Control Objectives
Role-Specific Access
Compliance Manager
- Ability to define and link control objectives to specific controls.
- Responsible for ensuring that control objectives align with compliance requirements.
Control Manager
- Ability to define and link control objectives to specific controls.
- Plays a key role in structuring control sets and verifying the completeness of controls.
Purpose of Control Objectives
Control objectives are an essential part of control management. Assigning a control objective to a new control is mandatory, since control objectives provide essential governance to controls management. They can act as a two-way means of verification for the completeness and validity of an organization's control set:
- From the perspective of the control objective: Did my organization implement all relevant (key) controls to address the control objective holistically?
- From the perspective of the control: Does my control affect the right vector to contribute to the control's objective?
Specifically in vucavoid, control objectives serve two primary functions:
These high-level objectives define the intended outcomes of implementing controls within the organization.
Example of a Control Objective and associated controls
- Control Objective Example: "Ensure accurate and timely processing of customer orders."
- Associated Controls:
- Validation of customer information and order details.
- Dual approval for large orders.
- Verification of inventory levels before processing orders.
- Timely and accurate data entry into the order management system.
- Monitoring of order processing to detect and resolve errors promptly.
- Regular reconciliation of order data with financial records.
- Documentation of order processing procedures and training of personnel.
- Performance reviews to assess compliance with established order processing procedures.
How to start with Control Objectives?
Commonly, control objectives are built around the high-level risk statements of an organization, essentially aiming to cover the relevant risk statements with control objectives.
If no reviewed list of risk statements is available for the tenant's organization, the risk management in vucavoid may offer a basis to start from. This process can be time-consuming though, as it effectively means waiting for the risk landscape to materialize over time.
For those who prefer a head start in building a control landscape, vucavoid offers blueprints. Once blueprints are activated for a tenant, its users can browse, import and map blueprints to the tenant. This can be done from either side, the control objectives or the controls. When importing specific control blueprints, vucavoid asks the importing user whether connected control objective blueprints shall also be imported or be replaced with existing control objectives of the tenant.
Refer to the documentation about blueprints to understand this concept (basically, it's templates for controls, control objectives and more).
Another possible use case is to ask a consultant to share their personal blueprints. Personal blueprints can be shared with tenants once a vucavoid user account has been invited to a tenant, using the vucavoid identity (email address). Once shared with the tenant, the organization can import all available blueprints into its own tenant. As soon as a blueprint is imported to the tenant, it becomes a tenant-specific entity and no longer depends on the availability of the consultant's blueprint or user account.
Actions
To add a new control objective, the user has to click the green button New control objective placed top right above the table. Importing one or multiple control objectives from blueprints can be done by clicking the grey button Blueprints placed next to the green button.
List view of Control Objectives
The list view shows all control objectives in the form of a table.
The list can be searched and filtered for multiple attributes (e.g. domains and standards).
To describe each control objective in the table, the following columns are available:
- Title: The title of the control objective.
- Controls: Showing the number of controls linked to this control objective.
- Domains: Showing the number of domains linked to this control objective.
- Categories: Showing the number of categories linked to this control objective.
- Standards: Showing the number of standards linked to this control objective.
Actions
At the end of each row, the user can decide to edit or to delete a control objective.
Editing a control objective will open a slide-over window showing all editable attributes of the objective as well as a table of all controls that are linked to it.
Please note: It is not possible to delete a control objective while at least one control is connected to it. Connected controls need to be re-distributed before the control objective can be deleted.
This can easily be done by opening the control objective and reviewing all connected controls.
Attributes of Control Objective
In the following part, we briefly discuss the attributes of a control objective.
Control Objective Basics
Title: The title should succinctly describe the control objective, typically confined to the length of one sentence. It directly represents the control objective itself.
For blueprints, vucavoid applies the basic rule to always start a control objective with "It has to be ensured...". This rule makes the content and effect of control objectives easier to grasp. Using a standardized approach also helps organizations establish control objectives in a coherent manner.
Control Objective Categorization
Domains, Standards & Categories (Structures): List any relevant domains, standards, or categories that are associated with the control objective. Assigning them aids in aligning the control objective with specific compliance frameworks or organizational requirements. It also makes filtering and searching control objectives easier.
Connecting Objectives
As outlined earlier, control objectives could (colloquially) be described as a 'purpose umbrella' for controls within an organization's internal control framework. They provide context and direction, but do not hold relevant standalone significance until they are linked with specific controls.
Linking controls and control objectives has to be done from the side of a control. Since control objectives are a mandatory attribute for a new control, the only way to assign them is by doing this from inside the edit form of a control.
All controls that are linked to a control objective are visible from the edit/view page of a control objective.
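As an added illustration (not vucavoid's own code), the following Python model enforces the linkage rules described on this page: a control can only be created against an existing control objective, an objective cannot be deleted while controls are still linked to it, and a completeness check lists objectives that no key control addresses. Class names, fields and messages are assumptions made for the example.

```python
# Added illustration of the linkage rules described on this page; not vucavoid
# code. Class names, fields and messages are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlObjective:
    objective_id: str
    title: str  # blueprint convention on this page: "It has to be ensured..."

@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    objective_id: str  # mandatory: every control points at exactly one objective
    is_key: bool = False

class ControlRegistry:
    def __init__(self) -> None:
        self.objectives: dict[str, ControlObjective] = {}
        self.controls: dict[str, Control] = {}

    def add_objective(self, objective: ControlObjective) -> None:
        self.objectives[objective.objective_id] = objective

    def add_control(self, control: Control) -> None:
        # Rule 1: a control can only be created against an existing objective.
        if control.objective_id not in self.objectives:
            raise ValueError(f"unknown control objective {control.objective_id!r}")
        self.controls[control.control_id] = control

    def linked_controls(self, objective_id: str) -> list[Control]:
        return [c for c in self.controls.values() if c.objective_id == objective_id]

    def reassign_control(self, control_id: str, new_objective_id: str) -> None:
        # The re-distribution step required before an objective can be deleted.
        old = self.controls[control_id]
        self.add_control(Control(old.control_id, old.title, new_objective_id, old.is_key))

    def delete_objective(self, objective_id: str) -> None:
        # Rule 2: deletion is blocked while any control still points here.
        linked = self.linked_controls(objective_id)
        if linked:
            raise ValueError(f"objective {objective_id!r} still has controls: "
                             + ", ".join(c.control_id for c in linked))
        del self.objectives[objective_id]

    def uncovered_objectives(self) -> list[str]:
        # Completeness check from the objective's side: objectives with no key control.
        return sorted(oid for oid in self.objectives
                      if not any(c.is_key for c in self.linked_controls(oid)))
```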