What is your GRC Tool’s Objective?


If the available tools were not the limitation, what would you really want from your GRC tool? The tools available today assume that every user has accepted compliance as a subjective activity, dependent on the tried-and-true narratives, opinionated findings, and judgments of control effectiveness. GRC tools attempt to enhance a user's ability to perform these universally accepted audit activities; the question is whether they really deliver results that give you confidence you have accurately measured your level of compliance.

The Questions You Are Afraid to Ask About Compliance

The questions we get are, “How can we tell what our results will be when we are audited? It seems that no matter what we do, the auditors come back with findings that we can do better.” “We are doing a lot of work here; where is the ‘Sweet Spot’ for how much effort to put into compliance, and how can we reduce the work in a sustainable way?” “How can we validate the numbers we show in our GRC reporting? Aren’t the calculations really just a guess?” And my favorite question of all, “You say compliance, but to what exactly…someone’s opinion? We can’t just try to guess what is going to make the next auditor happy; how can you capture an opinion in your software without constantly changing?”

Challenge your Providers

You should write these extremely valid questions down and dare to press the experts for their answers, in private and in public forums. These questions deserve a better answer than a laugh and a knowing nod of the head, followed by the sage advice, "Yes, we are working on how to answer that, but this is the best we have right now." As a user, you should demand to know how, and why, the GRC tool can predict your audit outcome with pinpoint accuracy. You may want to issue the challenge that your resources are very constrained, and that your time is limited to a few critical activities that must not go to waste. Finally, you might want to challenge your provider to go beyond the normal limitations of the status quo and show you the differentiating attributes of the software that get to the core of your needs in the most innovative ways.

3 Innovative Solutions to look for in a GRC tool

The challenges are great, and few providers can deliver the solutions I propose below:

Challenge #1: Base the GRC tool on a method of calculation that everyone already agrees upon. If you need to convince an auditor of a new audit practice, it will be a hard sell. However innovative it is, the methodology needs to be instantly recognizable and acceptable.

Solution: The language elements of a standard are as consistent as a high-school English lesson, and counting those elements is as understandable as basic arithmetic. Simplicity equals agreement. GRC technology should build on well-known audit activities using elements such as these to eliminate subjectivity and enable real-time calculation of compliance.

Challenge #2: The GRC tool needs to greatly reduce the amount of work that has to be done, and sustain the progress you have already made, rather than increase the amount of manual work. If you suspect that you are storing more information than you really need, you are probably correct. Your methodology needs to accurately identify the critical information and eliminate the rest.

Solution: The standard, statute, or control objective you are trying to comply with already contains the exact number of elements that determine which data is critical and which is expendable. As the GRC tool maps the statute language or control objectives to the data, that distinction becomes crystal clear.

Challenge #3: All external systems need to feed easily into the GRC tool, so that it can harness the breadth of digital audit evidence across the entire organization. The solution needs to be highly configurable so that interfacing with the various systems takes minimal effort.

Solution: SaaS solutions take advantage of innovations that enable the sharing and interfacing of data, using data and web containers as a storage point both for data exported from external systems and for metadata imported into the GRC tool. Take care not to put sensitive data in such containers: the code behind them is, as a rule, open source, and the container is an exchange point rather than a protected store.

ColorCodeIT employs these solutions to deliver real-time compliance calculations, with the objective of giving users what they actually need, beyond what is currently thought possible.

-Michael Adeeko