Integrated GRC platforms – Audit Management (part 1 of 3)
In a first blog post on GRC platforms titled "GRC and Governance Platforms - Introduction", we took a bird's eye view of the topic. Now I would like to continue the article series with the topic "Audit Management", which will consist of three consecutive articles. I will address the following topics:
- Challenges: What do you have to struggle with in your daily business?
  a) Content challenges
  b) Technical challenges
- Functionalities: What should the solution cover?
  a) Planning of audits
  b) Conducting audits
  d) Data protection
  e) General requirements
- Examples of use
Of course, there are some overlaps in content between the chapters "Challenges" and "Functionalities", as the latter can be derived from the former.
Many of the challenges listed below are not new; however, some are given additional depth by changing technologies, increasing globalization and the demand for leaner, more efficient processes. For this reason, we distinguish here between content and more technical aspects.
External interfaces & integration of contact persons
However, preparing an audit also involves people who do not belong to the audit department itself, so there must be ways to connect them. For example, the audit is usually formally announced (Announcement), documents are requested that should ideally be provided in advance (Information Request), and persons from the audited unit are involved in the audit project from the very beginning, be they guest auditors, contact persons or persons responsible from the audited unit.
The actual implementation should be structured. Test topics are divided within the team and processed efficiently, and the results are documented in a comprehensible way. Data analysis is indispensable here, but it rarely makes up 100% of an audit. Notes from interviews, Excel files, Word documents, scans and photos are just as much a part of an audit as (partially) automated audit procedures based on data from ERP systems, such as SAP.
One of the most time-consuming work steps is usually the consolidation of the results of the individual audit staff members in the form of a final report. The findings recorded for each audit subject must be listed together with the corresponding recommended measures. These are to be agreed between the auditor in charge and the audit project manager, summarized and provided with an assessment, which often corresponds to a classification. Even if it has become easier to work together on, for example, an audit report in the form of a Word document, this is not enough, since the references to the findings (evidence) should also be available accordingly. In addition, the report must be coordinated with the audited unit or department(s), as this is where the responsibility for implementing the measures lies.
Realistic planning also includes the knowledge that the audit cannot, as a rule, be fully concluded with the final report. The monitoring of measures or the follow-up process of all findings and recommendations may certainly take some time due to deadlines and may require coordination during this period.
If we now look one level higher again, from a bird's eye view, target-oriented management reporting across all audit projects is important. How many audits were conducted during the period under review? How many findings in the respective categories resulted from this? What are the subject areas in which the most weaknesses were identified? How many of the proposed measures have already been completed, and how many are still open? This is also an aspect that plays an important role in the cooperation with the auditor.
Teamwork and Collaboration
As far as the content aspects are concerned, we have already highlighted the need for internal and external interfaces. Internally in the audit team, various employees must work closely together. But external contacts such as guest accountants, auditors or colleagues from specialized departments must also be integrated without problems. This should be possible in a simple manner by means of a suitable authorization concept without generating too much administrative overhead during setup. Collaboration should also be supported in a technically up-to-date manner, for example by enabling joint work on a document such as the final report without generating version conflicts, or by sharing information simply and transparently within the team, comparable to the Sharing Information Economy within the platform. For team members who do not regularly work with the audit management solution, such as the contact persons from the departments, the user interface should be designed to be simple and intuitive.
Seamless integration of data and data analysis
The close connection between internal audit and data analysis is now indispensable. This applies not only to areas such as continuous auditing, but also to support for standard audits. Data analyses help to make audits more efficient and create added value. Various levels can be identified here: For individual questions, critical transactions (findings) are identified, such as invoices without a purchase order reference that should actually have one, one-time postings whose amount exceeds the limit set in the guidelines, or violations of the 4-eye principle (SoD, Segregation of Duties) when releasing transactions. In addition, it is possible to determine KPIs or KRIs in order to make certain circumstances measurable and, if necessary, to communicate them at higher reporting levels. However, this is where the drilldown requirement becomes particularly apparent, i.e. being able to go from the respective KRI to the individual transactions. Technically, it makes sense that the data analysis information from the data analysis system can be linked in order to avoid redundancies. The data analysis components are usually also part of the GRC platform to enable seamless integration. A GRC platform that also covers audit management must reflect this as a matter of course in its technology.
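The three checks named above, as an added example that is not part of the original post: rule functions run over constructed sample postings, with each KRI keeping the document numbers behind it for drill-down. The field names, the sample rows and the 500.00 one-time limit are assumptions.

```python
from decimal import Decimal

# Constructed sample postings (not real ERP data); field names are assumptions.
FIELDS = ("doc", "amount", "po_required", "po_ref", "one_time", "created_by", "released_by")
ROWS = [
    ("1001", "1200.00", True,  "4500001", False, "alice", "bob"),
    ("1002", "980.50",  True,  "   ",     False, "carol", "dave"),   # blank PO reference
    ("1003", "750.00",  False, "",        True,  "erin",  "frank"),  # one-time, over limit
    ("1004", "120.00",  False, "",        True,  "erin",  "frank"),  # one-time, within limit
    ("1005", "3300.00", True,  "4500002", False, "Bob",   "bob "),   # same user, spelled differently
    ("1006", "410.00",  True,  "4500003", False, "alice", None),     # not released yet
]
POSTINGS = [dict(zip(FIELDS, r), amount=Decimal(r[1])) for r in ROWS]
ONE_TIME_LIMIT = Decimal("500.00")  # assumed guideline limit for one-time postings

def _user(value):
    """Normalise a user ID so 'Bob' and 'bob ' compare as the same person."""
    return (value or "").strip().casefold()

def missing_po_reference(p):
    # A whitespace-only reference counts as missing.
    return p["po_required"] and not (p["po_ref"] or "").strip()

def one_time_over_limit(p):
    return p["one_time"] and p["amount"] > ONE_TIME_LIMIT

def four_eyes_violation(p):
    # Only released postings can violate the rule; unreleased ones are skipped.
    releaser = _user(p["released_by"])
    return bool(releaser) and releaser == _user(p["created_by"])

CHECKS = {
    "missing_po_reference": missing_po_reference,
    "one_time_over_limit": one_time_over_limit,
    "four_eyes_violation": four_eyes_violation,
}

def run_checks(postings):
    """Return {check name: [document numbers]} for every check."""
    return {name: [p["doc"] for p in postings if check(p)] for name, check in CHECKS.items()}

def kri_report(postings):
    """KRI per check: count and share of postings flagged, plus the drill-down list."""
    total = len(postings) or 1  # avoid division by zero on an empty period
    return {name: {"count": len(docs), "share": round(len(docs) / total, 3), "documents": docs}
            for name, docs in run_checks(postings).items()}

if __name__ == "__main__":
    for name, kri in kri_report(POSTINGS).items():
        print(name, kri)
```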
Scalability is a central point, especially when it comes to connecting the departments. This applies to the audit area, but even more so to the ICS area, especially if control performers are to work directly in the system. The solution should be able to support smaller central teams as well as a global company with thousands of colleagues throughout the organization. Only in this way can the platform approach be lived. This point is indirectly related to cloud-readiness, because scalability is often easier to handle with these solutions than with locally installed client-server solutions, where additional hardware, such as storage space, is needed to further roll out the software.
The aspects just described are intended to give you an overview of the substantive and technical challenges in the field of auditing and audit management. I hope the information provided was helpful. If you have any questions, please feel free to contact us at any time. Should the topic be of interest to you, you can look forward to further blog articles on this topic. We will publish further blog posts on a weekly basis. I would be happy if you would also participate in the following articles again!