IT GOVERNANCE SUMMIT OCTOBER, 2015 - ISACA Maximum...compliance (grc) tools presented by ralph...

Date post: 18-Mar-2018
Page 1: IT GOVERNANCE SUMMIT OCTOBER, 2015 - ISACA Maximum...compliance (grc) tools presented by ralph ugbodu cgeit, cisa, ... it governance summit october, 2015. realizing maximum benefits

REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS

Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE, EDRP, ISO 27001 Lead Auditor, COBIT5.

IT GOVERNANCE SUMMIT OCTOBER, 2015


Page 3

What is GRC?

GRC is a capability to reliably achieve objectives (Governance), while addressing uncertainty (Risk Management), and acting with integrity (Compliance).

Page 4

What is GRC?

Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives.

GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps.

People, enabled by processes & technology: achieving objectives, managing uncertainty, acting with integrity.

Page 5

Manual Approach vs GRC Tool

• Some organizations are carrying out GRC manually using spreadsheets and other documents.

• Spreadsheets and questionnaires are time-consuming and redundant.

• They place an enormous burden on those providing the information and on those who collect, correlate and analyze it.

• They don't have proper audit trails, and the process becomes unmanageable.

• Manual working paper management…

Page 6

GRC Tools

• GRC tools provide coordination and standardization of policies and controls.

• They map policies and controls to regulations and standards.

• They automate information gathering.

• They provide up-to-date, customizable, automated reporting and analysis.

Page 7

GRC Tools

• They improve security.

• Controls can be mapped against risk scores and vectors.

• They enable enterprises to rapidly adapt to change.

• Etc.

Page 9

Some Options in the GRC tool landscape

Page 10

Selecting a GRC tool

• Businesses are increasingly relying on GRC platforms to achieve synergies across governance, risk and compliance.

• In the crowded landscape of GRC platforms, arriving at the right choice for an enterprise is a complex decision and requires plenty of research.

• It is imperative that all applicable criteria are considered to ensure a positive return on investment (ROI). It is also necessary to make the evaluation process as objective as possible.

Page 11

Selecting a GRC tool

• Build the framework and clear requirements first, then apply technology.

• Software must meet current requirements and be able to adapt easily to future needs.

• Choose a deployment model: on-premises or off-premises (SaaS) / GRC-as-a-Service.

• The actual software is demonstrated.

• Software is configurable or customizable.

Page 12

Selecting a GRC tool

• The latest software release is within the last 18 months, and a future release is planned.

• Changes to the software can be made easily, without vendor assistance.

• The platform is secure and ensures privacy and integrity of data.

• Knowledgeable implementation team.

• Vendor references and site visits to existing clients.

• Cost issues (total cost of ownership, TCO). You can start small.

Page 13

GRC Tools Selection Process

Page 14

Selecting a GRC tool

VENDOR MATRIX

• You can develop a matrix and a scoring system based on the following criteria:

– Maturity

– Scalability

– Ease of use and access

– Cost

– Flexibility

– Collaboration
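One way to turn the criteria above into the scoring matrix the slide suggests, as an added example that is not part of the presentation: the weights, vendor names and raw scores are constructed sample values, and cost is entered as a TCO figure and treated as lower-is-better so it can be combined with the 1-5 ratings for the other criteria.

```python
"""Weighted vendor matrix for a GRC tool shortlist. Added example, not
from the presentation: the six criteria are the slide's, the weights and
vendor scores are constructed sample values, not real product ratings."""
import math

CRITERIA = ("maturity", "scalability", "ease_of_use", "cost",
            "flexibility", "collaboration")
LOWER_IS_BETTER = {"cost"}   # cost is entered as 3-year TCO, lower wins

# Constructed weights, fixed by the evaluation team before any vendor is
# scored; agreeing them up front is what keeps the exercise objective.
WEIGHTS = {"maturity": 0.20, "scalability": 0.15, "ease_of_use": 0.15,
           "cost": 0.25, "flexibility": 0.15, "collaboration": 0.10}

# Constructed raw scores: 1-5 ratings, except cost (TCO in thousands).
VENDORS = {
    "Vendor A": dict(maturity=5, scalability=4, ease_of_use=3, cost=300,
                     flexibility=4, collaboration=3),
    "Vendor B": dict(maturity=3, scalability=3, ease_of_use=5, cost=150,
                     flexibility=3, collaboration=4),
    "Vendor C": dict(maturity=4, scalability=5, ease_of_use=4, cost=450,
                     flexibility=5, collaboration=5),
}

def validate_weights(weights):
    """Reject unknown criteria and weights that do not sum to 1."""
    unknown = set(weights) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    if not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1.0")

def normalize(vendors):
    """Min-max scale each criterion to 0..1 across the shortlist; invert
    lower-is-better criteria; a criterion with no spread scores 1.0."""
    scaled = {name: {} for name in vendors}
    for crit in CRITERIA:
        values = [v[crit] for v in vendors.values()]
        lo, hi = min(values), max(values)
        for name, raw in vendors.items():
            s = 1.0 if hi == lo else (raw[crit] - lo) / (hi - lo)
            scaled[name][crit] = 1.0 - s if crit in LOWER_IS_BETTER else s
    return scaled

def rank_vendors(vendors, weights):
    """Return [(vendor, weighted score)] sorted best first."""
    validate_weights(weights)
    scaled = normalize(vendors)
    totals = {n: sum(weights[c] * scaled[n][c] for c in CRITERIA)
              for n in vendors}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(rank_vendors(VENDORS, WEIGHTS))
```

With these sample values the cheapest vendor does not win: the weights reward maturity and flexibility enough that Vendor C ranks first despite the highest TCO, which is exactly the trade-off the matrix is meant to make visible.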


Page 15

Selecting a GRC tool


Page 16


Page 17

What is ACL GRC?

ACL GRC is a cloud-based governance, risk management and compliance (GRC) solution that simplifies your GRC processes with four integrated capabilities:

• Risk management
• Project management
• Results management
• Report management

that together provide the end-to-end coverage of data-driven GRC.

ACL GRC provides teams with the ability to manage enterprise risks; plan, conduct, review and archive projects (audits); and track status and findings automatically from fieldwork.

Audit, risk and compliance teams can expect huge productivity gains, while executives and other business stakeholders gain peace of mind.

Page 18

Modules of ACL GRC

• Risk Manager: Plan and Assess Risks
• Project Manager: Plan and Execute Projects
• Results Manager: Data Analysis
• Reports Manager: Advanced Reporting

Diagram labels: Enterprise Risks, Mitigation Efforts, Objectives; Projects, Risks, Controls, Tests, Issues, Reporting.

Page 19

Project Manager

ACL's common language for audit, risk and compliance concepts

Page 20

Risk Manager

• Risk Manager is used to help executives and risk managers catalog, assess, prioritize, and communicate enterprise risks across the leadership team.

• It is used to assess and manage enterprise risks, and to associate risks with mitigation efforts and projects in Project Manager.

Page 21

Risk Manager

1. Defining the Organizational Map

Page 22

Risk Manager

2. Adding and Analyzing Risks

Page 23

Risk Manager

3. Adding Mitigation Efforts

Page 24

Risk Manager

4. Reporting on Risks

Page 25

Project Manager

• Project Manager enables you to effectively plan, manage, execute, and report your audit work across your team and across your organization.

• Project Manager emphasizes organization and aggregation, so that auditors can capture all required information at the control/procedure level, creating links which are automatically aggregated for status tracking and reporting at both the project and organizational level.

Page 26

Project Manager - Planning

Active Audit Projects

Creating a New Audit Project

Page 27

Project Manager – Pre-Built Templates

Page 28

Project Manager - Scheduling

Page 29

Project Manager – Dashboard View Per Audit

Audit Trail

Fieldwork Status per Objective or Process

Page 30

Project Manager - Fieldwork

Risk/Control Matrix

Electronic Sign-Off

Immediate Reporting

Project Methodology

Page 31

Project Manager - Task Management

- Request List

A Request Item is something that the Auditor needs from the Auditee in order to perform the audit. Common request items are:

• Policy & procedure documents

• Transactional files, such as Payroll, T&E etc.

• Master files such as Master Employee, Master Vendor etc.

Page 32

Project Manager - Task Management

- To-Dos

To-Dos are tasks or requests between project members, commonly used for:

• Coaching notes from managers/reviewers

• Review notes/comments

• Collaboration between team members

Page 33

Project Manager - Task Management

- Review Notes

Reviews are performed by Directors, Managers, Senior Staff or Peers.

Some audit shops perform reviews at a high level; some like to review at the control/procedure level and then lock the control/procedure so no further changes can occur.

Page 34

Project Manager - Staff Management

- Project Status

Managers often oversee a handful of audits with at least 5-7 staff.

Tracking status of each project is important for reporting to executives.

When audit shops work in MS Office, tracking status requires manual touch points with staff for updates.

Page 35

Project Manager - Staff Management

- Timesheets

Staff can capture summary-level or detailed task-level time, which is aggregated within the project for managers to report.

Page 36

Project Manager - Administration

- Project Status

Overview of all active projects: Time Expired vs Work Completed

Page 37

Project Manager - Administration

- Issues and Remediation

Tracking of all Issues and Management of Remediation activities

Personalized Filtering

Page 38

Project Manager – Content Management

- Project Archive and Roll-forward

Creating re-usable content is accomplished by archiving a project at any desired stage of completion. Once archived, it is available for roll-forward, similar to Save As in MS Office.

Page 39

Project Manager – Reporting

Pre-built reporting templates

Page 40

Project Manager – Sample Reports

Final Audit Report

Page 41

Project Manager – Sample Reports

Risk Control Matrix

Page 42

Project Manager – Sample Reports

Test Plan Report

Page 43

Results Manager

• Results Manager is used to organize, track, and remediate issues identified by data analytics.

• Results Manager allows you to work with transactions identified in ACL Analytics and ACL Analytics Exchange and imported into Results Manager projects as test results.

• Before importing these test results, you need to create the Project, Test Set, and Test in Results Manager that you want to import the test results into.

Page 44

Results Manager

- Collections: the primary way of organizing and providing access to test results in Results Manager

Page 45

Results Manager

Sample of Exceptions as viewed in Results Manager

Page 46

Results Manager

Allocation of priority and status, and assignment of responsibilities, per exception

Page 47

Results Manager

Triggering of Exceptions by “Condition”

Page 48

What is Launchpad?


Page 49

Thank you for listening

Questions ???
