Executing procedures and testing controls

Execute procedures (Workplan workflow) or perform walkthroughs and tests (Internal Control workflow) to determine whether controls are designed and operating effectively.

Note

Interface terms are customizable, and fields and tabs are configurable. In your instance of HighBond, some terms, fields, and tabs may be different.

How it works

You can record the outcome of procedures you have executed, perform walkthroughs to evaluate the design of controls, and perform tests to evaluate the effectiveness of controls. You can also update test plans to identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.

If the control was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.

Specifying how many testing rounds need to be performed

When you create or rollforward a project associated with an Internal Control workflow, you can configure the number of testing rounds you need to test control effectiveness.

Note

When you first create or rollforward a project, the number of testing rounds you choose becomes locked in. You can't change the number of testing rounds after saving the project.

Under the Fieldwork tab, the testing round tabs are located to the right of the Test Plan tab. The names of the available tabs depend on the number of testing rounds for the project:

  Rounds of testing   Tab labels
  One                 Testing
  Two                 Interim, Final
  Four                Q1, Q2, Q3, Q4

Sample size logic in test plans

Sample size is set when a test plan is created the first time, which occurs when you define a control. The table below describes the logic used to automatically set the sample size field based on two control attribute fields: Frequency and Type. You can specify the values for both fields when you define controls.

Note

If you manually update the sample size in the test plan, and subsequently update the Frequency and Type values of the control, the sample size in the test plan is not overridden.

If Type = Application/System Control:

  Max Sample Size is set to 1.

If Type is not Application/System Control AND Frequency is one of the values listed below:

  Sample size is set to the value that corresponds to the Frequency:

  • Continuous 1
  • Weekly 6
  • Bi-Weekly 3
  • Monthly 2
  • Quarterly 1
  • Semi-Annually 1
  • Annually 1

If neither of the above conditions is met:

  The Max Sample Size defined at the project level (Settings) is used.

Note

If you import a control from a framework to a project or to another framework, the max sample size is defined at the framework level (Test Plan > Total Sample Size).
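The precedence described above, worked through as an added Python example. This is illustration written for this page, not HighBond code: the Control and TestPlan class names, the manually_set flag and the fallback_max_sample_size parameter are invented here. The fallback parameter stands for whichever max sample size applies outside the control itself (project Settings, or the framework test plan's Total Sample Size for an imported control). The example also models the note about manual edits under the reading that changing Frequency or Type re-derives an automatic value but never overwrites a hand-entered Total Sample Size.

```python
"""Derivation of a test plan's sample size from control attributes.

Added illustration of the sample size logic on this page; not HighBond code.
Class and field names (Control, TestPlan, manually_set) are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

APPLICATION_SYSTEM_CONTROL = "Application/System Control"

# Frequency -> sample size for controls that are not Application/System
# controls, as listed on this page.
FREQUENCY_SAMPLE_SIZE = {
    "Continuous": 1,
    "Weekly": 6,
    "Bi-Weekly": 3,
    "Monthly": 2,
    "Quarterly": 1,
    "Semi-Annually": 1,
    "Annually": 1,
}


def default_sample_size(control_type: Optional[str],
                        frequency: Optional[str],
                        fallback_max_sample_size: int) -> int:
    """Return the automatically derived sample size. First match wins:

    1. Application/System controls are sampled once.
    2. Other controls with a listed Frequency use the table value.
    3. Anything else (e.g. Frequency left blank or not in the table) uses the
       max sample size configured outside the control (project Settings, or
       the framework test plan's Total Sample Size for imported controls).
    """
    if control_type == APPLICATION_SYSTEM_CONTROL:
        return 1
    if frequency in FREQUENCY_SAMPLE_SIZE:
        return FREQUENCY_SAMPLE_SIZE[frequency]
    return fallback_max_sample_size


@dataclass
class TestPlan:
    total_sample_size: int
    manually_set: bool = False  # True once a user has edited the field by hand


class Control:
    """Minimal stand-in for a control and its test plan (hypothetical names)."""

    def __init__(self, control_type: Optional[str], frequency: Optional[str],
                 fallback_max_sample_size: int):
        self.control_type = control_type
        self.frequency = frequency
        self.fallback_max_sample_size = fallback_max_sample_size
        # The test plan is created once, when the control is defined, and the
        # sample size is derived at that moment.
        self.test_plan = TestPlan(default_sample_size(
            control_type, frequency, fallback_max_sample_size))

    def set_total_sample_size(self, value: int) -> None:
        """A user edits Total Sample Size in the test plan by hand."""
        self.test_plan.total_sample_size = value
        self.test_plan.manually_set = True

    def update_attributes(self, control_type: Optional[str] = None,
                          frequency: Optional[str] = None) -> int:
        """Change Frequency and/or Type on the control and return the
        resulting Total Sample Size.

        An automatically derived value is recomputed; a manually entered
        value is kept, matching the note on this page.
        """
        if control_type is not None:
            self.control_type = control_type
        if frequency is not None:
            self.frequency = frequency
        if not self.test_plan.manually_set:
            self.test_plan.total_sample_size = default_sample_size(
                self.control_type, self.frequency, self.fallback_max_sample_size)
        return self.test_plan.total_sample_size
```

The point worth checking in practice is the last branch: a manual control whose Frequency is blank, or set to a value not in the table, silently inherits the project-level (or framework-level) max sample size rather than a frequency-based one, so review that setting before relying on the derived value.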

Assurance

As you execute procedures or perform walkthroughs and tests, the Projects app automatically aggregates testing results and issues, and calculates assurance in real time. As controls pass, assurance increases, and as controls fail, assurance decreases.

For more information, see Getting started with assurance for risk.

Examples

Note

The examples in this panel are connected. The first tab presents the start of the scenario.

Scenario

You are an Audit Manager who owns an entire IT General Controls Review (IA Context) project. Previously, you created a project from a project template. Now, you need to test one of the controls in the Physical Security objective to evaluate the design of the control.

Process

You perform a walkthrough and determine that the walkthrough passes.

Result

You document the walkthrough as follows:

  • Walkthrough Results On May 24, 2018, inquired with Mark Manning (Manager) to ascertain that policies exist and are communicated to employees. As per inquiry, policy documents have been distributed to employees, and a recurring physical security training session takes place semi-annually to ensure employees are aware of their responsibilities.
  • Is the control designed appropriately? Designed appropriately

Scenario

Now that you performed a walkthrough, you have a better understanding of how the control is designed to mitigate risk.

Process

Before you launch into testing the effectiveness of the control, you need to prepare a test plan that identifies how you will test the control. You define the testing method, the total sample size (split amongst testing rounds), and the test steps that need to be performed to test the control.

Result

You document the test plan as follows:

  • Testing Method Inspection
  • Total Sample Size 1
  • Test Steps / Test Attributes

    1. Obtain a copy of the organization's physical security policy document.
    2. Evaluate documentation for the following:
      1. Coverage of critical pieces of the organization's plans and procedures
      2. Documentation of incidents

Scenario

Since you documented the testing method and steps in your test plan, you know how you are going to test the control.

Process

You perform the test to evaluate the operational effectiveness of the control and determine that the test passes.

Result

You document the test as follows:

  • Are you testing this Control as part of this testing round? Yes
  • User Assigned yourName
  • Testing Results There is a formally documented and communicated physical security policy and control structure in place.
  • Did this Control operate effectively? Operating Effectively

Permissions

Only Professional Managers and Professional Users can execute procedures, perform walkthroughs and tests, and update test plans.

If a test plan was created in a framework, imported into a project, and then modified, Project Admins, Project Creators, and users assigned the Professional Manager or Professional User role within a framework can sync those changes back to the framework for distribution into other projects.

Get context about a control or procedure with Control X-Ray or Procedure X-Ray

If your team does routine testing, you might need to execute procedures or test controls with little background knowledge. Information like previous testing results and key attributes will help you gain a fuller understanding of what you're working on.

The following contextual information is available:

  • A link to the procedure or control
  • A link to the source framework, if applicable
  • Its attributes
  • Previous testing results and sample sizes
  • Related risks, if any have been associated with this control or procedure
  • Previous issues, if there were any; issues do not appear if they were not published or were not created on the related procedure or control page
  • Related narratives, if any have been linked to this control or procedure
  • Related compliance maps, if this procedure or control is mapped to any requirements
  • Related assets, if you have a subscription to IT Risk Management (previously ITRMBond), have associated assets to a risk category in a project, and view a control associated with that risk category

View and navigate to your controls and results in Projects

In Projects, on the Controls tab, you can see an overview of the controls that are either assigned to you or associated with control tests or objectives that are assigned to you. You can also navigate to the procedures, or walkthroughs and test plans associated with those controls, and see their results at a glance.

You can show or hide the Controls tab in your project type settings. For more information, see Risks and Controls tab.

The Controls tab consists of two parts:

  • Pie charts: View a breakdown of the procedures, or walkthroughs and test plans, associated with your controls.
  • Controls table: A customizable table that contains your controls and shows the results associated with them. You can navigate to your controls or results directly from the table.

    Note

    In archived projects, controls don't appear in the table.

Execute a procedure

In projects with a Workplan workflow, you can record the outcome of an executed procedure.

  1. Open the Projects app.

    The Projects homepage opens.

  2. Open a project. The project dashboard opens.
  3. Click the Fieldwork tab.
  4. Click Go To next to the objective you want to work with and select Execute Procedures.
  5. Click View/Edit beside the appropriate procedure.
  6. To get more context about this procedure, click Procedure X-Ray.
  7. Enter the relevant information, and click Save:
    Field / Description

    Planned Milestone Date

    optional

    specifies the planned date of a milestone associated with the execute procedure

    Project Admins can enable and customize this field under Manage project types.

    Actual Milestone Date

    optional

    specifies the actual date of a milestone associated with the execute procedure

    Project Admins can enable and customize this field under Manage project types.

    Attributes

    optional

    specifies the attributes associated with the execute procedure

    Project Admins can define custom attributes for execute procedures under Manage project types.

    Procedure Results

    optional

    a description about the procedure results

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words

    Were issues identified when completing this procedure?

    optional

    • Issue(s) noted: specifies that the procedure has failed
    • No Issues: specifies that the procedure has passed

    You can use the Issues panel to record issues.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

  8. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, HighBond does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  9. Optional. Link evidence to the procedure. For more information, see Linking evidence from Results.

Perform a walkthrough

In projects with an Internal Control workflow, you can evaluate the design of controls.

  1. Open the Projects app.

    The Projects homepage opens.

  2. Open a project. The project dashboard opens.
  3. Click the Fieldwork tab.
  4. Click Go To next to the appropriate process and select Walkthroughs.
  5. Click View/Edit beside the appropriate walkthrough.
  6. To get more context about this control, click Control X-Ray.
  7. Enter the relevant information, and click Save:

    Field / Description

    Planned Milestone Date

    optional

    Specifies the planned date of a milestone associated with the walkthrough.

    Project Admins can enable and customize this field under Manage project types.

    Actual Milestone Date

    optional

    Specifies the actual date of a milestone associated with the walkthrough.

    Project Admins can enable and customize this field under Manage project types.

    Attributes

    optional

    Specifies the attributes associated with the walkthrough.

    Project Admins can define custom attributes for walkthroughs under Manage project types.

    Walkthrough Results

    optional

    A description about the walkthrough results

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words

    Is the control designed appropriately?

    optional

    • Designed Appropriately: specifies that the control design has passed
    • Design Failure: specifies that the control design has failed

    You can use the Issues panel to record issues.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

  8. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, HighBond does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  9. Optional. Link evidence to the walkthrough. For more information, see Linking evidence from Results.

Update a test plan

In projects with an Internal Control workflow, you can identify the testing method or type of evidence obtained, specify the total sample size (split amongst testing rounds), or record test steps or attributes.

If the test plan was created in a framework and imported into a project, you can edit it in a project, and a user who has sync access to the framework can sync those changes back to the framework and to other projects that use it.

  1. Open the Projects app.

    The Projects homepage opens.

  2. Open a project. The project dashboard opens.
  3. Click the Fieldwork tab, or within a framework, click the Sections tab.
  4. Click Go To beside the appropriate process, and select Test Plan.
  5. Click Edit Plan beside the appropriate test plan.
  6. To get more context about this control, click Control X-Ray.
  7. Enter the relevant information and click Save:
    Field / Description

    Testing Method

    optional

    Specifies how you obtained the evidence.

    Total Sample Size

    optional

    Specifies a numerical value that defines the total sample size (split among testing rounds). For more information, see Sample size logic in test plans.

    Test Steps/Test Attributes

    optional

    Specifies the steps or attributes associated with the test plan.

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words

Perform a test

In projects with an Internal Control workflow, you can evaluate the operating effectiveness of controls.

  1. Open the Projects app.

    The Projects homepage opens.

  2. Open a project.

    The project dashboard opens.

  3. Click the Fieldwork tab.
  4. Click Go To next to the appropriate process and select Testing.
  5. Click the tab for the testing round you want to work with.
  6. Click Update Test beside the appropriate test.
  7. To get more context about this control, click Control X-Ray.
  8. Enter the relevant information, and click Save:
    Field / Description

    Are you testing this key control as part of this testing round?

    • Yes: specifies that the testing results are applicable to the testing round
    • No: specifies that the testing results are not applicable to the testing round

    User Assigned

    optional

    specifies the team member responsible for testing the control

    Clicking Update Assignment sends an email notification to the specified team member.

    Note

    Only Professional Managers, Professional Users, and Contributor Testers can assign control tests, and only Professional Managers, Professional Users, and Contributor Testers can be selected from this field.

    Planned Milestone Date

    optional

    specifies the planned date of a milestone associated with the test

    Project Admins can enable and customize this field under Manage project types.

    Actual Milestone Date

    optional

    specifies the actual date of a milestone associated with the test

    Project Admins can enable and customize this field under Manage project types.

    Attributes

    optional

    specifies the attributes associated with the test

    Project Admins can define custom attributes for tests under Manage project types.

    Testing Results

    optional

    specifies details about the test results

    Note

    Rich text fields cannot exceed 524,288 characters.

    Tip

    To enable spell check on rich text fields, do one of the following:

    • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac
    • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words

    Is this Control operating effectively?

    optional

    • Operating Effectively: specifies that the control test has passed
    • Exception(s) Noted: specifies that the control test has failed

    You can use the Issues panel to record issues.

    Tip

    You can automatically populate the value of this field based on a Results metric. For more information, see Automating control assessments.

  9. Optional. Under Supporting Files, upload any necessary files. For more information, see Working with attachments.

    Note

    For security reasons, HighBond does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  10. Optional. Link evidence to the test. For more information, see Linking evidence from Results.