Managing controls using frameworks
Use frameworks to maintain a master copy of risks and controls for your projects.
What is a framework?
A framework is a master copy of risks and controls that you can use to build projects. Frameworks are helpful for managing changes to risks and controls in an evolving regulatory and business environment.
How it works
First, you create a framework and define objectives, risks and controls in the framework. Then, you import controls from a framework into one or more projects.
When you import a control from a framework to a project, you also import associated risks and test plans. Any risks and controls imported to a project are linked to the risks and controls in the framework.
Syncing frameworks with projects
There is a one-way sync between frameworks and projects. You must edit the risk or control in the framework in order to sync changes to the risk or control in the project. Editing the risk or control in the project does not prompt you to sync changes to the risk or control in the framework.
For more information, see Syncing projects with frameworks.
Backing up and exporting frameworks
To back up or export a framework, you must first import the framework into a project. Then, you can back up and export the project containing the framework information, and archive the project.
Depending on the project type, the terms for objective, risk, or control may vary. The terminology used in the project is prioritized over the terminology used in the framework.
Different ways of using frameworks
You can use frameworks to manage risk and control changes in multiple projects, or to build the main structure of similar projects and customize those projects as needed. You can also build frameworks from projects.
- Manage changes to risks and controls in a framework and sync changes to projects
- Initially build projects using a framework and then customize projects as needed
- Build a master copy of risks and controls from multiple projects
Importing controls from a project to a framework does not create an association between the project and framework, and allows you to efficiently populate your framework with relevant data.
Other best practices for using frameworks
You can use a variety of strategies to make effective use of frameworks.
Group controls for reporting purposes
When you set up a framework, consider grouping controls within a process for an optimal reporting experience. Your organization may report on different types of entities (business units, departments, locations, or key initiatives that are within the scope of the organization's project function), so ensure that your framework is set up to reflect the desired reporting experience.
Define fields but keep values blank
Frameworks dictate the fields the project(s) must use, but the values in the fields can be specific to each project.
To use the framework as a template, define the fields you need within the framework, but keep the values blank. For example, you may need to define several control attributes. You can define these fields within the framework, and specify the values for these fields within the relevant projects.
Use frameworks to source similar projects
If your organization performs different types of projects (such as SOX Audits, IT Audits, and Operational Audits), you can set up a framework that corresponds with each type of project. You can also use frameworks to source a subset of processes that apply to multiple projects. For example, most Operational Audits include a planning and wrap-up section. Using a framework, you can contain the subset of common processes (planning and wrap-up), and import these processes to the relevant Operational Audits.
Keep language generic
Where possible, keep descriptive language used in risks and controls generic so you can easily apply updates to multiple projects. If the language used is too specific, you will need to decide what to sync and what not to sync, which could lead to a burdensome maintenance process.
Building projects using frameworks
Previously, you created three projects that are all IT-related:
- IT General Controls Review
- IT Compliance Issue Management
- Cybersecurity Review
You recognize that there are similar controls that need to be set up within each project, and you want to be able to create one set of controls that can be used across all projects.
You create a new framework called IT General Controls Framework, and you define the objectives, risks, and controls within the framework. Then, you import the controls from the framework into each project.
The risks and controls in the framework are linked to the risks and controls in the projects. You can now either update the projects as needed, or ensure that updates made to risks and controls in a framework propagate to the appropriate projects by syncing projects with frameworks.
Projects Admins, Project Creators, and users assigned the Professional Manager or Professional Users role within a framework can create frameworks and sync projects with frameworks.
Users assigned the Contributor Manager, Contributor Tester, or Contributor Users role within a framework can edit all controls within an objective if they have been assigned as objective owner, or specific controls if they have been assigned as control owner on individual controls.
Create a framework
Interface terms are customizable. Depending on your organization's settings, some terms may be different.
- From the Projects homepage, under Planning And Results, click Frameworks.
- Click Start a New Framework.
- Enter a name and description for the framework.
- Select a project type from the drop-down list.
Ensure that you select a workflow (Internal Control or Workplan) that matches the workflow of the project you want to build. For more information, see Workflows and project types.
- Click Save.
Result: The new framework is created.
Use this simple workflow to build a project using a framework: Frameworks quick start