BPS and SymSure Announce Partnership to Offer Integrated GRC Platform and Continuous Controls Monitoring.

May 20th, 2009, Nathalie Smith

Toronto, Canada – May 15, 2009 – BPS Inc., a leading provider of software solutions for enterprise governance, risk, compliance (GRC), and internal audit, and SymSure Limited, a solutions and services provider of risk and controls monitoring, today announced a joint venture to provide an integrated GRC platform.

The BPS Suite™ is a comprehensive offering used to manage compliance, internal audit and operational risk needs across the enterprise.  SymSure™ Monitor is an advanced risk and controls monitoring solution.  Integration between the two products will enhance the client’s abilities to easily access a host of enterprise risk data and metrics directly from multiple sources and apply analytics to inform risk management.   Users will then be able to access the monitoring results from their desktops and put their judgments to work using the BPS Suite™.

About SymSure Limited

SymSure Limited is a software company providing solutions and services for monitoring and managing organizational risks and controls. The company’s flagship product is SymSure™ Monitor, a sophisticated risk and controls monitoring solution. With SymSure™ Monitor, audit, risk and control professionals can quickly and confidently monitor any automated system. This enables executives and operation managers to decrease risk levels and increase regulatory compliance across the organization.  For more information visit SymSure on the Web at www.symsure.com

About BPS

BPS is an industry-leading provider of enterprise governance, risk and compliance (GRC) software, including internal audit, compliance, operational risk management, and enterprise risk management.   A best-in-breed, risk-based planning and execution tool, BPS Audit’s™ robust functionality helps internal auditors achieve their objective more efficiently.  For questions or more information about BPS, please contact us directly at 1-877-755-3716 or visit us at www.bpsinc.com.


What is Risk Based Auditing?

May 12th, 2009, rob

We have noticed that several of our clients have begun to implement an approach to Internal Audit based on an assessment of the predominant risks present in the enterprise. This is known in the industry as “Risk Based Auditing”. This blog post serves to highlight some of the pertinent issues and terminology used when discussing this approach.

Risk Based Auditing

Risk based internal auditing is mainly defined by applying a method to planning and audit scoping to help appropriately focus the resources of an organization to mitigate the overall risk. These methods are primarily used after the audit universe is updated during planning, and through the scoping activity during an audit.

Audit Universe

An audit universe represents anything that has potential risk in your organization that you want to monitor or report on. Examples can include products, processes, business units or applications; the choice really depends on how an organization categorizes risk. We term these “Auditable Entities”.

Once the list of auditable entities is defined, the next step is to compare them with each other on a level playing field so that an organization can decide how to focus resources. If this step is done correctly, it can also save time during scoping, because the data collected here can be used to focus the scope of an audit.

Scoping

During the scoping of an audit the same process would be used to help focus the risk and controls that will be reviewed during the audit.

There are many ways to assess a given auditable entity or scope of an audit and the organization would need to determine which is best for their needs. Typically the assessment comes from one or a combination of the following resources:

  1. Internal Audit
  2. Client
  3. Other Risk Functions (e.g. ERM, Compliance, etc …)

It is important to sometimes have multiple perspectives on an area since you might not have the complete detailed picture or all the facts about the current state of an area.

Risk Assessment Methods

Some common methods for assessing risk:

1. Risk Factors

Risk factors typically represent a given set of questions that might not be tied to specific risks but more concerns or goals of management.

2. Risk Assessments

These are commonly used if there are high level or detailed risks that need to be assessed across areas. These risks can be categorized by a number of classifications such as theme, family, framework, etc. As well, with the common structure of a proper risk assessment, it can also be sent out to other areas, such as a client, to allow them to comment.

3. Risk / Control Assessments

In some cases it is important to quickly rate the detailed risk and controls that apply to a certain area. This is commonly done in the ERM function and by auditors during scoping of a particular audit. However, it is becoming increasingly common during summary reviews of a client or during a business process review to help set up the next audit period or scoring.

The methods above will all produce one or more scores that can be used for ranking auditable entities during planning, or risks and controls during scoping to help an organization better focus its resources.

The actual questions, risks, controls, scoring and weighting used in the methods above will vary by company and be unique to the goals and focus of management. They will also typically be modified from year to year to reflect changes in those goals and focus.


GRC Software Design Best Practices for Senior Management

May 7th, 2009, Dave Pinder

Ultimately, it is the responsibility of Senior Management and eventually the CFO of an organization to certify and sign off on compliance activities in their area of oversight. GRC software systems are a great help in managing the process, but must also be sensitive to the needs of these managers. Unlike assessors, for example, who routinely evaluate controls and risks, attaching evidence and raising issues, Senior Management does not wish to spend a lot of time navigating a system to find things they are responsible for, nor do they wish to be bombarded with emails notifying them every time something new they need to act on is ready for them. To solve this problem, GRC Software needs to present timely, complete data to Senior Management as well as provide a mechanism for rapid acknowledgement of responsibilities from a simple interface.

There are a few ways that GRC Software Solutions can be used to aid in this process:

Management Dashboard Reporting

By providing concise summary reports of the current status of people's compliance activities, the GRC Solution can keep Senior Management up to date on progress without constantly notifying them of changes. This allows Senior Management to poll the solution when they wish to get a status update on their own time. To make this service even more valuable, these reports should include drill-downs into the full details of the underlying data. This allows Senior Management not only to get a current status, but also to drive into their responsible areas and actually complete their assigned work if that is required at the current time.

One Event Notification per Period

Senior Management may have multiple areas of responsibility and oversight and, as such, may have multiple tasks they are responsible for completing in each period. As tracking this through a GRC solution is not a full time job, there is little to no interest in receiving an event notification every time a work item is ready. A solution must be intuitive enough to notify a user only when all tasks of a specific type are ready for them. The notification then becomes much more meaningful, because the user knows that they can access the system once and complete all of their assigned work at that time.

Amalgamated Task List by Type

Tying into the previous point, the GRC Solution should combine all tasks assigned to a specific user into one container, allowing efficiencies to be gained and solution acceptance to increase. Rather than having users go to multiple areas to do three different certifications, the solution should combine all certifications into one screen and separate them out in a user friendly manner (expandable sections, multiple tabs or the like). Users will then be able to come into the system once all tasks are ready, select that group of tasks and complete them from one area, reducing time spent in the system and increasing efficiencies.

Assignment of Proxies

Should some users wish to have no system interaction, proxies may be used to complete the process flow without burdening Senior Managers with the system at all. A proxy will actually interact with the system and complete the assigned work. The solution would be able to track that they were acting on behalf of the actual responsible party, and would provide a mechanism for uploading documentation of the acknowledgement that the actual responsible party, in theory, gave and that led to the task completion.

Depending on organizational structure and technological acceptance up the hierarchy tree, one or all of these solutions may be used to some degree in order to make for an Enterprise GRC Solution which is embraced by Senior Management and promoted throughout the organization.


BPS Announces Availability of BPS Suite 7.0 Release Candidate 1

May 5th, 2009, Mark Opausky

BPS 7.0 RC 1 Availability

This is very exciting for the BPS team and our clients in the audit, compliance and controls space who will benefit from the upgrades available to our 6.x products. BPS 7.0 is really about making it easy for our users. To be successful, these types of systems need to match the way people want to work, and achieving a higher level of excellence in usability was a key goal for the 7.0 product line.

Under the covers BPS is still the same solid architecture bringing together workflow, rules, document and project management, and reporting with a sophisticated security model all in a J2EE web-based product.

Our previous releases have seen the maturation of our risk management library that controls all the standard facilities used by risk managers, auditors and compliance functions. The RML also provides the central mechanism for creating enterprise level efficiency.

What’s new

User Interface and Usability Improvements

  • A fresh user interface that provides even more configurability to the BPS product. Our aim was to reduce the complexity of information rich screens through improved use of white space and more logical grouping of information.
  • The BPS menu system has also been improved to provide quick access to commonly used menu items, as well as being tailored to the user’s role.
  • Views have been created that present the logical structure of projects in a way that users can relate to.

[Screenshot: BPS 7.0 Question list edit screen with relationships]

[Screenshot: BPS 7.0 Control information screen]

[Screenshot: BPS 7.0 Configurable hierarchy manager]

Data Warehouse

  • BPS 7 ships with a data warehouse that aggregates information across multiple dimensions (risk ratings, control scores, issues and KRIs for example) across time for use in advanced reporting applications. To populate the data warehouse, BPS has bundled the Pentaho Data Integration ETL (Extract, Transform, Load) component with preconfigured scripts that interrogate and roll up production data. The ETL component is also a great way to pull information out of other enterprise data sources for use with the BPS data warehouse, or for use in continuous control monitoring or KRI alerts scenarios.

Offline capability

  • In addition to the previous offline document management features BPS is known for, we have added the ability to export audit projects to your desktop and conduct work while not connected to the Internet. Work done using BPS Remote™ will synchronize back to the system ensuring that both offline and on-line data is optimally managed.

Importer

  • BPS has converted its Excel based importer to use the REST based API provided as part of the BPS SDK. The net result of this is that it is now easier than ever for end users to safely move information into and out of the BPS system in a secure environment. BPS now makes it even easier to upgrade from Paisley, TeamMate or other first generation systems.
