JP2010113389A - Information processing apparatus and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing apparatus which creates a common type where similar risks or controls are made common so as to reduce a user's burden in documentation or evaluation regarding the plurality of risks or controls when performing documentation including the risks or controls in internal control. <P>SOLUTION: A similarity extraction means of the information processing apparatus extracts the similar risks or controls among the plurality of risks or controls in the internal control. A common type creating means creates the common type having common items of a set of the risks or controls based on the risks or controls extracted by the similarity extracting means. A common type/risk control coordinating means coordinates the common type created by the common type creating means with at least one of the risks or controls extracted by the similarity creating means. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing apparatus and an information processing program.

In recent years, financial internal control has been required. With regard to the financial internal control, “Internal Control – Integrated Framework” announced by COSO (Treadway Committee Organizing Committee) in 1992 has become the de facto standard.・ Board of Directors, Management and other organizations intended to provide reasonable assurance to achieve three objectives: efficiency, (2) reliability of financial statements, and (3) compliance with relevant laws and regulations. It is defined as a single process carried out by staff.
In addition, in financial internal control (hereinafter also referred to as internal control), a maintenance evaluation (also called a walk-through) that checks the legitimacy and accuracy of a document that analyzes the work related to finance and summarizes the results. There are two types of evaluations (hereinafter also referred to as tests) that test whether the system is operating as documented.

  As a technology related to this, for example, in Patent Document 1, it is an object to provide a document processing apparatus that can be used as a template for a documenting process including a control document and can be reused. The duplicating means of the document processing apparatus duplicates the document, the attribute invalidating means invalidates the attribute value depending on the creator of the document, and the unapproved means can be accessed by a user other than the creator. The approval for publishing a part that can be a component of the document is unapproved, the link deletion unit deletes a link to another document in the document, the template storage unit is the attribute invalidation unit, It is disclosed that a document copied by the copying unit processed by the unapproved unit and the link deletion unit is stored as a template.

  In addition, for example, Patent Document 2 provides a document processing apparatus that can provide an overview of implementation contents, risks, and controls related to an activity based on the activity in a document used for financial internal control. The activity storage means of the document processing apparatus stores the activity identifier, the name of the activity, the subject of execution, and the contents of the execution corresponding to each other, and the business description storage means corresponds to the levels of multiple hierarchies and the activity identifiers representing the business process. The risk storage means stores the risk identifier, the risk name and the activity identifier in association with each other, the control storage means stores the control identifier, the control name and the activity identifier in association with each other, and the information extraction means stores the activity. The activity name corresponding to the identifier, the implementation subject, the implementation content, etc. are extracted, and the document creation output means Universal, proponents, exemplary contents, the level of multiple hierarchies that represent business processes that output to create a document for internal control list can display the name of the risk of name and control is disclosed.

Also, for example, Patent Document 3 can effectively link or support internal control documentation, evaluation procedures, etc. by using a reference to the documentation process in other existing control activities, and reduces the burden of documentation. It is an object to provide an information processing system that reduces and improves the effectiveness of controls. The process storage means of the information processing system stores the process of creating control documents used in internal control and refers to the process. The conversion means generates a process reference that can refer to the process stored in the process storage means, and the process reference storage means stores the process reference generated by the process reference means as a process of another control document. It is disclosed.
JP 2008-052346 A JP 2008-176769 A JP 2008-234574 A

  The present invention shares similar risks or controls in order to reduce the burden on users in the documentation or evaluation of risks or controls when documenting multiple risks or controls in internal controls. It is an object of the present invention to provide an information processing apparatus and an information processing program that generate a common type.

The gist of the present invention for achieving the object lies in the inventions of the following items.
According to the first aspect of the present invention, there is provided a similarity extraction means for extracting a similar one of a plurality of risks or controls in the internal control, and a set of the risk or control based on the risk or control extracted by the similarity extraction means. Common type / risk for associating at least one of the common type generated by the common type generation means and the risk or control extracted by the similarity extraction means with a common type generation means for generating a common type having common items An information processing apparatus including a control association unit.

  The invention according to claim 2 is the information processing apparatus according to claim 1, wherein the similarity extraction unit extracts similar ones of risks or controls based on a user's operation.

  The invention according to claim 3 is characterized in that the similarity extraction means extracts a similar risk or control based on a word included in the risk or control and an attribute value of an attribute constituting the risk or control. The information processing apparatus according to claim 1.

  The invention of claim 4 further comprises a risk control rewriting means for rewriting the risk or control associated by the common type / risk control association means based on the common type generated by the common type generation means. The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus.

  The invention according to claim 5 is acquired by a common type acquisition unit that acquires a common type associated with the risk or the control based on an evaluation for confirming the risk and control in the internal control, and is acquired by the common type acquisition unit. Risk control acquisition means for acquiring a risk or control associated with the common type, and evaluation association means for associating the risk or control acquired by the risk control acquisition means with the common type acquired by the common type acquisition means It is an information processing apparatus characterized by comprising.

  The invention of claim 6 is based on the association storage means for storing the association between the risk or control and the common type, and the association stored in the association storage means when the risk or control is modified. A common type extracting means for extracting a common type associated with the risk or control, and when the common type extracted by the common type extracting means is not corrected, the corrected risk or control and the common type An information processing apparatus comprising: an association changing unit that changes the association stored in the association storage unit so as to cancel the association.

  The invention according to claim 7 is based on the association storage means for storing the association between the risk or the control and the common type, and the association stored in the association storage means when the risk or the control is corrected. A common type extraction means for extracting a common type associated with the risk or control, and a common type extracted by the common type extraction means when correcting the common type extracted by the common type extraction means. Based on the correspondence stored in the association storage means, the risk type extraction means for extracting the risk or control associated with the common type modified by the common type modification means based on the association stored in the association storage means And the risk extracted by the risk control extraction unit based on the common type corrected by the common type correction unit. Or an information processing apparatus characterized by comprising a risk control correction means for correcting the control.

  The invention according to claim 8 is based on similarity extraction means for extracting a similar one of a plurality of risks or controls in internal control, and the risk or control based on the risk or control extracted by the similarity extraction means. A common type generating means for generating a common type having a common item of the set, a common type for associating at least one or more of the common type generated by the common type generating means and the risk or control extracted by the similarity extracting means An information processing program that functions as a mold / risk control correspondence means.

  The invention according to claim 9 provides a common type acquisition means for acquiring a common type associated with the risk or the control based on an evaluation for confirming the risk and the control in the internal control, and the common type acquisition means. A risk control acquisition unit that acquires a risk or control associated with the common type acquired by the evaluation, and an evaluation that associates the risk or control acquired by the risk control acquisition unit with the common type acquired by the common type acquisition unit An information processing program that functions as an association unit.

  The invention according to claim 10 is a correspondence storage unit that stores a common type of association between a risk or a control and a correspondence stored in the association storage unit when the risk or the control is corrected. Based on the common type extraction means for extracting the common type associated with the risk or control, and when the common type extracted by the common type extraction means is not corrected, the corrected risk or control and the An information processing program that functions as an association change unit that changes an association stored in the association storage unit so as to release a common type association.

  The invention according to claim 11 is a correspondence storage means for storing a correspondence between a risk or control and a common type, and a correspondence stored in the correspondence storage means when the risk or control is corrected. Based on the common type extraction means for extracting the common type associated with the risk or control, and when correcting the common type extracted by the common type extraction means, the common type extraction means A risk of extracting a risk or control associated with the common type corrected by the common type correcting means, based on the common type correcting means for correcting the common type and the correspondence stored in the association storage means Based on the control extraction means and the common type corrected by the common type correction means, the risk control extraction means An information processing program for causing to function as risk control correction means for correcting the extracted risk or control Te.

  According to the information processing apparatus according to claim 1, when documenting including a plurality of risks or controls in the internal control, the information is similar so that the burden on the user in documenting or evaluating the risks or controls can be reduced. Can create a common type with common risk or control.

  According to the information processing apparatus of the second aspect, it is possible to extract a similar risk or control according to the user's intention.

  According to the information processing apparatus of the third aspect, it is possible to extract a similar risk or control regardless of the user's operation.

  According to the information processing apparatus of the fourth aspect, it is possible to reduce the confirmation load for ensuring the consistency regarding the risk or control at the time of documentation.

  According to the information processing apparatus of the fifth aspect, when the evaluation is performed in the internal control, the load on the user in the evaluation regarding the risk or the control can be reduced.

  According to the information processing apparatus of the sixth aspect, when correcting a document including a plurality of risks or controls in the internal control, it is possible to reduce the load on the user in the correction.

  According to the information processing apparatus of the seventh aspect, when a document including a plurality of risks or controls is corrected in the internal control, the load on the user in the correction can be reduced.

  According to the information processing program according to claim 8, when documenting including a plurality of risks or controls in the internal control, the information is similar so that the burden on the user in the documentation or evaluation regarding the risks or controls can be reduced. Can create a common type with common risk or control.

  According to the information processing program of the ninth aspect, when the evaluation is performed in the internal control, the load on the user in the evaluation regarding the risk or the control can be reduced.

  According to the information processing program of the tenth aspect, when a document including a plurality of risks or controls is corrected in the internal control, it is possible to reduce the load on the user in the correction.

  According to the information processing program of the eleventh aspect, when a document including a plurality of risks or controls is corrected in the internal control, the load on the user in the correction can be reduced.

In order to carry out financial internal control, the relationship between activities / systems / resources / knowledge information is organized and business processes (hereinafter simply referred to as processes) are documented, and the documents are utilized and evaluated (maintenance evaluation, operational evaluation). We are building a system to
First, “Basic 4 Documents” of internal control to be documented will be described.
The four basic documents are basic documents created for each business process subject to internal control. Specifically, business description, business flow diagram, RCM (risk control matrix), separation of duties There is a table.
The business description is also called narrative. This is a documented flow of a series of operations from the start of the transaction to the final entry to the general ledger and reporting. Regulatory documents such as personnel regulations and accounting business regulations are higher-level documents of the business description, and the revision affects the business description. The business manual is a sub-document of the business description and is affected by the revision.
The business flow diagram is a visual flowchart of a series of business flows from the start of a transaction to the final entry to the general ledger and reporting. Risk and control are also placed in this workflow.
The RCM is a summary table of internal control activities related to business processes, the key control points (assertions) to be achieved, the assumed risks, and the corresponding internal control activities.
The segregation of duties table is used to check whether there is a duplication of processing by the same person in charge that causes a financial control problem in the flow of business processes.
Assertion is a precondition for financial information to be considered as reliable information. Specifically, it includes reality, completeness, evaluation, rights and obligations, period / allocation, and display. Items are commonly used. However, it may be partially changed, that is, customized by each company or audit corporation, and is not necessarily limited to the above-mentioned six items.
Risk refers to an impediment to assertions assumed in business processes.
Control (control) refers to internal control activities against risks. Control types include preventive and detective.
In addition, it is necessary to perform an evaluation using a trail to check whether the internal control is operating as documented, and as described above, there are two types of evaluation (maintenance evaluation and operation evaluation).

First, the documenting (including maintenance evaluation) processing in general internal control will be described using the examples shown in FIGS.
FIG. 2 is an explanatory diagram showing an example of the flow of work in internal control. The example here is for the company itself to build a system to ensure the efficiency and appropriateness of business.
The document 210, the test 220, and the correction 230 are performed in order within the fiscal year, and this is repeated in the next fiscal year.
The documenting 210 is a task of documenting each business process, activity in the company, the risk associated therewith, and control (control) for the risk. That is, the above-mentioned basic four document creation work. It may also include maintenance evaluation.
The test 220 is an operation for confirming whether the control over the risk generated in each business process really leads to a risk reduction, and whether the control is actually controlled in the actual business. Mainly falls under operational evaluation and may include maintenance evaluation.
The correction 230 is an operation for taking measures against new risks and inadequate controls that have been discovered based on the results of the test 220 and connecting them to the next fiscal year.

FIG. 3 is an explanatory diagram showing an example of the flow of process activities in internal control. In this example, there are two processes, a fixed asset purchase process 310 mainly performed in the A department and a consumables purchase process 360 mainly conducted in the B department.
In the fixed asset purchase process 310, the department A performs activities 311 to 314.
In activity 311, an estimate request is sent to the company's estimate agency department 341. Next, an estimate creation process is performed in the estimate agency department 341, and the department A receives the estimate. In activity 312, an estimate is confirmed, a request for approval is created, and an approval request is issued. Next, the approval approval process is performed by the approval approver 342, and the department A obtains the approval result. In activity 313, a purchase request is issued by an in-house article purchase system. Next, purchase processing is performed in the purchase agent department 343, and the department A receives the purchased product. In activity 314, the purchased item is confirmed and accepted.
The activity 311 is assigned risk 321 and control 331, the activity 313 is assigned risk 322, risk 323, control 332, and control 333, and the activity 314 is assigned risk 324 and control 334. ing.

In the consumable purchasing process 360, the department B performs activities 361 to 363.
In activity 361, a purchase item is selected by an in-house article purchase system and an approval request is sent to the superior 391. Next, the approval process is performed by the upper manager 391, and the department B obtains the approval result. In activity 362, a purchase request is issued by an in-house article purchasing system. Next, purchase processing is performed in the purchase agent department 392, and the department B receives the purchased product. In activity 363, the purchased product is confirmed and accepted.
A risk 371 and a control 381 are assigned to the activity 362, and a risk 372 and a control 382 are assigned to the activity 363.

FIG. 4 is an explanatory diagram showing an example of process activity risk and control in internal control. That is, the risk and control shown in the example of FIG. 3 are extracted and arranged.
The risk 322 is a risk assigned to the activity 313, and the content thereof is “a mistake in attaching the approval document”. The corresponding control 332 is “verify the application number of the request form with the application number of the form”. On the other hand, it is assumed that the tester 412 in the maintenance evaluation has evaluated that “the control 332 does not lead to risk reduction”.
The risk 323 is a risk assigned to the activity 313, and its content is “form filling error”. The corresponding control 333 is “print form contents and confirm by upper manager”. On the other hand, it is assumed that the tester 413 in the maintenance evaluation makes an evaluation that “this control 333 is sufficiently controlled against the risk 323”.
The risk 324 is a risk assigned to the activity 314, and the content thereof is “not confirmed”. The corresponding control 334 is “create checklist of confirmation items”. On the other hand, it is assumed that the tester 414 in the maintenance evaluation performs an evaluation that “the checklist needs to be created for each type of product”.

The risk 371 is a risk assigned to the activity 362, and its content is “form filling error”. The corresponding control 381 is “print the contents of the form and confirm the upper manager”. On the other hand, it is assumed that the tester 461 in the maintenance evaluation makes an evaluation that “this control 381 is sufficiently controlled against the risk 371”.
The risk 372 is a risk assigned to the activity 363, and the content is “not confirmed”. The corresponding control 382 is “create checklist of confirmation items”. On the other hand, it is assumed that the tester 462 in the maintenance evaluation makes an evaluation that “the checklist needs to be created for each type of product”.

Thus, although there are different processes, there are similar risks, controls or assessments.
Further, this embodiment is intended to manage similar risks, controls, and tests in an integrated manner.

FIG. 1 is a conceptual module configuration diagram of a configuration example of the present embodiment.
The internal control device 110 includes a template management module 111, a document management module 112, a test management module 113, a link DB (DataBase) 114, a template DB 115, a risk control DB 116, and a test DB 117. The client 120 is connected via the network 190. The internal control apparatus 110 may have a role as a server in a so-called server / client type model, for example.

  The document management module 112 is connected to the template management module 111, the test management module 113, and the risk control DB 116, and is also connected to the client 120 via the communication line 190. The processing of the documenting 210 shown in the example of FIG. 2 is mainly performed. An instruction for registration and the like regarding the basic four documents is received from the client 120. In this embodiment, an instruction for registration or the like related to risk or control will be described. Upon receipt of the instruction, data acquisition or data update is performed with the template management module 111 or the test management module 113, and data is registered and referred to the risk control DB 116, thereby performing a documenting process. Then, the processing result by the document management module 112 is displayed on the client 120.

  The risk control DB 116 is connected to the document management module 112 and stores risk or control definitions in the basic four documents by registration from the document management module 112. There is an access from the template management module 111 or the test management module 113 via the document management module 112 or the document management module 112.

  The test management module 113 is connected to the document management module 112 and the test DB 117, and is connected to the client 120 via the communication line 190. The test 220 shown in the example of FIG. 2 is mainly performed. An instruction such as test registration from the client 120 is received. Upon receipt of the instruction, data acquisition or data update is performed with the document management module 112, and data is registered and referred to the test DB 117, thereby performing test creation processing. Then, processing for displaying the processing result by the test management module 113 on the client 120 is performed.

  The test DB 117 is connected to the test management module 113, and stores data related to the test by registration from the test management module 113. There is an access from the template management module 111 or the document management module 112 via the test management module 113 or the test management module 113.

  The template management module 111 is connected to the document management module 112, the link DB 114, and the template DB 115, and is connected to the client 120 via the communication line 190. The processing mainly includes processing for generating risk or control in the document 210 shown in the example of FIG.

  A template as a common type of risk or control (hereinafter also referred to as risk) has a plurality of risks, etc., and has common items within the risk, etc., and the contents of those items are assigned. It is copied to the risk etc. Specifically, it has a link to a set of items, risks, and the like.

  An instruction for registering a template such as a risk from the client 120 is received. The instruction is received, data acquisition or data update is performed with the document management module 112, and data is registered and referenced with respect to the link DB 114 or the template DB 115 to perform template processing such as risk. Then, a process for causing the client 120 to display a processing result by the templating management module 111 is performed.

  The link DB 114 is connected to the templating management module 111 and stores link information by registering the association (link) between the risk and the like from the templating management module 111 and the template. There is an access from the document management module 112 or the test management module 113 via the template management module 111 or the template management module 111.

  The template DB 115 is connected to the templating management module 111 and stores data related to the template by registration from the templating management module 111. There is an access from the document management module 112 or the test management module 113 via the template management module 111 or the template management module 111.

  The client 120 is connected to the templating management module 111, the documentation management module 112, and the test management module 113 of the internal control apparatus 110 via the communication line 190. It has a role as a user interface with a user who uses the internal control device 110, and has, for example, an output device such as a display, and a reception device that accepts user operations using a mouse, a keyboard, and the like. . Based on display instructions from the templating management module 111, the documentation management module 112, and the test management module 113 of the internal control device 110, display is performed on the output device, and templating management of the internal control device 110 is performed according to the user's operation. The module 111, the document management module 112, and the test management module 113 are instructed to register.

  A processing example of the internal control apparatus 110 shown in the example of FIG. 1 will be described with reference to FIGS. Although control is mainly explained, it can be equally applied to risk.

FIG. 5 is an explanatory diagram showing an example of template generation processing according to this embodiment.
The templating management module 111 extracts the target control (control 1 501 to control 6 506) from the risk control DB 116 via the document management module 112. For example, the templating management module 111 displays the extracted controls as a control list 500 on the client 120, and selects similar controls according to user operations. That is, the user selects a similar one from the control list 500 displayed on the display device such as the display of the client 120 using the mouse or the like, and accepts the operation. Here, it is assumed that the control 1 501 to the control 3 503 are selected as being similar, and the control 4 504 and the control 5 505 are selected as being similar. For example, control 1 501 is “sales department manager / branch president / headquarters approves“ transaction condition application form ”” and control 2 502 is “sales department manager approves“ transaction condition application form ”” Yes, control 3 503 is a case where “the branch president finalizes the“ transaction condition application form ””. Further, the templating management module 111 may select a similar one based on the contents of the control without depending on the operation of the user. Further, the templating management module 111 may select a similar one based on the user's operation and the content of the control. That is, the user may be made to confirm after selecting a similar one based on the content of the control. It should be noted that the controls selected as being similar may be from different processes or from one process.

  Then, the templating management module 111 generates a template A 507 based on the control 1 501 to the control 3 503 selected as being similar. A template B 508 is generated based on the control 4 504 and the control 5 505. These are stored in the template DB 115.

FIG. 6 is an explanatory diagram showing an example of test creation processing according to the present embodiment.
The template control link DB 610 is a part of the link DB 114. That is, in the link DB 114, in addition to the template / control link DB 610, a database of correspondence between templates and risks is stored.
The template / control link DB 610 stores a template / control link table 620. The template / control link table 620 includes a template ID column 621 and a control ID column 622. That is, the template is associated with the control. In the example of FIG. 6, the template “TC001” is associated with the controls “C001”, “C002”, and “C003”.

  The test management module 113 creates a test A 631 corresponding to the control 1 501. The test management module 113 then extracts the template “TC001” associated with the control 1 501 with reference to the template / control link table 620 via the document management module 112 and the template management module 111. Conversely, controls “C002” and “C003” other than “C001” associated with the template “TC001” are extracted. Test A631 is associated with the extracted tests “C002” and “C003”. Thereby, in the test phase 630 (documentation processing or maintenance evaluation), the test of the control 1 501, the control 2 502, and the control 3 503 is performed by performing the test of the test A 631.

Hereinafter, an example of a preferred embodiment for realizing the present invention will be described with reference to the drawings.
FIG. 7 is a conceptual explanatory diagram of a module configuration example related to template generation in the present embodiment.
The module generally refers to components such as software (computer program) and hardware that can be logically separated. Therefore, the module in the present embodiment indicates not only a module in a computer program but also a module in a hardware configuration. Therefore, the present embodiment also serves as an explanation of a computer program, a system, and a method. However, for the sake of explanation, the words “store”, “store”, and equivalents thereof are used. However, when the embodiment is a computer program, these words are stored in a storage device or stored in memory. It is the control to be stored in the device. In addition, the modules correspond almost one-to-one with the functions. However, in mounting, one module may be composed of one program, or a plurality of modules may be composed of one program. A plurality of programs may be used. The plurality of modules may be executed by one computer, or one module may be executed by a plurality of computers in a distributed or parallel environment. Note that one module may include other modules. Hereinafter, “connection” is used not only for physical connection but also for logical connection (data exchange, instruction, reference relationship between data, etc.).
In addition, the system or device is configured by connecting a plurality of computers, hardware, devices, and the like by communication means such as a network (including one-to-one correspondence communication connection), etc., and one computer, hardware, device. The case where it implement | achieves by etc. is included. “Apparatus” and “system” are used as synonymous terms.

  Embodiments relating to template generation include a risk / control extraction module 711, a similar risk / control extraction module 712, a template generation module 713, a template risk / control correspondence module 714, a risk / control rewrite request module 715, and a risk / control rewrite. It has a module 716, a link DB 114, and a risk control DB 116.

The risk control DB 116 is connected to the risk / control extraction module 711 and the risk / control rewrite module 716, and stores a plurality of risks in internal control. You may memorize the risk etc. in a plurality of processes. The stored risk is read from the risk / control extraction module 711, and the stored risk is rewritten from the risk / control rewrite module 716.
The risk / control extraction module 711 is built in the document management module 112 and is connected to the similar risk / control extraction module 712 and the risk / control DB 116. Based on an instruction from the templating management module 111, a target risk or the like is extracted from the risk control DB 116, and the extracted risk or the like is passed to the similar risk / control extraction module 712.

  The similar risk / control extraction module 712 is constructed in the template management module 111, and is connected to the risk / control extraction module 711, the template generation module 713, and the template risk / control correspondence module 714. A similar risk is extracted from the risk passed from the risk / control extraction module 711. The extracted risk or the like is transferred to the template generation module 713 or the template risk / control correspondence module 714. It should be noted that the similar risk / control extraction module 712 may extract similar ones among risks and the like based on user operations. Further, the similar risk / control extraction module 712 may extract similar ones among the risks based on the words included in the risks and the like, and attribute values of the attributes constituting the risks and the like.

  The template generation module 713 is constructed in the template management module 111 and is connected to the similar risk / control extraction module 712 and the template risk / control association module 714. Based on the risk extracted by the similar risk / control extraction module 712, a template having a common item of a set of the risk and the like is generated. The generated template is passed to the template risk / control correspondence module 714.

The template risk / control association module 714 is built in the template management module 111 and is connected to the similar risk / control extraction module 712, the template generation module 713, the risk / control rewrite request module 715, and the link DB 114. Yes. The template generated by the template generation module 713 is associated with at least one of the risks extracted by the similar risk / control extraction module 712 and the like. The association relationship is stored in the link DB 114. The association or the associated template and risk are passed to the risk / control rewrite request module 715.
The link DB 114 is connected to the template / risk / control association module 714. The association between the template and the link by the template risk / control association module 714 is stored.

The risk / control rewrite request module 715 is constructed in the template management module 111 and is connected to the template / risk / control correspondence module 714 and the risk / control rewrite module 716. The risk / control rewriting module 716 is requested to rewrite the risk associated by the template risk / control association module 714 based on the template generated by the template generation module 713. That is, a plurality of links or the like associated with one template have at least one item having the same content as that template.
The risk / control rewrite module 716 is built in the document management module 112 and is connected to the risk / control rewrite request module 715 and the risk control DB 116. Based on the request to rewrite the risk from the risk / control rewrite request module 715, the risk stored in the risk control DB 116 is rewritten.

FIG. 8 is a flowchart showing an example of processing related to template generation in the present embodiment. Note that the example here is the final stage of the documentation 210, and it is assumed that the risk control DB 116 has already stored data relating to risks and the like.
In step S <b> 802, the client 120 requests the templating management module 111 to make a control template according to a user operation.
In step S804, the similarity risk / control extraction module 712 of the template management module 111 receives the request of step S802, and sends a list of target controls to the risk / control extraction module 711 of the document management module 112. Instruct acquisition.
In step S806, the risk / control extraction module 711 of the document management module 112 receives the instruction of step S804, acquires the target control from the risk control DB 116, and performs the similar risk / control of the template management module 111. The obtained control is provided to the extraction module 712.

In step S808, the similar risk / control extraction module 712 of the templating management module 111 causes the client 120 to display a list of controls acquired in step S806 on the screen.
In step S810, the user looks at the displayed list of controls, identifies commonality among the controls, and selects a control to be shared (corresponding to the same template). The client 120 receives the user's operation.
In step S812, the client 120 requests the template management module 111 to create a template for the selected control in accordance with a user operation.

In step S814, the template generation module 713 of the template management module 111 receives the request in step S812, generates a template, and the template risk / control association module 714 associates the template with the selected control. .
In step S816, the risk management control rewrite request module 715 of the template management module 111 rewrites the control associated with the template to be equivalent to the template based on the association in step S814. 112 is requested.
In step S818, the risk / control rewriting module 716 of the document management module 112 receives the request in step S816 and rewrites the related control information.

FIG. 9 is a conceptual explanatory diagram of a module configuration example relating to test creation in the present embodiment. That is, the process described using the example of FIG. 6 is performed.
The embodiment relating to test creation includes a test creation module 911, a related template acquisition module 912, a related risk / control acquisition module 913, a test correspondence module 914, and a template DB 115, which are built in the test management module 113. Yes.

The test creation module 911 is connected to the related template acquisition module 912. Create a test to confirm the target risk based on user operations. The created test is passed to the related template acquisition module 912.
The related template acquisition module 912 is connected to the test creation module 911, the related risk / control acquisition module 913, and the template DB 115. Based on the test created by the test creation module 911, a template associated with the risk or the like is acquired from the template DB 115. The acquired template is passed to the related risk / control acquisition module 913.
The related risk / control acquisition module 913 is connected to the related template acquisition module 912 and the test correspondence module 914. The risk associated with the template acquired by the related template acquisition module 912 is acquired. The acquired risk or the like is transferred to the test correspondence module 914.
The test association module 914 is connected to the related risk / control acquisition module 913. The risk acquired by the related risk / control acquisition module 913 is associated with the template acquired by the related template acquisition module 912.

FIG. 10 is a flowchart showing an example of processing related to test creation in the present embodiment.
In step S1002, the client 120 requests the test management module 113 to create a test in accordance with a user operation.
In step S1004, the test management module 113 receives the request in step S1002, and instructs the documentation management module 112 to acquire information on a control that is a target for creating a test.
In step S1006, the document management module 112 receives the instruction in step S1004, extracts information on the target control from the risk control DB 116, and sends the extracted control information to the test management module 113. provide.

In step S1008, the test management module 113 causes the client 120 to display a test creation screen using the control information acquired in step S1006.
In step S1010, the client 120 creates a test based on the contents described in the items in the test creation screen in accordance with the operation of the user.
In step S1012, the client 120 instructs the test management module 113 to create a test in which the item is described in step S1010.
In step S1014, the test management module 113 creates the test instructed in step S1012 and stores it in the test DB 117. The created test is related to the control used to create the test.

In step S1016, the related template acquisition module 912 of the test management module 113 instructs the template management module 111 to associate the template associated with the control associated with the test based on the test created in step S1014. The acquisition of is instructed.
In step S1018, the templating management module 111 receives the instruction in step S1016, acquires the template from the template DB 115, and provides the template to the test management module 113.
In step S1020, the related risk / control acquisition module 913 of the test management module 113 instructs the documentation management module 112 to acquire a control associated with the template acquired in step S1018.

In step S1022, the documentation management module 112 acquires the control associated with the template based on the instruction in step S1020, and provides the control to the test management module 113.
In step S1024, the test association module 914 of the test management module 113 associates the control acquired in step S1022 with the test created in step S1014. As a result, a plurality of controls are related to one test.

FIG. 11 is an explanatory diagram illustrating an example of a template generation process.
The fixed asset purchase process 310 includes risk 322, risk 323, and risk 324, and control 332, control 333, and control 334 respectively corresponding thereto. On the other hand, the consumables purchase process 360 has risks 371 and 372, and there are controls 381 and 382 corresponding to the risks 371 and 372, respectively. A risk template 1111 is generated from a risk 372 similar to the risk 324 (equivalent to “missing confirmation”). Then, using the template 1111, the contents of the risk 324 and the risk 372 are unified, and the template 1111 is associated with the risk 324 and the risk 372. Further, a control template 1112 is generated from a control 381 similar to the control 333 (equivalent to “print the form contents and confirm the superior”). Then, the template 1112 is used to unify the contents of the control 333 and the control 381, and the template 1112 is associated with the control 333 and the control 381. Similarly, templates may be generated from the risk 323 and the risk 371 and the control 334 and the control 382, respectively.

FIG. 12 is an explanatory diagram showing a display example of the detailed control setting screen 1200. The control detailed setting screen 1200 is displayed on the screen of the client 120 by the document management module 112 and sets control information (each item in the control detailed setting screen 1200) in accordance with a user operation. .
The detailed control setting screen 1200 is a control NO. A column 1201, a key control column 1202, a control status column 1203, a control type column 1204, a control frequency column 1205, a control implementation organization column 1206, a control implementation manager column 1207, and a user attribute column 1208.

Control NO. A column 1201 displays a code (control ID) that uniquely identifies the control in the process. In this embodiment, in order to uniquely identify a control within a plurality of processes, a control ID is used in combination with a process ID (a code for uniquely identifying a process) and a control ID. It may be uniquely identified in the process.
The key control column 1202 is an item for designating the control as a key control. The key control is a main control, which is indispensable for the operational control operation test.
The control status column 1203 is an item that describes the content of the control.
The control type column 1204 is an item for selecting the type of control. For example, “things to be performed manually”, “things to be performed by the system”, etc., such as “preventive”, “heuristic”, etc.
The control frequency column 1205 is an item for selecting the frequency of performing the control. For example, “several times a day”.
The control implementation organization column 1206 is an item that describes the organization that should execute the control.
The control execution person in charge column 1207 is an item in which a person in charge in executing the control is described.
The user attribute column 1208 is an item that can be set depending on the user's free will for the control.

  FIG. 13 is an explanatory diagram showing an example of the data structure of the control table 1310, the link table 1320, and the control template table 1330, and an example of their relationship. The control table 1310 is stored in the risk / control DB 116, the link table 1320 is stored in the link DB 114, and the control template table 1330 is stored in the template DB 115.

The control table 1310 includes a process ID column 1311, a control ID column 1312, a control status column 1313, and a control type column 1314. The contents described in the detailed control setting screen 1200 shown in the example of FIG. 12 are stored. For example, the contents described in the control status column 1203 are stored in the control status column 1313 corresponding to the corresponding control ID.
The link table 1320 has a template ID column 1321, a process ID column 1322, and a control ID column 1323. The control is associated with the template. A process ID column 1322 is provided to uniquely identify a control among a plurality of processes.
The control template table 1330 includes a template ID column 1331, a control status column 1332, and a control type column 1333. The contents of the template are stored. These are subsets of the control table 1310 (for example, the control status column 1313 and the control status column 1332 and the control type column 1333 respectively corresponding to the control type column 1314). However, all items other than the process ID column 1311 and the control ID column 1312 in the control table 1310 may be included, and they are common items of a set of similar controls.

Here, a processing example of the templating management module 111 will be described using these tables shown in the example of FIG.
In step S1352, for example, similar controls are extracted according to the operation of the operator. The control table 1310 is extracted assuming that the control on the first row (control ID: C001 with process ID: P001) and the control on the third row (control ID: C001 with process ID: P002) are similar.
In step S1354, a template is generated from the similar controls extracted in step S1352. A template (template ID: T001) in the first row of the control template table 1330 is generated from the control in the first row and the control in the third row of the control table 1310.

In step S1356, the control extracted in step S1352 is associated with the template generated in step S1354. The first row of the link table 1320 corresponds to the control of the first row of the control table 1310 and the template of the first row of the control template table 1330. The second row of the link table 1320 , The control in the third row of the control table 1310 and the template in the first row of the control template table 1330 correspond to each other.
In step S1358, the corresponding controls are unified using the template. Here, the contents of the template in the first row of the control template table 1330 are copied to the contents of the controls in the first row and the third row in the associated control table 1310.

FIG. 14 is an explanatory diagram showing a display example of the control list screen 1410. That is, the templating management module 111 displays a list of controls and selects a similar control according to a user operation. The control list is a list format of the contents of the detailed control setting screen 1200 shown in the example of FIG.
The control list screen 1410 includes a control list table 1420, a template button 1431, and a close button 1432. The control list table 1420 displays a list of controls. When the template button 1431 is selected by the user, a template is generated with the control checked in the check column 1421 as a similar control. When the close button 1432 is selected by the user, the display of the control list screen 1410 is deleted.

  The control list table 1420 includes a check column 1421, a process name column 1422, a process ID column 1423, a control number. It has a column 1424 and a control status column 1425. The check column 1421 is used to select the controls that are similar to each other by the user's operation. The process name column 1422 displays the process name to which the control belongs, the process name column 1422 displays the process ID, and the control No. A column 1424 and a control status column 1425 are control NO. These correspond to the column 1201 and the control status column 1203, respectively.

FIG. 15 is an explanatory diagram showing a display example of the control template screen 1510. That is, when the template selection button 1431 in the control list screen 1410 shown in the example of FIG. 14 is selected by the user, the template management module 111 displays on the client 120, and the control template (control template) is displayed. Table 1330) is generated.
The control template screen 1510 is a CT-No. A column 1511, a control status column 1512, a control type column 1513, a control frequency column 1514, an associated control table 1520, an update button 1531, and a cancel button 1532.

CT-No. A column 1511 displays a code for uniquely identifying the control template.
The control status column 1512 is an item that describes the content of the control in the template. This corresponds to the control status column 1203 of the detailed control setting screen 1200 shown in the example of FIG.
The control type column 1513 is an item for selecting a control type in the template. This corresponds to the control type column 1204 of the detailed control setting screen 1200 shown in the example of FIG.
The control frequency column 1514 is an item for selecting the frequency of control in the template. This corresponds to the control frequency column 1205 of the detailed control setting screen 1200 shown in the example of FIG.

The associated control table 1520 displays the control selected in the check column 1421 in the control list screen 1410 shown in the example of FIG. That is, it is a control associated with this template.
The associated control table 1520 includes a process ID column 1521, a control NO. A column 1522 and a control status column 1523 are provided.
Process ID column 1521, control NO. Column 1522 and control status column 1523 are a process ID column 1423 in the control list screen 1410 shown in the example of FIG. This corresponds to the column 1424 and the control status column 1425, respectively.
When the update button 1531 is selected by the user, the control template is updated with the value of each item in the current control template screen 1510.
When the cancel button 1532 is selected by the user, the control template is returned to the initial state.

FIG. 16 is an explanatory diagram illustrating another example of the template generation process.
An example of extracting similar risks etc. according to the user's operation is shown, but the template management module 111 has noun phrases included in the contents such as risks and each attribute value such as risks. Equivalent items may be collected and similar risk groups may be extracted.
For example, to generate a control template, morphological analysis is performed on the controls in the control collection 1610 to extract noun phrases, and controls having equivalent noun phrases are extracted as similar control sets 1611. To do. Here, the equivalent noun phrase includes the same noun phrase and is similar (when the only difference between two noun phrases is “-”, the two noun phrases are similar, etc.) You may make it include what you do.

  Then, the templating management module 111 generates a control template based on the similar control set 1611, but the related unnecessary check box column 1620 is added to the associated control table 1520 in the control template screen 1510 shown in the example of FIG. May be added. That is, the associated control table 1520 is a list of the control set 1611 having an equivalent noun phrase, but a control that does not need to be associated with the template is selected by the user's operation in the related unnecessary check box field 1620. Also good. A control for which the unneeded check box field 1620 is not selected is associated with the template.

FIG. 17 is an explanatory diagram showing an example of the data structure of the risk table 1710. In the above example, an example of generating a control template was mainly shown, but of course, the same is done for risk. The risk table 1710 illustrated in the example of FIG. 17 corresponds to the control table 1310 illustrated in the example of FIG. The risk table 1710 is stored in the risk control DB 116.
The risk table 1710 includes a process ID column 1711, a risk ID column 1712, a risk content column 1713, a risk occurrence probability column 1714, a risk degree column 1715, and the like. The process ID column 1711 stores the process ID, the risk ID column 1712 stores a code for uniquely identifying the risk, the risk content column 1713 stores the risk content, and the risk occurrence probability column 1714 stores the risk occurrence probability. The risk degree column 1715 stores the degree of influence of the risk. The risk table equivalent to the link table 1320 and the control template table 1330 shown in the example of FIG. 13 is used. That is, the risk template table has a template ID column, a risk content column, a risk occurrence probability column, a risk level column, and the like, and the link table has a template ID column, a process ID column, and a risk ID column. .

FIG. 18 is a conceptual explanatory diagram of a module configuration example relating to correction of a risk or the like in the present embodiment. This is intended for correction of risk and the like performed after the template is generated.
The embodiment relating to the correction of risk, etc. includes a corresponding template extraction module 1811, a template change confirmation module 1812, a template risk / control correspondence change module 1813, a template correction module 1814, a corresponding risk / control extraction module 1815, and a risk / control correction. A request module 1816, a risk / control correction module 1817, a link DB 114, and a template DB 115 are included. Corresponding template extraction module 1811, template change confirmation module 1812, template / risk / control correspondence modification module 1813, template modification module 1814, correspondence risk / control extraction module 1815, risk / control modification request module 1816 The risk / control modification module 1817 is constructed in the document management module 112.

The corresponding template extraction module 1811 is connected to the template change confirmation module 1812, the link DB 114, and the template DB 115. When a risk or the like is corrected, a template associated with the corrected risk or the like is extracted from the template DB 115 based on the association stored in the link DB 114.
The template change confirmation module 1812 is connected to a corresponding template extraction module 1811, a template / risk / control correspondence change module 1813, and a template correction module 1814. The template extracted by the corresponding template extraction module 1811 is not modified or confirmed to be modified according to the operation of the operator.
The template / risk / control correspondence change module 1813 is connected to the template change confirmation module 1812 and the link DB 114. When the template is not corrected by the confirmation by the template change confirmation module 1812, the association stored in the link DB 114 is changed so as to cancel the association between the modified risk and the template.

The template correction module 1814 is connected to the template change confirmation module 1812, the corresponding risk / control extraction module 1815, and the template DB 115. When a template is modified by confirmation by the template change confirmation module 1812, the template in the template DB 115 extracted by the corresponding template extraction module 1811 is modified.
The corresponding risk / control extraction module 1815 is connected to the template correction module 1814, the risk / control correction request module 1816, and the link DB 114. Based on the association stored in the link DB 114, the risk associated with the template modified by the template modification module 1814 is extracted.

The risk / control correction request module 1816 is connected to the corresponding risk / control extraction module 1815 and the risk / control correction module 1817. Based on the template corrected by the template correction module 1814, the risk / control correction module 1817 is requested to correct the risk extracted by the corresponding risk / control extraction module 1815.
The risk / control correction module 1817 is connected to the risk / control correction request module 1816. In accordance with a request from the risk / control correction request module 1816, the risk extracted by the corresponding risk / control extraction module 1815 is corrected based on the template corrected by the template correction module 1814.

The corresponding risk / control extraction module 1815 may extract risks, etc., excluding those already corrected.
In addition, when the risk / control correction module 1817 extracts the risk / control extraction module 1815 including the risk that has already been corrected, the risk / control correction module 1817 corrects the risk, etc., excluding the risk that has already been corrected. May be.

FIG. 19 is a flowchart showing an example of processing related to control correction in the present embodiment.
In step S1902, the client 120 requests the documentation management module 112 to correct the target control in accordance with the user's operation.
In step S 1904, the document management module 112 extracts a target control in the risk control DB 116 and displays the details of the control on the screen of the client 120.
In step S1906, the client 120 edits the control item according to the user's operation.
In step S1908, the client 120 requests the document management module 112 to update the control based on the editing in step S1906.

In step S1910, the documentation management module 112 updates the target control based on the request in step S1908.
In step S1912, the document management module 112 notifies the template management module 111 that the control has been corrected.
In step S1914, the corresponding template extraction module 1811 of the templating management module 111 extracts a template corresponding to the corrected control.
In step S1916, the template change confirmation module 1812 of the templating management module 111 instructs the client 120 to confirm whether or not the template corresponding to the corrected control needs to be corrected.

In step S1918, the client 120 selects whether correction is necessary based on the operation of the user. If it is selected that correction is necessary, the process proceeds to step S1930; otherwise, the process proceeds to step S1920.
In step S1920, the client 120 returns a response to the template change confirmation module 1812 of the templating management module 111 that the template does not need to be modified.
In step S1922, the template / risk / control correspondence changing module 1813 of the templating management module 111 separates the corrected control from the associated template. More specifically, the corresponding line in the link table 1320 is deleted.

In step S1930, the client 120 returns a response to the template change confirmation module 1812 of the template management module 111 that the template needs to be corrected.
In step S1932, the template correction module 1814 of the templating management module 111 corrects the target template based on the corrected control.
In step S1934, the corresponding risk / control extraction module 1815 of the template creation management module 111 extracts the control corresponding to the template modified in step S1932. The risk / control modification request module 1816 of the template management module 111 requests the document management module 112 to modify the extracted control based on the modified template.
In step S1936, the document management module 112 corrects the control based on the request in step S1934.

  The hardware configuration of the computer on which the program according to the present embodiment is executed is a general computer, specifically a personal computer, a computer that can be a server, or the like, as illustrated in FIG. That is, as a specific example, the CPU 2001 is used as a processing unit (calculation unit), and the RAM 2002, ROM 2003, and HD 2004 (for example, a hard disk can be used) are used as storage devices. Template management module 111, document management module 112, test management module 113, similar risk / control extraction module 712, template generation module 713, template risk / control correspondence module 714, test creation module 911, related template acquisition module 912 A CPU 2001 that executes programs such as a related risk / control acquisition module 913, a test correspondence module 914, a correspondence template extraction module 1811, a template change confirmation module 1812, a template risk / control correspondence modification module 1813, a template correction module 1814, and the like. , RAM 2002 for storing the program and data, and the computer are started Are connected to a communication network, a ROM 2003 storing a program for storing data, an HD 2004 as an auxiliary storage device, an input device 2006 for inputting data such as a keyboard and a mouse, an output device 2005 such as a CRT and a liquid crystal display, and the like. Communication line interface 2007 (for example, a network interface card can be used), and a bus 2008 for connecting them to exchange data. A plurality of these computers may be connected to each other via a network.

Among the above-described embodiments, the computer program is a computer program that reads the computer program, which is software, in the hardware configuration system, and the software and hardware resources cooperate with each other. Is realized.
Note that the hardware configuration illustrated in FIG. 20 illustrates one configuration example, and the present embodiment is not limited to the configuration illustrated in FIG. 20, and is a configuration capable of executing the modules described in the present embodiment. I just need it. For example, some modules may be configured by dedicated hardware (for example, ASIC), and some modules may be in an external system and connected via a communication line. A plurality of systems shown in FIG. 5 may be connected to each other via communication lines so as to cooperate with each other. In particular, in addition to personal computers, information appliances, copiers, fax machines, scanners, printers, and multifunction machines (image processing apparatuses having two or more functions of scanners, printers, copiers, fax machines, etc.) Etc. may be incorporated.

  In the embodiment described above, an example of maintenance evaluation is shown as a test (evaluation), but it may be applied to operation evaluation.

The program described above may be provided by being stored in a recording medium, or the program may be provided by communication means. In that case, for example, the above-described program may be regarded as an invention of a “computer-readable recording medium recording the program”.
The “computer-readable recording medium on which a program is recorded” refers to a computer-readable recording medium on which a program is recorded, which is used for program installation, execution, program distribution, and the like.
The recording medium is, for example, a digital versatile disc (DVD), which is a standard established by the DVD Forum, such as “DVD-R, DVD-RW, DVD-RAM,” and DVD + RW. Standard “DVD + R, DVD + RW, etc.”, compact disc (CD), read-only memory (CD-ROM), CD recordable (CD-R), CD rewritable (CD-RW), Blu-ray disc ( Blu-ray Disc (registered trademark), magneto-optical disk (MO), flexible disk (FD), magnetic tape, hard disk, read-only memory (ROM), electrically erasable and rewritable read-only memory (EEPROM), flash Includes memory, random access memory (RAM), etc. .
The program or a part of the program may be recorded on the recording medium for storage or distribution. Also, by communication, for example, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wired network used for the Internet, an intranet, an extranet, etc., or wireless communication It may be transmitted using a transmission medium such as a network or a combination of these, or may be carried on a carrier wave.
Furthermore, the program may be a part of another program, or may be recorded on a recording medium together with a separate program. Moreover, it may be divided and recorded on a plurality of recording media. Further, it may be recorded in any manner as long as it can be restored, such as compression or encryption.

It is a conceptual module block diagram about the structural example of this Embodiment. It is explanatory drawing which shows the example of the flow of work in internal control. It is explanatory drawing which shows the example of the flow of the process activity in internal control. It is explanatory drawing which shows the risk of the activity of the process in internal control, and the example of control. It is explanatory drawing which shows the example of a template production | generation process by this Embodiment. It is explanatory drawing which shows the example of a test creation process by this Embodiment. It is a conceptual explanatory drawing about the example of module composition about template generation in this embodiment. It is a flowchart which shows the process example regarding the template production | generation in this Embodiment. It is a conceptual explanatory view about an example of module composition about test creation in this embodiment. It is a flowchart which shows the process example regarding the test preparation in this Embodiment. It is explanatory drawing which shows the example of a template production | generation process. It is explanatory drawing which shows the example of a display of a control detailed setting screen. It is explanatory drawing which shows the data structure example of a control table, a link table, and a control template table, and the example of those relationship. It is explanatory drawing which shows the example of a display of a control list screen. It is explanatory drawing which shows the example of a display of a control template screen. It is explanatory drawing which shows the example of another template production | generation process. It is explanatory drawing which shows the data structure example of a risk table. It is a conceptual explanatory view about an example of a module composition about correction of a risk or control in this embodiment. It is a flowchart which shows the process example regarding correction of the control in this Embodiment. It is a block diagram which shows the hardware structural example of the computer which implement | achieves this Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 110 ... Internal control apparatus 111 ... Template management module 112 ... Document management module 113 ... Test management module 114 ... Link DB
115 ... Template DB
116 ... Risk control DB
117 ... Test DB
DESCRIPTION OF SYMBOLS 120 ... Client 190 ... Communication line 711 ... Risk / control extraction module 712 ... Similar risk / control extraction module 713 ... Template generation module 714 ... Template risk / control correspondence module 715 ... Risk / control rewrite request module 716 ... Risk / control Rewrite module 911 ... Test creation module 912 ... Related template acquisition module 913 ... Related risk / control acquisition module 914 ... Test correspondence module 1811 ... Corresponding template extraction module 1812 ... Template change confirmation module 1813 ... Template risk / control correspondence change module 1814 ... Template correction module 1815 ... Response risk / control Module 1816 ... Risk / control correction request module 1817 ... Risk / control correction module

Claims (11)

Similarity extraction means for extracting similar ones among a plurality of risks or controls in internal control,
Based on the risk or control extracted by the similar extraction means, a common type generating means for generating a common type having a common item of the set of the risk or control,
An information processing apparatus comprising: a common type / risk control association unit that associates at least one of the common type generated by the common type generation unit and the risk or control extracted by the similarity extraction unit. . The information processing apparatus according to claim 1, wherein the similarity extraction unit extracts a similar risk or control based on a user operation. The said similarity extraction means extracts a similar thing out of a risk or a control based on the word contained in a risk or a control, and the attribute value of the attribute which comprises this risk or a control. Information processing device. The risk control rewriting means which rewrites the risk or control matched by the said common type and risk control matching means based on the common type produced | generated by the said common type production | generation means, The further characterized by the above-mentioned. 4. The information processing apparatus according to any one of items 1 to 3. A common type acquisition means for acquiring a common type associated with the risk or the control based on an evaluation for confirming the risk and the control in the internal control;
Risk control acquisition means for acquiring a risk or control associated with the common type acquired by the common type acquisition means;
An information processing apparatus comprising: an evaluation association unit that associates the risk or control acquired by the risk control acquisition unit with the common type acquired by the common type acquisition unit. Corresponding storage means for storing a common type of risk or control and correspondence,
A common type extraction means for extracting a common type associated with the risk or control based on the correspondence stored in the correspondence storage means when a risk or control is modified;
When the common type extracted by the common type extraction unit is not modified, the association stored in the association storage unit is changed so as to cancel the association between the modified risk or control and the common type. An information processing apparatus comprising: a corresponding changing means. Corresponding storage means for storing a common type of risk or control and correspondence,
A common type extraction means for extracting a common type associated with the risk or control based on the correspondence stored in the correspondence storage means when a risk or control is modified;
When correcting the common type extracted by the common type extraction means, common type correction means for correcting the common type extracted by the common type extraction means;
Risk control extraction means for extracting a risk or control associated with the common type corrected by the common type correction means based on the correspondence stored in the association storage means;
An information processing apparatus comprising: a risk control correcting unit that corrects the risk or control extracted by the risk control extracting unit based on the common type corrected by the common type correcting unit. Computer
Similarity extraction means for extracting similar ones among a plurality of risks or controls in internal control,
Based on the risk or control extracted by the similar extraction means, a common type generating means for generating a common type having a common item of the set of the risk or control,
An information processing program that functions as a common type / risk control association unit that associates at least one of the common type generated by the common type generation unit and the risk or control extracted by the similarity extraction unit . Computer
A common type acquisition means for acquiring a common type associated with the risk or the control based on an evaluation for confirming the risk and the control in the internal control;
Risk control acquisition means for acquiring a risk or control associated with the common type acquired by the common type acquisition means;
An information processing program for causing a risk or control acquired by the risk control acquisition unit to function as an evaluation association unit for associating the common type acquired by the common type acquisition unit. Computer
Corresponding storage means for storing a common type of risk or control and correspondence,
A common type extraction means for extracting a common type associated with the risk or control based on the correspondence stored in the correspondence storage means when a risk or control is modified;
When the common type extracted by the common type extraction unit is not modified, the association stored in the association storage unit is changed so as to cancel the association between the modified risk or control and the common type. An information processing program that functions as an associated change means. Computer
Corresponding storage means for storing a common type of risk or control and correspondence,
A common type extraction means for extracting a common type associated with the risk or control based on the correspondence stored in the correspondence storage means when a risk or control is modified;
When correcting the common type extracted by the common type extraction means, common type correction means for correcting the common type extracted by the common type extraction means;
Risk control extraction means for extracting a risk or control associated with the common type corrected by the common type correction means based on the correspondence stored in the association storage means;
An information processing program that functions as a risk control correcting unit that corrects a risk or control extracted by the risk control extracting unit based on a common type corrected by the common type correcting unit.

Images