Describing the Control-Based Engagement Risk Assessment Process

Objective

After completing this lesson, you will be able to describe the control-based engagement risk assessment process.

The Control-Based Engagement Risk Assessment Process

[Figure: Control-Based Engagement Risk Assessment process flow]

A control-based engagement risk assessment project involves the following stages.

  1. Requesting the engagement and identifying the applicable risk controls: A user in your company who wants to engage with a supplier or other third party creates an engagement request. The engagement request includes the following steps:
    • Business Details, where the requester fills out a business details questionnaire to provide basic information such as the request title and the commodities, regions, and departments involved.
    • Inherent Risk Screening, where the requester fills out a screening questionnaire that determines which risk controls and assessment questionnaires are required for assessing the engagement's risk. The answers to questions in the business details questionnaire determine some of the questions included in the inherent risk screening, and the answers to those conditional questions in the inherent risk screening determine the required risk controls.
    • Select supplier, where the requester selects the engagement supplier. This step recommends active suppliers that either have matching controls for all of the engagement's required controls or are qualified for all of the engagement's commodities, and it also shows active suppliers that have at least one matching control.
    • Review request, where the requester reviews the information they have provided before submitting the request for approval.
  2. Approving the request: Approvers review the submitted engagement request and approve or deny it.
  3. Starting the evidence and control process: The responsible user sends the detailed assessment questionnaires for all of the engagement's open controls to recipients.
  4. Collecting evidence: Assessment recipients are notified that they need to fill out their risk assessments. Depending on how the assessment questionnaires are set up, approvers might approve or deny individual questionnaires in this stage.
  5. Reviewing risk control effectiveness: Control decision makers review the answers to submitted risk assessment questionnaires and mark associated controls as effective or ineffective.
  6. Managing issues: Control decision makers raise issues if risk controls have problems that might require remediation, a policy exception, or other special handling.
  7. Approving or denying the engagement: Approvers review the overall engagement risk assessment project, including the effectiveness of its controls, and approve or deny the engagement.
