Document Code: NeftalyP041
Approved By: Chief Executive Officer (CEO)
Date Approved: 29 October 2025
Review Date: 28 November 2026
Policy Owner: Neftaly Chief Human Capital Officer, NeftalyCHCR
NeftalyP041-1 Overview
NeftalyP041-1-1 The Neftaly Human Capital Assurance Management Policy (NeftalyP041) outlines the framework for ensuring that all Neftaly Human Capital operations, services, and internal processes meet the organization’s standards for quality, accountability, compliance, and continuous improvement.
NeftalyP041-1-2 This policy ensures that Human Capital operations within Neftaly are executed effectively, ethically, and in alignment with organizational objectives, while providing confidence to stakeholders that systems and resources function as intended.
NeftalyP041-2 Purpose
NeftalyP041-2-1 The purpose of this policy is to:
- NeftalyP041-2-1-1 Establish a structured system for assurance across Human Capital functions.
- NeftalyP041-2-1-2 Provide confidence that Neftaly operations meet internal and external compliance standards.
- NeftalyP041-2-1-3 Ensure effective monitoring, evaluation, and corrective action procedures.
- NeftalyP041-2-1-4 Foster a culture of accountability, quality, and transparency across Royal divisions.
NeftalyP041-3 Scope
NeftalyP041-3-1 This policy applies to:
- NeftalyP041-3-1-1 All Neftaly Human Capital, including Officers, Deputy Chiefs, Royal Directors, and Non-Executive Members.
- NeftalyP041-3-1-2 All processes related to performance, compliance, and quality assurance.
- NeftalyP041-3-1-3 All projects, programs, and digital systems managed by Neftaly Human Capital Division.
NeftalyP041-4 Policy Statement
NeftalyP041-4-1 Neftaly is committed to maintaining excellence through a consistent and measurable assurance management framework that validates the integrity, efficiency, and reliability of its Human Capital systems and services. Assurance activities will be integrated into all operations to ensure compliance, risk management, and continuous improvement.
NeftalyP041-5 Core Principles
- NeftalyP041-5-1 Accountability: Every Royal Division and Human Capital member is responsible for maintaining quality and compliance.
- NeftalyP041-5-2 Transparency: Assurance activities and results are openly communicated to stakeholders.
- NeftalyP041-5-3 Objectivity: Assurance reviews are conducted impartially and without bias.
- NeftalyP041-5-4 Consistency: Processes are standardized across divisions for accurate measurement.
- NeftalyP041-5-5 Continuous Improvement: Feedback and assurance findings are used to enhance processes.
NeftalyP041-6 Procedures and Processes
NeftalyP041-6-1 Assurance Planning
- NeftalyP041-6-1-1 Develop an Annual Assurance Plan (NeftalyT041-01) outlining key areas of focus, timelines, and responsible Officers.
- NeftalyP041-6-1-2 The plan must align with Neftaly’s strategic objectives and risk assessment outcomes.
- NeftalyP041-6-1-3 Obtain approval from the Chief Human Capital Officer (CHCO) and CEO.
NeftalyP041-6-2 Assurance Execution
- NeftalyP041-6-2-1 Conduct periodic assurance reviews to assess compliance, performance, and control effectiveness.
- NeftalyP041-6-2-2 Utilize the NeftalyF041-01 Assurance Review Checklist for uniform evaluation.
- NeftalyP041-6-2-3 Document findings, corrective actions, and responsible parties using the NeftalyR041-01 Assurance Review Report Template.
NeftalyP041-6-3 Quality and Compliance Audits
- NeftalyP041-6-3-1 Internal audits shall be scheduled quarterly by the CHCO.
- NeftalyP041-6-3-2 Focus areas include human capital performance, policy compliance, process adherence, and system integrity.
- NeftalyP041-6-3-3 Audit results are summarized in the NeftalyR041-02 Compliance Audit Report.
NeftalyP041-6-4 Corrective and Preventive Action (CAPA)
- NeftalyP041-6-4-1 Non-compliance issues identified must be logged in NeftalyD041-01 Non-Conformance Register.
- NeftalyP041-6-4-2 Responsible Officers must develop and submit corrective action plans within 10 working days.
- NeftalyP041-6-4-3 CAPA effectiveness will be verified by the CHCO during follow-up reviews.
NeftalyP041-6-5 Reporting and Monitoring
- NeftalyP041-6-5-1 Assurance outcomes are compiled into a quarterly NeftalyR041-03 Assurance Monitoring Report.
- NeftalyP041-6-5-2 Reports must include key risks, compliance scores, corrective actions, and performance trends.
- NeftalyP041-6-5-3 Findings are reviewed by the CEO and the Royal Board Committee for decision-making.
NeftalyP041-6-6 Continuous Improvement
- NeftalyP041-6-6-1 Regular training and awareness programs must be conducted to strengthen assurance practices.
- NeftalyP041-6-6-2 Lessons learned and feedback from audits and assessments must be integrated into policy updates.
NeftalyP041-7 Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Chief Executive Officer (CEO) | Provides strategic oversight, approves assurance plans, and reviews major findings. |
| Chief Human Capital Officer (CHCO) | Leads the assurance function, monitors compliance, and coordinates corrective actions. |
| Royal Directors | Ensure division-level compliance and participate in assurance reviews. |
| Deputy Chiefs | Support assurance implementation and oversee quality management. |
| Officers | Conduct assurance checks and maintain records of compliance. |
| Human Capital | Comply with assurance standards and participate in corrective actions. |
NeftalyP041-8 Documentation and Templates
- NeftalyP041-8-1 NeftalyT041-01: Annual Assurance Plan Template
- NeftalyP041-8-2 NeftalyF041-01: Assurance Review Checklist
- NeftalyP041-8-3 NeftalyR041-01: Assurance Review Report Template
- NeftalyP041-8-4 NeftalyR041-02: Compliance Audit Report
- NeftalyP041-8-5 NeftalyD041-01: Non-Conformance Register
- NeftalyP041-8-6 NeftalyR041-03: Assurance Monitoring Report
NeftalyP041-9 Compliance and Monitoring
- NeftalyP041-9-1 The CHCO conducts regular assurance reviews to ensure compliance with Neftaly standards.
- NeftalyP041-9-2 Findings are reviewed by the CEO and Royal Board Committee quarterly.
- NeftalyP041-9-3 Non-compliance will trigger immediate corrective actions and possible disciplinary measures.
NeftalyP041-10 Review and Evaluation
NeftalyP041-10-1 This policy will be reviewed annually by the CHCO in consultation with the CEO and Royal Board to ensure it remains relevant and aligned with Neftaly’s objectives and legal requirements.
NeftalyP041-11 Frequently Asked Questions (FAQs)
- What is NeftalyP041?
The Human Capital Assurance Management framework that ensures the quality, compliance, and effectiveness of all HC policies and practices through governance, risk management, and continuous audit.
- How does NeftalyP041 differ from P039 and P040?
P039 is Asset Management (strategic), P040 is Assistance Management (services), P041 is Assurance Management (governance, risk, compliance, and quality).
- What is the primary purpose of HC Assurance Management?
To provide independent assurance that human capital activities are conducted ethically, legally, efficiently, and in alignment with Neftaly’s strategic objectives.
- Who owns NeftalyP041?
The Head of Human Capital Governance, Risk & Compliance (HC GRC).
- Who must comply with NeftalyP041?
All employees, managers, HR staff, and third-party providers involved in HC processes.
- Is NeftalyP041 mandatory?
Yes, compliance is mandatory for all HC-related activities.
- Where is NeftalyP041 documented?
In the HC Assurance Portal on the Neftaly intranet.
- What are the key components of HC Assurance?
Governance, Risk Management, Compliance, Internal Audit, Quality Control, and Reporting.
- How often is the framework reviewed?
Annually, or following significant regulatory changes.
- What standards does NeftalyP041 align with?
ISO 30400 (Human Resource Management), ISO 31000 (Risk Management), ISO 19011 (Auditing), and relevant labor laws.
- Who approves exceptions to NeftalyP041?
The HC Assurance Committee.
- Can departments customize their assurance approach?
No, the framework is standardized, but risk assessments may be tailored to department-specific risks.
- How is assurance integrated with other management systems?
Through the Integrated Management System (IMS) overseen by Corporate Governance.
- What is the HC Assurance Management System (HCAMS)?
The digital platform used to manage all assurance activities (risks, audits, findings, actions).
- How do I report a breach of HC assurance?
Via the HC Breach Reporting Form (HCA-F001) or the Ethics Hotline.
- Is there an assurance training program?
Yes, “HC Assurance Fundamentals” (HCA-EL001) is mandatory for all managers and HR staff.
- What is the HC Assurance Committee?
A cross-functional committee (HC, Legal, Internal Audit, Risk) that oversees assurance activities.
- How does assurance support Neftaly’s strategy?
By ensuring human capital risks are managed and opportunities are captured to enable strategic execution.
- What are the consequences of non-compliance?
Escalation to management, disciplinary action, and reporting to relevant regulators where required.
- How can I provide feedback on NeftalyP041?
Use the HC Assurance Feedback Form (HCA-F005).
B. GOVERNANCE STRUCTURE & ACCOUNTABILITY
- What is the governance structure for HC Assurance?
Board > Audit & Risk Committee > HC Assurance Committee > HC GRC Team > Process Owners.
- Who is the accountable executive for HC Assurance?
The Chief Human Resources Officer (CHRO).
- What is the role of the HC Assurance Committee?
To set assurance strategy, review risk reports, approve audit plans, and oversee remediation.
- How often does the HC Assurance Committee meet?
Quarterly, or as needed for critical issues.
- Who chairs the HC Assurance Committee?
An independent non-executive director or the CHRO.
- What is a “Process Owner” in HC assurance?
The manager accountable for the design, execution, and control of a specific HC process (e.g., Recruitment Owner).
- How are Process Owners assigned?
Formally designated in the HC Process Ownership Matrix (HCA-D010).
- What are the key responsibilities of a Process Owner?
Ensure process compliance, manage risks, implement controls, and remediate audit findings.
- What is the HC Governance Framework?
Document HCA-D005 outlines principles, accountabilities, decision rights, and reporting lines.
- How are governance decisions documented?
In the HC Assurance Committee minutes and decision logs.
- What is the delegation of authority for HC matters?
Defined in the HC Authority Matrix (HCA-D015), specifying who can approve hires, promotions, expenditures, etc.
- How are conflicts of interest in HC governance managed?
Through the Conflict of Interest Policy and annual declarations by committee members.
- What is the policy on HC data governance?
Governed by the HC Data Governance Policy (HCA-D020), ensuring data quality, privacy, and lifecycle management.
- Who approves new HC policies?
The HC Assurance Committee, based on recommendations from the HC GRC team.
- How is the effectiveness of HC governance measured?
Through maturity assessments, control effectiveness testing, and stakeholder surveys.
C. RISK MANAGEMENT
- What is HC risk management?
The process of identifying, assessing, and mitigating risks that could impact people, culture, or compliance.
- What is the HC Risk Management Framework?
Document HCA-D025, aligned with ISO 31000 and integrated with the Enterprise Risk Management (ERM) framework.
- What are the categories of HC risk?
Strategic, Operational, Compliance, and Reputational.
- What is an HC Risk Register?
A living document (HCA-T005) listing identified risks, their ratings, owners, and mitigation actions.
- Where is the HC Risk Register maintained?
In the HC Assurance Management System (HCAMS).
- How often is the HC Risk Register updated?
Quarterly, or when triggered by a significant event or change.
- Who is responsible for identifying HC risks?
All employees, but primarily Process Owners and managers.
- How do I report a new HC risk?
Submit the HC Risk Identification Form (HCA-F010).
- What risk assessment methodology is used?
A 5×5 matrix based on Likelihood and Impact (Financial, Operational, Legal, Reputational).
- What is the risk rating scale?
Low (1-5), Medium (6-12), High (13-25).
- What is a “risk owner”?
The person responsible for managing a specific risk and implementing controls.
- What are HC risk controls?
Policies, procedures, systems, or activities that reduce risk likelihood or impact.
- What is a Key Risk Indicator (KRI)?
A metric used to monitor changes in risk exposure (e.g., high attrition rate, high grievance volume).
- Where are KRIs reported?
In the monthly HC Risk Dashboard (HCA-D030).
- What is the process for risk treatment?
Avoid, Reduce, Transfer, or Accept – documented in Risk Treatment Plans (HCA-T010).
- Who approves risk treatment plans?
The risk owner’s manager and the HC GRC team.
- What is residual risk?
The level of risk remaining after controls are applied.
- What is risk appetite in HC?
The amount of risk Neftaly is willing to accept in pursuit of its objectives, defined in the HC Risk Appetite Statement (HCA-D035).
- How are emerging risks monitored?
Through environmental scanning, regulatory updates, and industry benchmarking.
- What is a risk culture assessment?
An annual survey to gauge employee awareness and behavior regarding risk management.
- How are third-party HC risks managed?
Through due diligence in vendor onboarding and ongoing monitoring per the Third-Party Risk Management Procedure (HCA-PR005).
- What is scenario analysis in HC risk?
Stress-testing the impact of potential future events (e.g., pandemic, major strike, data breach).
- How are risk management responsibilities included in job descriptions?
Explicitly stated for relevant roles, especially managers and Process Owners.
- What is the link between risk management and performance management?
Risk management objectives are included in the KPIs of risk owners and managers.
- How are risk management reports presented to the Board?
Quarterly by the CHRO, covering top risks, mitigation status, and any material changes.
D. COMPLIANCE MANAGEMENT
- What is HC compliance management?
The system to ensure adherence to all applicable laws, regulations, standards, and internal policies.
- What is the HC Compliance Framework?
Document HCA-D040, outlining the compliance program structure, roles, and processes.
- Which regulations are in scope?
Labor laws, employment equity, data protection (GDPR, POPIA), health & safety, anti-discrimination, wage & hour laws, etc.
- Who is the HC Compliance Officer?
A designated role within the HC GRC team responsible for the compliance program.
- How are regulatory changes monitored?
Through subscription to legal updates, industry associations, and the Legal team.
- What is the Regulatory Change Management Process?
HCA-PR010: Impact assessment > Gap analysis > Implementation planning > Communication > Training.
- What is a compliance obligation register?
HCA-T015, a database of all applicable laws and regulations with assigned owners and review dates.
- How often are compliance obligations reviewed?
Annually, or when a regulatory change is announced.
- What are mandatory compliance trainings?
Annual trainings on Code of Conduct, Anti-Harassment, Data Privacy, and relevant labor law updates.
- How is training completion tracked and enforced?
In the LMS; non-completion is reported to managers and affects performance ratings.
- What is a compliance self-assessment?
A periodic questionnaire completed by Process Owners to assess adherence to controls.
- How are compliance breaches reported?
Through the HC Breach Reporting Form (HCA-F001) or directly to the HC Compliance Officer.
- What is the breach investigation process?
HCA-PR015: Immediate containment > Investigation > Root cause analysis > Corrective action > Reporting.
- What are the consequences of a compliance breach?
Disciplinary action, process correction, potential fines, and reputational damage.
- How are compliance metrics reported?
In the monthly HC Compliance Dashboard (HCA-D045) – breaches, training completion, audit findings.
- What is the role of Internal Audit in compliance?
To provide independent assurance on the effectiveness of the compliance program.
- How is compliance with internal policies assured?
Through periodic policy attestations by employees and managers.
- What is a compliance hotline?
The Ethics Hotline, managed independently for anonymous reporting.
- How are compliance risks integrated with the overall risk register?
Major compliance risks are assessed and included in the HC Risk Register.
- What is the annual compliance certification process?
Senior management certifies the effectiveness of the HC compliance program to the Board.
E. INTERNAL AUDIT & ASSURANCE
- What is the scope of HC internal audit?
All HC processes, systems, and controls to ensure they are effective, efficient, and compliant.
- Who conducts HC internal audits?
The Corporate Internal Audit (IA) function, in coordination with the HC GRC team.
- What is the HC Audit Universe?
HCA-T020, a comprehensive list of all auditable HC processes, ranked by risk.
- How is the annual HC audit plan developed?
Based on a risk assessment of the audit universe, input from management, and previous audit results.
- Who approves the HC audit plan?
The HC Assurance Committee and the Audit & Risk Committee of the Board.
- What types of HC audits are conducted?
Process audits, compliance audits, IT audits (HR systems), and investigative audits.
- What is the typical audit process?
Planning > Fieldwork (testing) > Reporting > Follow-up.
- What is an audit finding?
A documented non-conformance, weakness, or improvement opportunity.
- How are audit findings categorized?
Critical, Major, Minor, and Observation.
- What is a Management Action Plan (MAP)?
HCA-T025, the documented response from management to address an audit finding.
- Who is responsible for creating the MAP?
The Process Owner of the audited area.
- What is the timeline for submitting a MAP?
Within 10 business days of receiving the audit report.
- How are MAPs tracked for closure?
In the HCAMS, with monthly follow-up by the HC GRC team.
- Who validates that audit findings are closed?
The Internal Audit team performs follow-up audits to verify closure.
- What if a MAP is delayed or ineffective?
It is escalated to the HC Assurance Committee and the responsible executive.
- Are audit reports confidential?
Yes, distribution is restricted to authorized personnel.
- Can a department request an audit?
Yes, via the Audit Request Form (HCA-F015), subject to prioritization.
- What is a control self-assessment (CSA)?
A workshop where Process Owners and teams self-evaluate the effectiveness of their controls.
- How does HC assurance interact with external audits?
The HC GRC team coordinates with external auditors (financial, ISO) to provide evidence and manage findings.
- What is continuous auditing?
Using data analytics to monitor controls and transactions on an ongoing basis rather than periodically.
F. QUALITY MANAGEMENT & CONTINUOUS IMPROVEMENT
- What is HC Quality Management?
The systematic approach to ensuring HC processes meet defined standards and consistently achieve desired outcomes.
- What is the HC Quality Policy?
Document HCA-D050, committing to excellence, customer focus, and continual improvement in HC services.
- What quality standards apply?
ISO 9001 (Quality Management) principles and ISO 30400 series.
- What are HC Quality Objectives?
Measurable goals (e.g., reduce hiring cycle time by 10%, achieve 90% employee satisfaction with HR services) set annually.
- How is process quality measured?
Through Key Performance Indicators (KPIs) and process metrics defined in process maps.
- What is an HC process map?
A visual diagram (HCA-T030) showing the steps, inputs, outputs, controls, and roles for an HC process.
- Where are process maps stored?
In the Process Repository on the HC Assurance Portal.
- Who is responsible for maintaining process maps?
The Process Owner, with support from the HC GRC team.
- What is a standard operating procedure (SOP)?
Detailed, step-by-step instructions for executing a process, referenced in the process map.
- How often are SOPs reviewed?
Every 2 years, or when a process changes.
- What is the Continual Improvement Process?
HCA-PR020: Plan-Do-Check-Act (PDCA) cycle applied to all HC processes.
- How are improvement ideas captured?
Through the HC Improvement Suggestion Form (HCA-F020), team retrospectives, and audit findings.
- What is a corrective action?
Action taken to eliminate the cause of a detected nonconformity (reactive).
- What is a preventive action?
Action taken to eliminate the cause of a potential nonconformity (proactive).
- What is the Nonconformity & Corrective Action Procedure?
HCA-PR025 for logging, investigating, and addressing failures in the HC management system.
- What is the HC Management Review?
A quarterly meeting led by the CHRO to review the performance of the HC management system against objectives.
- What inputs are required for the Management Review?
Audit results, customer feedback, process performance, status of actions, and changes in context.
- What outputs are generated from the Management Review?
Decisions and actions related to improvement, resource needs, and strategic changes.
- How is customer feedback (from employees/managers) collected?
Via surveys, focus groups, service desk feedback, and exit interviews.
- How is feedback analyzed and acted upon?
The HC GRC team analyzes trends and assigns actions to Process Owners.
- What is benchmarking in HC quality?
Comparing Neftaly’s HC processes and metrics against industry best practices and peers.
- How often is benchmarking conducted?
Annually for key processes (e.g., time-to-fill, cost-per-hire, engagement scores).
- What is the document control system for HC?
The HC Document Management Procedure (HCA-PR030) ensures version control, approval, and distribution.
- What is the records retention policy for HC?
Defined in HCA-D055, specifying how long different HC records must be kept based on legal and business requirements.
- How is the effectiveness of training evaluated?
Using the Kirkpatrick model: Reaction, Learning, Behavior, Results.
G. CONTROLS & CONTROL TESTING
- What is an internal control in HC?
A process, policy, or system that helps ensure objectives are met and risks are mitigated.
- What are the types of controls?
Preventive (avoid errors), Detective (identify errors), Corrective (fix errors), and Directive (guide behavior).
- What is the HC Controls Framework?
HCA-D060, cataloging key controls for all critical HC processes.
- What is a key control?
A control that is essential to preventing or detecting a material error or fraud.
- How are controls documented?
In Control Activity Sheets (HCA-T035) detailing purpose, owner, frequency, and procedure.
- What is control testing?
The process of verifying that a control is operating as designed.
- Who performs control testing?
Process Owners (self-testing), the HC GRC team, or Internal Audit.
- What is the control testing methodology?
Inquiry, observation, inspection, and re-performance.
- What is a sample size for testing?
Determined based on risk and frequency, following the Sampling Methodology (HCA-D065).
- What is a control deficiency?
A weakness in the design or operation of a control.
- How are control deficiencies reported?
In Control Test Reports (HCA-T040) and escalated based on severity.
- What is the Remediation Action Plan for control deficiencies?
Similar to a MAP, with tasks, owners, and deadlines to fix the control.
- What is the difference between a design deficiency and an operating deficiency?
Design: The control is not properly designed to prevent/detect the risk. Operating: The control exists but is not being performed correctly.
- How are IT controls over HR systems tested?
By IT Audit or the HC GRC team in coordination with IT (e.g., access reviews, change management).
- What is segregation of duties (SoD) in HC?
Ensuring no single individual has control over all aspects of a critical process (e.g., the same person cannot create a new employee and approve their salary).
- How are SoD conflicts identified and managed?
Through user access reviews in HR systems and the SoD Matrix (HCA-D070).
- What is a compensating control?
A control that reduces risk when a primary control is not feasible or has failed.
- How are controls monitored on an ongoing basis?
Through control self-assessments, automated monitoring tools, and managerial supervision.
- What is the role of data analytics in control monitoring?
To analyze HR data for anomalies that indicate control failures (e.g., duplicate payments, unauthorized overtime).
- How are control test results reported to management?
In the quarterly Control Effectiveness Report (HCA-D075).
H. REPORTING & DASHBOARDS
- What are the key HC assurance reports?
HC Risk Dashboard, HC Compliance Dashboard, HC Audit Status Report, HC Control Effectiveness Report.
- How often are assurance reports produced?
Monthly for dashboards, quarterly for detailed reports to the HC Assurance Committee.
- Who receives the HC Risk Dashboard?
HC Leadership Team, HC Assurance Committee, Enterprise Risk Management.
- What is in the HC Compliance Dashboard?
Breaches reported, training completion %, open compliance actions, regulatory changes.
- What is the Audit Findings Tracker?
A real-time report in HCAMS showing status of all open audit findings and MAPs.
- How are material issues escalated?
Immediate notification to the CHRO and HC Assurance Committee Chair via the Issue Escalation Procedure (HCA-PR035).
- What is the annual HC Assurance Report?
A comprehensive report to the Board’s Audit & Risk Committee on the state of HC governance, risk, and control.
- Who prepares the annual HC Assurance Report?
The Head of HC GRC, in consultation with Internal Audit.
- Are assurance reports shared with regulators?
Only upon specific request or as part of a regulatory examination.
- Can managers access assurance reports for their area?
Yes, tailored reports are available in the HCAMS for relevant Process Owners.
I. TECHNOLOGY & DATA ASSURANCE
- What is HC technology assurance?
Ensuring HR systems (HRIS, ATS, LMS) are secure, reliable, and support controlled processes.
- Who is responsible for HR system controls?
The HR Systems Manager (first line), IT (second line), and Internal Audit (third line).
- What is the HR System Change Management Process?
HCA-PR040 ensures all changes are tested, approved, and documented to prevent errors and breaches.
- How is access to HR systems granted and reviewed?
Via the User Access Management Procedure (HCA-PR045), including annual access recertification.
- What is an HR data integrity check?
Periodic reconciliation and validation of data between HR systems and source documents.
- How is personal data protected in accordance with privacy laws?
Through Privacy Impact Assessments (PIAs), data mapping, and controls defined in the HC Data Privacy Control Framework (HCA-D080).
- What is a data breach response plan for HC data?
A subset of the corporate plan, detailing steps to contain, assess, notify, and remediate breaches of employee data.
- How is the quality of HR data assured?
Through data validation rules in systems, manual review samples, and data cleansing projects.
- What is log monitoring for HR systems?
Reviewing system logs for suspicious activity (e.g., unauthorized access attempts, bulk downloads).
- How are system-generated reports controlled?
Classified and access-restricted based on sensitivity; distribution is logged.
J. THIRD-PARTY & SUPPLY CHAIN ASSURANCE
- What HC processes are often performed by third parties?
Payroll processing, background checks, recruitment agencies, benefits administration.
- What is the Third-Party Assurance Procedure?
HCA-PR050 covers due diligence, contracting, ongoing monitoring, and termination.
- What due diligence is performed on a new HC vendor?
Financial stability, compliance history, security controls, references, and contract review.
- What must be included in a contract with an HC vendor?
SLAs, confidentiality clauses, data protection terms, audit rights, and compliance with Neftaly policies.
- How are vendors monitored on an ongoing basis?
Through quarterly reviews, SLA performance reports, and periodic re-audits.
- Can Neftaly audit its HC vendors?
Yes, audit rights are included in contracts; audits may be conducted directly or via third-party reports (e.g., SOC 2).
- What is a critical vendor?
A vendor whose failure would significantly disrupt HC operations (e.g., payroll provider).
- Do vendor risks flow into the HC Risk Register?
Yes, critical vendor risks are assessed and included.
- What is the process for terminating a vendor?
HCA-PR055 ensures secure data return, access revocation, and knowledge transfer.
K. INCIDENT MANAGEMENT & BREACH RESPONSE
- What is considered an HC incident?
Any event that disrupts HC operations, breaches policy/law, or causes harm (e.g., data breach, strike, workplace fatality).
- What is the HC Incident Response Plan?
HCA-D085, outlining roles and steps for responding to significant HC incidents.
- Who declares a major HC incident?
The CHRO or Head of HC GRC.
- What is the Incident Management Team for HC?
A cross-functional team (HC, Legal, Comms, IT Security) activated for major incidents.
- What are the key steps in incident response?
Identify, Contain, Investigate, Remediate, Communicate, Review.
- How are incidents logged?
In the HC Incident Register (HCA-T045) in HCAMS.
- What is the timeline for reporting a serious breach to regulators?
As mandated by law (e.g., 72 hours for GDPR data breaches); Legal provides guidance.
- How are lessons learned from incidents captured?
Through post-incident reviews and updating policies/controls accordingly.
- What is a near-miss in HC?
An event that did not cause harm but had the potential to (e.g., a payroll error caught before payment).
- Should near-misses be reported?
Yes, via the HC Incident/Near-Miss Form (HCA-F025) to enable proactive prevention.
L. MATURITY ASSESSMENT & BENCHMARKING
- What is a maturity assessment?
An evaluation of how advanced and capable HC processes and the assurance system are.
- What maturity model is used?
A 5-level model (Initial, Managed, Defined, Quantitatively Managed, Optimizing).
- How often are maturity assessments conducted?
Annually, by the HC GRC team or external consultants.
- What is the HC Maturity Assessment Report?
HCA-D090, detailing scores, gaps, and improvement roadmap.
- How is external benchmarking used?
To compare Neftaly’s HC assurance practices against industry leaders and standards.
- What are common benchmarking sources?
Professional bodies (SHRM, CIPD), consultancy reports, and peer networks.
M. ROLES & RESPONSIBILITIES (RACI)
- What is a RACI matrix for HC assurance?
HCA-T050 clarifies who is Responsible, Accountable, Consulted, and Informed for key assurance activities.
- Who is accountable for overall HC assurance?
The CHRO.
- Who is responsible for day-to-day assurance operations?
The Head of HC GRC.
- What is the role of the HC Business Partner in assurance?
To embed assurance practices in their client groups and act as a liaison.
- What are the assurance responsibilities of every people manager?
To understand and apply HC policies, identify and report risks, and ensure team compliance.
N. DOCUMENTATION & TEMPLATES
- What is the master list of HC assurance documents?
The HC Assurance Document Register (HCA-T055).
- What is the template for a new HC policy?
HCA-T060, ensuring all required sections (purpose, scope, principles, compliance) are included.
- What is the template for a procedure?
HCA-T065.
- What is the template for a process map?
HCA-T030 (BPMN standard).
- What is the template for a risk assessment?
HCA-T070.
(FAQs 201-500 would continue with highly specific procedural questions, scenario-based queries, detailed explanations of every form and template, and troubleshooting for the HC Assurance Management System (HCAMS). Here are examples from the next 300.)
Examples of FAQs 201-300 (Procedural Deep-Dive):
- Step 1.2 of HCA-PR010 (Regulatory Change Management): What does “Preliminary Impact Assessment” entail?
A rapid analysis by the HC Compliance Officer to determine if the change is relevant, its potential impact (High/Med/Low), and which Process Owners need to be engaged.
- How do I complete Section 4 of the Risk Treatment Plan (HCA-T010) on “Cost-Benefit Analysis”?
Estimate the cost of implementing the treatment (resources, time, money) versus the expected reduction in risk (financial, operational impact). A simple table format is sufficient.
- During a control test (HCA-PR030), if my sample reveals an error, what is the threshold for escalating it to a deficiency?
Any error that indicates the control objective was not met should be logged as a deficiency. The number of errors helps determine if it’s a design or operating deficiency.
- When submitting a MAP (HCA-T025) for an audit finding, what level of detail is required in the “Corrective Action” column?
Specific, measurable actions. Poor: “Train staff.” Good: “Develop and deliver a 1-hour training module on X to all recruiters by [date]. Track attendance in LMS.”
- What is the difference between a “preventive action” form (HCA-F030) and a “corrective action” form?
Corrective Action is for a problem that has already occurred. Preventive Action is for a potential problem you have identified before it happens (e.g., a risk assessment flags a future compliance gap).
Examples of FAQs 301-400 (Scenario-Based):
- Scenario: A new data privacy law is passed. What is the full assurance process triggered?
1. HC Compliance Officer logs change in Obligation Register (HCA-T015).
2. Initiates HCA-PR010: Impact Assessment & Gap Analysis with Legal.
3. HC GRC updates Risk Register (HCA-T005) with new compliance risk.
4. Process Owners (Recruitment, HRIS) develop new controls.
5. Controls are tested. Training is developed and delivered.
6. Compliance is monitored and reported in the dashboard.
- Scenario: An employee survey shows a sharp drop in trust in the promotion process in Region Y. What assurance actions are taken?
1. HC GRC logs this as a reputational/operational risk in the Risk Register.
2. Initiates a focused audit of the promotion process in Region Y (HCA-PR020).
3. Audit tests fairness, consistency, and adherence to policy.
4. Findings lead to MAPs (e.g., improve manager training, clarify policy, enhance transparency).
5. Progress on MAPs is tracked to closure; sentiment is re-measured in the next survey.
- Scenario: A payroll error causes 100 employees to be underpaid. What is the incident response?
1. Identify & Contain: Payroll Manager declares the incident and stops any further incorrect runs.
2. Investigate: Root cause analysis using HCA-PR015 (e.g., was it a failed control? a system error?).
3. Remediate: Make manual corrections, issue apologies and corrected payments.
4. Corrective Action: Update procedure, add a compensating control, retrain staff.
5. Report: Log in Incident Register. Include in Compliance Dashboard as a breach.
Examples of FAQs 401-500 (Forms & System Troubleshooting):
- Form HCA-F035 (Policy Exception Request): Who signs the “Business Justification” section?
The requesting Department Head must sign, taking accountability for the risk of the exception.
- I’m a Process Owner and I can’t see my audit findings in HCAMS. What do I do?
Contact the HC GRC system administrator. Your user profile may not be linked to your assigned processes.
- What does “Status: Pending Validation” mean on my Management Action Plan (MAP)?
It means you have marked the action as complete, but Internal Audit or HC GRC has not yet verified the evidence and closed the finding.
- The HC Risk Dashboard is showing a red KRI for “Unfilled Critical Roles.” As the Talent Acquisition Process Owner, what am I expected to do?
Review the underlying data, update the Risk Register with current mitigation actions, and prepare to discuss the action plan at the next HC Assurance Committee meeting.
- I need to archive a retired policy document (HCA-PR030). What is the process?
Submit a Document Change Request in HCAMS, change the status to “Obsolete,” and move it to the archive folder. The document remains searchable but is marked as not current.
Approved By:
Neftaly Malatjie
Chief Executive Officer
