency and Severity values are multiplied together to give an Exposure currency amount, expressed in Base Currency.


Profiles

OpenPages IAM 6.1 Master Profile

This profile includes the fields and configuration for all of IAM. It includes Filters, the Classic Home Page tab and Home Page tabs, Dependent Fields, Dependent Picklists, Computed Fields, and Activity, Detail, Context, Folder, Overview, Filtered List and List Views. Subsets of this profile that are appropriate for a Lead Auditor, Audit Director, etc. are created during the implementation project.

Home Page Filtered Lists

The following filtered lists are defined for the Classic Home Page for users of the OpenPages IAM 6.1 Master profile. Each is listed with its Object Type.

My Open Issues (Issue)
  Home Page access to your open Issues.

My Audits In Progress (Audit)
  Home Page access to the Audits you own which you are likely to be working on now.

My Open Audit Review Comments (Audit Review Comment)
  Home Page access to Audit Review Comments requiring action, where you are the Owner.

My Findings for Review (Finding)
  Home Page access to Open Findings where you are the Reviewer.

My Open Findings (Finding)
  Home Page access to Open Findings where you are the Preparer.

My Workpapers In Progress (Workpaper)
  Home Page access to Workpapers requiring action, where you are the Preparer.

Workpapers Ready for My Review (Workpaper)
  Home Page access to Workpapers requiring action, where you are the Reviewer.


Activity Views

The OpenPages IAM 6.1 Master profile includes the following Activity Views by default. Each is listed with its Starting Object Type.

Audit Planning (Business Entity)
  Allows entry of Schedule Dates, Estimated Hours and T&E for each audit in the Universe. Filtered to 2008-and-later Audits whose Status is anything except Completed.

Scope Matrix (Audit)
  Identify the activities within the Auditable Entity and decide whether each one is in or out of scope for this audit. Refer to the risks for each activity to assist in making the scope decision.

Scope Matrix View (Audit)
  NEW: the Scope Matrix Activity View with all fields configured as read only.

Audits and Sections (Auditable Entity)
  View the sections for an audit and update Scheduled Start and End Dates.

All Review Comments (Auditable Entity)
  View Review Comments associated with the selected Audit and its Audit Sections, Workpapers and Findings.

Audit Overview (Audit)
  Select each Audit Section to view all of its Workpapers and Findings, and then update key information.

Section Edit Checklist (Audit)
  Provides a consolidated view of the work program and facilitates rapid Audit Section update for an audit.

Workpaper Edit Checklist (Audit)
  Provides a consolidated view of the Workpapers and facilitates rapid Workpaper update for an audit.

Section Checklist (Auditable Entity)
  Provides an at-a-glance read-only view of the Sections in the work program.

Workpaper Checklist (Auditable Entity)
  Provides an at-a-glance read-only view of the Workpapers in the work program.

Control Testing Summary (Control)
  Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.

Questionnaire Set Up (Questionnaire)
  Used to create and modify questionnaires using the Questionnaire, Section, Question object model.

Questionnaire (Questionnaire)
  Used to respond to questionnaires using the Questionnaire, Section, Question object model.

Process RCSA View (Process)
  Facilitates conducting Process-based Risk and Control Self Assessments.

RCSA View (Risk Assessment)
  Facilitates conducting Risk Assessment-based Risk and Control Self Assessments.


Role Templates

The following two role templates for IAM are available by default.

OpenPages IAM 6.1 - All Permissions
  Full R/W/D/A access to all default IAM objects. Full admin rights.

OpenPages IAM 6.1 - All Data - No Admin
  Full R/W/D/A access to all default IAM objects. No admin rights except those associated with workflows, files and folders.

Both templates grant read, write, delete and associate access to every object type listed below; neither distinguishes, for example, a Preparer from a Reviewer, so treat them as starting points for the narrower roles that day-to-day users should actually receive rather than as roles to assign directly. The object types covered are:

Object Type Name                     Object Type Label
SOXBusEntity                         Business Entity
SOXIssue                             Issue
SOXTask                              Action Item
SOXDocument, SOXExternalDocument     File, Link
SOXSignature                         Signature
AuditableEntity                      Auditable Entity
Auditor                              Auditor
AuditPhase                           Audit Section
AuditProgram                         Audit
Finding                              Finding
Plan                                 Plan
Preference                           Preference
PrefGrp                              Preference Group
ReviewComment                        Audit Review Comment
RiskAssessment                       Risk Assessment
SOXControl                           Control
SOXProcess                           Process
SOXRisk                              Risk
SOXSubprocess                        Sub-Process
SOXTest                              Test Plan
SOXTestResult                        Test Result
Timesheet                            Timesheet
Workpaper                            Workpaper


Documentation Updates You can download the latest revision to the IBM® OpenPages® GRC Platform 6.1.0 documentation set from the IBM information server at: http://www.ibm.com/support/docview.wss?uid=swg27023798

Notices This information was developed for products and services offered in the U.S.A. IBM® may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation Location Code FT0 550 King Street Littleton, MA 01460-1250 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT

Licensed Materials – Property of IBM Corporation. Copyright IBM Corporation, 2003, 2012. This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks

IBM, the IBM logo, OpenPages, AIX, Cognos, ReportNet and WebSphere are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other product and service names might be trademarks of IBM, OpenPages, Inc., or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/ copytrade.shtml.