As audit, risk, and compliance professionals, we face a seemingly never-ending battle to provide assurance that strategic objectives are met, risks are mitigated, and control activities are carried out. In order to ensure that these deliverables are properly met, there will always be a substantive need to incorporate stakeholder input. Managers, control owners, executives, and clients alike can be the gateway to valuable input, data, and results.
Access to this information can be the difference between reliable, timely reporting and incomplete, improperly investigated remediation efforts. Beyond streamlining stakeholder input processes, the broadcasting of information back to the business may also need to be approached in a different manner.
Let’s look at three techniques for how we can improve this two-way communication between the Business Line and the second and third lines of defense.
As valuable as data can be in creating a true representation of how business objectives are being met, there is still another source of data that can be just as necessary: humans. Yes, how people respond and provide beliefs and insights can add another illuminating layer of information alongside the structured data from ERP systems and data sources. By incorporating “human analytics” with data analysis, we can understand risks and control effectiveness in a more meaningful way (to learn more, read “What is Human Analytics”). Rather than sitting down with every stakeholder and manager, why not use electronic and automated routines to gather that human data? A more efficient method could involve applying surveys across a number of potential areas. This can both save time and aggregate valuable business input to tie that data into other audit, governance, risk management, and compliance (GRC) related activities. These surveys could be set up to kick off at pre-determined intervals or against user-defined criteria.
As an example, how about sending an Audit Closing Survey to gather insight into team performance results? SOX 302 Certifications tend to follow a simple layout that can be applied across multiple process areas and collated to a common report. This use case is also perfect for the survey component included in ACL GRC. Further to that, why not add in a notification trigger, alerting you when surveys are not meeting your deadlines?
Whether you are creating a risk and control matrix, populating a narrative, or simply needing policy documentation, getting documents from managers can be a pain. Missed emails, lost documents, and revised spreadsheets can often be the norm.
To improve collaboration, a dedicated process for collecting request list items and notifying relevant parties can be a massive time-saver. Although emails can be effective at placing communication in some form of database, email does not allow requests to be tied directly to working papers, controls, or procedures.
By using a system that notifies both groups of ongoing comments and document updates, we can eliminate a high-risk stopgap and close off unnecessary items. Link requests to the audits themselves, run reports based on live two-way communication, and even set up defined request list reminders if those clients are not getting back to you!
“I need to see this report every X.” – Mr./Ms. Executive
Yes, this is all too common in a world where everyone loves their reports. It is true that reports can relay valuable information around objectives, performance, execution, and findings. However, their effectiveness depends on how current they are. Agility is paramount when looking at reports and taking appropriate and responsive actions.
Let’s move away from cutting and pasting every week or month into a reporting template and then emailing out to the report consumer, shall we?
Software can play a major part in automating the process of collecting time-validated data and pushing that out to the right interpreters. With ACL GRC, users can build unlimited report libraries off of selected system data and then set up flexible broadcast schedules via email templates.
What is the end result? An end-to-end reporting machine which broadcasts out to stakeholders instantly in any number of formats.
These are just a few tips and tricks to eliminate those annoying workflow stopgaps and prescribe accountability and ownership in a fun way. Collaboration has never been so easy.
(Source: ACL Blog)