Get Audit-Ready - With ADONIS and ADOIT
you can control your audit-related tasks

Success factors that let you sleep soundly

Business Process Management (BPM), Enterprise Architecture (EA) and Governance, Risk & Compliance (GRC) are three disciplines that come into focus in regulated environments. The resulting analyses and reports are not only relevant internally for corporate management; they can, or must, be presented to external stakeholders in various audits.

Companies are increasingly required to undergo internal and external audits. The reasons vary:

  • Audits by internal auditors
  • Audits as part of the annual financial statement audit or the internal control system (ICS) audit
  • Audits by external supervisory bodies, such as the financial market supervisory authority
  • Certifications based on standards (ISO 9000, ISO 27000, etc.)
  • Audits by business partners (e.g. supplier audits or risk audits for insurance contracts)

Companies invest a great deal of time and effort in preparing for and conducting such audits, as well as in post-audit activities such as evidencing improvement in the course of re-certification. To be prepared, several requirements (audit-readiness factors) have to be fulfilled:

  • The relevant documentation and reporting must be methodically correct and consistent.
  • It must be traceable how the documentation was created and how it was approved.

Audit-relevant areas are rarely self-contained; they build on preliminary work carried out by other disciplines. For example, an internal control system with risk and control documentation makes little sense without a process map and an associated process organization. The integration of management approaches is therefore crucial.

In an integrated management system, different disciplines work together in a common digital repository to provide the different target groups with tailored information, evaluations and reports. In the context of BPM, EA and GRC, the departments with a central responsibility in the company cooperate with other stakeholders (e.g. business architects, process managers, quality managers, application managers, digital officers, compliance offices, internal auditors etc.).

In order to master the challenge of getting "audit-ready", we have identified the following approaches and success factors:

1. Integration of management areas and disciplines

Without integrated management systems, individual stakeholders work side by side, yet isolated from each other. This leads to duplicate work, many requests to specialist departments and, regrettably, to incomplete presentations and reports. The wheel is reinvented again and again, and mental silos prevent users from reusing and extending existing documentation. Integrated documentation, on the other hand, allows not only more efficient work but also a better understanding of the larger context.

2. Reuse and extension of existing documentation

Integrating management systems also opens up the reuse and extension of existing documentation. If you do not have to spend extra time gathering information from other disciplines, you work more efficiently and achieve higher data quality. After all, every expert contributes directly and personally to the overall picture.

3. Strong functional support with a suitable tool set

Meeting these obligations means satisfying strict criteria, and some of them should be supported by a suitable tool set that helps you get the job done. BPM and EA tools such as ADONIS and ADOIT, as well as the GRC module, have always had their strengths in an integrated view of corporate management. They offer a range of functions that directly address essential criteria such as traceability, historization, versioning and compliance with audit rules. The use of our products has long gone beyond simple graphical modelling of process flows or IT landscapes; using the underlying documentation and specific evaluations for audit-relevant requirements is becoming more and more important.

4. Reference models from audit-relevant departments

Reference models not only help you get started with the necessary documentation tasks, but also create additional confidence regarding completeness and plausibility. The BOC Group offers a variety of reference models from a wide range of disciplines, from initial orientation to the establishment of audit-relevant test areas: maturity level assessments in the context of ISO 9001:2015 and EFQM, reference process descriptions from ISO/IEC 27001, COBIT 5.0 or ITIL, risk and control catalogues based on Basel II / Basel III, Solvency II, and many more.

5. A strong and experienced partner who can advise

The requirements, both internal and external, are demanding. The good news is that you are not alone. Benefit from the experience of others and let experts support you in preparing for your next audit. Whether tool-based or not, proven techniques and methods can make life much easier for you.

Maturity level assessment regarding compliance requirements

To determine the necessary actions efficiently when preparing for an audit, the current maturity level is assessed together with subject matter experts and the gap to the target specification is determined. In ADONIS and ADOIT, the compliance requirements can be structured as control target catalogues in the repository and assigned to the relevant assets (processes, organizational units, IT systems, data, documents, etc.). The current maturity level is then compared with the target value and evaluated graphically or in tabular form.

Preparation of audit-relevant documentation

Efficient use of the right tools is crucial when preparing audit-relevant documentation. ADONIS, ADOIT and the GRC module provide a browser-based modelling platform that can be pre-populated or continuously updated through a variety of interfaces. Through fine-grained assignment of rights to user groups and individual roles within the company, the corresponding assets can be created and maintained in your documentation only by those responsible for them, and can be reused for graphical modelling and evaluation.

Validation, audit rules and traceability

Before documented content can be formally released, it must be reviewed, which often means considerable effort for your company. The products of the BOC Group help you with questions of completeness, with identifying inconsistencies, and with the review steps of your specialist departments. Validations and checking rules can be defined and are checked automatically when your documentation is released. These predefined checking rules can be adapted to your business environment, and changes you make to models or objects over time are logged traceably and stored in a tamper-proof manner.

Versioning, historization and archiving

Your documentation is a living entity. Changes must therefore follow a traceable procedure, so that content stays accurate and changes are made only by authorized stakeholders. Model and object release workflows in ADONIS, ADOIT and the GRC module of the BOC Group offer exactly that: they ensure that only methodologically and technically reviewed process descriptions, service catalogues and IT architectures are published and brought into an audit. An audit-compliant historization ("When was which object or model valid?") is part of this procedure. Process descriptions and IT documentation can also be given a resubmission date; once it expires, the responsible author is automatically reminded to create a new version and incorporate any changes, or to extend the validity.
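The two properties promised above, a change log that cannot be altered after the fact and a history that answers "which version was valid on a given date?", are easy to state and easy to get wrong. The following is an added illustration of what a verifier would actually check, not ADONIS/ADOIT code (the page does not describe the products' internal implementation). It hash-chains each release entry to its predecessor so that any later edit of an entry is detected, derives validity windows from the release order instead of mutating old entries, and flags models whose resubmission period has elapsed. All model identifiers, authors, dates and the review period are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int
    model_id: str
    version: int
    author: str
    released_on: str   # ISO date; this version is valid from this date
    prev_hash: str     # entry_hash of the previous entry in the log
    entry_hash: str = ""

    def digest(self) -> str:
        # Canonical JSON (sorted keys, fixed separators) so the hash does not
        # depend on formatting; entry_hash itself is excluded from the input.
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ChangeLog:
    """Append-only release log: entries are never edited, only added."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def release(self, model_id: str, version: int, author: str, released_on: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        e = Entry(len(self.entries), model_id, version, author, released_on, prev)
        e.entry_hash = e.digest()
        self.entries.append(e)
        return e

    def verify(self) -> Optional[int]:
        """Return the seq of the first tampered or re-linked entry, or None if intact."""
        expected_prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != expected_prev or e.entry_hash != e.digest():
                return e.seq
            expected_prev = e.entry_hash
        return None

    def valid_on(self, model_id: str, on: date) -> Optional[tuple[int, date, Optional[date]]]:
        """(version, valid_from, valid_to) of the model on `on`; valid_to None = still valid.
        A version is valid from its release date until the next release of the same model,
        so the window is derived from the log rather than stored and later overwritten."""
        history = [e for e in self.entries if e.model_id == model_id]
        for i, e in enumerate(history):
            start = date.fromisoformat(e.released_on)
            end = date.fromisoformat(history[i + 1].released_on) if i + 1 < len(history) else None
            if start <= on and (end is None or on < end):
                return (e.version, start, end)
        return None

    def due_for_review(self, today: date, period: timedelta) -> list[str]:
        """Models whose latest release is at least `period` old (resubmission check)."""
        latest: dict[str, date] = {}
        for e in self.entries:  # log is chronological, so the last release wins
            latest[e.model_id] = date.fromisoformat(e.released_on)
        return sorted(m for m, d in latest.items() if today - d >= period)


def build_sample_log() -> ChangeLog:
    # Constructed sample data: two process-model releases and one IT-system release.
    log = ChangeLog()
    log.release("P-ORDER-TO-CASH", 1, "alice", "2023-01-15")
    log.release("P-ORDER-TO-CASH", 2, "bob", "2023-09-01")
    log.release("IT-CRM", 1, "carol", "2023-03-10")
    return log


def tamper_demo() -> Optional[int]:
    # A post-hoc edit of a released entry (here: rewriting the author) breaks its hash.
    log = build_sample_log()
    log.entries[1].author = "mallory"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)
    print("tampered entry:", tamper_demo())
    print("valid on 2023-05-01:", log.valid_on("P-ORDER-TO-CASH", date(2023, 5, 1)))
    print("due for review:", log.due_for_review(date(2024, 6, 1), timedelta(days=365)))
```

The hash chain only proves that nothing inside the log was changed or reordered; an attacker who can rewrite the whole log can simply recompute every hash. A practitioner would therefore also anchor the latest `entry_hash` outside the system (signed export, write-once storage, or a ticket in a separate tool) and compare it on every audit, which is the check to ask a vendor about when a product is described as "tamper-proof".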

Publishing and feedback mechanisms

The released documentation should be available throughout the company in a transparent manner (only the parts you choose to publish). Publishing mechanisms that you can easily adapt to your needs ensure this. Your documentation also stays alive beyond the creation of audit-relevant documents: experts from the various disciplines (business experts, compliance officers, ICS managers, etc.) can submit comments and improvement suggestions on models and objects via social-media-like communication streams in ADONIS or ADOIT.

Analysis and reporting

Once audit-relevant information has been published through the release mechanisms as valid and audit-compliant, the audit documentation is prepared for each target group via analysis and reporting mechanisms. With the products of the BOC Group, these parts of the overall model can also be made available online (process or organizational portal) or offline (e.g. via Microsoft Excel, PDF, PowerPoint). ADONIS, ADOIT and the GRC module provide configurable analyses and reports.

Integrated management of measures

Findings from the audit are recorded as corrective measures whose implementation is assessed in the next cycle. ADONIS and ADOIT also serve to document these measures. Here, too, we follow the integrative idea: measures are assigned directly to the corresponding assets (processes, controls, IT applications, etc.). With action planning (responsible person, start and end date) and measure tracking, the loop closes ahead of the next audit.


Interested? Face your next audits with our support.

The BOC Group supports you with the preparation of audit-relevant documentation and reports and helps you to keep this documentation up-to-date – without hassle. A proven mix of audit experience, product support and reference content.

QUESTIONS?

Enrique Lobo Cruz

P +353-1-871 94 16
F +353-1-871 94 17
E info@boc-group.com