Data Analytics for GRC - demystifying Continuous Control Monitoring
Vol. II: Practical Guidance in the World of Data Analytics for GRCTo help all our customers and others in the market currently exploring GRC integration possibilities: we try to provide some insights and business cases from our own experiences attempting to demystify, educate and align terminology.<>In an earlier blog post I announced a series of articles on data analytics for GRC. This second post will go into detail with regards to continuous control monitoring.
I have a background as an IT auditor for KPMG. Several years of which my primary focus was performing audits on ERP systems such as SAP. Either from an financial statement, Audit, Sox Audit or Operational excellence point of view we gathered large chucks of data that were afterwards analyzed to help our financial auditors or management in improving their processes and making them more efficient.
Lately the discussion surrounding monitoring of controls is starting to become more important (reference to isaca monitoring of it). The ways to improve compliance processes and to get 'in control' better would be to on a continuous bases measure your control effectiveness and performance using tools.
Its a pioneering area and one of the topics closest to my hearts since I have had a very strong opinion and large influence on the development of supporting tooling both with KPMG as well as at BWise. Discussing it with customers is always fun since they are usually amazed at the possibilities and the resulting demonstration, reporting that we have has a high 'wow' factor. This situation also poses a lot of questions on how it works and what is required to make it operational within your organization.
I've written quite an elaborate article on the latter questions and tried to answer as many of these questions as possible. If there is anything I missed, feel free to comment and maybe I will create a version 2.0. Request the article.
Ps: it is beneficial to read vol 1 - Through Different Glasses first since it sets the context.