
IBM OpenPages GRC Platform Version 7.0.0

Internal Audit Management Module Overview

Note: Before using this information and the product it supports, read the information in “Notices” at the end of this document.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Introduction
  Module Description
  Object Type Licensing

Chapter 2. Object Types
  Object Types Enabled by Default
  Object Types Disabled by Default
  Subcomponents

Chapter 3. Computed Fields

Chapter 4. Helpers
  Close Audit Helper
  Add or Modify Plans Helper
  Timesheet Entry Report Helper
  Administrator Timesheet Entry Report Helper

Chapter 5. Reports
  IAM-Specific Reports
  Reports Shared with Other Modules
  Notifications

Chapter 6. Notifications
  Issue and Action Bulletin notification

Chapter 7. Triggers
  IAM-Specific Triggers
  Triggers Shared with Other Modules
    Issue Management and Remediation trigger
    Risk and Control Self-assessments triggers
    Visualization triggers

Chapter 8. Profiles
  OpenPages IAM 7.0.0 Master Profile
  Home Page Filtered Lists
  Activity Views
  Grid Views

Chapter 9. Role Templates

Notices

Index


Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 7.0.0

Document Published: December, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).

Chapter 1. Introduction

Use this guide with the IBM OpenPages Internal Audit Management module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp). Release Notes are published directly to the Information Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products.

IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

Module Description

IBM OpenPages Internal Audit Management (IAM) provides internal auditors with a uniquely configured view into organizational governance, risk, and compliance (GRC), affording audit the chance to supplement and coexist with broader risk and compliance management activities.

As with all modules, IBM OpenPages Internal Audit Management is completely integrated with financial controls management, IT governance, policy and compliance efforts and operational risk management programs. The internal audit team has the capability to work as a fully integrated partner to business stakeholders, completely independently, or anywhere in between, as determined by the specific needs of the audit department or a particular audit being undertaken.

Key features include:

• The capability to risk rank the audit universe, configured according to your audit methodology
  – Powerful support for your risk assessment methodology
  – Full reporting across the entire audit universe
• The ability to define, plan, execute and report on audits across your business
  – Track and manage audits, audit sections, workpapers, and audit resource requirements and allocations
  – Automate operations through fully configurable reporting and workflow
• The ability to provide independent assurance to the business or work as an integrated part of GRC efforts
  – Opine on management’s GRC efforts independently
  – Control access to confidential audits, fields, and audit-only views

Object Type Licensing

For the IBM OpenPages Internal Audit Management module, you are licensed to use the object types listed in Chapter 2, “Object Types.” Use of any other object types is prohibited without prior written approval from IBM.

Chapter 2. Object Types

The IBM OpenPages Internal Audit Management module includes object types thatare enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages Internal Audit Management configuration and are enabled by default.

Table 1. Object types enabled by default (object type label: description)

Business Entity: Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure.

Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When setting up your business entity hierarchy, you should work with your OpenPages consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

In IBM OpenPages Internal Audit Management, Business Entities are also used to model the Internal Audit organizational structure, which facilitates reporting and security for the Internal Audit team. The Internal Audit organizational structure is typically a top level entity to minimize the chance of accidentally granting a business user access to Internal Audit information. The elements of the Audit Universe which are "owned" by a given Internal Audit team are typically associated to that team’s Business Entity.

Another top level Business Entity structure can be created to organize confidential Audits, providing the ability to give special security to these Audits. Business Entity can also be used to organize a Library of template audit content.

Process: Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth.

Processes are also used in scoping audits. Audit can associate to Processes created by the Business, can make their own copy, can create their own Processes from scratch or any mixture of these.

Sub-Process: A Sub-Process is a component of a Process. It is used to decompose Processes into smaller granularity units for assessment purposes.

This object is not expected to be used in audit scoping, but may be used in documenting Process details.

Risk: Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each Risk has one or more Controls associated with it that provide safeguards against the Risk and help mitigate any consequences that may result from the Risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

A Risk instance shared between Internal Audit and the Business can be rated separately by Audit and by the Business.

Control: Controls are typically policies and procedures (procedures are actions that implement the policies), to help ensure that risk mitigation responses are carried out.

Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks.

Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.

In IBM OpenPages Internal Audit Management, Controls can be used to create a detailed model of the Controls that exist or that should exist on the activities being Audited. If shared with the Business, the Controls can be rated separately by Internal Audit and by the Business.

Test Plan, Test Result: You can determine the operating effectiveness of a Control by conducting one or more detailed tests of a Control and then documenting the results. Test Plans are mechanisms that determine whether or not a Control is effective. A Test Result is the information obtained from running a Test Plan.

IBM OpenPages Internal Audit Management is configured by default to use the Workpaper object in place of the Test Plan and Test Result objects. Audit needs access to these objects since they are often used by the Business to document their testing,

Risk Assessment: Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object - which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment - to manage your risk self-assessment process.

Preference Group, Preference: The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities.

The group object helps to minimize the associated maintenance. The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values which enable different behavior for the same workflows). For example, to determine the behavior for review and approval workflows (e.g. who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required).

In the default IBM OpenPages Internal Audit Management configuration, these objects are used to hold weights for Risk Factors used in Annual Assessment Risk Ranking. Since the weights and factors can be different for each type of audit (financial, operational, strategic, etc.) there is a separate Preference instance for each audit type. As a child of Business Entity, this provides the ability to have entity-specific variable values.

Auditable Entity: Auditable Entity is a child of Business Entity. Typically, an Internal Audit Business Entity Hierarchy would be established under which all of the Auditable Entities would live. Auditable Entities which are aligned with one or more elements of the Business Entity Organizational Hierarchy are typically also associated to those Business Entities.

An Auditable Entity represents a single element of the Audit Universe – the collection of things in the Business that might be audited. Typically, the majority of Auditable Entities represent one or more business or legal entities, but they can also represent one or more processes, long-running projects or initiatives, compliance programs, shared IT Services, and so on.

Auditable Entities are risk ranked every year to determine the priority of performing an audit that year. A Weighted Risk Score is calculated and an ability to manually override the score is provided.

Audit: An Audit represents each execution of an "audit" against an Auditable Entity. For example, if an Auditable Entity will be audited every two years, there would be separate child Audit instances for 2006, 2008, 2010, etc.

The Audit object is configured to be a self-contained object type, meaning that a folder will be automatically created for each instance of it. This facilitates the ability to copy template audits and audit components from a library to the audit hierarchy without object naming conflicts.

Planning and Scheduling of the Audit Resources is typically done at the Audit level.

High level Audit progress can be tracked by monitoring the Status values and Date values on the Audit. Key audit milestones can be tracked by adding fields on the Audit that represent completion dates for each of the key milestones they wish to track.

You use the Audit object to manage the audit process across your enterprise. The Audit object identifies a holding point where you can capture information such as scope, objectives, timing information, review, execution and approval roles. If wanted, you could track only those audits you will be undertaking in a given planning horizon, or all audits in the audit universe.

Audit Section: Audit Sections can be used to represent the phases of the audit, work programs within the audit, or other components of the audit at the desired level of granularity.

Typically organizations have a number of standard components for each audit. Template audits that include Sections for each of these standard components can be created in a Library. Planned and Actual Start and End Dates for these sections can be used to report progress on key milestones in the audits.

Detailed Audit progress can be tracked by including an Audit Section that represents each milestone. Alternatively, some organizations may choose to add fields on the Audit that represent completion dates for each of the key milestones they wish to track.

Although Audit Sections can be used as the basis for planning and scheduling Audit resources, most organizations will find this to be too detailed.

Workpaper: A workpaper is any artifact or deliverable you want to track in the scope of an audit. It can represent an engagement letter, a testing matrix, interview notes or anything else appropriate to the audit in question. The workpaper itself can be attributes stored on the Workpaper object, or it can be a Word, Excel or other type of file attached to a Workpaper object. When Workpaper is used for test evidence, it documents both the test planning and the test results.

Typically, you create a Workpaper object from the detail page of an Audit Section. Workpaper objects can also be copied from a library, where they represent templates of different types of workpapers generated by an internal audit department.

Finding: Findings can be used to represent observations which are reportable to the business, to the Audit Committee, or both. Alternatively, Findings can be used to represent individual factual observations, while Issues are used to represent consolidated themes/systemic problems, which are then reported to the business, to the Audit Committee, or both.

A Finding represents anything uncovered in the course of an audit that needs to be accounted for and addressed by management. You can use a finding to track management’s progress in addressing the underlying issue identified. The Issue object can be used in place of, or in conjunction with, the Finding object.

Plan, Timesheet: A Plan object type facilitates audit resource scheduling and allocation at any level. For example, you can create a single Plan object for an entire audit, or you can create one Plan object per task for each auditor involved with the audit. Plan objects are used to determine the availability, skills, and experience required of the desired resource. OpenPages Audit Activity Views, reports, etc. are aligned with Planning at the Audit level. Plans can instead be associated to Audit Sections, in which case these components would need to be modified.

Plan objects also drive time tracking – all time is tracked against Plans. A Timesheet object type is used to record weekly actual hours and expenses expended against a Plan object for an Audit. Because Timesheet objects are associated with Plans, it is easy to track deviations between planned and actual time and expenses. The Timesheet Entry interactive report should always be used to enter or modify time and expense data. For this reason, there is no Timesheet top menu item in the default IBM OpenPages Internal Audit Management configuration.

You typically create or modify a Plan object using the Add or Modify Plans helper, accessed from a link on the Audit detail page.

Auditor: Resource planning and allocating requires key information about each individual who may perform audit work. The Auditor object is used to create a pool of Auditors who can be assigned to Audits.

Each user who may be assigned to audit work is represented as an Auditor instance. Auditors are then available for resource allocation. The Auditor object includes attributes for which you evaluate and select Auditors for audit engagements, such as specialties, languages, and certifications. Typically, Auditor objects are associated with the relevant component of the Internal Audit organizational hierarchy. It is a best practice that the Name field on the Auditor object matches the user's username.

Audit Review Comment: The Audit Review Comment object type is used to provide feedback during the review process for an audit and its components. It is associated as a child to the instance of the Audit, Section, Workpaper or Finding for which feedback is being provided.

Signature: A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer's name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:

• Manually from the detail page of an object.
• Automatically through a workflow task.
• Some combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item: Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type.

An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

In IBM OpenPages Internal Audit Management, Issues and Action Items may be used instead of, or in conjunction with, Findings.

File: The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link: The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Process Diagram: A Process Diagram is a child object of the Process and can have many diagrams per process. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Data Input, Data Output: The Data Input Object and Data Output Object are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow to depict an Input into the Business Flow or an Output from various activities within a process, such as running a report or updating a CRM system or getting an external data source feed.

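The Signature behaviour described in Table 1 above (a signature by itself has no enforcement power; a configured signature lock freezes the object and every child object until the signer revokes or an administrator unlocks) is modelled in the following added example. It is not code from this document or from the OpenPages product: the object names, the `SignatureService` class, the administrator set and the rule that the lock is released when the last signature on the object is revoked are assumptions made for illustration.

```python
# Added example (not from the IBM OpenPages documentation): a stand-alone
# model of the Signature row in Table 1, showing that a signature by itself
# does not stop edits, while a configured signature lock cascades to every
# child object until the signer revokes or an administrator unlocks.  Object
# names, the administrator set, the method names and the "last signature
# revoked releases the lock" rule are constructed assumptions.
from dataclasses import dataclass, field
from typing import Iterator


class LockedError(Exception):
    """Raised on an attempt to modify a locked object."""


@dataclass
class GrcObject:
    """Any object in the hierarchy (Audit, Audit Section, Workpaper, ...)."""
    name: str
    fields: dict = field(default_factory=dict)
    children: list = field(default_factory=list)
    signatures: set = field(default_factory=set)   # user names that have signed
    locked: bool = False

    def descendants(self) -> Iterator["GrcObject"]:
        for child in self.children:
            yield child
            yield from child.descendants()

    def update(self, name: str, value) -> None:
        """Edit a field. A signature alone is not checked here; only a lock blocks the edit."""
        if self.locked:
            raise LockedError(f"{self.name} is locked by signature")
        self.fields[name] = value


@dataclass
class SignatureService:
    signature_locks: bool = False            # the system configuration setting
    administrators: set = field(default_factory=set)

    def sign(self, obj: GrcObject, user: str) -> None:
        obj.signatures.add(user)
        if self.signature_locks:             # lock the object and all of its children
            self._set_locked(obj, True)

    def revoke(self, obj: GrcObject, user: str) -> None:
        """Only a user who actually signed can revoke. Assumption: the lock is
        released once the last signature on the object is gone."""
        if user not in obj.signatures:
            raise PermissionError(f"{user} has not signed {obj.name}")
        obj.signatures.discard(user)
        if self.signature_locks and not obj.signatures:
            self._set_locked(obj, False)

    def admin_unlock(self, obj: GrcObject, user: str) -> None:
        if user not in self.administrators:
            raise PermissionError(f"{user} is not an administrator")
        self._set_locked(obj, False)

    @staticmethod
    def _set_locked(obj: GrcObject, state: bool) -> None:
        obj.locked = state
        for child in obj.descendants():
            child.locked = state


def build_audit_tree() -> tuple:
    """Constructed sample: an Audit with one Section holding one Workpaper."""
    workpaper = GrcObject("Engagement Letter", {"Status": "Draft"})
    section = GrcObject("Planning", children=[workpaper])
    audit = GrcObject("Treasury Audit 2013", {"Status": "Fieldwork"}, children=[section])
    return audit, section, workpaper


def edit_allowed(obj: GrcObject, name: str, value) -> bool:
    """True if the edit went through, False if a lock rejected it."""
    try:
        obj.update(name, value)
        return True
    except LockedError:
        return False


if __name__ == "__main__":
    audit, _, workpaper = build_audit_tree()
    no_locks = SignatureService(signature_locks=False)
    no_locks.sign(audit, "audit.lead")
    print("signed, locks off, edit allowed:", edit_allowed(workpaper, "Status", "Final"))

    audit, _, workpaper = build_audit_tree()
    locks = SignatureService(signature_locks=True, administrators={"opadmin"})
    locks.sign(audit, "audit.lead")
    print("signed, locks on, edit allowed:", edit_allowed(workpaper, "Status", "Final"))
    locks.admin_unlock(audit, "opadmin")
    print("after admin unlock, edit allowed:", edit_allowed(workpaper, "Status", "Final"))
```

The first run is the check a practitioner should make in a real deployment: with signature locks not configured, a signed-off workpaper is still editable, so the integrity of audit evidence rests on the lock setting and on who holds the administrator unlock right, not on the signature itself.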

Object Types Disabled by Default

The following object types are available in the default IBM OpenPages Internal Audit Management configuration and are disabled by default.

Table 2. Object types disabled by default (object type label: description)

Questionnaire, Section, Question: Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Control Objective: A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives.

Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.

The default behavior is for Control Objective to be disabled. This object is not expected to be used in a typical IBM OpenPages Internal Audit Management deployment, except to align with other modules which may use it.

Milestone, Milestone Action Item: A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Risk Eval: Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles and so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval: Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval: Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval: Process Evaluation objects are children of Process objects and they are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Internal Audit Management module.

Table 3. Subcomponents shared with other modules

Subcomponent Object Types

Organization Business Entity

Preference Preference Group, Preference

Risk Assessment Risk Assessment, Risk Assessment Eval

Process Process, Process Eval, Sub-Process, Control Objective

Risk Risk, Risk Eval

Control Control, Control Eval

Test Test Plan, Test Result

Issue Issue, Action Item

Questionnaire Questionnaire, Section, Question

Milestone Milestone, Milestone Action Item

Visualization Process Diagram, Data Input, Data Output

Table 4. IAM-specific subcomponents

Subcomponent Object Types

Annual Plan Auditable Entity, Audit

Engagement Plan Plan, Timesheet, Auditor

Findings Finding

Field Work Audit Section, Workpaper, Audit Review Comment

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:

• Signature
• File
• Link

Chapter 3. Computed Fields

By default, the IBM OpenPages Internal Audit Management module includes computed fields, such as Weighted Risk Score and Plans.

Table 5. Computed fields

Each entry gives the Object Type Label, the Field Group Name and the Field Name Label, followed by the description of the computation.

Auditable Entity | OPSS-AudEnt | Weighted Risk Score
  Calculates the sum of the products of each relevant Risk Factor value and its associated Risk Factor Weight. Risk Factor values are entered on the Auditable Entity. Risk Factor Weights are taken from the "nearest" Audit Risk Factor Preference object that matches the Audit Type specified on the Auditable Entity.

Audit | OPSS-Aud | Close Audit
  Creates a link to launch the Close Audit helper.

Audit | OPSS-Aud | Plans
  Creates a link to launch the Audit Plans helper.

Audit | OPSS-Aud | Actual T&E
  Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.

Audit | OPSS-Aud | Actual Hours
  Calculates the sum of the Hours entries on all of the Timesheets for all of the Plans for this Audit.

Plan | OPSS-Plan | Actual Hours
  Calculates the sum of the Hours entries on all of the Timesheets for this Plan.

Plan | OPSS-Plan | Actual T&E
  Calculates the sum of the T&E entries on all of the Timesheets for this Plan.
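The following is an added example, not code from the IBM OpenPages product, showing how the Weighted Risk Score computation described in Table 5 can be reproduced outside the platform: walk the Auditable Entity's parent chain to the nearest Audit Risk Factor Preference that matches its Audit Type, then sum value x weight. The dict layout, the field names (audit_type, risk_factors, preferences, weights, parent) and the sample hierarchy are constructed assumptions; the platform's actual object model is not shown on this page.

```python
"""Added example, not IBM OpenPages code: reproduces the Weighted Risk Score
computed field from Table 5 outside the platform.

Assumptions that are not on the page: objects are plain dicts; an Auditable
Entity carries 'audit_type', 'risk_factors' (factor name -> entered value) and
'parent'; any entity in the hierarchy may carry 'preferences', a list of Audit
Risk Factor Preference dicts with 'audit_type' and 'weights' (factor name ->
weight); "nearest" means the first matching Preference found walking up the
parent chain, starting at the Auditable Entity itself.
"""
from __future__ import annotations

from typing import Optional


class MissingPreference(Exception):
    """No Audit Risk Factor Preference matches the entity's Audit Type."""


def nearest_preference(entity: dict, audit_type: str) -> dict:
    """Walk from the entity up through its parents and return the first
    Audit Risk Factor Preference whose audit_type matches."""
    node: Optional[dict] = entity
    while node is not None:
        for pref in node.get("preferences", []):
            if pref["audit_type"] == audit_type:
                return pref
        node = node.get("parent")
    raise MissingPreference(
        f"no Audit Risk Factor Preference for audit type {audit_type!r} "
        f"above {entity['name']!r}"
    )


def weighted_risk_score(entity: dict) -> float:
    """Sum of (Risk Factor value * Risk Factor Weight) over the factors that the
    nearest matching Preference weights. A factor entered on the entity but not
    weighted in the Preference contributes nothing; a weighted factor with no
    entered value counts as 0 (assumed behaviour, not stated on the page)."""
    pref = nearest_preference(entity, entity["audit_type"])
    factors = entity.get("risk_factors", {})
    return sum(
        float(factors.get(name, 0)) * float(weight)
        for name, weight in pref["weights"].items()
    )


def has_preference(entity: dict) -> bool:
    """True when a matching Preference exists somewhere up the hierarchy."""
    try:
        nearest_preference(entity, entity["audit_type"])
    except MissingPreference:
        return False
    return True


# Constructed sample hierarchy: Group -> EMEA -> three Auditable Entities.
GROUP = {
    "name": "Group",
    "parent": None,
    "preferences": [
        {"audit_type": "Financial",
         "weights": {"Complexity": 3, "Change": 2, "Prior Findings": 5}},
    ],
}
EMEA = {
    "name": "EMEA",
    "parent": GROUP,
    "preferences": [
        {"audit_type": "IT",
         "weights": {"Complexity": 4, "Data Sensitivity": 6}},
    ],
}
PAYMENTS_PLATFORM = {          # IT audit: the EMEA Preference is nearest
    "name": "Payments Platform",
    "parent": EMEA,
    "audit_type": "IT",
    "risk_factors": {"Complexity": 4, "Data Sensitivity": 5, "Prior Findings": 2},
}
TREASURY = {                   # Financial audit: EMEA has none, so Group's is used
    "name": "Treasury",
    "parent": EMEA,
    "audit_type": "Financial",
    "risk_factors": {"Complexity": 2, "Change": 3, "Prior Findings": 1},
}
WAREHOUSE = {                  # Operational audit: no Preference anywhere above
    "name": "Warehouse",
    "parent": EMEA,
    "audit_type": "Operational",
    "risk_factors": {"Complexity": 1},
}

if __name__ == "__main__":
    for e in (PAYMENTS_PLATFORM, TREASURY):
        print(e["name"], weighted_risk_score(e))
    print(WAREHOUSE["name"], "has preference:", has_preference(WAREHOUSE))
```

Two behaviours are worth checking when reviewing why two entities rank differently: a factor entered on the entity that the Preference does not weight drops out of the score silently (Prior Findings on the Payments Platform above), and an entity whose Audit Type has no Preference anywhere above it cannot be scored at all.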


Chapter 4. Helpers

IBM OpenPages Internal Audit Management includes the following helpers by default: Close Audit, Add or Modify Plans, Timesheet Entry, and Administrator Timesheet Entry.

Refer to IBM OpenPages GRC Platform IAM Module Details for more information on these helpers.

Close Audit Helper

Launched from a computed field link on the Audit object, the Close Audit helper facilitates automation of the Audit Close process.

It provides a summary, and optionally details, of the readiness-for-close status of the audit from which it was launched and of all of that audit's components. When all components are ready, it provides a Close Audit button that automates the actions taken when an audit is closed, such as setting and clearing field values, deleting object instances and locking objects.

IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Add or Modify Plans Helper

Launched from a computed field link on the Audit object, the Add or Modify Plans helper facilitates creating and editing Audit Plans, and finding and populating Auditors to assign to the Plans.

These processes are time-consuming, error-prone and cumbersome to perform using the platform user interface.

The helper provides a summary of the existing Plans for this Audit and the ability to modify them. It provides the ability to add a new Plan for this Audit. It also enables a search of the Auditor pool, or a selected portion of it, for Auditors who match the skills, attributes and availability requirements identified in the Plan. It provides the ability to view details of other Plans for each found Auditor, and to select and auto-populate the appropriate Auditor from the search results.

IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology via registry and application text settings.

Timesheet Entry Report Helper

Launched from the reporting menu, the Timesheet Entry Report helper allows an Auditor to enter or review their time.

It defaults to the current week. Weeks start on Mondays, which is consistent with the GANTT chart reports. This interactive report is used for reviewing your previously entered time and expenses, and also for entering your actual time and expenses. The report automatically filters itself to the current user, and to the Plans for which the user is the assigned Auditor.

Users can move to a nearby week using the Previous Week and Next Week buttons. Users can move to a week that is not nearby by using a calendar widget to select a date in the desired week and then clicking the Go To Week button.

Time and expenses can only be entered against Plans with assigned Auditors. The user can navigate to the week for which they want to enter or view time and expenses. There is no restriction on creating or editing Timesheets in advance or in arrears other than by Status: Timesheet rows with Status Submitted or Approved cannot be edited.

When the user clicks Save, Timesheet objects are created and populated for any new rows, and values are saved in any existing Timesheets. T&E expenses are a single entry per row per week; they are not broken down into expense categories. T&E is always entered and displayed in Base Currency.

IBM OpenPages or the customer can configure this component to behave as appropriate for the customer methodology.

Administrator Timesheet Entry Report Helper

Launched from the reporting menu, the Administrator Timesheet Entry Report helper is an extension of the Timesheet Entry Report helper. It includes a scoping page that allows a user with access to this report to select a different user for whom to enter time.

The Administrator version of the helper includes Approve and Reject buttons andassociated functionality.

IBM OpenPages or the customer can configure this component to behave asappropriate for the customer methodology.


Chapter 5. Reports

The IBM OpenPages Internal Audit Management module includes a set of default reports.

IBM OpenPages GRC Platform Modules Report Details provides additional details on the reports described here. For a description of additional reports installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

IAM-Specific Reports

Descriptions are provided for reports that are available only from the IBM OpenPages Internal Audit Management module.

Table 6. Audit Management reports

Each entry gives the report Name, its Drill-Through report (if any), the short Description, and the Details of the report's scope and behaviour.

Audit Universe
  Drill-Through: none
  Description: For the selected audit organization, view Auditable Entities, including information about risk ranking and previous audit results.
  Details: List of Auditable Entities, including information about risk ranking and previous audit results. Scoped by Business Entity; the user can choose the sort order. If the selected Business Entity is in the Internal Audit business hierarchy, the report shows the portion of the audit universe owned by that internal audit team (or teams). If the selected Business Entity is in the organizational hierarchy, the report shows all elements of the audit universe that are associated with that Business Entity or any descendant Business Entities. Used in the early annual planning stages to help determine which elements of the audit universe should be audited this year.

Audit Plan
  Drill-Through: Audit Plan Detail
  Description: For the selected audit organization and date range, provides a GANTT chart view of the Audit Plan.
  Details: A GANTT chart view of the Audit Plan for the selected date range. Scope by Business Entity and Date Range, and indicate whether to display by days, weeks, months or quarters. The selected date range makes it possible to view the current year plan, a 3 or 5 year plan, or to zero in on a particular planning timeframe. After the report displays, you can toggle between Detail View (shows details for each audit scheduled for each Auditable Entity) and Summary View (shows only a rollup of the audits for each Auditable Entity). If the Audit Scheduled Start Date and Scheduled End Date overlap with a cell, that entire cell is colored. Summary cells colored red indicate more than one audit scheduled during that time for that Auditable Entity. The report is filtered to include only Audits whose Status is Planned or Scheduled.

Auditor Plan
  Drill-Through: Auditor Plan Detail
  Description: For the selected audit organization, Auditors and date range, provides a GANTT chart view of Plans.
  Details: A GANTT chart view of the Plans for the selected Auditor(s) for the selected date range. Scope by Business Entity, Auditor and Date Range, and indicate whether to display by days, weeks, months or quarters. The Auditors available are those who are associated with the selected Business Entity or its descendants. The selected date range makes it possible to view the current year plan or to zero in on a particular planning timeframe. After the report displays, you can toggle between Detail View (shows details for each Plan for each Auditor) and Summary View (shows only a rollup of the Plans for each Auditor). If an Auditor is scheduled for more than one Plan in a given column, that entire cell is colored. Summary cells colored red indicate more than one Plan assigned during that time for that Auditor. The report does not use the Percent Allocated information on the Plan to determine whether there is a conflict, so overlapping Plans are flagged regardless of their allocation percentages.

Audit Overview
  Drill-Through: Audit Findings Detail; Audit Issues Detail; Audit Review Comments Detail
  Description: For the selected Audit, view the status of its Audit Sections and Workpapers, and view associated Findings, Issues and Audit Review Comments.
  Details: For the selected Audit, view the status of its components, and view associated Findings, Issues and Review Comments. Scoped by Audit. Includes Findings, Issues and Review Comments that are direct children of the Audit, Sections and Workpapers included in the report. Clicking on the number of Issues, Findings or Audit Review Comments launches a detail report that includes more details and provides links to the objects in the application.

Internal Audit Report
  Drill-Through: none
  Description: Complete report for the selected Audit, including an executive summary and associated Findings and Issues.
  Details: Complete report for the selected Audit, including an executive summary and reportable Findings and Issues. Scoped by Auditable Entity and then by Audit. Includes Findings associated with the Audit, Audit Sections and Workpapers, and Issues associated with the Audit.

Audit Deviation
  Drill-Through: none
  Description: For the selected Audit, view its Plans and Audit Sections, including schedule and budget information, with highlights for significant deviations.
  Details: This report lists the Plans and Sections for the selected Audit. It includes schedule and budget information and highlights significant deviations. Cells colored yellow indicate missing key information. Cells colored red indicate an unfavorable deviation from plan of more than 20%. Scoped by Auditable Entity and then by Audit. Includes the selected Audit, and the Plans and Audit Sections associated directly with the Audit.

Auditor Deviation
  Drill-Through: none
  Description: For the selected Auditors, view their planned and actual dates, hours and expenses.
  Details: Scope by the Auditors' Business Entity, Auditor and Date Range. The Auditors available are those who are associated with the selected Business Entity or its descendants. The selected date range makes it possible to zero in on a particular timeframe. The report shows the Plans for each selected Auditor, including the Scheduled, Expected and Actual Start and End Dates, the number of planned hours for each, the number of actual timesheet hours, and the amount of planned and actual T&E recorded against each Plan during each time period. Cells shaded red indicate actual amounts that are 20% or more larger than planned amounts. Includes all Plans where the Auditor is the selected Auditor; Plans that do not have an assigned Auditor are not included in this report. The report includes a summary row for each Auditor and for the entire report. It defaults to HTML format and is also available in Microsoft Excel format.

Timesheet Entry
  Drill-Through: none
  Description: See "Timesheet Entry Report Helper" in Chapter 4.

Administrator Timesheet Entry
  Drill-Through: Timesheet Entry
  Description: See "Administrator Timesheet Entry Report Helper" in Chapter 4.

Reports Shared with Other Modules

The IBM OpenPages Internal Audit Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Table 7. Risk Assessment reports

Risk Assessment List
  Drill-Through: none
  Description: Shows Risk Assessment details for a specified Business Entity and all of its descendants.

Risk Assessment Status
  Drill-Through: Risk Assessment Status Detail
  Description: Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendants.

Risk Assessment Summary
  Drill-Through: Risk Assessment Issues and Action Items
  Description: Displays Risk Assessment details along with all associated Risks and Controls. A drill-through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Risk Assessment Issues and Action Items
  Drill-Through: none
  Description: Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and Controls. Parent Object shows only the Risk Assessment, Risk, and Control parents. The report prompts for two values: Business Entity and Risk Assessment. Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, with the selected Business Entity.

Table 8. Risk reports

Risk Analysis
  Drill-Through: none
  Description: Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map
  Drill-Through: Risk Detail
  Description: Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity
  Drill-Through: Risk Rating by Entity Detail
  Description: Displays Residual Risk Rating summary information for the selected Business Entity and its descendants, with the ability to drill through to Risk details.

Risk Rating by Category
  Drill-Through: Risk Rating by Category Detail
  Description: Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill through to Risk details.

Top Risks
  Drill-Through: none
  Description: Summary of the top Risks ranked by Residual Risk Exposure; also shows the Inherent Risk Exposure.

Table 9. Control reports

Risk and Control Matrix
  Drill-Through: none
  Description: Shows Risk and Control data for the specified Business Entity and Process(es).

Control Effectiveness Map
  Drill-Through: Control Effectiveness Detail
  Description: The control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill through to a sub-report for detail information.

Table 10. Testing reports

Testing Dashboard
  Drill-Through: Testing Details
  Description: Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.


Table 11. Visualization reports

Process Analysis
  Description: Displays Risks and Controls in the context of a process diagram. Provides an aggregated view of Risks and Controls with risk rating and control effectiveness at the Process and Business Entity level.


Chapter 6. Notifications

Notifications are email notifications sent to owners of a process as a reminder toact. These notifications can occur at different stages of a process or as a final stepin a trigger.

All notifications that are sent from IBM OpenPages IAM use the sender address identified below. Configure the email address and server settings:
- /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to send notifications
- /OpenPages/Solutions/ORM/Email/From Name - the sender name that is used by notifications
- /OpenPages/Common/Email/Mail Server - the email server that is used to send notifications

Notifications are part of the Issue Management and Remediation process.

Issue and Action Bulletin notification

During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue Issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

When the Issue is defined, its status is Open and the user must enter a value in the Current Due Date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification.

The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:
- Description
- Assignee
- Start Date
- Due Date
- Actual Closure Date
- Status (read only)
- A comment field to record the latest updates

The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When all Actions are completed, the Issue Owner must review the Issue and update its status to Closed. If any child Action is Open or Awaiting Approval, the Issue Owner cannot close the Issue.

Users receive email notifications through the consolidated Issue and Action bulletins. A bulletin consolidates the following information in one email (the number of days is configurable):
- Issues assigned to the recipient in the past number of days
- Actions assigned to the recipient in the past number of days
- Issues due for closure in the next number of days
- Actions due for closure in the next number of days
- Overdue Issues
- Overdue Actions
- Actions awaiting closure approval


Chapter 7. Triggers

The IBM OpenPages modules contain several available triggers.

IBM OpenPages GRC Platform Module Trigger Details provides additional details on the triggers described here.

Triggers must be disabled before loading XML instance data via Object Manager into any object types that are configured to have triggers by default, and re-enabled when the load is complete; none of the validations described in this chapter run while a trigger is disabled.

Object types that are configured for IBM OpenPages Internal Audit Management to have triggers by default include:
- Audit
- Audit Section
- Workpaper
- Plan
- Timesheet
- Finding
- Audit Review Comment
- Action Item
- Issue
- Data Input
- Data Output
- Risk

Object types that are configured for other modules to have triggers by default include:
- Loss Impact
- Loss Recovery
- Loss Event
- KRI Value
- KPI Value
- File (SOXDocument)
- Policy

IAM-Specific Triggers

Descriptions of triggers that are specific to the Internal Audit Management module are included in this section.

Audit Risk Rating Computations Trigger

The RCSA Quantitative trigger and the RCSA Qualitative trigger apply to the Audit Risk Rating Computations trigger. For more information, see "RCSA Quantitative trigger" and "RCSA Qualitative trigger" later in this chapter.


Audit Close Automation Triggers

The Audit Close Automation trigger assesses close readiness for each of the configured components of an audit. By default, the trigger is configured for the following object types: Audit, Audit Section, Workpaper, Finding, Audit Review Comment, Plan, and Timesheet.

When an instance of a configured object type is created or updated, the trigger evaluates all of the criteria that are configured for that object type. If all of the criteria have been met, the trigger sets the Ready To Close field value to Yes. The Audit Close helper uses this field value to determine whether all of the audit components are ready to close.

The configured ready-to-close criteria fall into these categories: fields that are required; date fields that must be set to a date on or before today's date; date fields that must be set to a date on or before another date field's value; and user fields that cannot be set to the same user as another user field.
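As an added example (not IBM OpenPages code), the following Python evaluates the four categories of criteria just described against a constructed Workpaper and sets Ready To Close the way the trigger is described as doing. The rule tuple format, the field names, the sample objects and the fixed "today" are assumptions; the platform configures its criteria through its own settings, which this page does not show.

```python
"""Added example, not IBM OpenPages code: an evaluator for the four categories
of ready-to-close criteria that the Audit Close Automation trigger is described
as supporting, run over a constructed Workpaper.

Assumptions that are not on the page: the rule tuple format, the field names
on the sample Workpaper, that a blank date fails a date rule, and that the
trigger sets Ready To Close to "No" (rather than leaving it) when a rule fails.
"""
from __future__ import annotations

from datetime import date
from typing import Any, Sequence

# Rule shapes:
#   ("required", field)
#   ("not_future", date_field)                 on or before today
#   ("on_or_before", date_field, other_date)   e.g. prepared before reviewed
#   ("distinct_users", user_field, other_user) e.g. preparer != reviewer
Rule = tuple

# Constructed criteria for a Workpaper. The last rule is the segregation-of-duties
# check: the person who prepared the workpaper must not also be its reviewer.
WORKPAPER_RULES: Sequence[Rule] = (
    ("required", "Preparer"),
    ("required", "Reviewer"),
    ("required", "Conclusion"),
    ("not_future", "Review Date"),
    ("on_or_before", "Preparation Date", "Review Date"),
    ("distinct_users", "Preparer", "Reviewer"),
)


def _blank(value: Any) -> bool:
    return value is None or (isinstance(value, str) and not value.strip())


def evaluate(obj: dict, rules: Sequence[Rule], today: date) -> list[str]:
    """Return one message per failed rule; an empty list means ready to close."""
    failures: list[str] = []
    for rule in rules:
        kind, field = rule[0], rule[1]
        value = obj.get(field)
        if kind == "required":
            if _blank(value):
                failures.append(f"{field} is required")
        elif kind == "not_future":
            if _blank(value) or value > today:
                failures.append(f"{field} must be on or before today")
        elif kind == "on_or_before":
            other_field = rule[2]
            other = obj.get(other_field)
            if _blank(value) or _blank(other) or value > other:
                failures.append(f"{field} must be on or before {other_field}")
        elif kind == "distinct_users":
            other_field = rule[2]
            other = obj.get(other_field)
            # A blank on either side also fails: the rule cannot be satisfied
            # by simply leaving the Reviewer empty.
            if _blank(value) or _blank(other) or value == other:
                failures.append(f"{field} must not be the same user as {other_field}")
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
    return failures


def on_save(obj: dict, rules: Sequence[Rule], today: date) -> dict:
    """What the trigger does on create/update: set Ready To Close from the rules."""
    obj["Ready To Close"] = "Yes" if not evaluate(obj, rules, today) else "No"
    return obj


TODAY = date(2013, 6, 3)  # constructed "today" so the example is deterministic

READY_WORKPAPER = {
    "Preparer": "asmith",
    "Reviewer": "bjones",
    "Conclusion": "No exceptions noted",
    "Preparation Date": date(2013, 5, 28),
    "Review Date": date(2013, 6, 1),
}
# Same preparer and reviewer, and a review date in the future: two failures.
NOT_READY_WORKPAPER = dict(READY_WORKPAPER, Reviewer="asmith",
                           **{"Review Date": date(2013, 6, 10)})

if __name__ == "__main__":
    for wp in (READY_WORKPAPER, NOT_READY_WORKPAPER):
        print(on_save(dict(wp), WORKPAPER_RULES, TODAY)["Ready To Close"],
              evaluate(wp, WORKPAPER_RULES, TODAY))
```

The distinct_users rule carries the most security weight: it is the trigger-level enforcement of preparer/reviewer separation, and because the Close Audit helper only looks at the resulting Ready To Close flag, a workpaper reviewed by its own preparer blocks the close of the whole audit rather than slipping through.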

Triggers Shared with Other Modules

Several triggers are shared with other IBM OpenPages GRC Platform modules.

Issue Management and Remediation trigger

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit identified Issues.

Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an Issue can have only one of two states: Open or Closed.

To resolve the identified Issue, the Issue Owner establishes and records the appropriate Actions. When an Action is complete, the Assignee sets its Submit for Closure field to Yes. When this field is saved, a trigger is started and completes the following actions:
- Copies the value in the Issue Owner field from the parent Issue to the Action
- Sets the Action's Status field to Awaiting Approval

The Issue Owner reviews the Action and can specify either Accept Closure or Reject Closure. If the Action is saved with Reject Closure, its status reverts to Open and the Action returns to the Action Assignee.

Several triggers are used to automate the Issue management process.

Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due Date the first time an Issue is saved, and checks for any open Actions when the Issue is saved with a status of Closed.

When an Issue object is created or updated, the trigger completes the following actions:
- If the status of the Issue is set to Closed, the trigger checks all direct child Actions and determines whether they are all closed. If any Action has a status of Open or Awaiting Approval, the trigger generates an error message. If all Actions are closed, the trigger saves the changes.
  Note: As an administrator, you can configure the error message under the Administrator > Settings menu.
- If the Original Due Date field on the Issue is blank, the trigger populates the Original Due Date with the Current Due Date value.
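The following added example (not IBM OpenPages code) models the Action submit/approve cycle of the Issue Management and Remediation trigger together with the Issue Lifecycle checks just described, so the two can be exercised end to end on constructed data. Objects are dicts; the status strings, the Accept Closure behaviour (Status Closed, Actual Closure Date stamped) and the check that only the Issue Owner copied onto the Action may decide are assumptions about enforcement that the page does not spell out.

```python
"""Added example, not IBM OpenPages code: the Issue and Action state changes
that the Issue Management and Remediation trigger and the Issue Lifecycle
trigger are described as enforcing, modelled as plain Python functions.

Assumptions that are not on the page: objects are dicts; status strings are
"Open", "Awaiting Approval" and "Closed"; Accept Closure sets the Action to
Closed and stamps Actual Closure Date; only the Issue Owner copied onto the
Action may accept or reject; the sample dates are constructed.
"""
from __future__ import annotations

from datetime import date

BLOCKING = ("Open", "Awaiting Approval")
ISSUE_DUE = date(2013, 9, 30)   # constructed Current Due Date
REVIEW_DAY = date(2013, 6, 3)   # constructed day on which the owner decides


class TriggerError(Exception):
    """The trigger rejects the save; the page says the message is configurable."""


def can_close(issue: dict) -> bool:
    """True when no direct child Action is Open or Awaiting Approval."""
    return not any(a["Status"] in BLOCKING for a in issue["Actions"])


def save_issue(issue: dict) -> dict:
    """Issue Lifecycle trigger: copy Current Due Date to Original Due Date on the
    first save, and refuse Status Closed while any child Action is still open."""
    if issue.get("Original Due Date") is None:
        if issue.get("Current Due Date") is None:
            raise TriggerError("Current Due Date is required")
        issue["Original Due Date"] = issue["Current Due Date"]
    if issue["Status"] == "Closed" and not can_close(issue):
        open_items = [a["Description"] for a in issue["Actions"] if a["Status"] in BLOCKING]
        raise TriggerError("Issue cannot be closed; open Actions: " + ", ".join(open_items))
    return issue


def submit_action_for_closure(issue: dict, action: dict) -> dict:
    """IMR trigger, fired when the Assignee saves Submit for Closure = Yes."""
    action["Submit for Closure"] = "Yes"
    action["Issue Owner"] = issue["Issue Owner"]   # copied from the parent Issue
    action["Status"] = "Awaiting Approval"
    return action


def review_action(action: dict, decision: str, reviewer: str, today: date) -> dict:
    """Issue Owner's Accept Closure / Reject Closure on an Action."""
    if action["Status"] != "Awaiting Approval":
        raise TriggerError("Action is not awaiting approval")
    if reviewer != action["Issue Owner"]:
        raise TriggerError("only the Issue Owner may accept or reject closure")
    if decision == "Reject Closure":
        action["Status"] = "Open"                  # back to the Assignee
        action["Submit for Closure"] = "No"
    elif decision == "Accept Closure":
        action["Status"] = "Closed"
        action["Actual Closure Date"] = today
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return action


def close_rejected(issue: dict) -> bool:
    """True when saving the Issue with Status Closed is refused by the trigger."""
    trial = dict(issue, Status="Closed")
    try:
        save_issue(trial)
    except TriggerError:
        return True
    return False


def run_scenario() -> tuple[dict, bool]:
    """Constructed walk-through: create an Issue, add an Action, reject once,
    resubmit, accept, then close the Issue. Returns the final Issue and whether
    it was closable while the Action was still Awaiting Approval."""
    issue = {"Status": "Open", "Issue Owner": "owner1",
             "Current Due Date": ISSUE_DUE, "Original Due Date": None, "Actions": []}
    save_issue(issue)                            # first save fills Original Due Date
    action = {"Description": "Rotate shared service account", "Assignee": "eng1",
              "Status": "Open", "Submit for Closure": "No"}
    issue["Actions"].append(action)
    submit_action_for_closure(issue, action)
    closable_while_awaiting = can_close(issue)   # False: Action is Awaiting Approval
    review_action(action, "Reject Closure", "owner1", REVIEW_DAY)
    submit_action_for_closure(issue, action)
    review_action(action, "Accept Closure", "owner1", REVIEW_DAY)
    issue["Status"] = "Closed"
    save_issue(issue)
    return issue, closable_while_awaiting


BLOCKED_ISSUE = {"Status": "Open", "Issue Owner": "owner2",
                 "Current Due Date": ISSUE_DUE, "Original Due Date": ISSUE_DUE,
                 "Actions": [{"Description": "Patch jump host", "Assignee": "eng2",
                              "Status": "Open", "Submit for Closure": "No"}]}

if __name__ == "__main__":
    final_issue, early = run_scenario()
    print(final_issue["Status"], final_issue["Original Due Date"], early)
    print("blocked issue close rejected:", close_rejected(BLOCKED_ISSUE))
```

The Original Due Date is written once and never touched again, which is what makes it a useful audit field: later edits to Current Due Date remain visible as slippage against the first commitment rather than overwriting it.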

Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify the risk profile of the business. Each Risk is assessed on either a Qualitative or a Quantitative basis.

When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure.

When a Risk is saved, the Quantitative risk rating trigger completes the following actions:
1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record

RCSA Quantitative trigger

The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk Rating and establishes impact, likelihood, and exposure for Risks that are entered by using the Quantitative method. The trigger runs only if the values of the Impact or Likelihood fields of the Risk were modified.

Important: You must determine whether you want to assess risks by using a quantitative or a qualitative approach. If you chose qualitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
- Obtains the parent Preference object. The trigger attempts to find the Preference object associated with the business entity. It traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters, as described in the Severity table.
- Determines the Impact field of the Risk object. The Impact is calculated by identifying the threshold range in which the Severity value falls. If any Severity threshold is null, the previous value is treated as the maximum Severity.

Table 12. Impact value based on severity value

Severity value | Impact value
>= 0 and <= Severity 1 | 1
> Severity 1 and <= Severity 2 | 2
> Severity 2 and <= Severity 3 | 3
> Severity 3 and <= Severity 4 | 4
> Severity 4 and <= Severity 5 | 5
> Severity 5 and <= Severity 6 | 6
> Severity 6 and <= Severity 7 | 7
> Severity 7 and <= Severity 8 | 8
> Severity 8 and <= Severity 9 | 9
> Severity 9 | 10

- Determines the Likelihood field of the Risk (SOXRisk) object. The Likelihood is calculated by identifying the threshold range in which the Frequency value falls. If any Frequency threshold is null, the previous value is treated as the maximum Frequency.

Table 13. Likelihood value based on frequency value

Frequency value | Likelihood value
>= 0 and <= Frequency 1 | 1
> Frequency 1 and <= Frequency 2 | 2
> Frequency 2 and <= Frequency 3 | 3
> Frequency 3 and <= Frequency 4 | 4
> Frequency 4 and <= Frequency 5 | 5
> Frequency 5 and <= Frequency 6 | 6
> Frequency 6 and <= Frequency 7 | 7
> Frequency 7 and <= Frequency 8 | 8
> Frequency 8 and <= Frequency 9 | 9
> Frequency 9 | 10

- Calculates the Exposure as Severity multiplied by Frequency.
- Computes the Risk Rating, where the Impact value is X and the Likelihood value is Y. XMAX is the maximum value for impact and YMAX is the maximum value for likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. They are defined during installation; do not change them, because the RCSA Qualitative and Quantitative triggers might then not compute the Risk Rating correctly. The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

  The rating value is between 0 and 1 and is expressed as a percentage.

Table 14. Risk ratings based on rating values

Rating value | Risk rating
0 - 25 % | LOW (green)
26 - 50 % | MEDIUM (yellow)
51 - 75 % | HIGH (orange)
76 - 100 % | VERY HIGH (red)

RCSA Qualitative trigger

The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk Rating and establishes severity, frequency, and exposure for Risks that are entered by using the Qualitative method.

Important: You must determine whether you want to assess risks by using a quantitative or a qualitative approach. If you chose quantitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
- Evaluates the Preference record for the entity, or for its parent entity if no Preference record exists. The trigger attempts to find the Preference object associated with the business entity. It traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters, as described in the Severity table.
- Evaluates the Severity field of the Risk object. The Severity is determined by the Impact Value mappings that are specified in the Preference object.

Table 15. Severity based on impact values

Impact value | Severity
1 | Severity 1
2 | Severity 2
3 | Severity 3
4 | Severity 4
5 | Severity 5
6 | Severity 6
7 | Severity 7
8 | Severity 8
9 | Severity 9
10 | Severity 10

- Based on the Likelihood, evaluates the Frequency field of the Risk object. The Frequency is determined by the Likelihood Value mappings that are specified in the Preference object.

Table 16. Frequency based on Likelihood values

Likelihood value | Frequency
1 | Frequency 1
2 | Frequency 2
3 | Frequency 3
4 | Frequency 4
5 | Frequency 5
6 | Frequency 6
7 | Frequency 7
8 | Frequency 8
9 | Frequency 9
10 | Frequency 10

- Calculates the Exposure as Severity multiplied by Frequency.
- Computes the Risk Rating, where the Impact value is X and the Likelihood value is Y. XMAX is the maximum value for impact and YMAX is the maximum value for likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. They are defined during installation; do not change them, because the RCSA Qualitative and Quantitative triggers might then not compute the Risk Rating correctly. The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

  The rating value is between 0 and 1 and is expressed as a percentage.

Table 17. Risk ratings based on rating values

Rating value   Risk rating
0-25 %         LOW (green)
26-50 %        MEDIUM (yellow)
51-75 %        HIGH (orange)
76-100 %       VERY HIGH (red)
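The following worked example is added here and is not IBM code: it carries the trigger's steps (Severity and Frequency lookup from the Preference mappings, Exposure, the Risk Rating formula, and the Table 17 bands) through in Python. It assumes XMAX = YMAX = 10, that the Preference mappings are the identity mappings of Tables 15 and 16 (modelled as plain dicts), and that the rating is rounded half up to a whole percent before the bands are applied, because the page does not state how a value such as 50.5 % is classified. The rate_risk function, the RiskRating class and the BANDS table are names introduced for this example.

```python
"""Added worked example (not IBM OpenPages code): the Severity, Frequency,
Exposure and Risk Rating computation that the RCSA Qualitative trigger
performs, as described in the text, with the band mapping from Table 17."""

from dataclasses import dataclass
from fractions import Fraction
from typing import Dict

# Assumption: XMAX and YMAX are both 10, matching the 1-10 impact and
# likelihood scales of Tables 15 and 16. In a real installation they come from
# the /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and .../YMAX settings.
XMAX = 10
YMAX = 10

# The default Preference mappings are identities (Tables 15 and 16):
# Impact value n -> Severity n, Likelihood value n -> Frequency n.
# Assumption: a Preference object is modelled here as two plain dicts.
DEFAULT_SEVERITY: Dict[int, int] = {n: n for n in range(1, XMAX + 1)}
DEFAULT_FREQUENCY: Dict[int, int] = {n: n for n in range(1, YMAX + 1)}

# Table 17 bands, applied to the rating as a whole-number percentage.
# Assumption: the page does not say how a value between 25 % and 26 % (etc.)
# is treated, so the rating is rounded half up to a whole percent first.
BANDS = ((25, "LOW"), (50, "MEDIUM"), (75, "HIGH"), (100, "VERY HIGH"))


@dataclass(frozen=True)
class RiskRating:
    severity: int
    frequency: int
    exposure: int        # Severity x Frequency
    rating: Fraction     # exact value in the range 0 - 1
    rating_pct: int      # rating rounded half up to a whole percent
    band: str


def rate_risk(impact: int, likelihood: int,
              severity_map: Dict[int, int] = DEFAULT_SEVERITY,
              frequency_map: Dict[int, int] = DEFAULT_FREQUENCY,
              xmax: int = XMAX, ymax: int = YMAX) -> RiskRating:
    """Apply the trigger's steps to one Risk's Impact (X) and Likelihood (Y)."""
    # Guard for the failure mode the text warns about: an X or Y above
    # XMAX/YMAX (for example after the settings were edited) can push the
    # rating above 1, outside every band in Table 17.
    if not 1 <= impact <= xmax or not 1 <= likelihood <= ymax:
        raise ValueError(
            f"impact={impact}, likelihood={likelihood} outside 1..{xmax} / 1..{ymax}")
    severity = severity_map[impact]
    frequency = frequency_map[likelihood]
    exposure = severity * frequency
    numerator = impact * impact + likelihood * likelihood
    denominator = xmax * xmax + ymax * ymax
    rating = Fraction(numerator, denominator)
    # Integer arithmetic avoids float error exactly at the 25/50/75 % boundaries.
    rating_pct = (100 * numerator + denominator // 2) // denominator
    band = next(name for upper, name in BANDS if rating_pct <= upper)
    return RiskRating(severity, frequency, exposure, rating, rating_pct, band)


if __name__ == "__main__":
    for x, y in ((1, 1), (5, 5), (6, 6), (9, 8), (10, 1), (10, 10)):
        r = rate_risk(x, y)
        print(f"X={x:2} Y={y:2}  exposure={r.exposure:3}  "
              f"rating={r.rating_pct:3}%  {r.band}")
```

Running the module prints ratings for a few Impact/Likelihood pairs. For X=9, Y=8 the rating is 145/200, which rounds to 73 % and lands in HIGH; for X=10, Y=1 the exact value is 50.5 %, which under the round-half-up assumption lands in HIGH rather than MEDIUM, and that boundary is the one a tester of this trigger should probe against the live configuration. An Impact or Likelihood outside 1..XMAX / 1..YMAX is rejected rather than silently producing a rating above 100 %.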

Risk Approval Submission trigger

The Risk Approval Submission trigger updates the Status field on Risks and Controls so that the Process Owner can process the Approval.

When a Risk object is created or updated and its Submit for Approval field is set to Yes, the trigger completes the following actions:
• Obtains all associated child Control objects and applies validation rules. All child Control objects are assessed and their Status field is set to Awaiting Assessment.
• Updates the Status field on the Risk object and all associated Control objects from Awaiting Assessment to Awaiting Approval.
• Obtains the parent Process object, retrieves all of its Risk objects, and checks whether all Risks for the Process are Awaiting Approval.
• Continues based on the result of that check:
  – If the result is Yes, the trigger ends.
  – If the result is No, the trigger sets the Status of the parent Process object to Awaiting Approval and sends an email notification to the Process Owner.

RCSA Risk and Control Approval trigger

The RCSA Risk and Control Approval trigger allows the Process Owner to approve or reject an assessment of a risk and its controls.

When the Approve/Reject field of a Risk object is set to Approve or Reject, the trigger completes the following actions:
• If the Approve/Reject field is set to Reject, the trigger updates the Status field value of the Risk and its associated Controls to Awaiting Assessment and sends an email notification to the Risk Owner.
• If the Approve/Reject field is set to Approve, the trigger continues with the following processes:
  – Updates the Status field value of the Risk and its associated Controls to Approved.
  – Updates the Process status to Approved, sets the Approval Date, and sends an email notification to the RCSA coordinator.
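The following model is added here and is not IBM code: it represents the Status transitions of the Risk Approval Submission trigger and the RCSA Risk and Control Approval trigger as plain Python objects, so that the approval workflow can be exercised and checked outside the platform. The Control, Risk and Process classes, the two trigger functions, pending_risks and the notification strings are all constructed for this example. It assumes that the parent Process is moved to Awaiting Approval once every Risk under it is Awaiting Approval (the page's wording of that check is ambiguous), and it follows the page in marking the Process Approved when a Risk is approved.

```python
"""Added example (not IBM OpenPages code): a model of the Status transitions
made by the Risk Approval Submission trigger and the RCSA Risk and Control
Approval trigger, as described in the text."""

from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

AWAITING_ASSESSMENT = "Awaiting Assessment"
AWAITING_APPROVAL = "Awaiting Approval"
APPROVED = "Approved"


@dataclass
class Control:
    name: str
    status: str = AWAITING_ASSESSMENT


@dataclass
class Risk:
    name: str
    owner: str                        # Risk Owner, notified on Reject
    controls: List[Control] = field(default_factory=list)
    status: str = AWAITING_ASSESSMENT
    submit_for_approval: str = "No"   # field the submission trigger fires on
    approve_reject: str = ""          # "Approve" or "Reject"


@dataclass
class Process:
    name: str
    owner: str                        # Process Owner, notified on submission
    rcsa_coordinator: str             # notified on Approve
    risks: List[Risk] = field(default_factory=list)
    status: str = AWAITING_ASSESSMENT
    approval_date: Optional[date] = None


def risk_approval_submission(process: Process, risk: Risk) -> List[str]:
    """Risk Approval Submission trigger; returns the notifications it sends."""
    if risk.submit_for_approval != "Yes":
        return []
    # Child Controls are assessed (the page's validation rules are not
    # specified, so none are modelled) and reset to Awaiting Assessment ...
    for control in risk.controls:
        control.status = AWAITING_ASSESSMENT
    # ... then the Risk and its Controls move on to Awaiting Approval.
    risk.status = AWAITING_APPROVAL
    for control in risk.controls:
        control.status = AWAITING_APPROVAL
    # Roll-up to the parent Process. Assumption: the Process becomes Awaiting
    # Approval once every Risk under it is; the page's wording is ambiguous.
    if all(r.status == AWAITING_APPROVAL for r in process.risks):
        process.status = AWAITING_APPROVAL
        return [f"to {process.owner}: Process {process.name} awaits your approval"]
    return []


def rcsa_risk_and_control_approval(process: Process, risk: Risk,
                                   today: Optional[date] = None) -> List[str]:
    """RCSA Risk and Control Approval trigger; returns the notifications it sends."""
    if risk.approve_reject == "Reject":
        risk.status = AWAITING_ASSESSMENT
        for control in risk.controls:
            control.status = AWAITING_ASSESSMENT
        return [f"to {risk.owner}: Risk {risk.name} was rejected"]
    if risk.approve_reject == "Approve":
        risk.status = APPROVED
        for control in risk.controls:
            control.status = APPROVED
        # As the page describes it, the Process is marked Approved on this
        # Risk's approval, whatever the Status of the other Risks.
        process.status = APPROVED
        process.approval_date = today or date.today()
        return [f"to {process.rcsa_coordinator}: Process {process.name} approved"]
    return []


def pending_risks(process: Process) -> List[str]:
    """Names of Risks under the Process whose assessment is not Approved."""
    return [r.name for r in process.risks if r.status != APPROVED]
```

pending_risks exposes the consequence of that last rule: after one of two Risks is approved the Process reads Approved while the other Risk is still open, which is the condition an RCSA coordinator would want a report or an additional validation rule to catch before treating the Process as signed off.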

Visualization triggers

The Visualization triggers prevent the user from adding new Risks as children of the Data Input and Data Output object types.

Risks can only be made children of these object types by associating existing Risks to them. Data Input and Data Output object types are not allowed to be primary parents of Risks.


Chapter 8. Profiles

The IBM OpenPages Internal Audit Management module includes the OpenPages IAM 7.0.0 Master profile by default.

OpenPages IAM 7.0.0 Master Profile

The OpenPages IAM 7.0.0 Master profile includes the fields and configuration for all of IBM OpenPages Internal Audit Management.

This profile includes:
• Filters
• My Work Home page tab and Home page tabs
• Dependent fields and dependent pick lists
• Computed fields
• Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for particular roles, such as Lead Auditor or Audit Director, are created during the implementation project.

Home Page Filtered Lists

The following filtered lists are defined for the My Work home page for users of the OpenPages IAM 7.0.0 Master profile.

Table 18. IBM OpenPages Internal Audit Management Home page filtered lists

Filter                           Object Type             Description
My Open Issues                   Issue                   Home page access to your open Issues.
My Audits In Progress            Audit                   Home page access to the Audits you own which you are likely to be working on now.
My Open Audit Review Comments    Audit Review Comment    Home page access to Audit Review Comments requiring action, where you are the Owner.
My Findings for Review           Finding                 Home page access to Open Findings where you are the Reviewer.
My Open Findings                 Finding                 Home page access to Open Findings where you are the Preparer.
My Workpapers In Progress        Workpaper               Home page access to Workpapers requiring action, where you are the Preparer.
Workpapers Ready for My Review   Workpaper               Home page access to Workpapers requiring action, where you are the Reviewer.


Activity Views

By default, the OpenPages IAM 7.0.0 Master profile includes the following activity views.

Table 19. IBM OpenPages Internal Audit Management activity views

Activity View Name         Starting Object Type   Description
Audit Planning             Business Entity        Allows for entry of Schedule Dates and Estimated Hours and T&E for each audit in the Universe. Filtered to 2008 and beyond Audits where Status is any except Completed.
Scope Matrix               Audit                  Identify the activities within the Auditable Entity and decide whether each one is in or out of scope for this audit. Refer to the risks for each activity to assist in making the scope decision.
Scope Matrix View          Audit                  Scope Matrix Activity View with all fields configured as read only.
Audits and Sections        Auditable Entity       View the sections for an audit and update Scheduled Start and End Dates.
All Review Comments        Auditable Entity       View Review Comments associated to the selected Audit and its Audit Sections, Workpapers and Findings.
Audit Overview             Audit                  Select each Audit Section to view all of its Workpapers and Findings, and then update key information.
Section Edit Checklist     Audit                  Provides a consolidated view of the work program and facilitates rapid Audit Section update for an audit.
Workpaper Edit Checklist   Audit                  Provides a consolidated view of the Workpapers and facilitates rapid Workpaper update for an audit.
Section Checklist          Auditable Entity       Provides an at-a-glance read only view of the Sections in the work program.
Workpaper Checklist        Auditable Entity       Provides an at-a-glance read only view of the Workpapers in the work program.
Control Testing Summary    Control                Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.
Questionnaire Set Up       Questionnaire          Used to create and modify questionnaires using the Questionnaire, Section, Question object model.
Questionnaire              Questionnaire          Used to respond to questionnaires using the Questionnaire, Section, Question object model.
Process RCSA View          Process                Facilitates conducting Process-based Risk and Control Self Assessments.
Process Approval           Process                Used by the Process Owner to confirm the assessment of each Risk and Control.
RCSA Approval                                     Used by the Risk Coordinator to approve Risk and Control Self Assessments.
Project Mgmt Planning      Workpaper              Used when planning workpapers.
Test Planning              Workpaper              Used when creating test plans for workpapers.
Test Execution             Workpaper              Used when executing workpaper tests during fieldwork.
Review and Approval        Workpaper              Used when reviewing workpapers.
Project Mgmt Update        Workpaper              Used when finalizing workpaper status.

Grid Views

By default, grid views are defined for users of the OpenPages IAM 7.0.0 Master profile.

Table 20. Grid Views

Grid View     Object Type              Description
PRSA Update   Process, Risk, Control   Use to update Process Risk Self Assessments.
PRSA Review   Process, Risk, Control   Use to review Process Risk Self Assessments.


Chapter 9. Role Templates

The following role templates are available, by default, for the IBM OpenPages Internal Audit Management module.

OpenPages IAM 7.0 - All Permissions
    Full Read, Write, Delete, Associate (R/W/D/A) access to all default Internal Audit Management object types that are present and enabled by default. Full administrator rights.

OpenPages IAM 7.0 - All Data - No Admin
    Full Read, Write, Delete, Associate (R/W/D/A) access to all default Internal Audit Management object types that are present and enabled by default. No administrator rights except those associated with workflows, files and folders.

Both role templates provide read, write, delete, and associate access to the following object types. Neither template is scoped to a job role, and the All Permissions template also carries full administrator rights, so it is not a least-privilege assignment for auditors or reviewers.

Table 21. Role template object types

Object Type Name                   Object Type Label
SOXBusEntity                       Business Entity
SOXIssue                           Issue
SOXTask                            Action Item
SOXDocument, SOXExternalDocument   File, Link
SOXSignature                       Signature
AuditableEntity                    Auditable Entity
Auditor                            Auditor
AuditPhase                         Audit Section
AuditProgram                       Audit
DataInput                          Data Input
DataOutput                         Data Output
ProcessDiagram                     Process Diagram
Finding                            Finding
Plan                               Plan
Preference                         Preference
PrefGrp                            Preference Group
ReviewComment                      Audit Review Comment
RiskAssessment                     Risk Assessment
SOXControl                         Control
SOXProcess                         Process
SOXRisk                            Risk
SOXSubprocess                      Sub-Process
SOXTest                            Test Plan
SOXTestResult                      Test Result
Timesheet                          Timesheet
Workpaper                          Workpaper


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service. This document maydescribe products, services, or features that are not included in the Program orlicense entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not grant youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law: INTERNATIONALBUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFNON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULARPURPOSE. Some states do not allow disclaimer of express or implied warranties incertain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurements may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and colorillustrations may not appear.

This Software Offering does not use cookies or other technologies to collectpersonally identifiable information.


Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restrictedby GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment toIBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM,therefore, cannot guarantee or imply reliability, serviceability, or function of theseprograms. You may copy, modify, and distribute these sample programs in anyform without payment to IBM for the purposes of developing, using, marketing, ordistributing application programs conforming to IBM's application programminginterfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.

The following terms are trademarks or registered trademarks of other companies:
• Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Index

A
Action items 24

D
Data Input trigger 29
Data Output trigger 29

G
grid views 33

I
Impact values 25, 27
Issue (object type) 24
Issue and Action Bulletin notification 21
Issue Lifecycle trigger 24
Issues
    management 24

L
Likelihood values 25, 27

N
notifications 19, 21
    Issue and Action Bulletin 21

O
object types
    Issue 24
    SOXRisk 25

R
RCSA Qualitative trigger 27
RCSA Quantitative trigger 25
RCSA Risk and Control Approval trigger 29
RCSA triggers 25
Risk and Control Self-assessments triggers
    See RCSA triggers
Risk Approval Submission trigger 28

S
Severity values 27
SOXRisk (object type) 25

T
triggers
    Issue Lifecycle 24
    RCSA Qualitative 27
    RCSA Quantitative 25
    RCSA Risk and Control Approval 29
    Risk Approval Submission 28
    visualization 29

V
visualization triggers 29