Toronto, Canada. BPS (Business Propulsion Systems Inc.) (see www.bpsinc.com) and Resolver Inc. (see www.resolver.ca) today announced a merger which took effect on January 1, 2010 to form BPS Resolver Inc.

This merger brings together two highly successful governance, risk, and compliance (GRC) software product offerings. The new company’s combined offering will provide a complete product suite of planning, execution & refinement solutions for GRC and Sustainability best practices.  Together, they will focus on rapid delivery of software-as-a-service (SaaS) compliance solutions, as well as large scale more customized enterprise licensed solutions, to utilities, financial institutions and healthcare markets worldwide. The merged company’s increased scale and combined expertise will enhance, accelerate and strengthen our responsiveness to client software requirements and service needs.

BPS provides GRC software solutions to many of the world’s best-managed companies. The highly successful BPS Suite™ has proven itself best-in-class in terms of completeness, functional depth, ease of use, adaptability and sophistication of technology.  Resolver provides a comprehensive suite of quickly deployed SaaS solutions to address governance, risk management and compliance.  Resolver’s GRC Suite of products is used by many Fortune 1000 organizations to maintain successful and effective enterprise wide GRC programs. The combination of these two offerings to suit the differing needs of different clients will make BPS Resolver increasingly attractive.

The combined entity, BPS Resolver, is also taking a significant new money investment of growth capital from Covington Capital in order to continue to aggressively pursue market share.  According to BPS CEO, Mr. Mark Opausky, and Resolver CEO, Mr. Steve Taylor, the merger will provide clients with a greatly expanded set of GRC solutions.  “Both organizations are recognized as leaders in their respective market segments and have a history of outperforming expectations. As a combined company, we bring the strength of both product suites and our employees’ industry expertise to our customers.”

Top industry analyst Michael Rasmussen of Corporate Integrity LLC says “The market for GRC software is blossoming as companies look for solutions to support processes to consolidate risk and compliance activities.”  He also stated that “The combination of BPS and Resolver provides significant synergies to enhance the economies of risk and compliance processes within organizations.  Together they provide a stronger solution for audit, risk management, compliance and finance roles in today’s dynamic business environment.”

“BPS Resolver  has a unique combination of product strength and agility that can now reach wider varieties of customers and deliver superior value” says Mark Opausky.  “Many companies already see us as the go to provider for GRC technology and knowledge, we are confident that we can expand this perception quickly in the coming year”

Gartner GRC research vice president  French Caldwell states “a new competitive vendor has arisen…”

The merger was completed effective January 1st, 2010.  BPS Resolver is to be headquartered in Toronto, Canada at 703 Evans Ave.

About BPS
BPS is an industry-leading provider of enterprise governance, risk and compliance (GRC) software, including internal audit, compliance, operational risk management, and enterprise risk management.   A best-in-breed, risk-based planning and execution tool, BPS Audit’s™ robust functionality helps internal auditors achieve their objective more efficiently.  With BPS Compliance™, a single repository of risks and controls can be used to support multiple regulations, reducing overlap and duplicative costs.  BPS Compliance™ also includes a full document and evidence management facility and our powerful Risk Management Library (RML) enabling users to incorporate all types of documents, policies and evidence to manage financial, information technology and operational controls.  BPS OpRisk™ enables risk managers to integrate loss data from a variety of sources to develop a comprehensive view of operational risk exposure.  For questions or more information about BPS, please contact us directly at 1-877-755-3716 or visit us at www.bpsinc.com.

About Resolver Inc.
Resolver Inc. provides a comprehensive suite of software and services for risk managers, internal auditors, compliance managers and strategic planners. Its products include Resolver*Risk, Governance, Risk, and Compliance Software; Resolver*Ballot, a risk and control self-assessment system; and Resolver*Net, an Internet-based platform for enterprise-wide risk identification and assessment. Resolver also provides facilitation, training, and consulting services in the areas of risk management, corporate governance, and regulatory needs. In business since 1994, Resolver’s clients span all fields, including services, utilities,
government, education, natural resources, consumer goods, and manufacturing with a client base that includes Cardinal Healthcare, EnCana, Philips, TD Bank Financial and others

Audits are an important and essential part of managing risk and control effectiveness within an organization. Audit Management Software simplifies the entire auditing process, from planning and scheduling to performing the audit. What Audit Management Software offers you is an easy way to perform the most challenging and complex audits simply and more efficiently.

Why?

Audit Management Software is vital in letting you do more with less. In addition to the existing internal audit requirements, Auditors are now being asked to be proactive with risk management and provide insights into government regulations. It is no wonder that companies are looking for solutions to make these tasks easier and more time efficient. Being able to execute the audit process quickly and effectively to a high standard reduces the risk of non-compliance and provides insights into any potential problems or issues much quicker than conventional approaches to auditing.

Audit Management Software provides you with a system to support all types of audits in your company and seamlessly customize how you would like that information delivered to and viewed by key staff, management and any other authorized users.

All aspects of auditing can become automated to save time and improve productivity and efficiency. As you create them, audit checklists can be saved and used for any future audits. Saved audit checklists can be modified and updated or saved under new titles to prevent you from wasting time by having to start from scratch each time. Checklists can easily be printed off to ensure that your off-line record keeping meets regulations.

Audit Management Software can run audits at any time of the day or night and with any desired frequency. Audits can be scheduled across different departments simultaneously that use the same audit checklist across the entire company without conflict.

Audit Management Software reminds the auditors and their auditees a few days before the audit is due. On the first day of the new audit, the software flags the audit to the auditor and remains on their system until the audit is completed. This helps auditors stay on top of their audit commitments. The software allows auditors to make amendments even when the program is running, which means that alterations can be made as matters arise when the audit is in progress.

The Audit Management software will ‘remember’ previous audits and authorized staff members can have access to this information when and wherever necessary. Since previous audits are stored, the final results of a current audit can easily be compared to past audits.

Once the Audit Management software has completed its cycle, a list of issues and problems will be reported back to the auditor, clearly stating the necessary actions required to remain compliant. The software can track and acknowledge when these tasks have been completed.

It is easy to see why using Audit Management Software can enhance your auditing. With the software at hand you can easily audit any specific area over the whole of your organization.

Where?

To find out more about the latest in professional Audit Management Software, please contact us. We have implemented software solutions across a number of industries including Finance, Utilities and Health. We would love to discuss your auditing processes and how we might be able to help you utilize our Audit Management Software product BPS Audit.

At present, the Alternative Investment Fund Manager (AIFM), of which Hedge Funds come under, are regulated predominantly by a number of national financial and company legal regulations. The global financial crisis has highlighted much stronger hazards than initially thought, especially in reflecting cross-border risk.

Hedge Funds have been directly linked to the growth of structured credit markets and asset price inflation resulting in market turbulence throughout the credit crunch. Many have been struggling to withdraw cash for their investors, as they are unable to liquidate assets promptly.

One of the key requirements from the directive is that an AIFM cannot provide services to a Fund unless they have been registered and authorised by ‘a competent authority in the Member State’. In the UK this means the Hedge Fund Manager must be authorised by the FSA (Financial Services Authority) and comply to all Directive requirements in order to continue to provide the service.

There are also stricter requirements for AIFMs to prove that they have risk procedures in place and that they carry out regular ‘stress tests’ and annual reviews on all portfolios and risk management. An annual report for each Fund will be required within four months of the end of the financial year and include a full financial breakdown with all activities to be disclosed. An independent valuator will also be appointed to review each fund on a minimum of an annual basis.

Some of the most controversial changes involve Fund Managers (AIFM) making ‘pre-investment disclosures’ to investors and will also be required to disclose details of any leverage on which they use, which could be restricted by the FSA if it is seen as being high on a regular basis. The requirement for Hedge Fund Managers to disclose all their positions has been met with great resistance by the industry and it remains unclear as to when and how it will be enforced if the Directive is approved.

Where matters get murky is whether or not the Directive applies to the Fund Manager. There are a number of exemptions, for example an AIFM who is managing a Fund portfolio of less than 100 million euro (or 500 million euro with a five year lock in) is not applicable.

The increased level of reporting expected by the new Directive will raise the amount and thoroughness of administrative time required at the very least, although at this point it is unclear how much of the Directive will go through as it stands currently in draft form. If approved later in 2009, it is expected to be enforced by 2011 with a third of countries joining in by 2014; but there is clearly a lot of work to be done in assisting Hedge Fund Managers in complying with the new Directive, if the new compliance regulations do indeed apply to them.

Here are 5 reasons why you need audit management software to improve and enhance your audit management processes:

1. Total Control

When auditors have the power of audit management software at their desks, they can easily plan and execute any required audits across the entire organisation.  It’s then easy to present specific, clustered or company-wide audit data in a range of different formats.  Each area of audit tracking, management and the phases of an audit can all be processed through the software, leaving audit staff to focus on the task at hand.  Furthermore, by automating some of the audit operations, auditors will be more productive and spend less time on repetitive tasks.

2.  Preventing Fraud/Security

Occupational fraud by its very nature can be hard to detect and prevent.  When you use Audit Management Software, it actively helps auditors to keep an analytical eye on the overall organisation.  This gives auditors a complete 360-degree perspective on your business, in a way that will flag up potential fraud and deception and prevent it happening in the future.  The software will actively look for irregularities and report them to you, which means that you and your auditing team will no longer spending hours and hours looking for potential problems.

Audit software also allows auditors and management to have secure, controlled access to confidential audits, keeping private data away from prying eyes.

3. Cost Saving

When you use professional audit management software, you can employ its powerful tools to help identify cost savings at every level.   This type of software will pay for itself time and time again by helping you to find potential costs that can be saved at all levels of your organisation.

4. Flexible Functionality

The very best audit management software can work not only in a stand-alone online/offline capacity, but also plugs directly into other software solutions.  You can capture audit data alongside details of financial management, risk and compliance managements and regulatory issues.  Audit Management can also risk-rank your entire organisational audit to offer you vital support during your risk management analysis.

5. Decision Making

By using audit management software, you change the relationship that you and the audit team have with the audit data.  Once it’s been electronically collated, you’ll be able to analyse, assess and disseminate this information up the chain in more useful formats so that company decision making can actually be based on the real audit data.

If you’re looking to benefit from the effective tools available from audit management software, why not watch our free software demo or contact us today.

Toronto, Canada – August 1st, 2009 – BPS Inc., a leading provider of software solutions for enterprise governance, risk, compliance (GRC), and internal audit,  and TOTVS Financial Services, the leading provider of asset management systems and services in Latin America,  today announced an exclusive distribution agreement to provide the BPS Product Suite  to the Brazilian market. The partnership will significantly expand BPS’s footprint in the Americas and enable Brazilian financial institutions to acquire world-class technology to manage operational risk.

About BPS

BPS is an industry-leading provider of enterprise governance, risk and compliance (GRC) software, including internal audit, compliance, operational risk management, and enterprise risk management.   A best-in-breed, risk-based planning and execution tool, BPS Audit’sTM robust functionality helps internal auditors achieve their objective more efficiently.  With BPS Compliance™, a single repository of risks and controls can be used to support multiple regulations, reducing overlap and duplicative costs.  BPS Compliance™ also includes a full document and evidence management facility and our powerful Risk Management Library (RML) enabling users to incorporate all types of documents, policies and evidence to manage financial, information technology and operational controls.  BPS OpRisk™ enables risk managers to integrate loss data from a variety of sources to develop a comprehensive view of operational risk exposure.  For questions or more information about BPS, please contact us directly at 1-877-755-3716 or visit us at www.bpsinc.com.

About TOTVS

TOTVS is the absolute leader in Brazil and the 1st ERP company in the world located in emerging countries. With 38.03% of market share, it is a company of software, innovation, relationship and management support. The word TOTVS comes from Latin and means everyone, everything or totality. Meaning that TOTVS provides solutions for companies of all sizes and types, in four business segments: software, technology, consulting, and added-value services (infrastructure, BPO, education and Service Desk) and operates in 10 market segments. Therefore, TOTVS acts as an Administrative Operator, allowing customers to focus on their core businesses, while helping them throughout the entire management process. With 26 years of operations, TOTVS was the first company of the sector to go public in Latin America. Currently, the company is present in 23 countries, with 23.7 thousand active customers and employs 9,000 participants (5,000 direct employees and 4,000 employees of its franchisees). For more information about TOTVS, please visit us at www.totvs.com

About TOTVS Financial Services

Financial Services is one of the market segments that TOTVS has a strong presence as a consequence of two acquisitions: YMF in 2007 and TOOLS in 2008. The customer base is made of the most important local and international financial institutions operating in Brazil: 8 of top 10 custodians, 7 of the top 10 asset managers, the top 5 insurance companies, 6 of the top 12 pension funds and most of the biggest credit retail institutions.

I recently read the vendor section of the IIA quarterly magazine and saw all the usual software companies (including BPS) lined up one next to the other with their respective ad copy.  It seems every one of us are “the world’s best”, “the new standard”, or “most comprehensive” tool available.  I’m going to go out on a limb here and say that all of these companies are good at what they do and you should not feel afraid to engage any of them in a discussion about your audit software needs.  As a person who has been in this market for a long time, I can also tell you that the products are generally not the same. The confusing part for most buyers is that if you line each product up next to your standard set of requirements, each product will have a reasonable answer for everything.  Most vendors, for instance, offer assessment management and planning, issues management and reporting with ad hoc facilities.  Think of these products as cars.  They all have wheels, an engine, seats and provide a nice way to start and stop.  So what is the difference?  What is the best choice?

Ok there is no simple answer other then the obvious. The best software is the one that is right for you and for what you are trying to do.  I know this doesn’t sound helpful, but it’s true.  Think of the car analogy. Next time you are on the highway (carefully) take note of the vehicles around you and think about their designs.  Each is clearly doing the basics well, that is, driving on the highway.  But each is also purpose built.  Trucks are different than compact cars, which are different than motorcycles.  If you have lots of stuff you need to haul, but still want to commute every day, maybe you have a pickup.  If your life compels you to drive with speed and style, then a sports car may be the obvious choice.  Just going from A to B for as little money as possible? Get a small car.  For those in between people, you have one of those small sporty SUV’s that are so popular and kind of do everything OK.

The simplest audit tools basically give you a file tree structure and some standard templates that you can fill out to record your work, attach documents and the like. You rename and reuse these concepts if you want to create an issue or a review note, or if you want to get specific about listing risks, controls, objectives and so forth.  When you finish filling out the forms and completing the tree structure, you are done and can save your audit for future reference.  Most vendors will create some good looking reports including a final audit report which takes your information and re-organizes it into a friendly output. Some of the same tools are applicable to SOX testing and certain regulatory compliance checklists that your company may need to run.  Justifying the expense seems easy and there appears to be little in the way of start-up costs. Let call this system Type A

By contrast, the more sophisticated tools give you the options to set up complete living-breathing pictures of your audit universe through some form of multi-hierarchical system.  You can separate your legal, organizational and auditable entities and create elaborate relationships between processes, risk, controls, etc.  You can run risk assessments across hierarchies (say, processes), have the results roll up using rules you define, then conduct formal targeted audits using other structures (say, your traditional auditable units). You can even compare year-over-year results.  Systems like these expect that auditors may work in teams with junior and senior positions so scheduling and workflow (approvals, notifications etc) and secure roles are well developed concepts in the software.  Some have centralized controls libraries with the ability to reference policy, risk, KRIs, losses and other data create a rich central control point from which audits are spawned by the system. These features also lend themselves well to integrated controls initiatives, secure and specific sharing of information between risk management and compliance groups and even some advanced analytical reporting. Let’s call this system Type B.

If your needs are strait forward and will always be that way.  I think the choice is obvious. Type A.  Even if you’re somewhere in the middle you will be able to stretch the A type of system pretty far.  It will (with a little help from the vendor) do quite a bit for you. Say it’s a small car, you can get a roof rack for it and haul home a living room set from IKEA on the highway and it will work.  Do this every weekend, however, and your going to be longing for a pick up truck.

The second type of system, delivers the more sophisticated and heavier duty functionality because it is designed from the frame up to do so.  This system, however, will take a bit more effort to get up and running and for administrators of the system will require more focus and training.  It has more moving parts, and is most likely be more expensive.  On the other hand, you will most likely never find yourself constrained; it will be easy to modify to meet diverse needs of a larger group and will integrate well into your IT infrastructure. For some companies, buying for the long term, means choosing a system like this one.

Both systems will work for you but they are built on different frames.  You can’t turn one into the other any more that you can turn a small car into a pick-up. The car analogy is a bit silly, I grant you that but I use it because it’s easy to tell a compact car from a pickup truck.  It is less easy to distinguish audit software tools during an RFP. If the difference is critical to you and your organization, then I would like to offer you some points to consider when looking at audit software:

1 – Do you need a centralized facility to model your audit universe? For many companies this is a lot more than creating a couple of hierarchies and attaching testing plans to them.  You may also need to classify and rate risks, controls, processes and other artifacts in multiple ways (principle risk, organizational unit, key business process, key control, etc.).  If you are a global organization you may conduct risk assessments at a different granularity than you conduct audits. Add in geography, departmental risk scoring, results from previous audits and assessments, SOX testing, confidentiality requirements and the whole thing can no longer be managed reliably without a more sophisticated tool.  A tool that has built all of these elements properly will ensure that you can make the necessary cross references and connection between these elements and that these connections will drive the behaviour and automation you would expect.  Less sophisticated audit tools can, in fact, still work for you.  The danger is that they are stretching their concepts to achieve the functionality –  meaning you may have unexpected compromises in your future. These compromises usually lead to abandoning part of your system in favor of spreadsheets or some other flexible tool.

2 – What are your expectations with respect to work papers automation? Remember that the goal here should be to make it easier for auditors to conduct their work in a complete fashion and support the final report with credibility. If you only need a system of record, then a less sophisticated tool will do.  As long as there are plenty of places to type and an easy way to categorize and link things, you will have little problem ensuring that your work is stored electronically and is easy to access and report on.

Work paper automation, however, can also get quite deep. In fact, I recently sat in on a study of audit tools and found that only a handful of vendors (by their own admission) had actually invested to create specific work paper management functionality. These vendors have created dedicated concepts for things like audit approach, key control matrix, risks, controls, tests, assertions, scoping, issues and evidence.  Each of these concepts has their own workflows, collaborative facilities and configurable automation that presents to the auditor as needed. The features are designed to streamline the work, minimize the typing and allows for re-use of standard components and knowledge in the company. By far one of the biggest differentiators in the audit tool space is the amount of support for work papers management or automation. It is basically the difference between a general assessment tool and an audit tool and is always present when comparing Type A tools (basic audit functionality) to Type B tools (sophisticated audit functionality).

3 – Audit planning. Many of the tools available to auditors and compliance folks have some concept that allows for planning. From the audit perspective, we are trying to ensure that the effort of auditing is concentrated in the areas of the business that need it most.  For many shops, this means a tool that helps them conduct mini-audits or self-assessments so that they can rank each auditable unit in terms of risk.  Ultimately this information is used to design an audit plan for the year.  Once again, bigger is not always better here. There are Type A products out there that do a fine job of helping auditors with this task.  In fact, many of the products that completely fall down in terms of work paper automation actually have great risk assessment and planning features. Given this fact, please ensure that you understand what your real requirements might be. For instance, are the “assessable units” in your company (the smallest unit that you will risk assess) the same as your auditable units (the organization you will plan and execute an audit on)? Larger or more sophisticated shops often do not bring these two concepts into alignment.  Ensure that your candidate system can separately handle the ideas of auditable unit, assessments and organizational unit.  Ensure that the scoring rules, and how they roll-up, are not dependant on any single hierarchical relationship.  This is all sounding quite technical, but it can be an important subtlety for some companies. All I am saying is that one should take extra care to ensure that you don’t buy a system and then find yourself longing for the flexibility of spreadsheets once again. A few other points on audit planning: Do you desire multi-year planning?  And do you consider your staffing and resource availability in the planning process? Finally, is the audit plan a living thing that you are constantly updating based on changing conditions?  Or is it a static plan that you re-build every year?  The final considerations tend to lead prospective buyers to more elaborate audit Type B tools.

4 – ERM and Compliance. Recently I had a conversation with some thinkers at OCEG and they confirmed for me that auditors are being asked to deal with more compliance testing and enterprise risk management information gathering.  The discussion of how tools manage this, or should manage this, is so long that it should be broken up over the course of several blogs (this being already too long as it is).  I will say that if the first three items that I have discussed in this piece are built with care and appropriate sophistication, then you will most likely be set up well to help manage ERM and compliance problems for your company.  Remember that risk definitions vary depending on the regulation or ERM framework you may be adopting.  Control definitions are not any exception either.  We have seen risks be defined as root causes (supplier ships bad parts), events (company product fails when customer tires to use it) or consequences (lawsuit and bad press).  Similarly controls can be preventative (catch bad parts before they get into our product), or mitigating (ensure we have enough insurance). A unified set of definitions and frameworks on which to hang your company policies will always leave gaps, so ensure your audit product has a way to deal with multiple interpretations of the concept of risk and control. Without this ability, your ERM initiative will  be divorced from your audit universe.

In conclusion, please forgive the car analogy (it was the best one I had going for now) and I hope you find some of the points here helpful.

First: The ability to create sophisticated hierarchical relationships that model all the different ways your company looks at governance risk and compliance.  In the RML you build any conceivable structure that expresses where you are today: legal hierarchies, operational, process organization, GL accounts, policy and procedure, auditable and assessable units, regions and the like.

Second: The ability to profile risks and controls in a way that different groups can score and report against them.  This recognizes the common fields and descriptors between say audit and sox groups, but also allows additional attributes to be defined that are specific to each. These risk and controls are can be connected to one another in a many-to-many fashion. They are also connected to KRIs, loss information, policy and procedures and the like. These relationships persist in the system and provide some neat automation and data richness when it comes to assessment scoring and reporting.

Third: A way to group risks and controls non-exclusively and attach testing programs, certification protocols and scoring rules to this group. As before these groupings are placed at the intersection of the appropriate hierarchical structures (say a testing program for certain risk and control profiles existing in legal hierarchy of corporate risk, for the Americas as related to the money transfer process)

Using combinations of these three concepts, we have seen our clients accurately build living models of how their GRC functions work today and automate their testing and compliance activities around this structure.  This has helped add value without required too much process re-engineering up front.

The real value however, comes from one simple and rather non-trivial ability.  With our tool, you can manipulate any of the aforementioned concepts without breaking your ongoing activities or historical reporting.  This means that our clients are able to use the system to optimize their approaches over time.  Standardizing testing plans where possible, refining definitions and achieving the balance between methodological imperatives for regulatory compliance and internal efficiencies and information value (a fancy way of saying doing what you have to do and also what you think will be the most valuable for the company).

More than an few of our customers convene risk management working committee meetings around our RML and work together to establish common ground and refine their activities directly in the system.  The meetings, we are told, are high impact because they can visualize the structures and data, make  adjustments right away, test them and bring them into practice safely when they are ready.

We are pleased our RML facility is being used this way.  Making it a “living thing” that adds value to multiple groups and helps companies move to a common set of practices was our ultimate goal. Naturally we are still investing in this part of our product and working hard to make it better every day.  The feedback from our clients and some of the analyst that follow us has been invaluable.

a developer’s point of view

I’m a software engineer. As such I spend a lot of time working with and thinking about the end users of the software that I am implementing. At BPS many of my end clients are auditors. Auditors are a very unique group of customers to write software for. While most people familiar with the development of software have a tendency to believe in the old saying that “No software is perfect, there are always defects” – auditors are a different breed. No matter how thorough your software is tested, there is always something to be improved upon. During the delivery of an audit product to any major audit customer, you discover more corner cases and software quirks than you’d ever expect. Auditors need to quickly sift through huge amounts of information and have a tendency to use software in ways that makes their lives easier, regardless of whether the software was designed with that functionality in mind. The result of auditor testing is always a more robust piece of software that can handle anything you can throw at it – which is what we strive for at BPS.

One of the other unique things about working with auditors is how they define their audit processes. Auditors as a whole have a tendency to be prescriptive with their methodologies, and they will defend an elaborate  process (if it works for them) until the end of time. Here at BPS, we go to great lengths to keep our customers happy – and our audit customers are no exception. Having such meticulous customers demands a higher level of configurability in our software than the industry norm. With audit software, something as simple as the life cycle of an evidence document may have to go through a four step approval process with very specific requirements for each step – and of course no two clients are ever the same. At BPS we do our best to help our clients adapt their processes to be more efficient and standard, but when all else fails our powerful workflow engine, configurable entitlements model, extendable and fully modular architecture and fully developed REST APIs ensure that we are well poised to meet all the requirements that auditors can throw our way – no matter how particular they may seem to a technologist like myself.

The BPS Suite™ is a comprehensive offering used to manage compliance, internal audit and operational risk needs across the enterprise.  SymSure™ Monitor is an advanced risk and controls monitoring solution.  Integration between the two products will enhance the client’s abilities to easily access a host of enterprise risk data and metrics directly from multiple sources and apply analytics to inform risk management.   Users will then be able to access the monitoring results from their desktops and put their judgments to work using the BPS Suite™.

About SymSure Limited

SymSure Limited is a software company providing solutions and services for monitoring and managing organizational risks and controls. The company’s flagship product is SymSure™ Monitor, a sophisticated risk and controls monitoring solution. With SymSure™ Monitor, audit, risk and control professionals can quickly and confidently monitor any automated system. This enables executives and operation managers to decrease risk levels and increase regulatory compliance across the organization.  For more information visit SymSure on the Web at www.symsure.com

About BPS

BPS is an industry-leading provider of enterprise governance, risk and compliance (GRC) software, including internal audit, compliance, operational risk management, and enterprise risk management.   A best-in-breed, risk-based planning and execution tool, BPS Audit’s™ robust functionality helps internal auditors achieve their objective more efficiently.  For questions or more information about BPS, please contact us directly at 1-877-755-3716 or visit us at www.bpsinc.com.

We have noticed that several of our clients have begun to implement an approach to Internal Audit based on an assessment of the predominant risks present in the enterprise. This is known in the industry as “Risk Based Auditing”. This blog post serves to highlight some of the pertinent issues and terminology used when discussing this approach.

Risk Based Auditing

Risk based internal auditing is mainly defined by applying a method to planning and audit scoping to help appropriately focus the resources of an organization to mitigate the overall risk. These methods are primarily used after the audit universe is updated during planning, and through the scoping activity during an audit.

Audit Universe

An audit universe represents anything that has potential risk in your organization that you want to monitor or report on. Examples of these can include products, processes, business units or applications, and really depends on how an organization categorizes risk. We term these “Auditable Entities”.

Once the list of auditable entities is defined the next step is to compare them next to each other on a level playing field so that an organization can decide how to focus resources. As well, if this step is done correctly it can also save time during scoping by using the data collected here to focus the scope of an audit.

Scoping

During the scoping of an audit the same process would be used to help focus the risk and controls that will be reviewed during the audit.

There are many ways to assess a given auditable entity or scope of an audit and the organization would need to determine which is best for their needs. Typically the assessment comes from one or a combination of the following resources:

1. Internal Audit
2. Client
3. Other Risk Functions (e.g. ERM, Compliance, etc …)

It is important to sometimes have multiple perspectives on an area since you might not have the complete detailed picture or all the facts about the current state of an area.

Risk Assessment Methods

Some common methods for assessing risk:

1. Risk Factors

Risk factors typically represent a given set of questions that might not be tied to specific risks but more concerns or goals of management.

2. Risk Assessments

These are commonly used if there are high level or detailed risks that need to be assessed across areas. These risks can be categorized by a number of classifications such as theme, family, framework, etc… As well with the common structure of a proper risk assessment it can also be sent out to other areas such as a client to allow them to comment.

3. Risk / Control Assessments

In some cases it is important to quickly rate the detailed risk and controls that apply to a certain area. This is commonly done in the ERM function and by auditors during scoping of a particular audit. However, it is becoming increasingly common during summary reviews of a client or during a business process review to help set up the next audit period or scoring.

The methods above will all produce one or more scores that can be used for ranking auditable entities during planning, or risks and controls during scoping to help an organization better focus its resources.

The actual questions, risks, controls, scoring and weighting used in the methods above will vary by company and be unique to the goals and focus of management. Also typically they will be modified from year to year to reflect these changes in goals and focus.