Executing procedures and testing controls
Execute procedures (Workplan workflow) or perform walkthroughs and tests (Internal Control workflow) to determine if controls are designed and operating effectively.
Note
- Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
- If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
How it works
You can record the outcome of procedures you have executed, perform walkthroughs to evaluate the design of controls, and perform tests to evaluate the effectiveness of controls. You can also update test plans to identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.
If the control was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.
Specifying how many testing rounds need to be performed
When you create or rollforward a project associated with an Internal Control workflow, you can configure the number of testing rounds you need to test control effectiveness.
When you first create or rollforward a project, the number of testing rounds you choose becomes locked in. You can't change the number of testing rounds after saving the project.
Under the Fieldwork tab, the testing round tabs are located to the right of the Test Plan tab. The names of the available tabs depend on the number of testing rounds for the project:
Rounds of testing | Tab labels |
---|---|
One | Testing |
Two | Interim, Final |
Four | Q1, Q2, Q3, Q4 |
Sample size logic in test plans
Sample size is set when a test plan is created the first time, which occurs when you define a control. The table below describes the logic used to automatically set the sample size field based on two control attribute fields: Frequency and Type. You can specify the values for both fields when you define controls.
If you manually update the sample size in the test plan, and subsequently update the Frequency and Type values of the control, the sample size in the test plan is not overridden.
If | Then |
---|---|
Type = Application/System Control | Max Sample Size is set to 1 |
Type <> Application/System Control AND Frequency is listed to the right | Sample size is set to the corresponding value: |
Neither of the above conditions is met | Max Sample Size defined at the project level (Settings) is used. Note: If you import a control from a framework to a project or to another framework, the max sample size is defined at the framework level (Test Plan > Total Sample Size). |
Assurance
As you execute procedures or perform walkthroughs and tests, the Projects app automatically aggregates testing results and issues, and calculates assurance in real time. As controls pass, assurance increases, and as controls fail, assurance decreases.
For more information, see Getting started with assurance for risk.
Examples
The examples in this panel are connected. The first tab presents the start of the scenario.
Scenario
You are an Audit Manager who owns an entire IT General Controls Review (IA Context) project. Previously, you created a project from a project template. Now, you need to test one of the controls in the Physical Security objective to evaluate the design of the control.
Process
You perform a walkthrough and determine that the walkthrough passes.
Result
You document the walkthrough as follows:
- Walkthrough Results: On May 24, 2018, inquired with Mark Manning (Manager) to ascertain that policies exist and are communicated to employees. As per inquiry, policy documents have been distributed to employees, and a recurring physical security training session takes place semi-annually to ensure employees are aware of their responsibilities.
- Is the control designed appropriately? Designed appropriately
Scenario
Now that you performed a walkthrough, you have a better understanding of how the control is designed to mitigate risk.
Process
Before you launch into testing the effectiveness of the control, you need to prepare a test plan that identifies how you will test the control. You define the testing method, the total sample size (split amongst testing rounds), and test steps that need to be performed to test the control.
Result
You document the test plan as follows:
- Testing Method: Inspection
- Total Sample Size: 1
- Test Steps / Test Attributes:
  - Obtain a copy of the organization's physical security policy document.
  - Evaluate documentation for the following:
    - Coverage of critical pieces of the organization's plans and procedures
    - Documentation of incidents
Scenario
Since you documented the testing method and steps in your test plan, you know how you are going to test the control.
Process
You perform the test to evaluate the operational effectiveness of the control and determine that the test passes.
Result
You document the test as follows:
- Are you testing this Control as part of this testing round? Yes
- User Assigned: yourName
- Testing Results: There is a formally documented and communicated physical security policy and control structure in place.
- Did this Control operate effectively? Operating Effectively
Permissions
Only Professional Managers and Professional Users can execute procedures, perform walkthroughs and tests, and update test plans. If the Contributor Tester is assigned as the Control Owner, they have read/write access to the controls, walkthroughs, and testing. If you only want the Contributor Tester to handle testing, assign them to the control test and then make sure that the Allow Contributor Tester to manage Walkthroughs toggle is turned off in the Project Application, Settings. For details on the toggle, see Projects app settings.
If a test plan was created in a framework, imported into a project, and then modified, Project Admins, Project Creators, and users assigned the Professional Manager or Professional User role within a framework can sync those changes back to the framework for distribution into other projects.
Get context about a control or procedure with Control X-Ray or Procedure X-Ray
If your team does routine testing, you might need to execute procedures or test controls with little background knowledge. Information like previous testing results and key attributes will help you gain a fuller understanding of what you're working on.
- When executing a procedure, click Procedure X-Ray to view critical contextual information about the procedure.
- When performing a walkthrough, updating a test plan, or testing a control, click Control X-Ray to view critical contextual information about a control.
The following contextual information is available:
- A link to the procedure or control
- A link to the source framework, if applicable
- Its attributes
- Previous testing results and sample sizes
- Related risks, if any have been associated with this control or procedure
- Previous issues, if there were any; issues do not appear if they were not published or were not created on the related procedure or control page
- Related narratives, if any have been linked to this control or procedure
- Related compliance maps, if this procedure or control is mapped to any requirements
- Related assets, if you have a subscription to IT Risk Management, have associated assets to a risk category in a project, and view a control associated with that risk category
View and navigate to your controls and results in Projects
In Projects, on the Controls tab, you can see an overview of the controls that are either assigned to you or associated with control tests or objectives that are assigned to you. You can also navigate to the procedures, or walkthroughs and test plans associated with those controls, and see their results at a glance.
You can show or hide the Controls tab in your project type settings. For more information, see Risks and Controls tab.
The Controls tab consists of two parts:
- Pie charts: View a breakdown of the procedures, or walkthroughs and test plans, associated with your controls.
- Controls table: A customizable table that contains your controls and shows the results associated with them. You can navigate to your controls or results directly from the table.
Note
In archived projects, controls don't appear in the table.
Execute a procedure
In projects with a Workplan workflow, you can record the outcome of an executed procedure.
- From the Launchpad home page (www.highbond.com), select the Projects app to open it.
  If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
  The Projects home page opens.
- Open a project. The project dashboard opens.
- Click the Fieldwork tab.
- Click Go To next to the objective you want to work with and select Execute Procedures.
- Click View/Edit beside the appropriate procedure.
- To get more context about this procedure, click Procedure X-Ray.
- Enter the relevant information as described in the following table:
  Note: After entering any data in a field, wait for the confirmation that it is saved successfully before you fill out any other fields. Otherwise, you get an error indicating that your changes conflict with those made concurrently by another user.
Field | Description |
---|---|
Planned Milestone Date | Specifies the planned date of a milestone associated with the execute procedure. This is an optional field. Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings). |
Actual Milestone Date | Specifies the actual date of a milestone associated with the execute procedure. This is an optional field. Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings). |
Attributes | Specifies the attributes associated with the execute procedure. This is an optional field. Project Admins and Project Type Admins can enable and customize this field under Managing project types (see Projects app settings). |
Procedure Results | A description of the procedure results. This is an optional field. Note: Rich text fields cannot exceed 524,288 characters. Tip: To enable spell check on rich text fields, do one of the following: in Chrome, Firefox, or Safari, CTRL + right-click within the field on Windows or Command + right-click on Mac; in Internet Explorer or Microsoft Edge, open your browser settings and turn on spell check / highlighting of misspelled words. |
Were issues identified when completing this procedure? | Displays the following options: Issue(s) noted (specifies that the procedure has failed) and No Issues (specifies that the procedure has passed). You can use the Issues panel to record issues. This is an optional field. Tip: You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments. |
Perform a walkthrough
In projects with an Internal Control workflow, you can evaluate the design of controls.
- From the Launchpad home page (www.highbond.com), select the Projects app to open it.
  If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
  The Projects home page opens.
- Open a project. The project dashboard opens.
Update a test plan
In projects with an Internal Control workflow, you can identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.
If the test plan was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.
- From the Launchpad home page (www.highbond.com), select the Projects app to open it.
  If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
  The Projects home page opens.
- Open a project. The project dashboard opens.
- Click Go To beside the appropriate process, and select Test Plan.
- Click Edit Plan beside the appropriate test plan.
- To get more context about this control, click Control X-Ray.
- Enter the relevant information as described in the following table:
Field | Description |
---|---|
Testing Method | Specifies how you obtained the evidence. This is an optional field. |
Total Sample Size | Specifies a numerical value that defines the total sample size (split among testing rounds). For more information, see Sample size logic in test plans. This is an optional field. |
Test Steps/Test Attributes | Specifies the steps or attributes associated with the test plan. This is an optional field. Note: Rich text fields cannot exceed 524,288 characters. Tip: To enable spell check on rich text fields, do one of the following: in Chrome, Firefox, or Safari, CTRL + right-click within the field on Windows or Command + right-click on Mac; in Internet Explorer or Microsoft Edge, open your browser settings and turn on spell check / highlighting of misspelled words. |
- Select Save.
Perform a test
In projects with an Internal Control workflow, you can evaluate the operating effectiveness of controls.
- From the Launchpad home page (www.highbond.com), select the Projects app to open it.
  If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
  The Projects home page opens.
- Open a project. The project dashboard opens.