Functional and technical specifications
Background
In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient and transparent system of financial, risk management and internal controls. This provision in the PAA makes the DAG responsible and accountable for ensuring that processes exist to protect the institution against significant risks and control deficiencies.
In executing her duties, the DAG is assisted, among others, by the Risk and Compliance Centre located within the Planning, Monitoring, Evaluation and Risk (PMER) Business Unit. The centre is responsible for coordinating and supporting overall institutional risk management processes through facilitation and monitoring to ensure that the business units and functions within the AGSA are discharging their delegated responsibilities.
Currently the organisation’s risk management process is enabled through manual activities that are supported by Microsoft Excel spreadsheets and Word documents. The use of these relatively cost-effective tools is not wrong; however, considering the needs of the organisation, this process is not efficient for the following reasons:
It does not effectively facilitate collaboration. Organisational risks stem from multiple business areas, and thus their capturing, management and tracking (as a form of monitoring) must take place in a collaborative manner, with the ultimate objective of proactively lowering the identified risk exposure to an acceptable level. An Excel spreadsheet is limited to a single user at a time, with no version control attached to it.
It does not allow for quick decision-making on risk-related matters, thus making it less agile for modern-day business activities. Inherently, Excel spreadsheets do not have validation mechanisms, making their use prone to error. Furthermore, the tool does not enable quick risk data analysis, thus compromising the completeness and timeliness of the information required to proactively manage risks.
accumulated over the period they served in the role. With regard to data, in the event of a disaster its recoverability for continuity may be compromised.
Thus, in the absence of advanced, fit-for-purpose software, or more specifically a risk tool, for which we are putting a case forward, the following key risk management processes and activities take longer to complete and are onerous:
Risk identification
Risk assessment and the mapping of identified risks to existing and future internal controls
Monitoring of implementation of the mitigations
Assessment of the design and operating effectiveness of the internal controls
Timeous and effective monitoring of response plans to reported control deficiencies
Complete and effective monitoring of responses to regulatory risks
Timely access to information for those charged with risk management responsibilities
Reporting to different stakeholders (including oversight structures) on the above.
This business case thus seeks to fulfil the objectives of the AGSA’s risk management promise, which includes ensuring that the process is efficient and effective, and highlighting the benefits that can be derived from a GRC tool (also referred to as an enterprise risk management tool). The key benefits that can be highlighted in this respect include the following:
The provision of meaningful risk information (risk, ratings, controls, etc.) within a short period of time to enable the management and executives to make timeous and informed business decisions.
The ability to follow an integrated approach to the management of organisational risks, regardless of the risk type and the geographic location.
Access to updated enterprise-wide risk and control information for key role players within the risk management process, namely process owners, business executives and Exco members.
The ability to implement a uniform risk taxonomy, regardless of the risk type and category. The linkage of business process risks to business process objectives and their alignment
Why is the Governance Risk and Compliance tool needed?
A GRC tool is a software application that frames and enables the organisation’s approach to risk management. The objective of a GRC can be found in its elements, namely:
The oversight role and the process by which the organisation manages and mitigates its risks (governance)
A structured process through which the organisation identifies, evaluates and monitors all relevant organisational risks, including the mitigation actions proposed to manage the related risk exposure (risk management)
Enabling self-assessment and continuous monitoring as part of proactive management of risks
A process whereby the organisation ensures that it complies with regulatory/legislative requirements, by virtue of being in a specific industry (compliance).
Functional and technical specifications
The GRC tool under consideration should be able to fulfil the following functions, at a minimum:
Table 1: Functional and technical requirements
(Columns: Module; Function; Basic requirements; Level of reporting)

Module: Risk management
Function: Risk assessment and management (including monitoring)
Basic requirements:
  Identification
  Risk rating and prioritisation
  Ability to pull information/data (i.e. controls) from the IT systems and map to risks
  Allocation of mitigations
Function: Reporting
Basic requirements:
  Set-up and monitoring of key risk indicators through parameter settings, forecasting and alerts
  Reporting at all levels across modules
  Integration with existing IT systems in the AGSA (e.g. PeopleSoft ERP, Oracle database, Microsoft database, Active Directory, SharePoint, Exchange Email, Audit Software, etc.)
  Information/data ownership
  Enable business intelligence
  Enables risk data mining
  Dashboard reporting, per business area
Function: Remedial action
Basic requirements:
  Tracking of reported findings
  Assigning of action to owners
  Verification of implemented actions

Integration
Basic requirements:
  The ability to collect, quickly analyse and present visual data sitting at granular level
  The tool must be able to integrate with other applications within the AGSA environment (i.e. PeopleSoft, Pastel, etc.)
  The tool must have the ability to enforce consistency and maintain a strong workflow capability
  The tool must be scalable: capability/capacity to add multiple risks to multiple processes at multiple locations
  The tool must support Microsoft Windows applications and programmes
  The tool must allow for risk-related data to be written to, and drawn from, the Oracle and Microsoft SQL Server databases

Module: Control self-assessment
Function: Control self-assessment
Basic requirements:
  Selection of key business processes (of the risk and control universe as per the risk management module above)
  Capturing of self-assessment outcomes by multiple persons across business units
  Enable analysis of self-assessment outcomes, including trend analysis
  Enable escalation to respective process owners

Module: Incident management
Function: Incident reporting and management
Basic requirements:
  Enable employees to report risks and incidents as they identify them or as they arise
  Enable continuous monitoring of implementation of mitigation plans relating to the reported incidents
  Automated exception identification and escalation process

Module: Vendor and third-party management
Function: Contract management
Basic requirements:
  Tracking of service level agreements/contract requirements
  Tracking of contract terms

Module: Regulatory compliance management
Function: Regulatory compliance management
Basic requirements:
  Identification and maintenance of the regulatory universe (including alerts on changes within the regulatory environment)
  Maintenance of response plans (alignment of legal requirements to existing policies and processes)
  Maintenance of action plans (remedial actions per legislative gap)

Module: Policy management
Function: Policy development and revision process
Basic requirements:
  Maintenance of a policy register, including the status of each policy
  Mapping of policies to relevant legislation (where applicable)
  Automated prompts for policies due for review
  Dissemination and user training on introduced
Software (system) demonstrations
During the evaluation process, bidders who are successful after the technical evaluation will be requested to demonstrate their software solutions. The purpose of the demonstration is for bidders to provide an overview of the software’s features, a detailed and visual description of the functionalities of the proposed solution, and its user interface.
What benefits will be achieved for the organisation?
The GRC tool, as required for the AGSA, should enable the organisation to manage its risks in an integrated manner, removing the existing silos, as risk and compliance processes are usually intertwined from a governance perspective (i.e. they overlap with one another).
Listed below are the benefits of implementing an enterprise-wide governance, risk and compliance management tool:
Multiple processes will be run through a single software, providing for a single point of reference as regards the risks facing the organisation. The tool will provide management with a proactive, collaborative, real-time, context-aware approach to the management of risks that impact the achievement of objectives.
Improved management decision-making emanating from real-time access to centralised and integrated risk management information from anywhere, anytime using the AGSA-approved user access devices.
The tool will provide a map of the internal controls that mitigate all listed risks.
Efficiencies will be introduced to the risk management process, freeing resources to focus on proactive risk management, including verifying inputs received on the implementation of mitigations and finding response actions, training, risk initiative roll-out and communication (elimination of the use of manual Excel spreadsheets, which are inherently risky as a tool). The tool will also assist with a reduction of time, including the costs of managing vendor risks and other third-party programmes.
An automated process to track, classify, respond to and route incidents as they occur organisation-wide will be introduced. The tool will make it possible to identify, organise, assess, escalate and mitigate risks across business units and domains.
This will also provide a real-time dynamic process to update the risk register as changes occur within the key risk indicators.
The tool will empower risk managers, owners and champions with appropriate technology and knowledge to manage risks in an efficient and effective manner (risk taxonomy).