Executing procedures and testing controls

Execute procedures (Workplan workflow) or perform walkthroughs and tests (Internal Control workflow) to determine if controls are designed and operating effectively.

Note

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

How it works

You can record the outcome of procedures you have executed, perform walkthroughs to evaluate the design of controls, and perform tests to evaluate the effectiveness of controls. You can also update test plans to identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.

If the control was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.

Specifying how many testing rounds need to be performed

When you create or rollforward a project associated with an Internal Control workflow, you can configure the number of testing rounds you need to test control effectiveness:

Note

When you first create or rollforward a project, the number of testing rounds you choose becomes locked in. You can't change the number of testing rounds after saving the project.

Under the Fieldwork tab, the testing round tabs are located to the right of the Test Plan tab. The names of the available tabs depend on the number of testing rounds for the project:

Rounds of testing Tab labels
One Testing
Two Interim, Final
Four Q1, Q2, Q3, Q4

Sample size logic in test plans

Sample size is set when a test plan is created the first time, which occurs when you define a control. The table below describes the logic used to automatically set the sample size field based on two control attribute fields: Frequency and Type. You can specify the values for both fields when you define controls.

Note

If you manually update the sample size in the test plan, and subsequently update the Frequency and Type values of the control, the sample size in the test plan is not overridden.

If Then

Type = Application/System Control

Max Sample Size is set to 1

Type <> Application/System Control

AND

Frequency is listed to the right

Sample size is set to the corresponding value:

  • Continuous 1
  • Weekly 6 
  • Bi-Weekly 3
  • Monthly 2
  • Quarterly 1
  • Semi-Annually 1
  • Annually 1

Neither of the above conditions are met

Max Sample Size defined at the project level (Settings) is used

Note

If you import a control from a framework to a project or to another framework, the max sample size is defined at the framework level (Test Plan > Total Sample Size).

Assurance

As you execute procedures or perform walkthroughs and tests, the Projects app automatically aggregates testing results and issues, and calculates assurance in real-time. As controls pass, assurance increases, and as controls fail, assurance decreases.

For more information, see Getting started with assurance for risk.

Examples

Note

The examples in this panel are connected. The first tab presents the start of the scenario.

Scenario

You are an Audit Manager that owns an entire IT General Controls Review (IA Context) project. Previously, you created a project from a project template. Now, you need to test one of the controls in the Physical Security objective to evaluate the design of the control.

Process

You perform a walkthrough and determine that the walkthrough passes.

Result

You document the walkthrough as follows:

  • Walkthrough Results On May 24, 2018, inquired with Mark Manning (Manager) to ascertain that policies exists and are communicated to employees. As per inquiry, policy documents have been distributed to employees, and a recurring physical security training session takes place semi-annually to ensure employees are aware of their responsibilities.
  • Is the control designed appropriately? Designed appropriately

Scenario

Now that you performed a walkthrough, you have a better understanding of how the control is designed to mitigate risk.

Process

Before you launch into testing the effectiveness of the control, you need prepare a test plan that identifies how you will test the control. You define the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.

Result

You document the test plan as follows:

  • Testing Method Inspection
  • Total Sample Size 1
  • Test Steps / Test Attributes

    1. Obtain a copy of the organization's physical security policy document.
    2. Evaluate documentation for the following:
      1. Coverage of critical pieces of the organization's plans and procedures
      2. Documentation of incidents

Scenario

Since you documented the testing method and steps in your test plan, you know how you are going to test the control.

Process

You perform the test to evaluate the operational effectiveness of the control and determine that the test passes.

Result

You document the test as follows:

  • Are you testing this Control as part of this testing round? Yes
  • User Assigned yourName
  • Testing Results There is a formally documented and communicated physical security policy and control structure in place.
  • Did this Control operate effectively? Operating Effectively

Permissions

Only Professional Managers and Professional Users can execute procedures, perform walkthroughs and tests, and update test plans. If the Contributor Tester is assigned as the Control Owner, they have read/write to the controls, walkthroughs, and testing. If you only want the Contributor Tester to handle testing, assign them to the control test and then make sure that the Allow Contributor Tester to manage Walkthroughs toggle is turned off in the Project Application, Settings. For details on the toggle, see Projects app settings.

If a test plan was created in a framework, imported into a project, and then modified, Project Admins, Project Creators, and users assigned the Professional Manager or Professional User role within a framework can sync those changes back to the framework for distribution into other projects.

Get context about a control or procedure with Control X-Ray or Procedure X-Ray

If your team does routine testing, you might need to execute procedures or test controls with little background knowledge. Information like previous testing results and key attributes will help you gain a fuller understanding of what you're working on.

The following contextual information is available:

  • A link to the procedure or control
  • A link to the source framework, if applicable
  • Its attributes
  • Previous testing results and sample sizes
  • Related risks, if any have been associated with this control or procedure
  • Previous issues, if there were any; issues do not appear if they were not published or were not created on the related procedure or control page
  • Related narratives, if any have been linked to this control or procedure
  • Related compliance maps, if this procedure or control is mapped to any requirements
  • Related assets, if you have a subscription to IT Risk Management, have associated assets to a risk category in a project, and view a control associated with that risk category

View and navigate to your controls and results in Projects

In Projects, on the Controls tab, you can see an overview of the controls that are either assigned to you or associated with control tests or objectives that are assigned to you. You can also navigate to the procedures, or walkthroughs and test plans associated with those controls, and see their results at a glance.

You can show or hide the Controls tab in your project type settings. For more information, see Risks and Controls tab.

The Controls tab consists of two parts:

  • Pie charts View a breakdown of the procedures, or walkthroughs and test plans, associated with your controls.
  • Controls table A customizable table that contains your controls and shows the results associated with them. You can navigate to your controls or results directly from the table.

    Note

    In archived projects, controls don't appear in the table.

Execute a procedure

In projects with a Workplan workflow, you can record the outcome of an executed procedure.

  1. From the Launchpad home page (www.highbond.com), select the Projects app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.

    The Projects home page opens.

  2. Open a project. The project dashboard opens.
  3. Click the Fieldwork tab.
  4. Click Go To next to the objective you want to work with and select Execute Procedures.
  5. Click View/Edit beside the appropriate procedure.
  6.  To get more context about this procedure, click Procedure X-Ray.
  7. Enter the relevant information as described in the following table:
    Note

    After entering any data in a field, wait for the confirmation that it is saved successfully before you fill out any other fields. Else, you get an error indicating that your changes conflict with those made concurrently by another user.

    FieldDescription

    Planned Milestone Date

     

     

    Specifies the planned date of a milestone associated with the execute procedure. This is an optional field.

    Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings).

    Actual Milestone Date

    Specifies the actual date of a milestone associated with the execute procedure. This is an optional field.

    Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings).

    Attributes

    Specifies the attributes associated with the execute procedure. This is an optional field.

    Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings).

    Procedure Results

    A description about the procedure results. This is an optional field.

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari CTRL + right-click within the field on Windows or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge open your browser settings and turn on spell check / highlighting of misspelled words

    Were issues identified when completing this procedure?

    Dispalys the following options:

    • Issue(s) noted specifies that the procedure has failed
    • No Issues  specifies that the procedure has passed

    You can use the Issues panel to record issues.

    This is an optional field.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

  8. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, Diligent One does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  9. Optional. Link evidence to the procedure. For more information, see Linking evidence from Results.
  10. Select Save.

Perform a walkthrough

In projects with an Internal Control workflow, you can evaluate the design of controls.

  1. From the Launchpad home page (www.highbond.com), select the Projects app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.

    The Projects home page opens.

  2. Open a project. The project dashboard opens.
  1. Click the Fieldwork tab.
  2. Click Go To next to the appropriate process and select Walkthroughs.
  3. Click View/Edit beside the appropriate walkthrough.
  4. To get more context about this control, click Control X-Ray.
  5. Enter the relevant information as described in the following table:

    Note

    After entering any data in a field, wait for the confirmation that it is saved successfully before you fill out any other fields. Else, you get an error indicating that your changes conflict with those made concurrently by another user.

    Field Description

    Planned Milestone Date

     

    Specifies the planned date of a milestone associated with the walkthrough.

    Project Admins and Project Type Admins can enable and customize this field under Manage project types.

    This is an optional field.

    Actual Milestone Date

    Specifies the actual date of a milestone associated with the walkthrough.

    Project Admins and Project Type Admins can enable and customize this field under Manage project types.

    This is an optional field.

    Attributes

     

    Specifies the attributes associated with the walkthrough.

    Project Admins and Project Type Admins can define custom attributes for walkthroughs under Manage project types.

    This is an optional field.

    Walkthrough Results

     

    A description about the walkthrough results

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari CTRL + right-click within the field on Windows or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge open your browser settings and turn on spell check / highlighting of misspelled words

    This is an optional field.

    Is the control designed appropriately?

    Select one of a maximum of 10 selections set by your organization. Each option corresponds to a pass or fail state. For example:

    • Designed Appropriately specifies that the control designed has passed
    • Design Failure specifies that the control design has failed

    You can use the Issues panel to record issues.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

    This is an optional field.

  6. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, Diligent One does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  7. Optional. Link evidence to the walkthrough. For more information, see Linking evidence from Results.
  8. Select Save.

Update a test plan

In projects with an Internal Control workflow, you can identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.

If the test plan was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.

  1. From the Launchpad home page (www.highbond.com), select the Projects app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.

    The Projects home page opens.

  2. Open a project. The project dashboard opens.
  3. Click the Fieldwork tab, or within a framework, click the Sections tab.
  4. Click Go To beside the appropriate process, and select Test Plan.
  5. Click Edit Plan beside the appropriate test plan.
  6. To get more context about this control, click Control X-Ray.
  7. Enter the relevant information as described in the following table:
    FieldDescription

    Testing Method

     

    Specifies how you obtained the evidence.

    This is an optional field.

    Total Sample Size

     

    Specifies a numerical value that defines the total sample size (split among testing rounds). For more information, see Sample size logic in test plans.

    This is an optional field.

    Test Steps/Test Attributes

     

    Specifies the steps or attributes associated with the test plan.

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari CTRL + right-click within the field on Windows or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge open your browser settings and turn on spell check / highlighting of misspelled words

    This is an optional field.

  8. Select Save.

Perform a test

In projects with an Internal Control workflow, you can evaluate the operating effectiveness of controls.

  1. From the Launchpad home page (www.highbond.com), select the Projects app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.

    The Projects home page opens.

  2. Open a project.

    The project dashboard opens.

  3. Click the Fieldwork tab.
  4. Click Go To next to the appropriate process and select the test option you want, Interim Testing or Final Testing.
  5. Make sure the tab for the testing round you want to work with is selected.
  6. Click Update Test beside the appropriate test.
  7. To get more context about this control, click Control X-Ray.
  8. Enter the relevant information as described in the following table:
    Note

    After entering any data in a field, wait for the confirmation that it is saved successfully before you fill out any other fields. Else, you get an error indicating that your changes conflict with those made concurrently by another user.

    FieldDescription

    Are you testing this key control as part of this testing round?

    Displays the following options:

    • Yes Specifies that the testing results are applicable to the testing round
    • No Specifies that the testing results are not applicable to the testing round

    User Assigned

    Specifies the team member responsible for testing the control.

    Clicking Update Assignment sends an email notification to the specified team member.

    This is an optional field.

    Note

    Only Professional Managers, Professional Users, and Contributor Testers can assign control tests, and only Professional Managers, Professional Users, and Contributor Testers can be selected from this field.

    Planned Milestone Date

    Specifies the planned date of a milestone associated with the test (if configured in the Project Type).

    This is an optional field.

    Project Admins and Project Type Admins can enable and customize this field under Manage project types.

    Actual Milestone Date

    Specifies the actual date of a milestone associated with the test (if configured in the Project Type).

    This is an optional field.

    Project Admins and Project Type Admins can enable and customize this field under Manage project types.

    Attributes

    Specifies the attributes associated with the test (if configured in the Project Type).

    This is an optional field.

    Project Admins and Project Type Admins can define custom attributes for tests under Manage project types.

    What is the testing sample size? Total sample size for all testing rounds is 0. Add the total sample size split among testing rounds.

    Testing Results

     

    Specifies details about the test results.

    This is an optional field.

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari CTRL + right-click within the field on Windows or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge open your browser settings and turn on spell check / highlighting of misspelled words

    Did this control operate effectively?

    Testing conclusion

    Select a value. This is an optional field.

    You can use the Issues panel to record issues.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

  9. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, Diligent One does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  10. Optional. Link evidence to the test. For more information, see Linking evidence from Results.
  11. Select Save.