REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS

Transcription

1 IT GOVERNANCE SUMMIT OCTOBER, 2015 REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE, EDRP, ISO Lead Auditor, COBIT5. 1

2 IT GOVERNANCE SUMMIT OCTOBER, 2015 REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE, EDRP, ISO Lead Auditor, COBIT5. 2

3 What is GRC? A capability to reliably achieve objectives Governance while addressing uncertainty Risk Management GRC and acting with integrity. Compliance

4 What is GRC? Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives Achieving Objectives GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, more effectively report activities and avoid wasteful overlaps Acting with Integrity People Enabled by Processes & Technology Managing Uncertainty

5 Manual Approach vs GRC Tool Some organizations are carrying out GRC manually using spreadsheets and other documents, Spreadsheets and questionnaires are time-consuming and redundant, They place an enormous burden on those providing the information and on those who collect, correlate and analyze it. They don't have proper audit trails and it becomes unmanageable. Manual working paper management. 5

6 GRC Tools GRC Tools provide coordination and standardization of policies and controls They map policies and controls to regulations and standards. They automate information gathering They provide up-to-date, customizable, automated reporting and analysis 6

7 GRC Tools They improve security. Controls can be mapped against risk scores and vectors They enable enterprises to rapidly adapt to change Etc. 7

8 Some Options in the GRC tool landscape

9 Some Options in the GRC tool landscape

10 Selecting a GRC tool Businesses are increasingly relying on GRC platforms to achieve synergies across governance, risk and compliance. In the crowded landscape of GRC platforms, arriving at the right choice for an enterprise is a complex decision and require plenty of research. It is imperative that all applicable criteria are considered to ensure positive return on investment (ROI). It is also necessary to make the evaluation process as objective as possible. 10

11 Selecting a GRC tool Build the framework first, and clear requirements, then apply technology Software must meet the current requirement and can easily adapt to future needs Choose a deployment model: on-premises or offpremises (SaaS) / GRC as-a-service. Actual software is demonstrated Software is configurable or customizable. 11

12 Selecting a GRC tool Latest software releases is within the last 18 months and a future release is planned. Changes to software can be made easily, without vendor assistance. Platform is secure and ensures privacy and integrity of data. Knowledgeable implementation team. Vendor references and existing clients site visit Cost issues(tco). You can start small. 12

13 GRC Tools Selection Process

14 Selecting a GRC tool VENDOR MATRIX You can develop a Matrix and a scoring systems based on the following criteria Maturity Scalability Ease of use and access Cost Flexibility Collaboration 14

15 Selecting a GRC tool 15

16 16

17 What is ACL GRC? ACL GRC is a cloud-based governance, risk management and compliance (GRC) solution that simplifies your GRC processes with four integrated capabilities: Risk management, Project management and Results management Report Management that together provide the end-to-end coverage of data-driven GRC. ACL GRC provides teams with the ability to manage enterprise risks; plan, conduct, review and archive projects (Audits); and track status and findings automatically from fieldwork. Audit, risk and compliance teams can expect huge productivity gains, while executives and other business stakeholders gain peace of mind.

18 Modules of ACL GRC Enterprise Risks Mitigation Efforts Projects Objectives Risks Controls Tests Issues Reporting Risk Manager: Plan and Assess Risks Project Manager: Plan and Execute Projects Results Manager: Data Analysis Reports Manager: Advanced Reporting

19 Project Manager ACL's common language for audit, risk and compliance concepts

20 Risk Manager Risk Manager is used to help executives and risk managers catalog, assess, prioritize, and communicate enterprise-risks across the leadership team. Is used to assess and manage enterprise risks, and to associate risks with mitigation efforts and projects in Project Manager.

21 Risk Manager Defining the Organizational Map

22 Risk Manager Adding and Analyzing Risks

23 Risk Manager Adding of Mitigation Efforts

24 Risk Manager 4. Reporting on Risks

25 Project Manager Project Manager enables you to effectively plan, manage, execute, and report your audit work across your team and across your organization. Project Manager emphasizes organization and aggregation, so that auditors can capture all required information at the control/procedure level, creating links which are automatically aggregated for status tracking and reporting at both the project and organizational level.

26 Project Manager - Planning Active Audit Projects Creating a New Audit Project

27 Project Manager Pre Built Templates

28 Project Manager - Scheduling

29 Project Manager Dashboard View Per Audit Fieldwork Status per Objective or Process Audit Trail

30 Project Manager - Fieldwork Project Methodology Immediate Reporting Risk/Control Matrix Electronic Sign-Off

31 Project Manager - Task Management - Request List A Request Item is something that the Auditor needs from the Auditee in order to perform the audit. Common request items are: Policy & Procedure documents Transactional files, such as Payroll, T&E etc. Master files such as Master Employee, Master Vendor etc.

32 Project Manager - Task Management - To Do s TO DOs are tasks or requests between project members, commonly used for: Coaching notes from managers/reviewers Review notes/comments Collaboration between team members

33 Project Manager - Task Management - Review Notes Reviews are performed by Directors, Managers, Senior Staff or Peers. Some audit shops perform reviews at a high level; some like to review at the control/procedure level and then lock the control/procedure so no further changes can occur.

34 Project Manager - Staff Management - Project Status Managers often oversee a handful of audits with at least 5-7 staff. Tracking status of each project is important for reporting to executives. When audit shops work in MS Office, tracking of status requires manual touch points with staff for updates.

35 Project Manager - Staff Management - Timesheets Staff can capture summary level or detailed task level time, which is aggregated within the project for Managers to report.

36 Project Manager - Administration - Project Status Overview of all active projects Time Expired vs Work Completed

37 Project Manager - Administration - Issues and Remediation Personalized Filtering Tracking of all Issues and Management of Remediation activities

38 Project Manager Content Management - Project Archive and Roll-forward Creating re-usable content is accomplished by archiving a project at any desired stage of completion. Once archived, it is available for rollforward, similar to save as in MS office.

39 Project Manager Reporting Pre Built reporting templates

40 Project Manager Sample Reports Final Audit Report

41 Project Manager Sample Reports Risk Control Matrix

42 Project Manager Sample Reports Test Plan Report

43 Results Manager Results Manager is used to organize, track, and remediate issues identified by data analytics. Results Manager allows you to work with transactions identified in ACL Analytics and ACL Analytics Exchange and imported into Results Manager projects as test results. Before importing these test results, you need to create the Project, Test Set, and Test in Results Manager that you want to import the test results into.

44 Results Manager - Collections: primary way of organizing and providing access to test results in Results Manager

45 Results Manager Sample of Exceptions as viewed in Results Manager

46 Results Manager Allocation of Priority, Status and assignment of responsibilities per exception

47 Results Manager Triggering of Exceptions by Condition

48 What is Launchpad? 48

49 Thank you for listening Questions???