
Request for Proposal Template for

Governance, Risk, Compliance and Audit Software

IDI Technology Solutions

MMM DD, 2015

IDI Technology Solutions


Contents

1 Executive Summary
  1.1 Introduction
  1.2 Project Scope
  1.3 High Level Requirements
  1.4 Benefits
2 Requirements of the System
  2.1 Objectives of the project
  2.2 Risk Management
  2.3 Performance Management
  2.4 Compliance
  2.5 Internal Audit
  2.6 Non Functional Requirements
  2.7 Implementation Approach and Experience
  2.8 Information Technology Requirements
3 Expected Outcome/Benefits from the System/Tool


1 Executive Summary

1.1 Introduction

XXX requires a fully integrated Enterprise Risk Management, Compliance and Audit software solution which supports XXX's Enterprise Risk Management framework, Compliance strategy and Audit methodology, whilst embedding best practice frameworks such as COSO, ISO31000, the National Treasury Framework, the Compliance Institute International Standards, legislation applicable to the XXX environment and the Institute of Internal Auditors' standards, the IPPF (International Professional Practice Framework).

XXX has adopted an integrated approach to assurance and therefore aims to support and co-ordinate the establishment of an effective system of internal control, in order to provide reasonable assurance that XXX's financial and non-financial objectives are achieved in accordance with ISO31000, COSO, the PFMA and the MFMA.

1.2 Project Scope

The business objectives are the following:

- Implement a fully integrated Governance, Risk, Compliance and Audit solution which supports planning, management, execution and monitoring of activities that will integrate:

  o Enterprise Risk Management

  o Compliance

  o Internal Audit

- Streamlined planning, resource management, allocation and monitoring.

- Enable combined assurance: co-ordinated planning, management and aggregation of assurance reporting.

- Enable reporting by each discipline within the department, for each cluster, department and/or municipal entity in the Organisation, as well as integrated assurance reporting against each strategic objective.

- Organisation-wide access to the GRC solution by all the Organisation's core administration assurance functions and departmental / branch / municipal assurance functions, in accordance with assigned user profiles and delegated access.


1.3 High Level Requirements

XXX would like to procure an off-the-shelf software solution which is flexible and can be configured to meet the requirements of XXX:

Risk Management facilitating:

- step-by-step enablement of ERM in our organisation,

- best practice methodology within our organisation,

- an up-to-date picture of our risk universe,

- continuous monitoring of our risk universe,

- improved quality and consistency of our information,

- reporting at the click of a button,

- accountability and ownership of risk throughout our organisation,

- a culture of risk and control within our organisation,

- the co-ordinated achievement of our strategic vision.

Compliance facilitating:

- the management of our regulatory universe by rating and monitoring compliance to the acts, regulations and provisions at every level of the organisation, where applicable,

- the documentation of risks associated with compliance / regulatory requirements and the ability to link the relevant sections of acts and/or policies / procedures to these risks,

- automation of checklists (acts and legislation checklists) supplied by 3rd party compliance providers,

- the monitoring of compliance utilising surveys, and the capturing and monitoring of live action plans where there is non-compliance.

Audit (Internal and Forensic auditing) facilitating:

- risk and control based auditing, ensuring that risks that matter to the organisation are audited and that the results are updated back into risk management,

- the standard Internal Audit process of planning, execution, reporting and follow-up,

- a centralised audit management framework which automates and manages the entire audit life cycle, from planning and scheduling audits to developing standard audit plans, collecting field data, generating audit reports with findings, and implementing audit recommendations and remediation,

- audit activity management reports and timesheets,

- a project management dashboard for tracking progress on all audit projects,

- customised final audit reports and audit committee reporting at the click of a button,

- live tracking of progress on management action plans,

- quick and easy follow-up reviews,

- increased audit coverage,

- reduced audit time and cost.


1.4 Benefits

Benefits include:

- a system-wide view of the risk universe at a strategic group level as well as at each individual business unit level and / or process level, keeping risk managers / owners appraised of a changing risk environment and improving their insight into, and oversight of, the issues and exposures of the business at a strategic level,

- utilisation of a centralised risk, compliance and audit management framework which automates the full GRC and audit life cycle,

- management of increasingly complex requirements relating to regulatory, legal and risk management obligations,

- reduction of time spent performing administrative work and reporting,

- elimination of manual audit processes, thus reducing countless hours spent preparing work papers and audit reports along with associated documentation,

- reduction of audit inefficiencies related to errors, unreliable reporting, redundant efforts, inflated costs and data inaccuracies, poor collaboration between the departments, manual and inefficient follow-up on action items and time-consuming data gathering processes which result in limited reporting and data analysis,

- combined assurance reporting,

- leveraging the solution to identify gaps or inefficiencies in XXX's risk coverage, resolve compliance issues, enable fraud risk assessments, build continuous audit capability, improve risk management and processes, and reduce audit complexity and costs,

- real value and insight into the business: root cause analysis, trend analysis, performance monitoring, cross-divisional benchmarking, process improvement identification, driving accountability, providing an early warning system, providing combined assurance, tracking incidents, repeat incidents and near misses, performing 'what if' analysis, monitoring consequences, etc.


2 Requirements of the System

2.1 Objectives of the project

Description Response

Manage organisational risk within one flexible, configurable solution – provide easy access to information with the ability to configure custom workflows, calculations, a standardised methodology, a limitless hierarchy and virtual parameters for normalised reporting;

Obtain clarity through convergence – enable managers to improve their insight into, and oversight of, the issues and exposures of the business at a strategic level;

Enable us to roll out our risk management and internal audit programmes and policies in both a bottom-up and top-down approach within the organisation;

Assist in driving best practice methodology across the organisation with regards to risk management, compliance and internal audit;

Provide proactive monitoring of any issues via action plans, email notifications, etc.;

Provide meaningful and timely management information ensuring quick follow up;

Enable you to analyse information and identify and investigate problem areas;

Facilitate a culture of risk and control within the organisation;


2.2 Risk Management

Description Response

Alignment with the COSO and ISO31000 frameworks.

Objective Register: The proposed solution must have the functionality to allow the objectives to be captured at every level of the organisation and linked to 'sub-objectives' and / or risks that threaten (downside risks) or are required to achieve objectives (upside risks).

Risk Register: The proposed solution must have the functionality to allow the capture or import of an existing risk register (risks, controls) from Excel.

Risk Assessment: The proposed solution should have the functionality to perform risk assessments (inherent, residual, target risk) making use of a Risk Assessment Matrix.

Scheduling and automation of risk assessment voting online (web-interface) and / or workshop-based voting

Survey functionality: scheduling of online (web-interface) surveys / checklists / questionnaires with email notifications and reminders as well as extensive analysis of survey results.


Risk Rating: Ability to incorporate metrics, impact, likelihood, etc. These should have set criteria to help weight the scoring more accurately and consistently.

Control Register: The proposed solution must have the functionality to allow the controls to be captured at every level of the organisation and linked to risks. The system must allow for the rating of controls.

Management and Monitoring of Key Risk Indicators: The proposed solution should have functionality to assist with the management and monitoring of Key Risk Indicators (KRIs) and key controls.

Capture and Manage Contributing Factors: The proposed solution should have functionality to assist with the management and monitoring of contributing factors.

Capture and Manage Incidents: The proposed solution should have the capability to capture, manage and report on loss events suffered by XXX.


Action Plans: Actions can be assigned and carried out, with online updates back to the system for risk manager monitoring.

Reporting: A simple at-a-glance presentation of the data, either in heat map or customisable formats, pie charts, scatter grams, graphs, etc.

Reporting: Standard risk committee reports along with customisable reports: users can choose from existing reports or create reports at their discretion through wizards and report builders.

Links to MS Outlook to enable email notifications, reminders and escalation relating to action plans, risk and control self-assessments and checklists.

Ability to stratify risks, i.e. high level risks linked to lower level risks. We will need to link these and mitigate them separately.

Automatic trigger reporting for risks that exceed a certain criterion.

Automatic updates for risk owners to review progress.

Permissions: Varying levels of authorisation and security for operators.


2.3 Performance Management

Description Response

Monitoring and management of Key Performance Indicators (KPIs).

Integration of performance management with the strategic and operational risks that will hinder the organisation in achieving its strategic objectives. Consideration must also be given to Key Risk Indicators (KRIs) and Key Control Indicators (KCIs).

Setting up of Key Risk Indicators (KRIs) based on thresholds, frequencies, targets linked to target periods, unit of measure, etc.

Capturing of KRI values into the system; email notifications to KRI owners with online capturing of KRI values and / or import from ‘live’ systems

Dynamic re-assessment notifications to the risk owner based on changing KRI values.

Key Risk Indicator reporting including trends
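The requirements in 2.2 (Risk Assessment on a matrix with inherent / residual / target risk, set criteria for impact and likelihood, automatic trigger reporting for risks exceeding a criterion) and 2.3 (KRIs with thresholds, re-assessment notifications and trend reporting) describe logic that is easier to evaluate in a tender response when it is concrete. The following is an added illustration written for this template; it is not code from the RFP, from IDI Technology Solutions or from any vendor product. The 5-point impact and likelihood criteria, the heat-map band cut-offs, the residual-risk formula (controls reduce likelihood, never impact) and the "higher is worse" KRI threshold semantics are all assumptions made for the example, and the sample register and KRI values are constructed.

```python
"""Risk Assessment Matrix and KRI threshold logic (added illustration; not code from
the RFP or from IDI Technology Solutions). The 5-point criteria, band cut-offs,
residual-risk formula and threshold semantics are assumptions made for this example."""
import math
from dataclasses import dataclass, field

# Assumed scoring criteria: the RFP requires "set criteria" but does not define them.
IMPACT_CRITERIA = {
    1: "Insignificant: no measurable effect on objectives",
    2: "Minor: objective delayed, absorbed within the business unit",
    3: "Moderate: objective partly missed, management attention required",
    4: "Major: objective missed, external reporting obligation triggered",
    5: "Critical: statutory breach or loss of a strategic objective",
}
LIKELIHOOD_CRITERIA = {
    1: "Rare: not expected within 10 years",
    2: "Unlikely: could occur within 5 years",
    3: "Possible: could occur within 2 years",
    4: "Likely: expected within a year",
    5: "Almost certain: expected within the next quarter",
}

def rating_band(score: int) -> str:
    """Map an impact x likelihood score (1..25) to a heat-map band (assumed cut-offs)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

@dataclass
class Risk:
    name: str
    impact: int                   # 1..5 per IMPACT_CRITERIA
    likelihood: int               # 1..5 per LIKELIHOOD_CRITERIA
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully effective)
    target_score: int             # risk appetite set by the risk owner (assumed)

    def __post_init__(self) -> None:
        if self.impact not in IMPACT_CRITERIA or self.likelihood not in LIKELIHOOD_CRITERIA:
            raise ValueError("impact and likelihood must be on the 1..5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control effectiveness must lie between 0 and 1")

    def inherent(self) -> int:
        """Inherent risk: exposure before any control is taken into account."""
        return self.impact * self.likelihood

    def residual(self) -> int:
        """Residual risk. Assumed model: controls reduce likelihood, not impact, and the
        rated likelihood never drops below 1 (a control cannot make a risk impossible)."""
        return self.impact * max(1, math.ceil(self.likelihood * (1.0 - self.control_effectiveness)))

def heat_map(risks: list) -> dict:
    """Group risks by residual band: the 'at a glance' view the RFP asks for."""
    grouped = {"High": [], "Medium": [], "Low": []}
    for r in risks:
        grouped[rating_band(r.residual())].append(r.name)
    return grouped

def trigger_report(risks: list, criterion: int) -> list:
    """Automatic trigger reporting: risks whose residual score exceeds the reporting
    criterion or their own target (appetite) score."""
    report = []
    for r in risks:
        res = r.residual()
        if res > criterion or res > r.target_score:
            report.append({"risk": r.name, "residual": res, "band": rating_band(res),
                           "exceeds_criterion": res > criterion, "above_target": res > r.target_score})
    return report

@dataclass
class KRI:
    name: str
    risk: str          # name of the risk this indicator tracks
    threshold: float   # assumed semantics: a value above the threshold is a breach
    unit: str
    frequency: str     # capture frequency, e.g. "monthly"
    history: list = field(default_factory=list)

def record_kri_value(kri: KRI, value: float):
    """Capture a KRI value; return a re-assessment notification for the risk owner on a
    threshold breach, otherwise None."""
    kri.history.append(value)
    if value > kri.threshold:
        return {"risk": kri.risk, "kri": kri.name, "value": value, "threshold": kri.threshold,
                "unit": kri.unit, "action": "re-assess risk"}
    return None

def kri_trend(kri: KRI) -> str:
    """Trend for KRI reporting: latest value against the first captured value."""
    if len(kri.history) < 2:
        return "insufficient data"
    first, last = kri.history[0], kri.history[-1]
    return "rising" if last > first else "falling" if last < first else "flat"

if __name__ == "__main__":
    # Constructed sample register and KRI; names and values are illustrative only.
    register = [Risk("Supplier payment fraud", 4, 4, 0.6, 4), Risk("Minor data entry errors", 2, 3, 0.0, 6)]
    print(heat_map(register), trigger_report(register, criterion=7))
    kri = KRI("Overdue supplier invoices", "Supplier payment fraud", 50, "count", "monthly")
    print([record_kri_value(kri, v) for v in (30, 62)], kri_trend(kri))
```

In the constructed register the fraud risk scores 16 inherent and 8 residual (controls rated 60% effective bring likelihood from 4 to 2), so it sits in the Medium band but still exceeds both the reporting criterion and its own target and therefore appears on the trigger report; the KRI capture of 62 overdue invoices breaches the threshold of 50 and produces the re-assessment notification to the risk owner. A bidder's product would need to expose equivalent configurable criteria, formulas and thresholds rather than hard-coding them as this example does.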


2.4 Compliance

Description Response

Follow the best practice compliance management process as set out in the South African Compliance Institute's handbook:

Phase I – Compliance Risk Identification

Phase II – Compliance Risk Assessment

Phase III – Compliance Risk Management (Control optimisation)

Phase IV – Compliance Risk Monitoring

Update Compliance Checklist/Questionnaire: Ability to regularly update the compliance checklists or questionnaires in terms of legislative amendments or new regulations.

Compliance Risk Management Plans (CRMPs).

Distribute Compliance Assessment reports via email: Ability to distribute the results which constitute the verification or audit of the compliance self-assessments by BUs to the relevant BU compliance owners via email.


Management Reports (e.g. Group Consolidated Compliance Dashboards, BU-specific compliance reports and Remedial Action Monitoring reports): Provides a list of standard management reports with the ability to configure and draw custom reports from the system. It should also provide summary reports graphically.

Develop Action Plans: Provide an interface to create action plans (with defined timelines and assigned responsibilities) aimed at rectifying areas of non-compliance.

System and User Administration: Ability to configure users and groups and assign roles to users and groups based on functionality.


2.5 Internal Audit

Description Response

The system needs to assist with easy co-ordination of RM and IA work; IA must have access rights to the RM module and the same goes for RM. This will give the organisation comfort and confidence in managing the business risks and ensuring that the risks that matter to the organisation are audited.

The system should be able to support the standard Internal Audit Process:

In summary, the audit process consists of the following sub-processes: (a) Strategic planning, (b) Assignment planning, (c) Assignment execution, (d) Assignment reporting, (e) Assignment follow-up, (f) Reporting to stakeholders (key being management, external auditors and the audit committee) and (g) the Forensic investigation process.

Ability to configure internal audit methodology and templates in line with the International Professional Practice Framework (IPPF).

Time Sheets: Due to the nature of the work, we have to keep an accurate record of the hours spent per assignment. During the strategic planning phase, we would have estimated the hours for each assignment.

The system must provide online and offline access. In case the internet is down, we must be able to work offline and synchronise back to the system later.

IA must be able to generate final audit reports in MS Word, whereby relevant information from planning and execution automatically gets pulled into the report at the click of a button.

Ability for IA to capture additional risks and controls (which can be “accepted” back into risk management module during the audit alignment phase)

Ability for IA to rate the risks already rated by RM and this change to be communicated to RM.

Ability to manage electronic working papers including tests and business logic able to create automated findings. Preferably these working papers are to be captured in database fields and not just attached as Excel / Word templates.

Ability to assign different responsibility within the audit team as well as escalation of audit areas when not executed.

Ability to ‘check in’ / ‘check out’ complete audit sections.

Email notification to reviewer when audit sections are ready to be reviewed.

Ability to create and clear review notes with full preparer / reviewer history.


Ability to attach supporting documents under a specific audit area/working paper/finding.

Ability to rate various findings on the audit report.

Ability to send reports or a finding by email to the process owner/responsible official for comment on audit recommendations (even if the process owner does not have a license to operate the software he/she must be able to comment)

Email notifications to audit team after a review note has been inserted by the process owner/responsible official.

Ability to summarise e.g. all significant findings for various reports for specific periods and to track their progress with regards to implementation by responsible officials.

Live tracking of findings: the system must allow audit to track progress on the implementation of findings; it should be able to send notifications to auditees just before the implementation due date and prompt them for comment; it must also be able to notify the audit team when auditees have not responded to the recommendations in time.

Ability to generate follow up reports and perform follow-up audits.


Ability to track and manage compliance with Acts and Regulations, e.g. PFMA, King III, etc.

Archiving of internal audit projects

Self-Assessment & Integration into Internal Audit functions and systems

A simple at-a-glance presentation of data, either in a pie chart, scatter grams, graphs, etc.

Integration with MS Outlook to enable email communication and response monitoring.

Varying levels of authorisation and security for operators.

Permissions: System and User Administration: Ability to configure users and groups and assign roles to users and groups based on functionality.

Online help functionality


2.6 Non Functional Requirements

Description Response

Integrated solution

Enterprise-wide/global solutions (LAN, WAN, Web) with online and offline functionality

Choice of interface to suit business requirements and usability (Web and Rich Client).

Integration into email and network system (Active Directory) to reduce ongoing administration for IT.

Simple to learn and operate – fast Return On Investment (ROI) and quick implementation.

Simple and intuitive to use.

Powerful reporting & notification features.

Ability to maintain a central repository of all risk, compliance and audit information.

Ability to analyze information, monitor, notify and act proactively.

Import from Excel of various registers for take-on such as risk, controls, incidents, checklists and findings

Flexible drag and drop registers with export of registers into Excel


Permissions: System and User Administration: Ability to configure users and groups and assign roles to users and groups based on functionality.

Online help functionality

2.7 Implementation Approach and Experience

Description Response

Implementation approach and project plan

Training, training manuals, online help

Migration Plan

Project team skills (CV’s)

Transfer of skills approach

Experience, Track record and competence of Service Provider with contactable details of references.

Software upgrade strategy and patch management for reduced IT admin

Support strategy, help desk, user group, support portal


2.8 Information Technology Requirements

Description Response

The system must run on a SQL database as the backend, on a Windows-based operating system.

Rich front end for power users supporting online and offline use.

Web-based interface to be platform and browser independent


3 Expected Outcome/Benefits from the System/Tool

Description Response

Compliance with COSO, ISO31000, National Treasury framework, Compliance Institute framework, IPPF standards;

Ability to maintain a central risk, compliance and audit repository;

Configurable methods and frameworks to fit the business requirement as it changes over time;

Ability to track and manage compliance with Acts and Regulations, e.g. PFMA, internal policies, etc.;

Far better understanding of risk environment, compliance challenges and related decision making;

Savings in management time due to a shift to managing by exception, related reporting and more efficient business processes;

Accountability by staff and performance measurements of staff

Enforcement of controls, clear processes and ongoing management thereof resulting in substantial savings


Formalization of policies and procedures, best practices etc. through electronic measurable systems

Improvement in efficiency of Internal Audit function

Standardization of reporting at all levels including board level – from region level and right through to consolidated departments and committee/group level;

Reduction in time taken to produce reports and format data.

Paper use reduction and associated workflow improvement;

Better alignment with and more effective External Audits;

Alignment of organisation’s units and establishment of closer relationships between Group and organization’s units as information is available and interpreted prior to interaction;

Organisation-wide knowledgebase and best practice accessibility by any person/department to create better efficiencies (i.e. not having to re-invent the wheel);

Reduction in cost and time of employees by better training, induction, handover and adherence to policies and procedures;


Availability of information at all times and real time notifications;

Consistent interface, training and standardization of reporting across the entire organization thus enabling easier skills development and training;

Far better understanding of risk environment, compliance challenges and related decision making;

Incidents register for general insurance management, disaster management and recovery, emergency management (BCM), and management of financial, HR and labour risk related items;

Less litigation, penalty and loss events in the business resulting from better adherence processes, policies and procedures

Standardization of reporting at all levels including board level – from branch level and right through to consolidated business units and group levels;

Reduction in time taken to produce and format data;

Ability to make decisions at board level by dynamically re-assessing the risk universe.
