How GRC Factors into Audit Maturity

Goals for internal audit teams vary by company. In some companies, audit teams simply aim to show the company is compliant. Other companies want the departments or business units that are being audited to become better at what they do. And some companies are looking to improve the enterprise by better managing risk and achieving organizational goals.

In today’s business environment, companies moving to more efficient, agile and mature audit processes are all looking for the same things. They need a way to integrate and perform tasks more efficiently and need to be able to operate with agility as the business faces new risks or undertakes new strategic objectives.

That is where a governance, risk management and compliance (GRC) platform comes in. GRC platforms manage and integrate the risks and requirements found in complex enterprise processes. Strong solutions manage commercial standards, laws, regulations, and customer and vendor contracts in a granular manner so their individual requirements can be mapped to organizational controls.  In turn, these controls can be mapped to risks, policies, and incidents.  When mapping at this level – GRC platforms can bring together and manage risk metrics and compliance data in a meaningful manner. As this is the core information needed by internal audit, a GRC platform with audit management, assessment, workflow, and analytics capabilities can easily accomplish all of the following:

  • Manage the risk identification and acceptance process that drives audit coverage and audit priority
  • Gather requirements from standards, laws, regulations, policies and third-party contracts to create assessments and audit work papers
  • Gather evidence from across the enterprise required for audits
  • Create work papers and gather evidence in minutes instead of months.
  • Perform analysis through standardized or custom drag-and-drop reports.

One solution that can perform all of the above is the Keylight GRC platform.  Keylight manages risk – technology, third-party, business continuity and operational risk; it manages compliance – including regulatory management and policy management. Keylight also provides advanced audit management capabilities that allow companies to increase the effectiveness and efficiency of their audit process. These platform and audit features of Keylight streamline the chaos found in the manual processes in outdated audit management tools.  Many organizations using Keylight to audit their risk and compliance operations have saved multiple times the cost of Keylight.

One of those Keylight customers is a large manufacturing company. This company’s IT operations team bought Keylight to manage IT Risk and Compliance.

These specific IT operations were considered to have a high level of risk, so they were slated to be audited twice a year by internal audit.  This was a co-sourced audit, meaning the company augmented the internal audit team with big four auditors. Co-sourcing is common in information security, where internal auditors might not have the deep technical skills to complement their audit skills.

A team of four co-sourced auditors visited this company twice a year for this audit.  Their blended rate for the audit was about $350 an hour, plus expenses. Most of their time was spent emailing process owners, gathering data, populating spreadsheets, managing spreadsheets, and performing other low-value activities. All those hours added up to four weeks per audit and $400,000 a year in just the co-sourced cost. Time and cost was preventing this organization from advancing audit maturity and reducing or managing potentially unidentified risks.

When Keylight was implemented, the organization was preparing for its first audit and decided to give Keylight a try. The difference was night and day.

The co-sourced audit team showed up and after the third day they had no idea what to do since Keylight did a month of work in less than a week. The co-sourced auditors sent home 75 percent of their team. The last person left before week’s end.

Today, this company’s audits are performed with one co-sourced resource and it takes about three days to perform the audit.  Keylight uses the data found in policies, regulations, laws, and contracts to create the audit work papers.

The extra time and money Keylight saved this organization was reinvested to expand overall audit coverage and go more in depth on each audit. Capitalizing on Keylight’s audit functionality, the company has achieved more effective audits with more strategic recommendations from their audit teams – without increasing cost or time.

For more information on how GRC can fastrack audit maturity, watch the webinar Bringing Order to the Chaos of Audit Management.

Related Articles