Control library

The control library is the central repository where you can view, document, and maintain your controls. The control library is part of the Compliance module. This article explains the setup of the control library and shows how you can create and maintain your controls.

Introduction

A control library is a collection of (pre-approved) internal controls that an organization can use to help ensure compliance with laws and internal and external regulations, and to help achieve its strategic goals. These controls can be used to prevent or detect errors or fraud, and to ensure that financial and other information is accurate and reliable.

Process

The 3rdRisk platform enables you to manage the full lifecycle of a control. This lifecycle consists of 6 steps: planning, designing, implementing, executing, testing, and finally, evaluating and improving. Each step is explained below. We also created a diagram to visualize the process.

Plan control

Control planning includes four steps:

  • Identify the risk: The first step in planning for a control is to identify the risk that the control is intended to mitigate. This may include identifying the specific regulations or laws that apply to the organization, as well as any internal policies or procedures that need to be followed. It also encompasses gathering threat intelligence and horizon-scanning activities.
  • Assess the risk: Once the risk has been identified, it is essential to assess its likelihood and potential impact. This might include evaluating the likelihood of a particular event occurring, as well as the potential impact on the organization if the event were to occur.
  • Determine the control: Once the risk has been assessed, the next step is determining the appropriate control to mitigate the risk. This may include identifying existing controls that can be used or developing new controls as needed.
  • Create control action plan: After the appropriate control is selected, an action plan should be drafted that describes the activities, timelines, and resources needed to design, implement and execute the control.

In the 3rdRisk platform, steps 1-2 are performed by using the risk management module. After the risk is identified and assessed, a new or existing Issue can be created or linked. This issue can be used to create one or more action plans for designing and implementing the control.

If you already have sufficient information, you can add the control to the control library by clicking [+Add control} and selecting the Plan status to indicate that the control is still in planning. Other available statuses are design, implement and execute. Please note that you can always change the status of a control, e.g, from implement to design, when needed.

 

Design control

Designing the control refers to the process of creating and defining the specific policies, procedures, and processes that will be used to mitigate a particular risk to the organization. This includes identifying the objectives of the control, assessing the risk that the control is intended to mitigate, identifying the specific control activities that will be used, and selecting the most appropriate control procedures that will be implemented.

You can assign or re-assign the status to Design when creating a new or editing a control. This helps you to keep track of all controls that are in the same phase and may require follow-up.

Implement control

Control implementation refers to the process of putting the control procedures and policies that have been designed into action. This includes ensuring that the control procedures are communicated to all relevant parties, training employees on the procedures, and monitoring the control to ensure that it is being implemented correctly and effectively. Control implementation also includes the process of performing checks to ensure that the control as designed works as intended.

When creating a new or editing a control, you can assign or re-assign the status to Implement. This helps you to keep track of all controls that are in the same phase and may require follow-up.

Execute control

Control execution refers to the process of actually carrying out the control procedures and policies that have been designed and implemented. This includes ensuring that employees understand and follow the procedures, monitoring the control to ensure that it is being executed correctly and effectively, and taking corrective action as necessary. Control execution is the final step in the internal control process. It is the point at which the control is actually put into action to mitigate risks and achieve the organization's objectives.

You can assign or re-assign the status to Execute when creating a new or editing a control. This helps you to keep track of all controls that are in the same phase and may require follow-up.

Test control

Control testing refers to the process of evaluating the effectiveness of the controls that have been designed and implemented. This includes testing the controls to determine if they are working as intended and providing the level of protection necessary to mitigate the identified risks. More about internal control testing can be found in this support article.

Evaluate and improve control

Control evaluation and improvement include analyzing the cost/benefit of the control and making adjustments to improve the efficiency and effectiveness of the control. Control evaluation and improvement can be managed by creating or linking an existing issue and action plans.

Adding a control

To add a new control, go to [left menu] Compliance and click Control library. You'll find the Add control button at the top of the page.

Description

Upon clicking the Add control button, a new window appears, asking you to provide descriptive information about the control.

FieldExplanation
Control ID*Add the ID of the control for future reference. You can pick any ID you want. Please note that you can't change the ID once the control is added.
Control title*You can define the control title yourself. You can always change the control title.
Framework section*A control always belongs to one or more framework sections. If you have not inserted a framework section, please check out this support article for instructions.
Location within the organisation*You have to pinpoint the applicability of the control within the organisation. For this end, a new popup will appear which shows the organisational modal as defined in the platform's configuration module.
Risk*A control always mitigates one or more risks. Therefore you need to indicate the risk that is mitigated by the control. This information is retrieved from the Risk management module. Just start typing to get an overview of the applicable risks.
Control objective IDAs one control can be linked to multiple control objectives, it is possible to add your own control objective ID. This will help you to maintain an overview of the objectives that you want to achieve.
Control objectiveHere you can add the control objective.
Control description*Here you can add the control description. Please note that this description is shown to the control tester, validator and auditor when testing the control.
Test procedure*

Provide the testing procedure with clear instructions how to test the control. Please note that this procedure is shown to the control tester, validator and auditor when testing the control.

You do also have the option to upload an explainer video. More about this feature will be released soon.

Status*Select the status of the control. You can choose between plan, design, implement and execute.

Ownership

The next fields cover the ownership of the control.

FieldDescription
Control owner*This representative is end-responsible for the design, implementation and execution of the control.
Control executor*This representative is responsible for executing the control on a daily basis. This is usually a delegate of the control owner.
Control validator*This representative is responsible for validating the self-test results by the control owner or control executor. This can be somebody from the 2nd or 3rd line of defense.
Control auditor*This representative is responsible for verifying the self-test results of the control owner and control validator. This is usually somebody from the internal or external audit team.

Control attributes

The next fields cover the attributes of the control.

FieldDescription
Frequency*

You have the following options:

  • Continious
  • On occurance
  • Daily
  • Weekly
  • 4-weekly
  • Monthly
  • Quarterly
  • Annually
Nature*You can choose between automated, IT dependent, manual and autorisation.
Activity type*This dropdown gives you two options: preventive or detective control.
Relevance*Here you can indicate whether the control is a key control or not.

Relations

The next and final fields cover the relations of the control.

FieldDescription
Third-partyIf applicable, you can link an existing third party that is involved with the control.
AssetsIf the control protects one or more assets specifically, you can link them here.
Associated issues

You can create a new issue or link an existing one. For instance, when adding a control that is in implementation phase, you can link an existing issue and add an action plan to initiate and monitor the implementation process. When you click on the Add issue button, you will get a small popup showing you the 5 latest issues or the options to create a new issue or search a specific one.

 

Section tagsYou can define a tag which you can use to label certain data.

Subcontrols

Some controls are performed at multiple locations or systems. Think of a business continuity plan that has to be implemented and maintained at three locations. In these cases, you can add one or more subcontrols to a control.

To add a new subcontrol, go to the right side of the data table and click on the three dots {...} to trigger the actions menu of a control.

Click Create subcontrol to add a subcontrol. A new window appears in which certain fields are already prefilled based on the main control. Check the prefilled information and complete the empty fields.

In the data table, the (number of) subcontrols are indicated in the first column.

Upon clicking on the number, the subcontrols will unfold, as shown in the picture below.

Searching controls

The control library includes advanced filters to quickly search for the right control(s). You have two options. The first option is to activate the filters and use the dropdowns to find the control(s) that you are looking for.

The second option is to use the diagram at the top of the data table. Each bar represents a framework section. You can click on each colored segment to filter the controls.

Editing controls

You can easily edit an existing control or subcontrol via the actions menu. This menu is located at the right side of the data table and indicated by the three dots {...}. Edit control is the first option in the list.

Monitoring controls

The control library includes various indicators helpful for control monitoring. The status indicator shows you the status of the control: plan, design, implement or execute.

Another important indicator is the control heartbeat. This line represents the performance of the control over time. You can hover over to learn how the control performed during the last self-assessment(s).