Audit Planning & Quality Use Case Guide

Transcription

1 RSA Archer GRC Audit Planning & Quality Use Case Guide 6.1

2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: Trademarks RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to License agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC. Third-party licenses This product may include software developed by parties other than RSA. Note on encryption technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Note on Section 508 Compliance The RSA Archer GRC is built on web technologies which can be used with assistive technologies, such as screen readers, magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of users of these technologies as part of our ongoing product road map for the RSA Archer GRC. Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright EMC Corporation All Rights Reserved. Published in the USA.

3 Contents Audit Planning & Quality Release Notes 5 Chapter 1: Audit Planning & Quality 6 RSA Archer Audit Planning & Quality 6 Get started 7 Chapter 2: Audit Planning & Quality Design 8 Architecture Diagram 8 Applications and Questionnaires 9 Personas, Access Roles and Record Permissions 13 Dashboards 14 Data Feeds 14 Offline Access 16 Chapter 3: Installing Audit Planning & Quality 17 Step 1: Prepare for the Installation 17 Step 2: Update the License Key 17 Step 3: Install the Package 18 Step 4: Perform Post-Installation Cleanup 18 Step 5: Set up Data Feeds 18 Step 6: Set up Offline Access (Optional) 18 Step 7: Resolve Dependencies Between Packages 19 Step 8: Test the Installation 19 Installing the Audit Planning & Quality Package 19 Step 1: Back Up Your Database 19 Step 2: Import the Package 19 Step 3: Map s in the Package 20 Step 4: Install the Package 29 Step 5: Review the Package Installation Log 30 Performing Post-Installation Cleanup for Audit Planning & Quality 31 Step 1: Review and Fix Dependencies on Other Use Cases 31 Step 2: Delete Obsolete s 34 3

4 Step 3: Validate Formulas and Calculation Orders 35 Step 4: Verify Key s 36 Step 5: Update Inherited Record Permissions s 36 Setting Up Audit Planning & Quality Data Feeds 36 Import a Data Feed 37 Schedule a Data Feed 37 Appendix A: Package Installation Log Message Examples 40 4

5 Wh a t's Ne win Re le a s e 6.1 RSA Archer GRC Audit Planning & Quality Audit Planning & Quality Release Notes The following items have been changed in the 6.1 release: Enhancement Description Dashboards A new Audit Issue Management dashboard has been created. For a complete list of iviews and reports in this dashboard, see the Data Dictionary. The Audit Executive Management dashboard has been rearranged and a new report (Audit Entities Due For An Audit By Year (Group By Next Audit Due Date)) has been added. Offline Access Offline Access is no longer displayed in the navigation menu. The Offline Access functionality remains the same. Audit Planning & Quality Release Notes 5

6 Chapter 1: Audit Planning & Quality According to PwC s 2015 State of Internal Audit Survey of more than 1,300 chief audit executives, internal audit mangers, and board members, 60% said that in the next five years internal audit should have a bigger role in the enterprise risk management process. However, internal audit s main challenge is not having access to broad, dynamic enterprise risk and control information and analysis and instead relying only on their static audit universe risk assessment (AURA) to evaluate risk and drive audit work. This prevents internal audit from adjusting their audit plans to rapidly changing risks and business concerns. With decentralized audit plan and risk assessment documentation captured in multiple tools and systems that are difficult to integrate, there is no easy, fluid way to manage audit plans, let alone coordinate objectives among risk and compliance groups. Finally, internal audit is under pressure from audit committees and management to improve their processes; yet their quality control procedures are sporadic, inconsistent and difficult to follow up on. RSA Archer Audit Planning & Quality RSA Archer Audit Planning & Quality enables internal audit teams to define their audit entities and universe, risk assess them, plan for audit engagements during the coming periods and manage their audit staff and schedule. Since Audit Planning & Quality integrates rich management risk and control information, internal audit can ensure their audit objectives are aligned with enterprise risk management and other related groups. Audit Planning & Quality puts you in control of the entire audit planning lifecycle, enabling improved governance of audit-related activities while also providing integration with your risk and control functions. Key Features Complete workflow to create and assess audit entities, perform risk assessments and manage audit plans Workflow to manage your audit staff and scheduling of audits Centralized location for storing and managing audit plans, audit entities, and assessment results Audit quality assurance and review checklists Key Benefits With RSA Archer Audit Planning & Quality, you will be able to: Execute on a dynamic, risk-driven audit plan that is aligned with the organization s priorities and focuses on the most important risks Chapter 1: Audit Planning & Quality 6

7 Easily provide Board-level reporting that keeps the audit committee well-informed of the status of audit plans, risk and critical findings Demonstrate the strategic value of internal audit and more efficient use of audit resources Reduce external auditor fees by providing access to self-serve information they need Get started Learn more about the use case design Install and set up the use case Chapter 1: Audit Planning & Quality 7

8 Chapter 2: Audit Planning & Quality Design Architecture Diagram The following diagram shows the relationships between the applications and questionnaires in the Audit Planning & Quality use case. Chapter 2: Audit Planning & Quality Design 8

9 Applic a tions a ndque s tionna ir e s RSA Archer GRC Audit Planning & Quality Applications and Questionnaires Application/Questionnaire Audit Entity Description The Audit Entity application provides a single, centralized location to capture details about each area that could be the subject of audit scrutiny, such as business processes, organizational units (such as departments), specific topics (for example, a regulation, such as FFIEC), IT infrastructure and applications, and other individual areas. Through the Audit Entity application, you can: Define each audit entity and create a "universe" of audit entities. Scope each audit entity by relating the entity to crossreferenced records in the Business Processes, Applications, Devices, and Facilities applications. Assign audit and business ownership to each audit entity. Perform audit entity risk assessments. Compare audit risk assessments to management assessments of risk. IA Engagement and Assessment Results Audit Engagement The IA Engagement and Assessment Results application captures historical audit engagement and risk assessment results for the Audit Entity application for maintaining audit integrity, reporting, and comparing historical information. The application uses trending charts and historical data from a data feed. Trending charts capture two years of data and allow you to view and capture any changes to risk assessment questions before the historical record is created through an Archer to Archer data feed. The Audit Engagement application serves as an Internal Audit mechanism for creating, managing, tracking, and reporting on individual audit engagements. The application allows users to determine the audit engagement s scope, schedule and staff resources for the audit, create and manage workpapers, perform audit testing, document findings, and draft the audit report. This can be done in an online or offline mode. Chapter 2: Audit Planning & Quality Design 9

10 Application/Questionnaire Audit Plan Plan Entity Description The Audit Plan application allows you to create and manage audit plans. The audit plan includes a plan name, description, and estimated start and end date. To include items in the plan, you associate records from the Plan Entity application. The plan entity record creates a link between previously defined audit entity records and the audit plan record. The audit plan enables you to capture and track other information for the audit plan, such as plan hours and expenses. The audit plan contains a workflow for review and approval, links to audit engagements, and enables ongoing management and reporting on the audit plan. This structure facilitates approving the plan and reporting to the Audit Committee, communicating with management, and monitoring the overall status of the audit plan on an ongoing basis. Once an audit entity is identified as a target for an audit engagement, based on factors such as risk (from the audit entity risk assessment), regulatory scrutiny, or strategic value, the entity is included in an audit plan. The Plan Entity application allows you to associate an audit entity with an audit plan and audit engagement by creating an individual plan entity that can be edited and updated as necessary. The plan entity is a record designed to capture the name of the plan entity, planned hours and expenses, as well as the type of audit engagement and resource type. The plan entity record cross-references the audit entity to the audit plan. Base Availability The Base Availability application allows you to capture the general availability of each member of your audit team and view information related to the contact record, such as position start and end dates, employment type (full, part time), and days and hours per week the contact typically works. Records in the Base Availability application affect the calculation in the Estimated Resource Utilization report, which helps you effectively determine the utilization of and allocate resources to audit engagements. Chapter 2: Audit Planning & Quality Design 10

11 Application/Questionnaire Degrees and Certifications Expense Reports Expense Slips Internal Audit Customer Survey Internal Audit Department Review Description The Degrees and Certifications application allows you to capture information about team members' education, certifications, and degrees. You can track issue and expiration dates, whether Continuing Professional Education (CPE) is required, and other information. This information helps you assign audit staff with the appropriate background to specific audit engagements and tasks. The Expense Reports application stores and maintains all expense reports, which are composed of individual records called expense slips. This application also contains workflow for review, where a designated reviewer may approve or deny expenses and provide review comments. The Expense Slips application is sub-component of the expense report and is hidden from the layout. The application includes detailed line items in an expense report. These line items are integrated into the Expense Reports application, where they can be submitted for review. The Internal Audit Customer Survey questionnaire documents the results of customer surveys that are sent to the audit customer at the conclusion of the audit. The feedback can be utilized to evaluate the performance and effectiveness of the audit procedures and staff that conducted it. During the Wrap Up phase of the engagement, the Internal Audit Customer Survey and the Internal Audit Quality Assurance Review Checklist questionnaires allow you to evaluate the audit team performance on the engagement. You can create reports or display the Wrap Up tab in the engagement to communicate the results with the Audit Committee. At the end of the year, the Internal Audit Department Annual Review is completed to evaluate the audit team across multiple engagements. With the Executive Management access role, Audit Committee members can view the results of the Internal Audit Annual Review and all other surveys on their dashboards and create reports. Chapter 2: Audit Planning & Quality Design 11

12 Application/Questionnaire Internal Audit Quality Assurance Review Checklist Question Library Timesheet Tasks Training Description The Internal Audit Quality Assurance Review Checklist questionnaire allows you to document the quality assurance review of both the audit engagement and the audit team at the conclusion of the engagement. The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library. The Timesheet Task application allows auditors to capture their actual time spent on audit tasks and in each phase of an engagement. The time reported rolls up through an appointment to the audit engagement as billable or non-billable categories, such as vacation, sick time, or training. The Training application allows you to capture team members' training history and the Continuing Professional Education (CPE) credits they have obtained toward renewing professional certifications. This application is used to help assign audit staff with the appropriate background to specific audit engagements and tasks. Note: The Audit Planning & Quality package includes applications that are licensed as part of Audit Engagements & Workpapers. These applications are included for the following scenarios: If you have not already installed Audit Engagement & Workpapers, you do not need to install that package before installing Audit Planning & Quality. If you are upgrading from Audit Engagements & Workpapers and have made alterations to Business Processes, Devices, Facilities or Applications, you can simply install the Audit Planning & Quality package to get the updated versions. All other applications included in the package should be reinstalled as part of the upgrade process. Chapter 2: Audit Planning & Quality Design 12

13 Pe r s ona s,a c c e s s r ole s a ndr e c or dpe r mis s ions RSA Archer GRC Audit Planning & Quality Personas, Access Roles and Record Permissions The following table describes the general audit industry functions that make up the IA organization of a company. Depending on the audit organization of your company, these functions and responsibilities may vary. Function Chief Audit Executive (CAE) or Internal Audit Director (IAD) Audit Committee Internal Audit managers Lead auditor Internal auditor External auditor Description Manages the IA organization and oversees the audit team, the assessment of the audit universe, and subsequent planning. The CAE or IAD works with audit management and teams in the planning and performing of audit engagements, reports to the Audit Committee and executive management, and coordinates work with external auditors. Works with the CAE or IAD to oversee IA, receives audit results focusing on critical matters, selects external auditors, and provides recommendations to the board of directors. Consists of multiple levels in an organization, such as vice presidents, directors, and managers. IA managers oversee a functional area within the IA department, such as a region, discipline, product lines, or subject matter areas. IA managers report to the CAE or IAD and are responsible for helping assess the audit universe, determine the audit plan, oversee audit engagements, and lead audit teams. Scopes and plans engagements and testing, reviews testing, drafts reports, and oversees internal auditors on engagements. The lead, sometimes called an audit senior, reports to a manager or director. Works on audit engagements. The internal auditor reports to a lead, auditor, manager, or director for specific engagements and may be a subject matter expert for certain audit types or areas. Evaluates the accuracy of the company s financial statements. The external audit firm is engaged by the Audit Committee and Board of Directors to review the work of IA. For a complete list of access roles and detailed, page-level access rights, see the Data Dictionary. For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary. Chapter 2: Audit Planning & Quality Design 13

14 Da s hboa r ds Da ta F e e d s RSA Archer GRC Audit Planning & Quality Dashboards The use case provides the following dashboards. Dashboard Audit Business Owner Audit Executive Management Audit Issue Management Description Provides Audit Business Owners with information about audit entities created by IA pertaining to their organization, internal audit customer surveys that they need to complete, and open findings assigned to them from audit engagements. Provides Audit Executives an aggregate view of the audit universe, including planning, scheduling, risk-based prioritization, staffing, and management of audit entities. From the dashboard, Audit Executives can view details around audit plans and their performance; audit entity status, prioritization, and risk profile; open findings generated by audit engagements; and management risk coverage of audit plans. Provides information about findings, remediation plans, and exception requests that are related to the audit program. Note: You may want to add this dashboard to the Issues Management workspace. It is not displayed there by default. Audit Management Audit Team Estimated Resource Utilization External Auditor Provides Audit Managers an aggregate view of the audit universe, including planning, scheduling, risk-based prioritization, staffing, and management of audit entities. Provides a portal for auditors to access their recurring or ongoing tasks. Displays the Estimated Resource Utilization report, which calculates an estimated percentage allocation and an estimated percentage billable for all qualified resources over the date range of the report. Provides External Auditors with an aggregate view of the audit universe, including planning, scheduling, risk-based prioritization, staffing, and management of audit entities. Data Feeds The use case provides the following data feeds. Note: For instructions on setting up the feeds, see Setting Up Audit Planning & Quality Data Feeds. Chapter 2: Audit Planning & Quality Design 14

15 Data Feed Scope_Audit_ Entities_1 Scope_Audit_ Entities_2 Scope_Audit_ Entities_3 Audit_ Entities_ Relationship_ 1 Audit_ Entities_ Relationship_ 2 Audit_ Entities_ Relationship_ 3 Audit_ Entities_ Relationship_ 4 Link_Audit_ Engagements_ to_audit_ Plans Create_ Audit_ Workpapers_ By_Audit_ Program Description These feeds allow you to auto-scope an audit entity by gathering controls, risks, information assets, facilities, applications, and devices based on selected business processes. Note: Controls, risks, and information assets are only available through additional use cases. These feeds copy the audit universe relationships from the audit entity down to the audit engagement, allowing you to determine which elements will be in scope for the audit engagement and remove any relationships that you want to exclude from the engagement. This feed identifies any audit engagement tied to an open audit plan (via the plan entity records), and links those audit engagements directly to the audit plan. This feed creates audit workpapers (both levels) based on the audit grouping attribute that is defined in the audit engagement and audit program library. Chapter 2: Audit Planning & Quality Design 15

16 Oflin e Ac c e s s RSA Archer GRC Audit Planning & Quality Data Feed Create_ Additional_ Audit_ Workpapers Clear_ Additional_ Library_Link Audit_Entity_ Historical_ Content Description These feeds create audit workpapers (both levels) from the audit program library based on a individual selection in an audit engagement. This feed makes a copy of the audit entity record in the IA Engagements and Assessment Results application, for purposes of maintaining integrity, reporting, and comparing historical information. Offline Access Offline access enables you to conduct audit engagements in an offline mode on a laptop. Working offline does not require a connection to the RSA Archer GRC Platform. You can add and update records just as if you were working directly in the GRC Platform. Data is stored in a local RSA Archer instance on the laptop and then synchronized to the GRC Platform later. Chapter 2: Audit Planning & Quality Design 16

17 Ste p1 :Pr e pa r e for the ins ta la tion Ste p 2 :Up d a te th e lic e n s e k e y RSA Archer GRC Audit Planning & Quality Chapter 3: Installing Audit Planning & Quality Complete the following tasks to install the Audit Planning & Quality use case. Step 1: Prepare for the Installation 1. Ensure that your RSA Archer GRC system meets the following requirements: RSA Archer GRC Platform version 6.1. Valid license for Audit Planning & Quality 6.1. You have already installed the following use case: Issues Management. A user account on the Platform with access rights to the Data Feed Manager. User account on RSA Link to download the use case files. 2. Download the use case file(s) from the Archer Customer/Partner Community on RSA Link on the "Archer GRC 6.1 Software and Documentation" page ( The following files are included in the RSA_Archer_Audit_Planning_6_1.zip file: Use case install package, RSA_Archer_Audit_Planning_6_1_Install_Package.zip. Data feed file, RSA_Archer_Audit_Planning_&_Quality_6_1_Data_Feeds.zip. 3. Obtain the Data Dictionary for the use case by contacting your RSA Archer Account Representative or calling EGRC. The Data Dictionary contains the configuration information for the use case. 4. Read and understand the "Packaging Data" section of the RSA Archer GRC Online Documentation. 5. Review the Release Notes to understand any known issues before installing and configuring the use case. Step 2: Update the License Key You must update the license key if you are installing a new application, questionnaire, workspace, or dashboard. Note: All customers are required to get a new license key for 6.1. Ensure that you are using a valid 6.1 license key prior to installing packages. Chapter 3: Installing Audit Planning & Quality 17

18 Ste p 3 :In s ta lth e p a c k a g e Ste p4 :Pe r for mpos t-ins ta lc le a nup Ste p 5 :Se tu p d a ta fe e d s Ste p 6 :Se tu p o flin e a c c e s s (o p tio n a l) RSA Archer GRC Audit Planning & Quality The administrator (a web or database administrator) on the server on which the Archer Control Panel resides must update the license key in the Archer Control Panel before the application package is imported in order for the new items to be available for use. 1. Open the RSA Archer Control Panel. 2. From the Instance Management list, click to expand the Instances list. 3. Right-click the instance that you want to update, and click Update License Key. 4. Update the applicable information: Serial Number, Contact Info, and Activation Method. 5. Click Activate. Important: If you do not update the license key prior to installing the package, you will not be able to access workspaces, dashboards and applications in 6.1. Step 3: Install the Package Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. See Installing the Package. Step 4: Perform Post-Installation Cleanup The package installation does not update some attributes of objects, or delete obsolete objects that are not included in the current use case. RSA recommends that you compare the objects in your database with the information in the Data Dictionary to determine which objects are obsolete or have been updated. See Post-Installation Cleanup. Step 5: Set up Data Feeds You must import and schedule each use case data feed that you want to use. See Setting Up Data Feeds. Step 6: Set up Offline Access (Optional) Offline access enables users to conduct audits offline on a laptop. If you plan to use offline access, you must install it separately from the RSA Archer GRC installation. See "Installing Offline Access" in the RSA Archer Online Documentation. Chapter 3: Installing Audit Planning & Quality 18

19 Ste p 7 :Re s o lv e d e p e n d e n c ie s b e twe e n p a c k a g e s Ste p 8 :T e s th e in s ta la tio n Ste p1 :Ba c k upy our da ta ba s e Ste p2 :Impor the pa c k a ge RSA Archer GRC Audit Planning & Quality Step 7: Resolve Dependencies Between Packages After completing the initial installation, you must re-install the use case package and any applicable prerequisite use case packages to resolve any dependencies between them. 1. Install the Issues Management package file. See the RSA Archer Issues Management Use Case Guide. 2. Install the Audit Planning & Quality package file. Step 8: Test the Installation Test Audit Planning & Quality according to your company standards and procedures, to ensure that the use case works with your existing processes. Installing the Audit Planning & Quality Package Step 1: Back Up Your Database There is no Undo function for a package installation. Packaging is a powerful feature that can make significant changes to an instance. RSA strongly recommends backing up the instance database before installing a package. This process enables a full restoration if necessary. An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. New objects created by the package installation must be manually deleted. Step 2: Import the Package 1. Go to the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. 2. In the Available Packages section, click Import. 3. Click Add New, then locate and select the package file that you want to import. Chapter 3: Installing Audit Planning & Quality 19

20 Ste p 3 :Ma p o b je c ts in th e p a c k a g e RSA Archer GRC Audit Planning & Quality 4. Click OK. The package file is displayed in the Available Packages section and is ready for installation. Step 3: Map s in the Package 1. In the Available Packages section, select the package you want to map. 2. In the Actions column, click for that package. The analyzer runs and examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instances and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source). Note: This process can take several minutes or more, especially if the package is large, and may time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings set to less than 60 minutes. When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance. The objects are divided into tabs, depending on whether they are found within Applications, Solutions, Access Roles, Groups, Subforms, or Questionnaires. 3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each object name to determine which objects require you to map them manually. Icon Name Description Awaiting Mapping Review Mapping Completed Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. s marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping. Chapter 3: Installing Audit Planning & Quality 20

21 Icon Name Description Do Not Map Undo Indicates that the object does not exist in the target instance or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping, and must be remedied manually. Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map. Note: You can execute the mapping process without mapping all the objects. The for informational purposes only icon is 4. For each object that requires remediation, do one of the following: To map each item individually, on the Target column, select the object in the target instance to which you want to map the source object. If an object is new or if you do not want to map an object, select Do Not Map from the drop-down list. For Audit Planning & Quality, the following objects may not map without additional use cases licensed. Application Type Action Audit Engagements Audit Engagements Audit Engagements Audit Engagements Audit Engagements Audit Engagements Audit Engagements Authoritative Sources Do Not Map Control Procedures Do Not Map Corporate ives Do Not Map Information Assets Do Not Map Policies Do Not Map Product and Services Do Not Map Risk Register Do Not Map Chapter 3: Installing Audit Planning & Quality 21

22 Application Type Action Audit Engagements Third Parties Do Not Map Audit Entity Authoritative Sources Do Not Map Audit Entity Control Procedures Do Not Map Audit Entity Corporate ives Do Not Map Audit Entity Information Assets Do Not Map Audit Entity Policies Do Not Map Audit Entity Product and Services Do Not Map Audit Entity Risk Register Do Not Map Audit Entity Third Parties Do Not Map Audit Entity Management Risk Information Summary Section Do Not Map Audit Program Library Control Procedures Do Not Map Audit Workpaper Control Procedures Do Not Map Question Library Authoritative Sources Do Not Map Question Library Control Procedures Do Not Map Question Library Control Standards Do Not Map Question Library Policies Do Not Map Question Library Risk Register Do Not Map Contacts Activated Plans (Recovery Team) Do Not Map Contacts BIA (Audit Participant) Do Not Map Contacts BIA (Finance Participant) Do Not Map Contacts BIA (IT Participant) Do Not Map Chapter 3: Installing Audit Planning & Quality 22

23 Application Type Action Contacts BIA (Process Owner) Do Not Map Contacts BIA (Real Estate Participant) Do Not Map Contacts BIA (Regulatory Participant) Do Not Map Contacts Business Continuity Plans (BCP Team Members) Do Not Map Contacts Business Continuity Plans (External Contacts) Do Not Map Contacts Business Continuity Plans (Plan Declaration Authority) Do Not Map Contacts Emergency Notifications (Call Initiator) Do Not Map Contacts Emergency Notifications (Call Recipient) Do Not Map Contacts Loss Events (RCA Analysts) Do Not Map Contacts Loss Events (Transactions) Do Not Map Contacts Participant Do Not Map Contacts Product/Service Contact Do Not Map Contacts RCA Analyst Do Not Map Contacts Risk Project (Participant) Do Not Map Contacts Roles and responsibilities (Primary Lead) Do Not Map Contacts Roles and responsibilities (Secondary Contact) Do Not Map Contacts Roles and responsibilities (Tertiary Contact) Do Not Map Contacts Security Alerts (Related Contact) Do Not Map Chapter 3: Installing Audit Planning & Quality 23

24 Application Type Action Contacts Storage Devices (Contacts) Do Not Map Contacts Team Membership Do Not Map Contacts Transaction Do Not Map Contacts Vendor Profile Do Not Map Business Processes Business Processes Activated Plans (Applications) Do Not Map Assessment Campaign Do Not Map Business Processes Assessment Campaign (Previously Processed Business Processes) Do Not Map Business Processes Business Processes Business Processes Business Processes Business Processes Business Processes Business Processes BCM Risk Register Do Not Map Business Continuity Plans Do Not Map Business Impact Analysis Do Not Map Business Process Assessment History Do Not Map Control Procedures Do Not Map Crisis Events (Process(es)) Do Not Map Engagements (Business Processes) Do Not Map Business Processes Link To Risk Library By Business Theme Do Not Map Chapter 3: Installing Audit Planning & Quality 24

25 Application Type Action Business Processes Link To Risk Library By Risk Event Category Do Not Map Business Processes Business Processes Business Processes Business Processes Business Processes Business Processes Business Processes Business Processes Information Assets Do Not Map Loss Events Do Not Map Metrics Do Not Map Product and Services Do Not Map Risk Projects Do Not Map Risk Register Do Not Map Risk Register Library Do Not Map Threat Project (Business Process) Do Not Map Business Processes Vulnerability Trending (Business Process)(1) Do Not Map Applications Activated Plans (Applications) Do Not Map Applications Application Assessment Do Not Map Applications BCM Risk Register (Applications) Do Not Map Applications Business Continuity Plans Do Not Map Applications Control Procedures Do Not Map Applications Crisis Events (Applications) Do Not Map Chapter 3: Installing Audit Planning & Quality 25

26 Application Type Action Applications Information Asset Do Not Map Applications Product and Services Do Not Map Applications Requirements (Applications) Do Not Map Applications Risk Project (Applications) Do Not Map Applications Threat Project (Applications) Do Not Map Applications Vulnerability Scans (Application) Do Not Map Applications Vulnerability Trending (Application) (1) Do Not Map Devices Activated Plans Do Not Map Devices Baseline Control Procedures Do Not Map Devices BC/DR Plans Do Not Map Devices BCM Risk Register Do Not Map Devices Breaches (Asset(s) Involved) Do Not Map Devices Configuration Scan Results Do Not Map Devices Crisis Events (Devices) Do Not Map Devices Device Risk Assessment Do Not Map Devices Installed Technologies Do Not Map Devices Products and Services Do Not Map Devices Requirements (Device Implemented) Do Not Map Devices Risk Projects Do Not Map Devices Security Alerts (Destination Device) Do Not Map Devices Security Alerts (Device Name) Do Not Map Devices Security Alerts (Source Device) Do Not Map Chapter 3: Installing Audit Planning & Quality 26

27 Application Type Action Devices Security Events (Copy of Destination Device - Enterprise Management Context) Do Not Map Devices Security Events (Destination Device - Enterprise Management Context) Devices Security Events (Source Device - Enterprise Management Context) Do Not Map Do Not Map Devices Storage Devices Do Not Map Devices Technical Control Manual Assessment Do Not Map Devices Threat Projects (Devices) Do Not Map Devices Vulnerability Scan Results Do Not Map Devices Vulnerability Scans (Devices) Do Not Map Facilities Activated Plans (Facilities) Do Not Map Facilities BC/DR Plans Do Not Map Facilities BCM Risk Register (Facilities) Do Not Map Facilities Crisis Events (Facilities) Do Not Map Facilities Engagements (Facilities) Do Not Map Facilities Facilities Assessment Do Not Map Facilities Incidents Do Not Map Facilities Information Do Not Map Facilities Investigations Do Not Map Facilities Requirements (Affected Facilities) Do Not Map Facilities Requirements (Facility) Do Not Map Facilities Risk Project (Facilities) Do Not Map Chapter 3: Installing Audit Planning & Quality 27

28 Application Type Action Facilities Security Controls (Site Location) Do Not Map Facilities Security Incidents (Affected Facility) Do Not Map Facilities Threat Project (Facility) Do Not Map Facilities Vendors Do Not Map Facilities Vulnerability Scans (Facility) Do Not Map Facilities Vulnerability Trending (Facility)(1) Do Not Map Important: Ensure that you map all objects to their lowest level. When objects have child or related objects, a drill-down link is provided on the parent object. Child objects must be mapped before parent objects are mapped. For more details, see "Mapping Parent/Child s" in the RSA Archer Online Documentation. To automatically map all objects in a tab that have different system IDs but the same object name as an object in the target instance, do the following: a. In the toolbar, click Auto Map. b. Select an option for mapping objects by name. Option Ignore case Ignore spaces Description Select this option to match objects with similar names regardless of the case of the characters in the object names. Select this option to match objects with similar names regardless of whether spaces exist in the object names. c. Click OK. The Confirmation dialog box opens with the total number of mappings performed. These mappings have not been committed to the database yet and can be modified in the Advanced Package Mapping page. d. Click OK. To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map. Note: To undo the mapping settings for any individual object, click in the Actions column. Chapter 3: Installing Audit Planning & Quality 28

29 Ste p 4 :In s ta lth e p a c k a g e RSA Archer GRC Audit Planning & Quality When all objects are mapped, the icon is displayed in the tab title. The icon is displayed next to the object to indicate that the object will not be mapped. 5. Verify that all other objects are mapped correctly. 6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting and Importing Mapping Settings" in the RSA Archer Online Documentation. 7. Once you have reviewed and mapped all objects, click. 8. Select I understand the implications of performing this operation and click OK. The Advanced Package Mapping process updates the system IDs of the objects in the target instance as defined on the Advanced Package Mapping page. When the mapping is complete, the Import and Install Packages page is displayed. Important: Advanced Package Mapping modifies the system IDs in the target instance. Any Data Feeds and Web Service APIs that use these objects must be updated with the new system IDs. Step 4: Install the Package All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. A list of conditions that may cause objects not to be installed is provided in the Log Messages section. A log entry is displayed in the Package Installation Log section. 1. Go to the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. 2. In the Available Packages section, locate the package file that you want to install, and click Install. 3. In the Configuration section, select the components of the package that you want to install. To select all components, select the top-level checkbox. To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install. Chapter 3: Installing Audit Planning & Quality 29

30 Ste p 5 :Re v ie wth e p a c k a g e in s ta la tio n lo g RSA Archer GRC Audit Planning & Quality Note: Items in the package that do not match an existing item in the target instance are selected by default. 4. In the Configuration section, under Install Method, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list. Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package. 5. In the Configuration section, under Install Option, select an option for each selected component. To use the same Install Option for all selected components, select an option from the top-level drop-down list. Note: If you have any custom fields or formatting in a component that you do not want to lose, select Do not Override Layout. You may have to modify the layout after installing the package to use the changes made by the package. 6. To deactivate target fields and data-driven events that are not in the package, in the Post- Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install. 7. Click Install. 8. Click OK. Step 5: Review the Package Installation Log 1. Go to the Package Installation Log tab of the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. c. Click the Package Installation Log tab. 2. Click the package that you want to view. 3. In the Package Installation Log page, in the Details section, click View All Warnings. Chapter 3: Installing Audit Planning & Quality 30

31 Ste p1 :Re v ie wa ndfix de pe nde nc ie s onothe r us e c a s e s RSA Archer GRC Audit Planning & Quality For a list of packaging installation log messages and remediation information for common messages, see Package Installation Log Messages. Performing Post-Installation Cleanup for Audit Planning & Quality Step 1: Review and Fix Dependencies on Other Use Cases After you have installed the use case, certain items may not appear or function as designed because they are dependent on use cases that you have not licensed. For example, a calculated field that references an application outside of this use case will not validate unless you have also licensed another use case that contains that application. The following sections list the most common dependencies and provide steps to resolve the dependencies. In each section, the Related Use Case column lists the use case(s) that you may or may not have licensed. If you have licensed any of the listed use cases, you can skip that row. If you have not licensed any of the listed use cases, then the dependencies apply to your installation and you may want to resolve them. Note: Resolving these dependencies is not required. You may opt to skip this step, but leaving these fields as-is may cause confusion or generate calculation errors. Review the following sections and resolve any dependencies that apply to your installation. You only need to resolve any dependencies that apply to use cases that you have not licensed. Audit Program Library Related Use Case Unlicensed Module Dependency Resolution Any use case that contains the Control Procedures application Control Procedures The Control Procedures reference field is not available. Audit Workpapers Related Use Case Unlicensed Module Dependency Resolution Any use case that contains the Control Procedures application Control Procedures The Control Procedures reference field is not available. Chapter 3: Installing Audit Planning & Quality 31

32 Audit Engagements Related Use Case Unlicensed Module Dependency Resolution Any use case that contains the Corporate ives application Corporate ives The Corporate ives reference field is not available. Policy Program Management or Controls Monitoring Program Management Authoritative Sources The Authoritative Sources reference field is not available. Policy Program Management Policies The Policies reference field is not available. Any use case that contains the Products and Services application Products and Services The Products and Services reference field is not available. Risk Catalog, IT Risk Management, or Top-Down Risk Assessment Risk Register The Risk Register reference field is not available. Any use case that contains the Control Procedures application Control Procedures The Control Procedures reference field is not available. Any use case that contains the Information Assets application Information Assets The Information Assets reference field is not available. Any use case that contains the Third Parties application. Third Party Profile The Third Parties reference field is not available. Audit Entity Related Use Case Unlicensed Module Dependency Resolution Any use case that contains the Corporate ives application Corporate ives The Corporate ives reference field is not available. Policy Program Management or Controls Monitoring Program Management Authoritative Sources The Authoritative Sources reference field is not available. Chapter 3: Installing Audit Planning & Quality 32

33 Related Use Case Unlicensed Module Dependency Resolution Policy Program Management Policies The Policies reference field is not available. Any use case that contains the Products and Services application Products and Services The Products and Services reference field is not available. Any use case that contains the Control Procedures application Control Procedures The Control Procedures reference field is not available. Any use case that contains the Information Assets application Information Assets The Information Assets reference field is not available. Any use case that contains the Third Parties application Third Parties The Third Parties reference field is not available. Risk Catalog, IT Risk Management, or Top-Down Risk Assessment Risk Register The Risk Register reference field is not available. Risk Catalog, IT Risk Management, or Top-Down Risk Assessment Risk Register The following calculations do not validate: Mgmt Avg Inherent Risk Drag off layout / delete. Mgmt Avg Residual Risk Mgmt Avg Calculated Residual Risk Mgmt Max Calculated Residual Risk Mgmt Max Inherent Risk Mgmt Max Residual Risk Chapter 3: Installing Audit Planning & Quality 33

34 Ste p 2 :De le te o b s o le te o b je c ts RSA Archer GRC Audit Planning & Quality Contacts Related Use Case Unlicensed Module Dependency Resolution Any use case that contains the Third Parties application Third Party Profile The Third Party Profile reference fields are not available. Security Operations & Breach Management Teams The Team Membership reference field is not available. Any use case that contains the Products and Services application Products and Services All reference fields to the Products and Services application are not available. Clean up layout. Business Impact Analysis Business Impact Analysis All reference fields to the BIA application are not available. Loss Events / Bottom- Up Risk Assessment Loss Events All reference fields to the Loss Events application are not available. BC/DR Planning Roles and Responsibilities BC/DR Plans All reference fields to the Roles and Responsibilities and BC/DR Plans applications are not available. BC/DR Planning or Security Operations & Breach Management Notifications and Call Trees All references to the Notifications and Call Trees application are not available. Security Incident Management Security Alerts The Security Alerts (Related Contact) reference field is not available. Any use case that contains the Storage Devices application Storage Devices The Storage Devices (Contacts) reference field is not available. Step 2: Delete Obsolete s Packaging does not delete obsolete objects. RSA recommends that you delete these objects because they may affect how the applications function. For the following examples, follow these guidelines: Chapter 3: Installing Audit Planning & Quality 34

35 Ste p3 :Va lida te for mula s a ndc a lc ula tionor de r s RSA Archer GRC Audit Planning & Quality If you select Override Layout when you install the package, the package installation process removes old fields from the layout, if those fields do not also exist on the Source Package layout. All fields removed from the layout are in the Available s list. Evaluate your need for certain data driven events (DDE), pre-existing rules, and actions that were not updated through Packaging. Delete any obsolete rules and actions. Verify the DDE and calculation order and update it if necessary. Evaluate pre-existing notifications and reports that Packaging did not update. Delete obsolete notifications and reports. To ensure that all obsolete objects are deleted, compare the Data Dictionary to your environment. For more information about objects, see the "Packaging" section of the RSA Archer GRC Online Documentation. Step 3: Validate Formulas and Calculation Orders Follow these guidelines on validating formulas and calculation orders: The packaging process logs an error if a formula does not validate. This error may be caused by a formula that references applications or fields that do not exist in the instance and were not part of the package (for example, fields in applications that are part of a different use case). Review those fields to determine if they are o o If a field is needed, modify the formula to remove references to applications or fields that do not existing in your instance. s that do not exist in your instance are identified with an exclamation mark. If a field is not needed, delete the field or remove it from the layout. If the field is not deleted, removing the formula prevents errors from being written in the log files when records are saved. Verify the order of calculations for each application and sub-form in the use case. See the Data Dictionary for calculation orders for each individual application or sub-form. Update the order of calculations as needed for each application and subform in the use case. For more information about deleting objects, see "Deleting s" in the RSA Archer GRC Online Documentation. Chapter 3: Installing Audit Planning & Quality 35