Integrated GRC platforms – Audit Management (part 2 of 3)
In the first of the three articles dealing with GRC platforms, I have described substantive and technical challenges in the area of auditing and audit management.
In today's second part, we deal with functionalities that audit management platforms should have. Some of these functionalities can be found in this blog post. However, they do not represent a complete catalogue, but are only an excerpt without claiming to be complete.
2. functionalities
The content challenges described in the first article can be combined with the requirement for specific functionalities listed here. Thematically it is divided into
- Planning of Audits
- Execution of audits
- Follow-Up
- Data protection
- General requirements
2.1 Planning
Planning should be sound and reliable, based on objective criteria, enable risks to be reduced and support the achievement of strategic goals.
Depiction of the Audit Universe
The solution must be suitable to map the existing Audit Universe. This includes the relevant organizational units as well as the corresponding business processes that are relevant for the respective organizational unit. In other words, you should be able to both map entity and process structures in the Audit Management Tool and assign them to the respective audits.
Risk Catalogue
A risk-oriented audit also includes the storage of a corresponding risk catalogue, extended if necessary by aspects such as risk scoring, and functionalities for sounding out and evaluating risks, so-called self-assessments. Ideally, corresponding controls can already be assigned and stored as RCM (Risk Control Matrix).
Annual & multi-year plan in connection with strategic goals
In addition to risks to be mitigated, it would be desirable to be able to formulate strategic objectives in the planning process, which can be used as a basis for multi-year planning. Concrete annual planning, on the other hand, should at least provide the necessary functionalities in the area of resource management with regard to the available staff, so that realistic planning can be placed on the time axis for the current year.
2.2 Executing audits
The performance of the audits should efficiently support teamwork. The status of the audit should be transparent for all team members, and the associated documentation should be created largely automatically, if possible.
Templates
For many recurring aspects (e.g. the announcement of audits, standard requirement catalogs, etc.), a repository of templates can ideally be created to which all relevant team members have access. In the case of updates of the templates, these should be versioned, ideally those responsible for certain areas can also be defined on the platform itself.
Checklists
Even if the term is not always positively associated - no revision is possible without good checklists. It makes sense to define certain questions for areas and/or processes as "mandatory". Only if the questions have a certain degree of standardisation can comparisons be made and synergy effects created. If, for example, in a global organization, you examine purchasing in 10 different subsidiaries, the relevant issues will probably be similar across all subsidiaries. Similar to the templates listed above, it should be possible to store these checklists in a central location so that they can then be assigned in full or in part to individual audits and processed.
Assigning work packages & Sign Off processes
If audits are carried out in teams, the work packages for the individual team members should be well delimited by the tools. Here, one could proceed in such a way that, for example, the questions of the checklist are assigned to individual colleagues for each question. A further possibility of division of labour is the differentiation by organisational units or process steps to be audited, where these are assigned to a team member, the relevant questions are then automatically the responsibility of the respective employee. Of course, sign-off processes are also conceivable, which enable a four-eye principle when conducting the audit.
Create working papers
The preparation of a classic audit report often presents a great challenge. If no audit management software is in use, in practice a classic Word document is usually created, which contains manually created report parts from the various team members. Here, deviations in writing style are still the smallest problem: Often it is simply the operational challenge to create a central document on which many people are working simultaneously. Here, the audit management platform should make it possible to create the final report at the push of a button. In terms of content, this should be possible because all necessary information, starting with planning information, the Audit Universe and the findings, supporting documents as attachments, and recommendations, have already been maintained and are available on the platform itself. The creation of the final report should therefore only be an automated, technical process.
2.3 Follow UP
In the follow-up process, it is crucial that key elements such as recommendations or deadlines are seamlessly exchanged with the contact persons to be involved. In addition, the contact persons should also be able to interact with the solution and communicate with it.
Making recommendations and assigning actions
As a rule, recommendations or actions for individual findings are specified by the audit. This includes aspects of how certain risks can be mitigated or weaknesses remedied. It is ideal here if these can already be shared with the audited colleagues from the specialist departments via the audit management platform. Since such measures often require internal coordination before they are published, it makes sense to have an activation functionality in the software.
Simple operability & accessibility
Not every user works with the platform every day. Particularly in the follow-up process and in the tracking of measures, contact persons from the specialist departments will only work with the platform on an irregular basis, for example to respond to recommendations from the auditors, to document measures or to implement defined actions and to-dos. This must be possible intuitively, without having to read extensive documentation and instructions. Intuitive operation greatly increases acceptance when rolling out an audit management solution. Ideally, accessibility is also possible without installation effort, as is the case with browser-based solutions with SSO (Single Sign On) functionality.
Due dates, deadlines and reminders
The measures are often accompanied by deadlines for the individual recommendations to be implemented. These vary according to the severity or category of the finding or the scope of the actions to be carried out for a finding. Deadlines can be set and communicated and followed up via the tool. In this context, an automatic reminder function also makes sense, which, in the case of inactivity at certain intervals or defined times before the deadline expires, notifies both the colleagues from the specialist department responsible for this and the team members from the audit department, who must follow up on the deadline.
Logging
Both within the team and in cooperation with the departments, it makes sense that changes to individual elements as well as work progress and corresponding statuses are logged by the platform. Especially with collaborative tools, this creates a transparency that is essential - especially in the area of auditing with regard to the audit log.
2.4 Data protection
The fact that we list data protection only after the functional requirements has nothing to do with prioritization. On the contrary, in today's world it is essential that data protection aspects are treated with the highest priority. Great importance should be attached to ensuring that data protection requirements are met. In the following we list some of the points that are important for this:
DSGVO/GDPR Compliance
It is of course essential that the requirements of the basic data protection regulation are met. Important for cloud solutions are the locations of the servers on which the data is stored and the cloud operators. This raises the question of compliance reports such as the SOC 2 report, the EU Standard Contractual Clauses SCC, the regulation of commissioned data processing, the availability of data and the transparency of data protection measures in general.
Roles and authorization concept
The platform is intended to be used by employees of different hierarchical levels and from different departments and specialist areas to work to varying degrees. In addition, the information processed, such as a list of corporate risks in the area of risk management, findings in the area of internal audit, identified weaknesses in processes and controls in the area of ICS, is sensitive and should not be accessible to every person in the company. For this reason, an authorization concept is required which - usually based on roles - allows an appropriately granular setting so that the requirement is met, users can work with the software without any obstacles and sensitive data is protected accordingly, and all this without a great deal of administrative effort.
2.5 General requirements
Multilingualism
Since both the audit teams are often international and the units to be audited are distributed worldwide in global organizations, multilingualism is usually a mandatory criterion. Especially for the connection of different groups of people, it can improve access and acceptance when working in environments where the own language is spoken.
Global support 24/7
For the same reason as the multi-language support that has just been requested, it also makes sense for the software vendor of the audit management platform to offer global support that is available across time zones; or at least to provide an equivalent, well-designed online documentation and self-service platform.
Migration possibility / Upload functionality
When an audit management solution is purchased, it usually either replaces an old construct, which can often be described as a conglomerate of SharePoint approaches and Microsoft Office documents. Alternatively, a proprietary audit management solution is replaced. In both cases, it would be helpful if the history, such as the findings of past audits, could be integrated into the new platform. An upload or migration functionality for elements such as findings, risk control matrices or audit checklists would be desirable.
Predefined evaluations & custom reports
Some requirements for internal reporting are probably of general application, such as the listing of findings of the various audits. These should already exist in the standard system in the audit management solution. Nevertheless, additional reporting options should be available so that experienced users can create additional evaluations, such as Findings by business area, overdue actions sorted by age, classification of Findings by severity, or create additional reports on their own.
MS Office integration & versioning of Office documents
Even if the majority of work is now to be done directly in the Audit Management Platform instead of in a multitude of Excel or Word files buzzing around, additional documents are often unavoidable. In these cases, it is desirable if the platform allows teamwork on the Office documents, such as attachments to a finding or to the planning phase of the audit, if the changes made are versioned and, similar to SharePoint solutions, redundancy-free working is possible. It can be particularly helpful if - for example when documenting findings - certain sources in the original documents can be referenced or linked ("citation mode").
Interim conclusion
The points just presented are intended to show you possible functional requirements for an Audit Management Platform. I hope the information is helpful. If you have any questions, please feel free to contact us at any time. If the topic is of interest to you, I recommend the latest article on GRC platforms. Furthermore, we will publish another article on this topic in the coming week!