REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND
COMPLIANCE (GRC) TOOLS
Presented by Ralph Ugbodu CGEIT, CISA, CRISC, CISSP, CFE,
EDRP, ISO 27001 Lead Auditor, COBIT5.
IT GOVERNANCE SUMMIT OCTOBER, 2015
What is GRC?
GRC is a capability to reliably achieve objectives (Governance), while addressing uncertainty (Risk Management), and acting with integrity (Compliance).
What is GRC?
Governance, Risk Management, and Compliance (GRC) are three pillars that work together to assure that an organization meets its objectives.
GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps.
[Figure: people, enabled by processes and technology, achieving objectives, managing uncertainty and acting with integrity]
Manual Approach vs GRC Tool
• Some organizations carry out GRC manually using spreadsheets and other documents.
• Spreadsheets and questionnaires are time-consuming and redundant.
• They place an enormous burden on those providing the information and on those who collect, correlate and analyze it.
• They lack proper audit trails and quickly become unmanageable.
• Manual working paper management…
GRC Tools
• GRC tools provide coordination and standardization of policies and controls.
• They map policies and controls to regulations and standards.
• They automate information gathering.
• They provide up-to-date, customizable, automated reporting and analysis.
GRC Tools
• They improve security.
• Controls can be mapped against risk scores and vectors.
• They enable enterprises to rapidly adapt to change.
• Etc.
Some Options in the GRC tool landscape
Selecting a GRC tool
• Businesses are increasingly relying on GRC platforms to achieve synergies across governance, risk and compliance.
• In the crowded landscape of GRC platforms, arriving at the right choice for an enterprise is a complex decision and requires plenty of research.
• It is imperative that all applicable criteria are considered to ensure a positive return on investment (ROI). It is also necessary to make the evaluation process as objective as possible.
Selecting a GRC tool
• Build the framework and clear requirements first, then apply technology.
• Software must meet the current requirements and be able to adapt easily to future needs.
• Choose a deployment model: on-premises or off-premises (SaaS) / GRC-as-a-Service.
• The actual software is demonstrated.
• Software is configurable or customizable.
Selecting a GRC tool
• The latest software release is within the last 18 months and a future release is planned.
• Changes to the software can be made easily, without vendor assistance.
• The platform is secure and ensures privacy and integrity of data.
• Knowledgeable implementation team.
• Vendor references and site visits to existing clients.
• Cost issues (TCO); you can start small.
GRC Tools Selection Process
Selecting a GRC tool
VENDOR MATRIX
• You can develop a matrix and a scoring system based on the following criteria:
– Maturity
– Scalability
– Ease of use and access
– Cost
– Flexibility
– Collaboration
Selecting a GRC tool
What is ACL GRC?
ACL GRC is a cloud-based governance, risk management and compliance (GRC) solution that simplifies your GRC processes with four integrated capabilities:
• Risk management
• Project management
• Results management
• Report management
that together provide the end-to-end coverage of data-driven GRC.
ACL GRC provides teams with the ability to manage enterprise risks; plan, conduct, review and archive projects (audits); and track status and findings automatically from fieldwork.
Audit, risk and compliance teams can expect huge productivity gains, while executives and other business stakeholders gain peace of mind.
Modules of ACL GRC
[Figure: Risk Manager (plan and assess risks: enterprise risks, mitigation efforts, objectives); Project Manager (plan and execute projects); Results Manager (data analysis: projects, risks, controls, tests, issues, reporting); Reports Manager (advanced reporting)]
Project Manager
ACL's common language for audit, risk and compliance concepts
Risk Manager
• Risk Manager is used to help executives and risk managers catalog, assess, prioritize, and communicate enterprise risks across the leadership team.
• It is used to assess and manage enterprise risks, and to associate risks with mitigation efforts and projects in Project Manager.
Risk Manager
1. Defining the Organizational Map
Risk Manager
2. Adding and Analyzing Risks
Risk Manager
3. Adding Mitigation Efforts
Risk Manager
4. Reporting on Risks
Project Manager
• Project Manager enables you to effectively plan, manage, execute, and report your audit work across your team and across your organization.
• Project Manager emphasizes organization and aggregation, so that auditors can capture all required information at the control/procedure level, creating links which are automatically aggregated for status tracking and reporting at both the project and organizational level.
Project Manager - Planning
Active Audit Projects
Creating a New Audit Project
Project Manager – Pre Built Templates
Project Manager - Scheduling
Project Manager – Dashboard View Per Audit
Audit Trail
Fieldwork Status per Objective or Process
Project Manager - Fieldwork
Risk/Control Matrix
Electronic Sign-Off
Immediate Reporting
Project Methodology
Project Manager - Task Management
- Request List
A Request Item is something that the Auditor needs from the Auditee in order to perform the audit. Common request items are:
• Policy & Procedure documents
• Transactional files, such as Payroll, T&E etc.
• Master files such as Master Employee, Master Vendor etc.
Project Manager - Task Management
- To Do’s
To Do's are tasks or requests between project members, commonly used for:
• Coaching notes from managers/reviewers
• Review notes/comments
• Collaboration between team members
Project Manager - Task Management
- Review Notes
Reviews are performed by Directors, Managers, Senior Staff or Peers.
Some audit shops perform reviews at a high level; some like to review at the control/procedure level and then lock the control/procedure so no further changes can occur.
Project Manager - Staff Management
- Project Status
Managers often oversee a handful of audits with at least 5-7 staff.
Tracking status of each project is important for reporting to executives.
When audit shops work in MS Office, tracking of status requires manual touch points with staff for updates.
Project Manager - Staff Management
- Timesheets
Staff can capture summary level or detailed task level time, which is aggregated within the project for Managers to report.
Project Manager - Administration
- Project Status
Overview of all active projects: time expired vs. work completed
Project Manager - Administration
- Issues and Remediation
Tracking of all Issues and Management of Remediation activities
Personalized Filtering
Project Manager – Content Management
- Project Archive and Roll-forward
Creating re-usable content is accomplished by archiving a project at any desired stage of completion. Once archived, it is available for roll-forward, similar to Save As in MS Office.
Project Manager – Reporting
Pre Built reporting templates
Project Manager – Sample Reports
Final Audit Report
Project Manager – Sample Reports
Risk Control Matrix
Project Manager – Sample Reports
Test Plan Report
Results Manager
• Results Manager is used to organize, track, and remediate issues identified by data analytics.
• Results Manager allows you to work with transactions identified in ACL Analytics and ACL Analytics Exchange and imported into Results Manager projects as test results.
• Before importing these test results, you need to create the Project, Test Set, and Test in Results Manager that you want to import the test results into.
Results Manager
- Collections: primary way of organizing and providing access to test results in Results Manager
Results Manager
Sample of Exceptions as viewed in Results Manager
Results Manager
Allocation of Priority, Status and assignment of responsibilities per exception
Results Manager
Triggering of Exceptions by “Condition”
What is Launchpad?
Thank you for listening
Questions ???