Integrated GRC platforms – Audit Management (part 1 of 3)
In a first blog post on GRC platforms titled "GRC and Governance Platforms - Introduction", we took a bird's eye view of the topic. Now I would like to continue the article series with the topic "Audit Management", which will consist of three consecutive articles. I will address the following topics:
- Challenges: What do you have to struggle with in your daily business?
a) Content challenges
b) Technical challenges - Functionalities: What should the solution cover?
a) Planning of audits
b) Conducting audits
c) Follow-up
d) Data protection
e) General requirements - Examples of use
Of course, there are some overlaps in content between the chapters "Challenges" and "Functionalities", as the latter can be derived from the former.
1. Challenges
Many of the challenges listed below are not new; however, some are given additional depth by changing technologies, increasing globalization and the demand for leaner, more efficient processes. For this reason, we distinguish here between content and more technical aspects.
1.1 Content challenges
There are many aspects of audit work that represent challenges. This begins with resource management, extends to deciding how often certain entities are audited and deals with the question of whether the audit must take place on site or can be done remotely.
Risk-oriented allocation of resources
Business life is getting faster and faster. This means that where in the past the audit department perhaps audited an entity on average every 3-5 years to test the effectiveness of the internal control system, this is no longer up to date. On the other hand, in times of globalized supply chains, it is questionable whether the requirement for shorter audit cycles can be reconciled with lengthy on-site audits. Even if, ideally, enough resources should be available, these must be used in a targeted manner in the form of risk-based audit planning.
Audit planning vs. Planning an audit
Audit work consists to a large extent of planning. On the one hand, audit planning at the meta-level: Which units are to be audited and which topics are in the foreground; is it a general audit or should a special process be examined in more detail? The audit that then follows is a project with a clearly defined start and end date and the phases of preparation, implementation, documentation and follow-up. Seen in an abstract way, the performance of the audit requires nothing more than solid project management.
The preparation includes an internal briefing, which should clarify the following questions, among others:
- Have there been previous audits of the corresponding unit, and what were the results?
- Which are relevant additional informations about the Corresponding Entity?
- Are there interesting facts or special features regarding the audit topics or the audit methodology?
These mentioned questions are individual aspects of knowledge management and know-how transfer.
External interfaces & integration of contact persons
However, the preparation of an audit also requires external persons who do not belong to the own audit department. Thus, possibilities must be created to connect them. For example, the audit is usually formally announced (Announcement), there are requirements for documents that should at best be provided in advance (Information Request) and persons from the audited unit who are involved in the audit project from the very beginning, be they guest auditors, contact persons or persons responsible from the audited unit.
Implementation
The actual implementation should be structured. Test topics are divided within the team, efficiently processed and the results are documented in a comprehensible way. On the one hand, data analysis is indispensable here, on the other hand it rarely makes up 100% of an audit. Notes from interviews, Excel files, Word documents, scans and photos are just as much a part of an audit as (partially) automated audit procedures based on data from ERP systems, such as SAP.
Report preparation
One of the most time-consuming work steps is usually the consolidation of the results of the individual audit staff members in the form of a final report. The findings recorded for each audit subject must be listed together with the corresponding recommended measures. These are to be agreed between the auditor in charge and the audit project manager, summarized and provided with an assessment, which often corresponds to a classification. Even if it has become easier to work together on, for example, an audit report in the form of a Word document, this is not enough, since the references to the findings (evidence) should also be available accordingly. In addition, the report must be coordinated with the audited unit or department(s), as this is where the responsibility for implementing the measures lies.
Follow-Up processes
Realistic planning also includes the knowledge that the audit cannot, as a rule, be fully concluded with the final report. The monitoring of measures or the follow-up process of all findings and recommendations may certainly take some time due to deadlines and may require coordination during this period.
Management reporting
If we now look one level higher again, from a bird's eye view a target-oriented management reporting across all audit projects is important. How many audits were conducted during the period under review? How many findings in the respective categories resulted from this? What are the subject areas in which the most weaknesses were identified? How many of the proposed measures have already been completed, how many are still open? This is also an aspect that plays an important role in the cooperation with the auditor.
1.2 Technological challenges
No matter whether ERP, CRM or GRC platforms, besides the content aspects, technological aspects also play an important role.
Cloud-readyness
The cloud is an essential component of a healthy corporate strategy, and not just in the wake of the COVID-19 pandemic. Indeed, a cloud-based platform can solve many problems, which are listed below.
Easy adaptability of process and terminology
Audit processes have a certain degree of standardization, also influenced by the Institute of Internal Audit, Global information systems association ISACA and The Institute of Internal Auditors (IIA). Nevertheless, a GRC platform that supports the audit management area must be adapted to the company's own processes. As a further aspect, it is often simply terms and naming conventions that have been used historically in companies for years, and which should also be reflected in an audit management platform. For example, the terms Finding, Issue and Statement are used as synonyms, but within the platform and also in the final report a consistent term should be used, which has possibly been lived in the company for years and by which all parties involved understand the same. Extensive customizing, i.e. the possible even source code-side adaptation of a software to user-specific requirements, is no longer up-to-date nowadays, and this also apart from the costs incurred and the impairment in the course of later updates and upgrades of the platform. Sometimes this is also described with the expression "Configuration over Customization". Accordingly, modern platforms should offer configuration options that ensure adaptation to the respective usage scenario and make complex
Accessibility via web browser
Accessibility via the web browser is not necessarily associated with the cloud aspect, but is usually covered by it. Instead of installing extensive programs ("fat clients"), the web browser is used. Web technology now offers many possibilities to design user interfaces responsive, i.e. optimized for mobile devices and without much additional development effort, and interactive, i.e. dynamic, such as drag & drop. In contrast, conventional programs often appear sluggish and stale. Instead of complex administrative processes, the user of the GRC platform simply receives a link and can log on to the platform immediately, assuming he has the appropriate authorization. But accessibility also means that the platform can be used from different end devices without having to keep the data redundant or copy it, or to establish a connection to a dedicated database.
Teamwork and Collaboration
As far as the content aspects are concerned, we have already highlighted the need for internal and external interfaces. Internally in the audit team, various employees must work closely together. But external contacts such as guest accountants, auditors or colleagues from specialized departments must also be integrated without problems. This should be possible in a simple manner by means of a suitable authorization concept without generating too much administrative overhead during setup. Collaboration should also be supported in a technically up-to-date manner, for example by enabling joint work on a document such as the final report without generating version conflicts, or by sharing information simply and transparently within the team. comparable to the Sharing Information Economy within the platform. For team members who do not regularly work with the audit management solution, such as the contact persons from the departments, the user interface should be designed to be simple and intuitive.
Seamless integration of data and data analysis
The close connection between internal audit and data analysis is now indispensable. This applies not only to areas such as continuous auditing, but also to support for standard audits. Data analyses help to make audits more efficient and create added value. Various levels can also be identified here: For individual questions, critical transactions (findings) are identified, such as invoices without a purchase order reference, which should actually have a reference, one-time postings whose amount has been exceeded according to the guidelines, or violations of the 4-eye-principle (SoD Segregation of Duties) when releasing transactions. In addition, it is possible to determine KPIs or KRIs in order to make certain circumstances measurable and, if necessary, to communicate at higher reporting levels. However, this is where the drilldown requirement becomes particularly apparent, i.e. to go from the respective KRI to the individual transactions. Technically, it makes sense that the data analysis information from the data analysis system can be linked to avoid redundancies. From a technical point of view, it is usually the case that the data analysis components are also part of the GRC platform to enable seamless integration. A GRC platform, which also covers the topic of audit management, must also reflect this matter of course in terms of technology.
Scalability
Scalability is a central point, especially when it comes to connecting the departments. This applies to the audit area, but even more so to the ICS area, especially if control performers are to work directly in the system. The solution should be able to support smaller central teams as well as a global company with thousands of colleagues throughout the organization. Only in this way can the platform approach be lived. This point is indirectly related to cloud-readyness, because scalability is often easier to handle with these solutions than with locally installed client-server solutions, where additional hardware, such as storage space, is needed to further roll out the software.
Interim conclusion
The aspects just described are intended to give you an overview of the substantive and technical challenges in the field of auditing and audit management. I hope the information provided was helpful. If you have any questions, please feel free to contact us at any time. Should the topic be of interest to you, you can look forward to further blog articles on this topic. We will publish further blog posts on a weekly basis. I would be happy if you would also participate in the following articles again!