Control definitions

Experts and professionals can see all controls created in the active management system under "Controls → Control definitions".

When creating a control, make sure that the correct management system has been selected, as controls are only created for the active management system.

To create a new control, click the "Plus" button.

To edit an existing control, double-click the desired control.

OrgEh:

• Here you enter the organizational unit in which the control is to be performed.

Abbreviation:

• This is the abbreviation under which the control can be found. (e.g. Orgeh + sequence number Per_K_001).

Status:

• Active: Control to be performed as soon as it occurs.
• Suspended: The control is not to be performed for a specific reason, but it can be reactivated.
• Disabled: The control is no longer active under normal circumstances. This status stands for controls that can no longer be deleted for archiving purposes because controls have already been performed.

Description:

• Here you should briefly describe what topic the control deals with.

Control measure:

• In the control measure, describe the control and explain what to look for when performing it.

Note:

• Here you enter additional information to be considered when performing the control.

Norm mapping:

• Here you can map the control to a standard. But normally this field is filled because the control is selected from a knowledge base template (Blue button next to the "shortcut" field).

Control types:

• Organizational: organizational procedures are checked.
• Technical: Technical processes are checked.
• Preventive: the control is used to prevent a risk/damage (e.g. checking a fire extinguisher).
• Corrective: The control is used to check a known problem and assess whether said problem has been reduced.

Priority:

• There is no official definition of a key control. However, a distinction can save time in documenting and testing controls that are not key.
  The following characteristics can help guide decisions:
  
  • It is required to provide reasonable assurance that material misstatements are prevented or detected on a timely basis.
  • It is the only control that covers the risk of material misstatement.
  • If it fails, it is highly unlikely that another control could detect the absence of the control.
  • It is a control that covers more than one risk or supports an entire process execution.
  
  .

Note: If no threshold has been defined for a key control, any failure of the control escalates to the management system owner!

Threshold:

• Alarmed if the threshold was exceeded:
  
  • Management System Responsible(s)
  • as well as persons and team leaders entered in the input field "Functional escalation to"
  
  Depending on the selected period is the review period of quick value violations:
  • Year: Since the beginning of the year,
  • Quarter: Since the last start of the quarter,
  • Month: Since the beginning of the month,
  • Week: Since the beginning of the week,
  • Day: Since the beginning of the day,
  • Hour: Since the beginning of the hour.
  
  Note: If an already violated threshold is violated again within the period, each new violation will escalate.

Implements:

• Here you enter the persons who are responsible for the implementation of the control.

Control behavior:

• Here you define when it is decided whether a check counts as performed when multiple checkers exist.

• All must accept
• First feedback decides
• The majority decides
• All must accept in turn

Inspector:

• Here you enter the persons who check the implementation of the control.

First time:

• Here you set the date of the first control. Furthermore, you can decide whether the control is Recurring and if so, at what interval the control should be performed.

Deadline:

• If the control is to have a deadline, you must specify it and define which people will be informed when the deadline is exceeded.

Email notifications once pending:

• If this is enabled, as soon as a control is performed, the implementer is notified. This may be undesirable if a control is to be performed daily, for example.

Reminders:

• Here you can configure multiple email reminders for the converter.

Attachments:

• Here you can upload files that are visible to the implementer at each control. For example, this can be an audit trail template that the implementer can download and fill out at each inspection and then return as evidence. Please note that the implementer cannot change the files uploaded here.

Switch to the "Checks performed" tab to get an overview of the checks already performed.

If you then click on a control, a dialog opens in which you can see the details of the control execution.

Caution By changing the status, the control is sent out to the person responsible for execution or to the inspector for a new execution/assessment.

If a control is assigned to a risk or a processing activity, for example, this link is displayed in this tab.

Important: This tab is only visible if the control is associated with entities.

Clicking on the blue link opens the respective entity.

Note: If the entity is not displayed in blue, then you lack the authorization to view it or it is in another management system.