Kontrolldefinitionen/en: Unterschied zwischen den Versionen

A control definition determines, at what intervals a control is to be executed. Implementers, examiners, and the approval behavior for the control are also determined. Control definitions can have the state "active", "suspended", or "deactivated". Only an active control definition triggers controls at the set intervals, provided it has been configured as a recurring control.

Controls traverse various phases when they are triggered, from the implementation of the control itself, through the exam of the control, to the finished or failed control.

Experts and professionals can see all control definitions created in the current management system under "Controls → Control definitions".

When creating a control definition, make sure that the correct management system has been selected, as control definitions are only created for the current management system.

To create a new control definition, click the "Plus" button.

To edit an existing control definition, double-click the desired control definition.

To copy an already existing control definition, click on the "copy" button next to the "plus". This will copy the control definition 1:1, but no control executions and links will be copied!

OrgUnit: Here, you enter the organizational unit in which the control is to be performed.

Code: This is the code under which the control definition and control can be found. (e.g. OrgUnit + sequence number Per_K_001).

State:

• Active: Control to be performed as soon as it is triggered.
• Suspended: The control is not to be performed for a specific reason, but it can be reactivated.
• Deactivated: The control definition is generally no longer active. This status is for control definitions that are not to be deleted for archiving purposes, because controls have already been performed.

Description: Here, you should briefly describe what topic the control definition deals with.

Control measure: In the control measure, describe the control and explain what to look for when performing it. This is a html field. The formatting is also applied in reports.

Note: Here, you enter additional information to be considered when performing the control.

Norm mapping: Here, you can map the control definition to a standard. Prefilling:

• When creating a control definition from a template, the template's mapping is adopted.
• When creating a control definition in the course of a review, the mapping of the review question/result is adopted, if set.
• When creating a control definition within a risk (tab Measures & controls), the mapping of the risk is adopted, if set.
• Note: Mappings from the review question/result or the risk are overwritten if a template is used for creation.

Control types:

• Organizational: organizational procedures are checked.
• Technical: technical processes are checked.
• Preventive: the control is used to prevent a risk/damage (e.g. checking a fire extinguisher).
• Corrective: The control is used to check a known problem and assess whether said problem has been reduced.
• Detective: The control is used to uncover a problem, which can then be reduced or solved.

Technical and organizational, as well as preventive, corrective, and detective are mutually exclusive, so only one of the respective options can be chosen at any time.

Priority:

• There is no official definition of a key control. However, a distinction can save time in documenting and testing controls that are not key.
  The following characteristics can help guide decisions:
  
  • It is required to provide reasonable assurance that material misstatements are prevented or detected on a timely basis.
  • It is the only control that covers the risk of material misstatement.
  • If it fails, it is highly unlikely that another control could detect the absence of the control.
  • It is a control that covers more than one risk or supports an entire process execution.
  .

Note: If no threshold has been defined for a key control, any failure of the control escalates to the management system owner!

Threshold:

• Alarmed if the threshold was exceeded:
  
  • Management System Responsible(s)
  • as well as persons and team leaders entered in the input field "Functional escalation to"
  Depending on the selected period is the review period of quick value violations:
  • Year: Since the beginning of the year,
  • Quarter: Since the last start of the quarter,
  • Month: Since the beginning of the month,
  • Week: Since the beginning of the week,
  • Day: Since the beginning of the day,
  • Hour: Since the beginning of the hour.
  Note: If an already violated threshold is violated again within the period, each new violation will escalate.

Implementer: Here, you enter the persons who are responsible for the implementation of the control.

Approval behavior:

• Here, you define when it is decided whether a control counts as performed when multiple examiners exist.

• All must accept
• First response applies
• Majority must accept
• All must agree in order of precedence

Examiner: Here, you enter the persons who check the implementation of the control.

Next control: Here you set the date of when the next control has to be carried out. Furthermore, you can decide whether the control is recurring and, if so, at what interval the control should be performed. You can choose a simple repetition for the interval, e.g., every 6 months, or a weekday-bound repetition, e.g., the last Friday of every quarter.

Deadline: If the control is to have a deadline, you must specify it and define which people will be informed when the deadline is exceeded.

E-mail notifications once pending: If this is enabled, as soon as a control is performed, the implementer is notified. This may be undesirable if a control is to be performed daily, for example.

Reminders: Here, you can configure multiple e-mail reminders for the implementer.

Attachments: Here, you can upload files or attach links that are visible to the implementer with each control. For example, this can be an control performance template that the implementer can download and fill out for each control and then return as evidence. Please note that the implementer cannot change the files uploaded here.

By clicking the button "Make a copy of this control definition" the control definition can be copied. The copy contains all the data of the original, i.e. description, implementers, mappings, attachments, etc. The only thing that will not be copied from the original are the controls already performed.

Professionals and Experts of the Doc-management have the option of creating review and approval workflows in addition to regular control definitions.

More on the approval of documents an links can be found here.

Switch to the "Executed controls" tab to get an overview of the controls already performed.

If you then click on a control, a dialog opens in which you can see the details of the control execution.

A control can be in various states:

• Pending: The performance of the control by the implementer has been triggered but not yet completed.
• Suspended: The control does not currently need to be performed.
• Needs approval: The control has been forwarded to the examiner(s) by the implementer.
• Finished: The control was accepted during approval.
• Failed: The control was not accepted during approval or the deadline was exceeded.
• Irrelevant: Controls must not be deleted. If they are to not be considered in KPIs or reports, they can instead be marked as irrelevant.

The status of a control can be changed manually on this page by experts and professionals. This can be usefor, for example, if a deadline was exceeded and the implementer or examiner is to be given more time. This is achieved by setting the status from "Failed" back to "Pending" or "Needs approval". Every manual change of the status is also shown in the change log.

Caution By changing the state to "Pending" or "Needs approval", the control is sent out to the implementer or the examiner(s) for a new execution/assessment.

If a control definition is assigned to a risk or a processing activity, for example, this link is displayed in this tab.

Important: This tab is only visible if the control definition is associated with entities.

Clicking on the blue link opens the respective entity.

Note: If the entity is not displayed in blue, you lack the authorization to view it or it is in another management system.

When creating a weekday-bound control frequency, make sure to select the correct day for the first control yourself. When setting the date, the monthly view makes it easy to identify the first/second/third/last weekday.

Example: If a control is to happen every Thursday, the set interval would be "every first Thursday every 1 week(s)". As weekdays can't occur more than once with a weekly frequency, the field "first/second/third/last" is automatically disabled.