Review and Remediation

Review capabilities allow select users, such as a global process owner, global review board or Internal Audit to perform reviews on various objects in the system. The review process establishes accountability for the execution of evaluations by the process owner. Reviews also provide a change control mechanism.

The following objects may be reviewed:

Risk Control Matrix
Process (process evaluation)
Objective (objective evaluation)
Risk (design effectiveness and adequacy of controls evaluation)
Control (operating effectiveness evaluation)
Organizational unit, process, IT application, and project/event documentation
Risk Event Categories
Action Plans
RCM Tests
Findings
Work Papers
Audits
Audit Tests

Users must be assigned a reviewer role for the select object to perform a review. Review responsibilities include the ability to comment, provide review status and lock further edits of the given object. See Roles for additional information on the various review roles available in the Governance Portal.

One of the main purposes of a review is to lock down information so that documentation or evaluations are not modified in the time between performing a review and certification. The lock feature allows the project team to manage changes to documentation, risk event categories and the overall control structure. If selected, the lock feature prevents changes to documentation as well as changes to all aspects of the RCM, objectives, risks and controls including the evaluation information. Reviewers or project teams may want to employ this feature after evaluations have been completed to prevent any further changes. Evaluations can be unlocked at later dates.

The lock feature behaves slightly different depending on the object being locked, as defined in the table below:

Object	Lock Feature
Documentation	Prevents users from: adding new documentation editing existing documentation deleting existing documentation
Risk Control Matrix	Prevents users from: Adding or editing any information within the risk control matrix including objectives, risks, controls, tests and risk event categories. Note: Users are still able to edit checklists.
Risk Control Matrix - Process	Prevents users from: editing attributes of the process or process evaluation deleting the Risk Control Matrix adding new objectives, risks, controls, testing detail editing existing objectives, risks, controls, testing detail linking objectives, risks, controls or testing details deleting objectives, risks, controls, or testing details Note: Users will be able to respond to individual checklist questions as well as the checklist summary.
Risk Control Matrix - Objective	Prevents users from: editing attributes of the objective or objective evaluation deleting the given objective adding / linking risks to the objective
Risk Control Matrix - Risks	Prevents users from: editing attributes of the risk or risk evaluation deleting the given risk adding / linking objectives or controls to the risk
Risk Control Matrix - Controls	Prevents users from: editing attributes of the control or control evaluation deleting the given control adding / linking testing detail or risks to the control Note: Users with appropriate access can continue to edit existing tests.
Risk Event Category	Prevents users from: editing attributes or the evaluation of the risk event category deleting the risk event category (check on this) adding/linking risks to the risk event category
Action Plans	Prevents users from: editing the initiation or resolution section of the action plan deleting the action plan adding tasks or notes to the action plan uploading/linking/editing files or URLs to the action plan
Findings	Prevents users from: editing audit finding attributes deleting the audit finding adding, editing, or deleting audit activities relating to the particular audit finding
Audits	Prevents users from: editing the audit attributes, scope, auditor or auditee information changing to the analysis section of all work papers included in the audit activity list
Work Papers	Prevents users from changing the work paper analysis section
Tests	Prevents users from: editing attributes of the test editing the Test Results section Note: A Test form displays Completed check box instead of the Lock check box.

In This Section

Perform a Review