Controls
Accessibility for Specific Roles
Controls are a vital, central part of every compliance framework. Since controls ideally span the entire organization, vucavoid allows multiple roles to access and contribute to defined parts of controls management.
To provide a first understanding:
- Targeted User Groups: This feature is tailored for specific roles within vucavoid, including Compliance Managers, Control Managers, and Control Performers.
- Role-Based Accessibility:
  - Compliance Manager: Full access to create, manage, and review controls.
  - Control Manager: Capabilities similar to Compliance Managers.
  - Control Performer (View): Access primarily for viewing and performing tasks related to controls, with limitations on creation and management functionalities.
Additionally, Watchers can be defined to have read-only access to individual entities, i.e. specific controls.
Overview of Controls
In general, vucavoid's setup of controls management allows all kinds of internal controls to be defined, reported on and tracked, not only compliance-related controls.
Controls are the central tool for organizations to comply with internal and external requirements. First and foremost, controls are implemented into an organization's process landscape to mitigate risks that are deemed relevant for the organization.
Usually, organizations start by laying out all risks (e.g. as high-level risk statements) and then create control objectives that are designed to mitigate those risk statements. Once that is done, controls are designed that match the organization's reality (meta model) and the relevant control objectives.
Excursus: Definition of controls, activities and other terms
In the context of corporate internal controls management, controls and activities are distinct yet interconnected concepts, particularly within the framework of organizational processes. To avoid confusion about the definition of controls in vucavoid, here’s how they differ:
Aspect | Controls | Activities |
---|---|---|
Definition | Specific mechanisms or procedures put in place to mitigate risks, ensure compliance, and achieve (control) objectives within a process. | The actual tasks, steps, or functions carried out within a business process to achieve its objectives. |
Purpose | To prevent (preventive), detect (detective), or correct (compensating) errors, fraud, or non-compliance with policies and regulations. | To execute the core operations of a process. |
Examples | Segregation of duties, authorization requirements, reconciliations, automated system checks, audits. | Processing invoices, recording transactions, preparing financial statements, manufacturing products. |
Focus | Ensuring that the process is completed correctly, safely, and in compliance with relevant standards. | What needs to be done to complete a process. |
Nature | Evaluative and corrective, ensuring that activities lead to desired outcomes without undue risk. | Operational in nature. |
Integration | Integrated within or around activities to monitor and manage the risks associated with those activities. | Steps performed to accomplish a process. |
Key differences:
- Focus: Activities focus on what needs to be done to complete a process, whereas controls focus on ensuring that the process is completed correctly, safely, and in compliance with relevant standards.
- Nature: Activities are operational in nature, while controls are evaluative and corrective, ensuring that activities lead to desired outcomes without undue risk.
- Integration: Controls are integrated within or around activities to monitor and manage the risks associated with those activities.
Additional terminology clarification: Often, there is a mix-up between 'controls' and 'measures', as well as 'requirements' and 'remediation'. In vucavoid, the following terms are present:
Term | Definition | Purpose | Context of Use | Examples |
---|---|---|---|---|
Control | Specific mechanisms or procedures put in place to mitigate risks, ensure compliance, and achieve (control) objectives within a process. | To prevent, detect, or correct errors, fraud, or non-compliance with policies and regulations. | Implemented as part of a process to manage risks and ensure objectives are met. | Segregation of duties, authorization checks, reconciliations, audits. |
Requirement | A condition or criterion that must be met to achieve compliance with laws, regulations, standards, or internal policies. | To ensure adherence to legal, regulatory, or organizational standards. | Defined by laws, regulations, industry standards, or internal policies that must be adhered to within processes. | Compliance with GDPR, SOX compliance, meeting ISO standards, internal company policies. |
Remediation | Actions taken to correct a deficiency, weakness, or non-compliance identified within a process or control. | To fix issues, mitigate risks, and bring processes or controls back into compliance with requirements. | Triggered by the identification of a control failure, deficiency, or audit finding. | Implementing stronger controls, retraining employees, updating policies, patching software vulnerabilities. |
Measure | Quantitative or qualitative metrics used to assess the effectiveness of controls, processes, or remediation efforts. Sometimes used as a synonym for a mitigation measure. | To evaluate performance, track progress, and ensure that controls and remediations are working as intended. | Applied to monitor and evaluate the effectiveness of controls, processes, or remediation actions. | Key performance indicators (KPIs), control effectiveness ratings, audit metrics, risk assessment scores. |
Role in vucavoid
Controls are a central connector between different entity types in vucavoid.
A tenant can use controls to fully reflect its internal control management in vucavoid and
- manage the accountability (ownership) and responsibility (performance) of each control individually,
- provide read-only access to controls individually,
- require regular reportings (with a multitude of frequency options) with or without evidence provision (per reporting),
- even do this for the past when transferring existing controls to vucavoid (e. g. shortly before an audit/attestation is about to start),
- ask for control owner reviews (suitability of the control for internal and external factors),
- match the tenant's requirement base with controls (assess the degree of fulfilment),
- manage findings around controls,
- map them with risks and incidents,
- map them with the vucavoid-documented meta model of the tenant's organization,
- and more.
Controls, as an entity type, are connected to the following other entity types in vucavoid (non-exhaustive list):
Entity type | Reason |
---|---|
Requirement | Determination of the coverage for all compliance requirements; including an ongoing indicator of the degree of fulfilment regarding the implementation of the controls. |
Risk | Being a link in the assessment of a specific risk or to provide evidence for a specific risk treatment plan. |
Incident | Showing a link to the presence of an incident or to provide evidence for the response to an incident. |
Finding | Showing a link to the presence of a finding or to provide evidence for the remediation of a finding. |
Challenges | Link to show different degrees of fulfilment of requirements or the resilience level regarding individually modeled cyber threats. |
Capabilities | Relevant coverage in the context of meta modeling. |
Objects | Relevant coverage in the context of meta modeling. |
Support role during audits
For internal and external audits, the documentation of controls in vucavoid is not only a significant time-saver in the preparation but also a crucial boost to the quality of the tenant's audit defense.
A tenant's organization can use vucavoid to be internally prepared, assuring swift responses and lookups on control coverage and performance.
For organizations that face frequent audits or want to reduce the time spent on the actual audit defense, it is also possible to add the auditor/audit team members as external users to the organization's tenant and provide access to a defined set of controls as "Watchers" (read-only access on a per-entity level).
The following advantages (non-exhaustive) can be listed:
- Performance of controls over time is documented.
- Evidence is uploaded to a central space.
- Reasons for a (temporary) lack of control effectiveness are documented in the control reports.
- Controls are linked to audit-relevant requirements and/or scope (meta model).
Back-to-back indicator
If a (relevant) compliance requirement has been identified by an organization, it is meaningful to cover the requirement with at least one control (which aims at implementing the requirement). This assures implementation of the requirement and hence compliance with internal and external requirements.
If a requirement is not back-to-back with a control, it can be questioned whether the requirement has any (noticeable) relevance for the organization at all.
vucavoid supports this concept by providing a back-to-back indicator from both sides, the control and the requirement. Assuming a perfect world, every control is connected to at least one requirement and every requirement is connected to at least one control.
List view of controls
vucavoid offers a list view of all controls that have been created in vucavoid.
Since controls are a context-rich entity type in vucavoid, the list view is not built with common columns but comes with multiple sub-rows per control. The following information is part of the view:
First row
- Title of the control
Second row
- Description of the control
Third row
- Status
- Full name of owner
- Owner review frequency
- Performance reporting frequency
- Full name of performers
- Back-to-back-indicator
Fourth row
- Number of performance reports due
Please note, not all information might be displayed per control. The visibility of some attributes depends on the configuration and status of a control.
Sorting, searching, grouping & filtering
To provide for a better overview, users can search, filter and group the control overview for multiple attributes. By combination of the features, the user can get down to any level of detail desired. Additionally, by clicking the table headings, the user can sort columns in descending and ascending order.
Please note, when grouping is activated, vucavoid sorts the controls in the context of the groups.
To remove grouping, the user can select the grouping option "Group by" which effectively does not group the table.
Attributes of Controls
In the following, all attributes of controls in vucavoid are presented.
Section: Basics
- Title: Choose a clear and descriptive title for the control.
- Description of Control: Detail the control's specific activities, its role in processes, and its main objectives. This is the actual control description. There is no need to describe entire processes in here but it is usually expected to describe the key aspects of the control and how it contributes to the control objective (what is the effect/ impact vector of the control).
- Control Objective: Link the control to at least one overarching control objective that it helps to achieve, aligning it with its broader risk vector.
- Starting Date: Set the date when the control was or will be implemented. This date can either be set to the day of edit or a day in the future. vucavoid also supports past dates, which primarily make sense if control reporting (see below) is activated. For such combinations (activated reporting with a past start date) vucavoid offers retroactive reporting, requiring control reports to be added also for past dates. For further information see below.
- Frequency: Determine how often the control shall be performed and potentially reported on (if activated), with options ranging from daily to annually or occasionally (and more options).
Control Performance Reporting
Control performance reporting refers to regular reports that provide information on the control's effectiveness. If control performance reporting is activated, vucavoid will ask the performer(s) to regularly report on the control's effectiveness/performance in vucavoid. For more information see the dedicated section on reporting below.
Overview:
- Periodic Reporting Requirement: Enable regular prompts for control performers to report on the control's effectiveness, based on the chosen frequency.
- Retroactive Reporting: If applicable, vucavoid can retroactively create performance reporting tasks for the period since the control’s (actual) starting date.
- Evidence Requirement: Specify if and how evidence should be provided for each performance report, including the option to store evidence externally.
Control Owner Review
- Review Tasks: If activated, the control owner will receive regular tasks to review the control for accuracy and relevance.
- Review Frequency: Choose how often the review occurs, from monthly to annually.
Control Status
Lifecycle of a Control:
- Draft Status: Initially, when a control is created but not yet activated, no related tasks will be created.
- Implemented Status: Upon activation, indicating that the control is in effect. This is the expected status of every control that is an active part of an organization.
- Paused Status: If a control is temporarily inactive, this status can be set. For paused controls related tasks are halted. vucavoid recommends to not select this status for controls that are required by law or per regulation.
- Archived Status: For controls that are no longer relevant and thus removed from active visibility. Still, reports on these controls remain available.
Control Management
Owner and Performer Assignment:
- Owner: Assign a vucavoid user account that is accountable for the control.
- Performer(s): Designate one or more individuals responsible for executing the control and reporting on its performance. All performers will receive reporting tasks (if activated for the respective control). Please note, this field becomes mandatory once performance reporting is activated for the respective control.
- Watcher(s): Select one or multiple user accounts that have read-only access to the control. Could also be used for external users like auditors, consultants, third parties or regulators.
Control Meta
These attributes do not have influence on automations of the application.
Nature and Type:
- Nature: Determine if the control is preventive or detective.
- Type: Specify the level of automation involved in the control’s execution.
Control Parameters
- Tagging and Categorization: Assign relevant criteria, domains, categories, standards and assurances to the control for easier tracking and reporting.
Performance Reporting and Owner Review
vucavoid offers two major functions around controls: performance reporting and owner reviews. Both functions contribute to a comprehensive compliance management inside the application.
Performance Reporting
Performance reporting in vucavoid is designed to continuously monitor and verify the effectiveness of each control. By collecting periodic reports, vucavoid maintains a dynamic assessment of the control's impact on compliance management. With the affiliation to requirements and meta model elements, the controls management in vucavoid can provide a comprehensive view on the compliance posture of the tenant's organization.
Reporting only works for controls in the status "Implemented"; controls in "Draft" and "Archived" do not create performance reports.
Once activated, vucavoid will automatically create regular performance control report requests (i. e. a task per due report in vucavoid) for every performer that is defined for the control.
This comes with the following specifications:
- If control performance reporting is activated, at least one performer needs to be defined (conditional mandatory field).
- If multiple performers are defined, all will receive the same task per report.
- Once any of the defined performers reported on the control, the respective task will be closed for all performers. This implies that every control report can only be handed in once, regardless if one or multiple performers are defined.
- Every performer will be notified for each new control report via email as well as in-app that a new task has been created for the pending control report.
- vucavoid creates one task per reporting period to assure standardization and traceability over the years. In practical terms, this means vucavoid creates one task per performer per control cycle (daily, weekly, annually, ...).
For every control report, a new task is created per performer, informing the responsible user(s) about:
- Related control
- Related period to cover
- Due date
- If evidence is expected (and what kind of evidence)
The performer could go to the control itself and report on the specific period. The more convenient way is to directly report from the task. It takes three clicks per reporting period for a task without evidence provision to be reported (starting with the first click to call the reporting window from the task overview).
The performer(s) can decide whether the control has proven effective or ineffective by selecting the performance status "Effective", "Ineffective" or "N/A". In case the performer selects "Ineffective" or "N/A" for a specific control period, vucavoid adds a mandatory text field for explaining deviations or ineffectiveness, fostering accountability and aiding future corrective actions.
vucavoid provides an option to define effectiveness indicators (free text) to offer more guidance to the performer(s) in deciding on the control's performance.
Evidence provision
vucavoid allows the tenant's organization to define on a control-per-control basis if the performance reporting requests shall incorporate evidence provision by the performer. This may include screenshots, files, system logs, or other verifiable materials - ensuring a traceable and verifiable record of the control’s execution.
Main use cases for activating evidence provision are (non-exhaustive):
- Significantly improved internal controls and risk management regarding their validity/expressiveness and resilience.
- Internal and/or external auditors rely on the information to evaluate the internal control's effectiveness.
- Collaboration between different parties/colleagues on the same control, mitigating key person risks by bridging information asynchronism.
When defining the control, it can be defined if the evidence shall be uploaded to vucavoid along with the control report or if the evidence is generally stored in an external storage (outside of vucavoid). This definition needs to be set once per control and cannot be altered per control report. In cases where evidence is stored outside vucavoid, performers are instructed to note the external storage location, ensuring traceability and accessibility of proof.
Additionally, vucavoid allows the organization to define what type of evidence is expected to be uploaded (standardization over time).
When a performer is reporting on a control period, it is also possible to point to previously uploaded evidence for the same control, e. g. because an automated control did not change and the compliance regime does not ask for evidence with specific timestamps on it.
Top priority is to always enable performers to place control performance reports in vucavoid. In case a control is defined to request evidence per control report directly in vucavoid, performers can select "No evidence available" to skip the step. This is not recommended.
Retroactive Reporting
If a control’s starting date is set in the past in relation to the date it's created in vucavoid, it is possible to activate retroactive performance reports. If this is set and the control is activated (set to "Implemented"), vucavoid will create all tasks for the performers related to fully concluded control periods (control cycles) since the set starting date for the control.
The task setup follows the same rules as for the common performance reporting in vucavoid (e. g. regarding evidence provision).
Please note, this can lead to a large amount of tasks and notifications for the impacted performers.
Per default, vucavoid will start with the first full control cycle after the control has been initiated in vucavoid. The main motivation for users to initiate the creation of back-dated performance reporting tasks is to ensure a complete historical record from the control’s implementation date (e. g. for migration purposes).
Retroactive reporting can only be activated when at least one full control cycle had been concluded (i. e. "Starting date" + "Control frequency" < "Date of control creation").
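As an added example (not vucavoid's own code), the following Python models the rules from this section and from the performance-reporting specifications above: concluded cycles are derived from the starting date, the frequency and the creation date using the page's strict "starting date + frequency < creation date" rule, one shared task is created per period, any performer's submission closes it for all performers, and "Ineffective"/"N/A" reports require an explanation. The fixed cycle lengths per frequency and the sample control, performers and evidence reference are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed simplification: fixed-length cycles per frequency. The page names the
# frequencies but not vucavoid's exact calendar arithmetic.
CYCLE_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "annually": 365}

def concluded_periods(start: date, frequency: str, created: date) -> list:
    """Fully concluded cycles [start, end) before the control was created in the app.
    A cycle counts only if period_start + cycle < created (the page's rule, strict)."""
    step = timedelta(days=CYCLE_DAYS[frequency])
    periods, p = [], start
    while p + step < created:
        periods.append((p, p + step))
        p += step
    return periods

def retroactive_allowed(start: date, frequency: str, created: date) -> bool:
    # Retroactive reporting needs at least one fully concluded cycle.
    return len(concluded_periods(start, frequency, created)) >= 1

@dataclass
class ReportTask:
    control: str
    period: tuple
    performers: frozenset
    evidence_expected: bool
    status: Optional[str] = None       # "Effective", "Ineffective" or "N/A" once reported
    reported_by: Optional[str] = None
    explanation: Optional[str] = None
    evidence: Optional[str] = None     # upload reference, external location or "No evidence available"

def create_retroactive_tasks(control, performers, start, frequency, created, evidence_expected):
    """One shared task per concluded period; every performer sees the same task."""
    if not performers:
        raise ValueError("performance reporting requires at least one performer")
    return [ReportTask(control, p, frozenset(performers), evidence_expected)
            for p in concluded_periods(start, frequency, created)]

def submit_report(task, performer, status, explanation=None, evidence=None):
    """Closes the task for all performers; each period can be reported only once."""
    if task.status is not None:
        raise ValueError(f"period already reported by {task.reported_by}")
    if performer not in task.performers:
        raise PermissionError(f"{performer} is not a performer of {task.control}")
    if status not in ("Effective", "Ineffective", "N/A"):
        raise ValueError("status must be Effective, Ineffective or N/A")
    if status != "Effective" and not explanation:
        raise ValueError("Ineffective and N/A reports require an explanation")
    task.status, task.reported_by, task.explanation = status, performer, explanation
    # Evidence may be skipped even when expected; the gap is then recorded explicitly.
    task.evidence = evidence if evidence or not task.evidence_expected else "No evidence available"
    return task

def demo() -> dict:
    """Constructed sample: monthly control started 2024-01-01, created 2024-04-15."""
    tasks = create_retroactive_tasks("Backup restore test", {"alice", "bob"},
                                     date(2024, 1, 1), "monthly", date(2024, 4, 15), True)
    submit_report(tasks[0], "alice", "Effective", evidence="ticket CHG-0001 (constructed)")
    submit_report(tasks[1], "bob", "Ineffective", explanation="restore job failed")
    return {"periods": len(tasks), "first_status": tasks[0].status,
            "first_evidence": tasks[0].evidence, "second_evidence": tasks[1].evidence,
            "allowed_same_day": retroactive_allowed(date(2024, 1, 1), "monthly", date(2024, 1, 31))}
```

With the sample dates, three full 30-day cycles lie strictly before the creation date, so three shared tasks are created; a starting date exactly one cycle before creation does not qualify because the page's rule is strict.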
Owner Review
Controls are an integral part of an organization's meta model, e.g. as part of live processes. The meta model of an organization is dynamic, reacting to strategy, market needs, vendor offerings and different management facets. Things are not stable and might differ significantly over time.
Controls might not always be a deeply integrated part of the changing parts of the meta model and hence could become ineffective by design due to changes in their surroundings. The owner review is a detective measure meant to account for such situations.
vucavoid advises all organizations to configure controls to ask for regular owner reviews. For every control, the organization can define to run owner reviews with four options for the frequency:
- Annually
- Semi-annually
- Quarterly
- Monthly
Usually, annual reviews are sufficient in common environments (i.e. common dynamics), since owner reviews should only be seen as a tool to detect changes in the control environment that are not yet reflected in controls as part of the overall meta model.
Once activated, the defined control owner receives a vucavoid task based on the defined frequency (the assigned user cannot be changed). The owner needs to close this task manually, confirming the review of the control.