Integrated GRC platforms – Audit Management (part 2 of 3)
In the first of the three articles dealing with GRC platforms, I described the substantive and technical challenges in the area of auditing and audit management.
This second part deals with the functionalities an audit management platform should offer. The functionalities listed in this post are an excerpt, not a complete catalogue.
The challenges described in the first article can be mapped to the specific functional requirements listed here. By topic, they are grouped into:
- Planning of Audits
- Execution of audits
- Data protection
- General requirements
Planning should be sound and reliable, based on objective criteria, enable risks to be reduced and support the achievement of strategic goals.
2.3 Follow-up
In the follow-up process, it is crucial that key elements such as recommendations and deadlines are exchanged seamlessly with the contact persons involved. In addition, those contact persons should be able to interact with the solution directly rather than only receive output from it.
Making recommendations and assigning actions
As a rule, the audit specifies recommendations or actions for each individual finding, covering how particular risks can be mitigated or weaknesses remedied. Ideally, these can be shared with the audited colleagues from the specialist departments directly via the audit management platform. Since such measures often require internal coordination before they are published, the software should provide a release (activation) function so that a recommendation becomes visible to the auditee only once it has been approved.
Simple operability & accessibility
Not every user works with the platform every day. Particularly in the follow-up process and in the tracking of measures, contact persons from the specialist departments will use the platform only irregularly, for example to respond to recommendations from the auditors, to document measures, or to implement defined actions and to-dos. This must be possible intuitively, without having to read extensive documentation and instructions. Intuitive operation greatly increases acceptance when rolling out an audit management solution. Ideally, access requires no installation effort, as is the case with browser-based solutions that support SSO (single sign-on).
Due dates, deadlines and reminders
The measures are often accompanied by deadlines by which the individual recommendations must be implemented. These vary with the severity or category of the finding and with the scope of the actions required for it. Deadlines should be set, communicated and followed up via the tool. An automatic reminder function is also useful here: in the case of inactivity over a defined interval, or at defined points before a deadline expires, it should notify both the responsible colleagues in the specialist department and the team members in the audit department who must follow up on the deadline.
Both within the audit team and in cooperation with the departments, changes to individual elements, work progress and the corresponding statuses should be logged by the platform. With collaborative tools in particular, this creates a transparency that is essential, especially in auditing, where a complete audit log is required.
2.4 Data protection
The fact that we list data protection only after the functional requirements has nothing to do with prioritization. On the contrary, today it is essential that data protection aspects are treated with the highest priority and that data protection requirements are demonstrably met. In the following we list some of the points that matter here:
It is of course essential that the requirements of the EU General Data Protection Regulation (GDPR) are met. For cloud solutions, the locations of the servers on which the data is stored and the identity of the cloud operators are important. This raises the questions of compliance reports such as the SOC 2 report, the EU Standard Contractual Clauses (SCC), the data processing agreement for commissioned processing, the availability of the data, and the transparency of the data protection measures in general.
Roles and authorization concept
The platform is intended to be used, to varying degrees, by employees at different hierarchical levels and from different departments and specialist areas. In addition, the information processed is sensitive and should not be accessible to every person in the company: a list of corporate risks in risk management, findings in internal audit, or identified weaknesses in processes and controls in the ICS (internal control system). For this reason, an authorization concept is required which, usually based on roles, allows sufficiently granular settings so that users can work with the software without obstacles, sensitive data is protected accordingly, and all of this is achieved without a great deal of administrative effort.
2.5 General requirements
Since audit teams are often international and, in global organizations, the units to be audited are distributed worldwide, multilingualism is usually a mandatory criterion. Especially when connecting different groups of people, being able to work in one's own language improves access and acceptance.
Global support 24/7
For the same reason as the multi-language support just described, it also makes sense for the vendor of the audit management platform to offer global support that is available across time zones, or at least to provide equivalent, well-designed online documentation and a self-service platform.
Migration possibility / Upload functionality
When an audit management solution is purchased, it usually replaces either an old construct, which can often be described as a conglomerate of SharePoint approaches and Microsoft Office documents, or a proprietary audit management solution. In both cases, it is helpful if the history, such as the findings of past audits, can be integrated into the new platform. An upload or migration functionality for elements such as findings, risk control matrices or audit checklists is therefore desirable.
Predefined evaluations & custom reports
Some requirements for internal reporting, such as a listing of the findings of the various audits, are likely common to most organizations and should already be part of the standard audit management solution. Nevertheless, additional reporting options should be available so that experienced users can create their own evaluations and reports, such as findings by business area, overdue actions sorted by age, or a classification of findings by severity.
MS Office integration & versioning of Office documents
Even if the majority of the work is now done directly in the audit management platform instead of in a multitude of scattered Excel or Word files, additional documents are often unavoidable. In these cases, the platform should allow teamwork on Office documents, such as attachments to a finding or to the planning phase of an audit, with changes versioned and, similar to SharePoint solutions, no duplicate copies of a document in circulation. It is particularly helpful if, for example when documenting findings, specific passages in the source documents can be referenced or linked ("citation mode").
The points just presented are intended to show you possible functional requirements for an audit management platform. I hope the information is helpful. If you have any questions, please feel free to contact us at any time. If the topic is of interest to you, I recommend the latest article on GRC platforms. Furthermore, we will publish another article on this topic in the coming week!