How to Improve the GRC Process Control?
Within each company, there are many controls and audits that must be carried out on specific dates. The purpose is to evaluate, verify and control specific elements of the company to ensure compliance with the regulations in force.
There are different types of control, among them accounting control and the energy audit, set up in 2005.
In this article, we will look at the case of internal control in general, which will revolve around governance, risks and compliance.
What is a GRC Internal Control?
A GRC control is a process that involves the whole company and whose goal is to preserve all of the company's resources so that it can achieve its objectives. The control therefore has several objectives:
- Protect assets against fraud or negligence
- Minimize errors
- Meet objectives
A distinction is made between internal control, which is carried out by a person or group of people within the company, and external control, which evaluates how well the internal control operates.
External control is performed by specialized organizations or individuals (an auditor, for example) involved in verification and auditing.
In France, the Direction générale de la concurrence, de la consommation et de la répression des fraudes is one of the main control bodies.
The Steps for Setting up an Internal Control
The first step consists of assessing the risks. To do this, it is possible to use a risk map (or heatmap) or to classify the different risks. Let’s take the example of an accounting control:
- Reality: this is the risk that a transaction is recorded when it is not real.
- Completeness: all transactions must be accounted for.
- Measurement: transactions must be associated with the right amount and consistent with each other.
- Classification: transactions must be recorded in the right place and in the right year.
Once these risks have been identified and classified, it will be necessary to start thinking about procedures to reduce them.
Finally, it will be necessary to regularly update all the control procedures according to the company’s evolution.
COSO, the most Widely used Framework today
In 1992, a study group put forward the COSO (Committee of Sponsoring Organizations) standard, which is still one of the most widely used today. This standard defines a common risk management process.
Represented in the form of a cube, it allows the different entities of the company (subsidiary, division…) to follow the same communication, strategic, operational and financial objectives while respecting the principles of GRC.
COSO highlights 5 components:
- Enabling environment: this refers to everything that concerns the company’s structure. This environment is the basis for internal control.
- Risk assessment: each risk must be detected, analyzed and classified. This process must be dynamic and interactive because risks influence objectives.
- Control activity: this refers to the procedures and policies put in place to manage risks. According to COSO, these activities may be automated or manual.
- Information and communication control: all the company's information must be centralized and, above all, presented in a form that everyone can understand.
- Monitoring: it is important to follow the control in order to improve it later.
General Principles to be Respected
Equality: all activities must be oriented towards the general interest of the company and must not grant any privilege.
Separation of duties (SoD): not all duties are compatible with each other and certain combinations can lead to significant risks for your company. It is therefore important to clearly define and distribute the different activities.
Communication: it is essential that everyone adheres to and participates in internal control. It should not be seen as something negative; quite the opposite. What is needed here is a shared culture of internal control.
Build on what already exists: to improve internal control, it is not necessary to revolutionize everything and start from scratch. Often, a simple development and a small reorganization can change everything. It is therefore necessary to take stock of what is being done in the company.
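The separation-of-duties principle above says that certain combinations of activities must never sit with one person. The following is an added example (not code from the article, and not SAP GRC Access Control's own rule engine) of the kind of check such a tool runs: a constructed ruleset of incompatible business functions, a constructed role catalogue, and constructed user-to-role assignments are checked for conflicts, both across a user's roles and inside a single role. All role, function and user names are invented for illustration.

```python
"""Separation-of-duties (SoD) conflict analysis over user-role assignments.

Added example; the rules, roles and users below are constructed for
illustration and do not come from the article or from any real system.
"""
from itertools import combinations

# Constructed SoD ruleset: pairs of business functions one person must not
# hold together, mapped to the risk that combination creates.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "fictitious vendor paid by its creator",
    frozenset({"enter_journal", "approve_journal"}): "journal entries posted without review",
    frozenset({"create_purchase_order", "receive_goods"}): "goods ordered and received without an independent check",
}

# Constructed role catalogue: role -> business functions it grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_journal"},
    "AP_MANAGER": {"approve_payment", "approve_journal"},
    "AP_SUPERUSER": {"create_vendor", "approve_payment"},   # conflict inside one role
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"receive_goods"},
}

# Constructed user assignments (hypothetical users).
USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["BUYER", "WAREHOUSE"],
}


def functions_for(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the business functions granted by a list of roles."""
    granted = set()
    for role in roles:
        granted |= role_functions.get(role, set())   # unknown roles grant nothing
    return granted


def sod_conflicts(roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Return a sorted list of (function_a, function_b, risk) for the given roles.

    Works on the union of functions, so a conflict is found whether the two
    functions come from different roles or from a single over-broad role.
    """
    granted = functions_for(roles, role_functions)
    found = []
    for a, b in combinations(sorted(granted), 2):
        key = frozenset({a, b})
        if key in rules:
            found.append((a, b, rules[key]))
    return found


def analyse_users(assignments=USERS, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Detective control: map each user with at least one conflict to its conflicts."""
    report = {}
    for user, roles in assignments.items():
        conflicts = sod_conflicts(roles, rules, role_functions)
        if conflicts:
            report[user] = conflicts
    return report


def roles_with_internal_conflict(rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Roles that violate SoD on their own; these should be split before use."""
    return sorted(r for r in role_functions if sod_conflicts([r], rules, role_functions))


def conflicting_role_pairs(rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Preventive control: pairs of individually clean roles that conflict when combined.

    Provisioning can refuse such a pair up front instead of detecting it later.
    """
    clean = [r for r in sorted(role_functions) if not sod_conflicts([r], rules, role_functions)]
    return [(r1, r2) for r1, r2 in combinations(clean, 2)
            if sod_conflicts([r1, r2], rules, role_functions)]


if __name__ == "__main__":
    print("Roles that conflict on their own:", roles_with_internal_conflict())
    print("Role pairs that must not be combined:", conflicting_role_pairs())
    for user, conflicts in analyse_users().items():
        for a, b, risk in conflicts:
            print(f"{user}: {a} + {b} -> {risk}")
```

The detective check (`analyse_users`) is what a periodic review or an auditor's report would run over existing assignments; the preventive checks (`roles_with_internal_conflict`, `conflicting_role_pairs`) are what a provisioning workflow would consult before granting a new role, which is the cheaper place to stop a violation.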
Improving the Control Process with the GRC Approach
A GRC approach is a control strategy based on three areas:
- Governance: This is the set of processes and decisions that will enable the company to gain efficiency. This requires transparent communication between the decision-making entities and the management bodies.
- Risks: in business, a risk is an unforeseen event that can occur during the company's normal course of business and that will have an impact and cause damage (economic, moral, material…).
- Compliance: many laws and regulations govern the professional world and it is important to respect them in order not to be exposed to sanctions. It is therefore necessary to put in place preventive procedures to prevent the law from being broken.
Today, although many companies have adopted a GRC strategy, it is often not open enough and is organized in silos. Yet it is easy to put in place a simple organization that will improve internal control.
The first step is the adoption of a repository.
GRC Software, the ideal Solution to optimize your Internal Control
Internal control tools have evolved more slowly than new technologies, but today, many efficient and reliable software solutions exist to help you manage your company’s risks and compliance.
The first GRC solutions date back to the 1980s and were similar to an Excel file with a large number of spreadsheets.
In the 1990s, new versions were released but did not meet with the expected success because of their complexity. It was not until the 2000s that the first easy-to-use GRC software appeared.
SAP was among the first software vendors to offer a robust GRC solution. SAP GRC Access Control in particular stands out; its latest version (12.0) dates from 2018.
There are many advantages to using a solution such as SAP GRC Access Control:
Central software: all information is grouped together in a single system. It is therefore easily accessible, yet can be modified by only a small number of people, which improves data security.
Real-time risk management: with just a few clicks, you can generate personalized reports that take into account all the risks of your company in real time for better anticipation and reaction. Thus, it offers you a better visibility and analysis of the risks present in the SAP environment.
Successful external audits: all reports and dashboards provided by GRC software are auditable. These can be automated, which greatly reduces the risk of error.