Audit and compliance professionals today have an ever-increasing mandate to accurately depict critical risks and report on material or damaging issues to the executive suite in a timely manner.
In particular, fraud prevention and the monitoring of key regulatory requirements can help keep the business at a safe distance from reputational risk and potential fines. These programs should align well to the overall Governance and policy structure as defined by the Board.
Establishing a culture of awareness is essential in order to deploy new initiatives which combat potential threats to the company. Internal Audit teams are often the quarterbacks of these initiatives, resulting in the difficult task of program communication, tracking and reporting alongside their current Audit plan. In order to facilitate increased efficiency, routines can be put in place to ensure that information flows appropriately from managers and employees to the professionals monitoring these key risks and controls.
Let’s investigate the merits of an automated incident reporting tool and the suggested measures to deploy a system efficiently.
Addressing culture and anonymity
Whether you have a well-defined Governance structure in your business or not, potential threats need to be collected and routed to the right stakeholders. Using an Incident Reporting system, such as a hotline or whistleblower channel, can be an extremely effective way to collect sensitive data from your business and evaluate and investigate its validity. Often, the biggest roadblock in achieving this goal is the potential danger of individuals exposing themselves or interrupting the problem before professionals can investigate.
Establishing an anonymous self-reporting tool can eliminate these problems and encourage employees to be educated and vigilant around their control environment and business processes. By using intuitive and modern technology, no training is necessary for employees to complete the necessary steps. Rewards and recognition can be simple support measures for these programs, and may be directly related to training, education and other Compliance initiatives.
The right tools for the job
With ACL GRC’s Event Reporting feature, users can anonymously inform investigation teams of potential threats or control failures. A dedicated web-form is created via ACL GRC, which can be pasted into an internal corporate intranet site or sent out via email. All data provided is entered into a simple questionnaire form which gathers the necessary information specific to the compliance risk or control test being monitored (e.g., HR Violation, Security Breach).
From there, cases are aggregated into a central repository and easily reported within the tool or exported out for review. Embedded into this reporting repository is a full escalation management process, where certain conditions (e.g., departments, account status, amount thresholds) can instantly be flagged and broadcast to investigators for review. This aggregated data, with associated comments and resolution efforts, can also instantly be transferred into unique Data Interpretations and Visualization tools. With ACL GRC, you can easily monitor several incident hotlines at the same time with little administrative burden.
Connecting reported incidents to audits and global risk management
By using results from incident reporting and case management efforts, auditors gain additional insight to review and adjust their audit scope and planning. Consider using the output of these programs to align reporting alongside enterprise-wide issue tracking. With ACL GRC, incident reporting can easily be linked to the audit or investigation group that may be documenting and testing the respective control or policy.
Fully integrating these incidents and issues allows the enterprise ACL GRC system to capture and automatically convey potential fraud, compliance and operational effectiveness at the top level. The ability to trend and analyze patterns could be quite valuable to executives and show the overall risk to the board and stakeholders. Additionally, specific read-only access can be provisioned to selected stakeholders enabling instant access to highlighted issues and reports.
By connecting the dots and using the right technology, deploying new compliance and investigation initiatives can indeed be less of a burden than expected. Automated incident and whistleblower programs are just the tip of the iceberg. GRC event reporting can also be a useful tool for vendor approvals, budget requests and control attestations, to name just a few examples.
“Perhaps Internal Audit can score a touchdown with executives by calling these internal plays, and being the compliance and ethics quarterback?”