Controls Assurance Program Management Use Case Design

This topic describes the Controls Assurance Program Management use case design.

Architecture Diagram

The following diagram shows the relationships between the applications in the Controls Assurance Program Management use case.

Download the source file of the diagram here: Controls Assurance Program Management Architecture Diagram

Applications and Questionnaires

The following table describes the use case applications and questionnaires.

Application/Questionnaire

Description

Compliance Engagement

Through the Compliance Engagement application, the Compliance Team can initiate and manage the testing life cycle, report the results of testing to executive management, and create engagements that target certain compliance scopes, control sets, or control instances.

Compliance Scope

Through the Compliance Scope application, users can define a testing scope for compliance so Compliance Teams can quickly generate and scope compliance engagements.

Control Generator

The Control Generator application allows users to create Control Procedures from Primary Controls. This allows Compliance Teams to view their controls broken down by several different dimensions, such as Business Processes, Business Units, Applications, Devices, and Facilities.

Contacts

The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information.

Note: The Contacts application is included in the Enterprise Catalog package.

Control Procedures

The Control Procedures application serves as a central repository for instances of control procedures, baselines and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Control Procedures application is included in the Enterprise Catalog package.

Control Scoping Unit

The Control Scoping Unit application is configured to house point-in-time snapshots of Control Procedure compliance information and related elements of the risk environment and business infrastructure.

Regulatory and customer requirements dictate the need to periodically capture information about the compliance posture of the control environments as well as the critical relationships between controls and the elements of the organization that they support. The Control Scoping Unit application is configured with fields to capture critical information about Control Procedures, as well as sub-form fields that enable users to capture historical information about related Business Units, Business Processes, Applications, and Devices that the control procedure supports. Users can leverage the Platform Archer-to-Archer data feed to enable the periodic capture of this information for record keeping and reporting purposes.

This application also works in the background of the Compliance Engagement application and enables users to determine whether control instances are in or out of scope for a specific engagement.

The Control Scoping Unit application will replace the Control Snapshot and Scoping Unit applications in version 6.13.

Evidence Repository

The Evidence Repository application provides your compliance program with a way to capture evidence for controls that you want to continuously monitor. Through this application, you can upload attachments, documents, or evidence and have an access-controlled method for capturing updates to versions of documents that have been uploaded. You can use the included workflow to submit, reassign, approve, and re-initiate the workflow for evidence records.

Primary Controls

The Primary Controls application serves as a central repository for procedures, baselines, and activities that are mapped to corporate control standards, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Primary Controls are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Primary Controls application is included in the Enterprise Catalog package.

Question Library

The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library.

Control Self Assessments

The Control Self Assessment application enables control owners to indicate whether the related control is still in operation and functioning as documented. The intent is that control owners would perform validation on an annual basis. If the owner indicates that the control has changed or is no longer in operation, the system flags the control as non-compliant, which prompts the organization to take follow-up action, with one possibility being removing the control from operation.

Design Test Results

The Design Test Results application enables you to document an evaluator’s assessment of whether a control is properly designed to achieve stated objectives and mitigate related risks. If a control is properly designed, the control meets the stated objective and the evaluator proceeds to test the control’s operating effectiveness. If, however, a control is ineffectively designed, the control is flagged as non-compliant and remediation of any related issues becomes the next step. Similar to Control Self Assessment, the intent is that design effectiveness is assessed on an annual basis.

Operating Test Results

The Operating Test Results application enables you to document the results of the operating tests designed to evaluate whether the control procedure is indeed in place and operating as intended. For SOX testing purposes, key controls should be tested on a quarterly basis, with the total annual sample size to be tested dictated by the frequency of the control’s operation.

Information Assets

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

Business Processes

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced by one or multiple products or services. The application enables you to track the business process’s personnel, criticality, recovery time objective (RTO), and ITIL category, and to associate the process with other aspects of the enterprise infrastructure.

Note: The Business Processes application is included in the Enterprise Catalog package.

Facilities

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

Products and Services

The Products and Services application maintains all products and services provided within an organization. For example, a financial services firm provides a variety of products and services, such as banking, brokerage, and lending services.

Note: The Products and Services application is included in the Enterprise Catalog package.

Access Roles

The following table describes the use case access roles.

Role

Description

CM: Admin

Serves as the administrator for the Controls Assurance Program Management use case, providing create, read, update, and delete access rights.

CM: Executives

Provides create, read, update, and delete access rights.

CM: Manager

Provides create, read, and update access to management stakeholders within the Controls Assurance Program Management use case.

CM: Owner

Provides create, read, and update access to business process owners within the Controls Assurance Program Management use case.

CM: Read Only

Provides read-only access for the Controls Assurance Program Management use case.

CM: Tester

Provides Control Testers with read and update access to the Control Procedures application.

Personas

The following table describes the use case personas.

Persona

Description

Compliance Director

  • Determines the scope for testing a compliance project.
  • Approves or rejects compliance projects.

Compliance Analyst

  • Creates compliance projects that are based on definitions from Compliance Director.
  • Assigns and confirms controls that are based on scoping definitions.
  • Reviews, finalizes, and submits compliance projects.

Compliance Tester

  • Confirms procedures, tests, and records are appropriately created.
  • Performs tests on procedures, reviews evidence, and documents and submits test results.

Evidence Owner

Edits and submits evidence for affected controls.

Note: This user can change user access to Evidence Repository records.

Contributor

Can submit evidence with attachments.

Control Owner/Approver

Reviews and approves submitted evidence.

Note: This user is inherited from related Primary Controls and Control Procedures records.

For a complete list of detailed, page-level access rights, see the Data Dictionary. For more information about the Data Dictionary, see Data Dictionary.

Dashboards

The following table describes the dashboards in this use case.

Dashboard

Description

Compliance Program Dashboard

This dashboard allows you to track the status and compliance of your Compliance Program, including active test work, assessments, and configuration check compliance by filtering work for both submitters and reviewers. Compliance by Control Set, a report in the Compliance Summary iView, is filtered by control sets that are tagged to control procedures. The report tracks compliance against different control sets that an organization attempts to comply with.

Control Testing Portal

This dashboard allows you to track active control tests, submit and review control tests, and monitor assessment evidence, scope records, and configuration check compliance by filtering work for both submitters and reviewers. Users see only the results to which they have been granted access.

Evidence Overview

This dashboard allows you to track the status of ongoing evidence collection. This dashboard features metrics, such as evidence requests that are overdue, due today, or pending approval. This dashboard also uses interactive charts to show data, such as controls based on evidence requests, overdue evidence requests by evidence provider, and evidence submitted per month. Any user who is assigned to a CM or FCM role can access this dashboard.

My Evidence Queue

This dashboard is specific to the user viewing it, and allows individual evidence providers to quickly view evidence requests that are assigned to them, with featured metrics to highlight evidence requests that are overdue, due today, or pending approval. This dashboard also shows evidence providers which control procedures they are listed on.

Data Feeds

Note: For instructions on setting up the feeds, see Setting Up Controls Assurance Program Management Data Feeds.

The following table describes the data feeds in this use case.

Data Feed

Description

RCCM: Move Control Procedures to Primary Controls (1 - Source)

Moves Control Procedure records to the Primary Controls application. Run this data feed once to populate Primary Controls. This data feed brings over the top level of the Authoritative Sources content (Source) and associates it with the Primary Control, where applicable.

RCCM: Move Control Procedures to Primary Controls (2 - Topic)

Moves the second level of the Authoritative Sources content (Topic) to the Primary Controls application and associates it to the newly created Primary Control, where applicable.

RCCM: Move Control Procedures to Primary Controls (3 - Section)

Moves the third level of the Authoritative Sources content (Section) to the Primary Controls application and associates it to the newly created Primary Control, where applicable.

RCCM: Move Control Procedures to Primary Controls (4 - Sub Section)

Moves the fourth level of the Authoritative Sources content (Sub-Section) to the Primary Controls application and associates it to the newly created Primary Control, where applicable.

RCCM: Control Snapshots

Runs against the Control Procedures application for any Control Procedures that have been queued for snapshot creation. This data feed creates a record in the Control Snapshots application using data that is selected from Control Procedures for historical reporting purposes and associates the record back to the Control Procedure so that users can look at point-in-time snapshots of their controls.

RCCM: Controls Generation

Runs against the Control Generator application. Users identify Primary Controls to be instantiated as Control Procedures and queue the Control Generator record for Control Procedure creation. This data feed generates Control Procedures using the selected variables in the Control Generator record.

RCCM: Evidence Repository

The Evidence Repository data feed runs against records being re-initiated in the workflow. The function of this feed is to create a sub-form record in the Version History section of the Evidence Repository application and associate the current document with the sub-form record, so that if a new document is uploaded during re-initiation, users have a historical record, via the sub-form, of what the document previously looked like.

RCCM: Generate Assessments (Full Scope)

Creates Control Self Assessments, Design Test Results, and Operating Test Results using variables selected in the Compliance Engagement record. This data feed always uses every Control Procedure that is identified in the Scope tab of the Compliance Engagement application record.

RCCM: Generate Assessments (Partial Scope)

Creates Control Self Assessments, Design Test Results, and Operating Test Results using variables selected in the Compliance Engagement record. This data feed runs when Partial Scope is selected within a Compliance Engagement and uses Controls that are In Scope from the Partial Scope Selection section to generate assessments.

RCCM: Scope Compliance Engagement by Compliance Scope

Uses identified Compliance Scope records and associates any related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets that are related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

RCCM: Scope Compliance Engagement by Compliance Scope/Control Set

Uses identified Compliance Scope records and associates any related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets that are related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

RCCM: Scope Compliance Engagement by Control Procedures/Control Set

Uses identified Control Set values within Control Procedures records to identify Control Procedures matching the selected criteria and associates any related data to the Compliance Engagement Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

RCCM: Scope Compliance Scope Records by Business Process

Uses identified Business Process records and associates any related data to the Compliance Scope Record. Control Procedures are linked to Business Processes. Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.

RCCM: Scope Compliance Scope Records by Control Procedure

Uses identified Control Procedures records and associates any related data to the Compliance Scope Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.

RCCM: Scope Compliance Scope Records by Control Set

Uses identified Control Set value within Control Procedures records to identify Control Procedures matching the selected criteria and associates any related data to the Compliance Scope Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.

Primary Controls Automatic Evidence Collection Data Feed

This data feed automates the creation of Evidence Repository records for Primary Control records whose Evidence Collection Method is 'automated', on the desired scheduled frequency.

Control Procedures Automatic Evidence Collection Data Feed

This data feed automates the creation of Evidence Repository records for Control Procedure records whose Evidence Collection Method is 'automated', on the desired scheduled frequency.

Data Migration from Scoping Unit to Compliance Partial Scope

This data feed migrates records from the Scoping Unit application to the Control Scoping Unit application. Run this data feed after upgrading to version 6.13.

Data Migration - Control Snapshot to Control Scoping Unit

This data feed migrates records from the Control Snapshot application to the Control Scoping Unit application. Run this data feed after upgrading to version 6.13.

Data Dictionary

The Controls Assurance Program Management Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the use case by contacting your Archer Technologies Account Representative.