Self Assessments with ACL GRC
The modern business environment is in a constant state of flux, presenting new challenges for risk management within companies. Risk management must keep pace with the developments. Equally, controls must be repeatedly assessed to check that they are still relevant. These self-assessments are often performed using Excel, which is an extremely time-consuming and error-prone method. However, it is now possible to perform tool-based self-assessments using ACL, and to store the results directly online. This blog post discusses self-assessments using ACL and explains how you can shelve the tedious Excel-based query process.
Preparing an assessment
An assessment aims to check the effectiveness of controls. To start with, you need to have set up a project containing the objectives and the controls. In the results module, you then need to create a questionnaire and the location where the results will be stored. A new data collection is created for this. An analysis is then added, followed by a table, where “survey” is selected. You can now select an existing questionnaire or add a new one.
If the screenshot is connected, a table is created in which the responses are subsequently entered.
Once the preparations for the assessment have been completed, you can start the actual assessment. You can add an assessment directly in the “Fieldwork” tab in the projects module. A large blue button “Create an assessment for...” is located on the right-hand side. Then select your survey, followed by the controls to be assessed.
You can now assign one or more owners to each control. They don't have to be registered as ACL users. You can send the questionnaire to anyone. This is a major benefit as the experts for individual topic areas are not necessarily members of the Audit department. Once you have assigned the auditors and clicked confirm to send the survey, they will receive an e-mail detailing all of the controls to be checked.
The assessments for the individual controls can be carried out separately from each other. When the questionnaire is called up, the left-hand side shows the owner all important information on the questionnaire and on the control which is to be assessed. The questionnaire which is to be completed is placed in the centre.
Once the questions have been answered, they are incorporated into the prepared table. However, information is already created when the questionnaire is sent. The name of the control which is to be assessed, the description and the owner performing the assessment are already entered. This also allows you to see which assessments have already been completed and which have not.
My personal opinion of the GRC self-assessment
I have found the ability to perform self-assessments using ACL GRC extremely convenient. It involves significantly less work than the Excel-based process. If you use the projects module in any case, you already have the fundamentals for the assessment (the controls) and don't need to script anything else. Moreover, you only have to create the questionnaire once, after which it can be repeatedly re-used. This significantly streamlines the self-assessment process.
For me, another benefit lies in the fact that the responses are automatically stored in a single table of the results module. This removes the need for tedious copying and pasting from different tables in order to create one results table. You can also process your results directly in the results module in order to access results as quickly as possible. The tracking feature is also very useful. You can easily check who has already submitted their assessment, providing you with a simple control mechanism.
Personally, I find the self-assessment option described here a great help which offers major time savings compared to previous methods. The time saved can be used far more effectively to improve and carry out the controls and so guarantee an effective audit.