8/6/2019 GRC Green Sustainability Solutions
Governance, Risk & Compliance (GRC) Use Case Process
Certification & Risk Management
Supporting Green Initiatives across the Global Organization
Revision History
Date         Author                 Description of change
05/18/2011   Shyam Radhakrishnan    Document Created
Use Case: Perform Global Processes, Risks & Controls Assessment
Id: UC-GRC-171640-1
Description
Customer records global business processes for each organization, documents the risks associated with
each parent process & establishes controls that mitigate those risks.
This Use Case establishes efficient cost-saving procedures that contribute to the reduction of global
greenhouse challenges, such as avoidable mass travel to global destinations by air, road & other means,
and to the reduction of avoidable resource consumption.
Level: High-Level Summary of controls assessment process
Primary Actor
Chief Executive Officer (CEO)
Office of Compliance & Oversight Committee
Supporting Actors
Internal Audit Assessor
Global Process Owners
Stakeholders and Interests
External Auditor                        Controls Efficiency; Risk-levels; Adherence to Annual Compliance Mandates
Oversight Committee                     Internal controls state of readiness; Global Organizational control framework
IT Department                           Automated/Manual controls around business & infrastructure systems
Finance Department                      Internal controls around financial applications
Office of the CIO/CEO (Executive Team)  Status of Assessment & Accountability activities
Pre-Conditions
Governance, Risk & Compliance Tool/Application needs to be installed & implemented
Global Availability of Tool/Application
Statutory exercise to record business process assessment needs to be initiated
Corporate Internal Audit department has the mandate to perform the exercise
Timeline for initiation & completion of the assessment exercise is set
Post Conditions
Reporting capability based on GRC assessment data
Tool/Application Availability Post-Assessment
Post-Assessment Executive Sign-off for Accountability
Extensions
1. The GRC Tool/Application needs to be set up by Global Entity/Organization and further by
department within those Organizations, as it relates to Main Success Scenario Step # 3 above
2. Control Framework is required to be set up based on compliance mandates that need to be
satisfied year over year (SOX, ITIL, BASEL etc.), as it relates to Main Success Scenario Step # 5
3. Electronic Process Certification initiation is dependent on the availability of the functionality
(workflow/SMTP based) within the GRC tool/application, as it relates to Main Success Scenario Step # 6
4. Audit Engagements need to be created within the GRC tool/application prior to executing the
internal audit exercise, as it relates to Main Success Scenario Step # 10
5. Consolidated processes, risks & controls scenario Report is either out-of-the-box or written
using BI Reporting tools (Oracle GRC Intelligence/OBIEE) based on data from the GRC Manager Suite
Variations
1. Processes, Risks & Controls can either be typed into the GRC tool/application or uploaded
from file using a web interface similar to Oracle Web ADI (Application Desktop Integrator)
2. If the GRC tool/application is not available for some remote locations, the Internal Audit
Department can send/receive certifications using other methods such as certified/signed
hardcopies, Excel-based documentation or other electronic methods, as long as the Internal Audit
Controller approves such methods
3. Internal Audit department is required to document evidence of successful/failed controls
assessment. The artifacts can be electronic or hardcopies but the final resting place (repository)
needs to be within the GRC tool/application, as it relates to the Processes, Risks
& Controls for that specific organization/department audited.
Frequency:
Every Quarter
Assumptions
1. The GRC tool/application has multi-lingual capability
2. Global assessment is done by the Internal Audit Department from the Corporate HQ
3. Users within the GRC tool/application are set up and access rights configured prior to
initiation of the certification process
4. Timeline for certification process initiation & completion is set up in advance
5. External Audit is provided access to the GRC tool/application to monitor/compare progress
of the assessment
6. IAD Corporate is the owner of the Global process documentation & assessment exercise
7. Unit Heads from Global Locations are required to complete their Self-Assessment
certification within the stipulated timeframe of the exercise
8. Reporting requirements may change and are managed by the Internal Audit Department
Corporate
Special Requirements
Performance
1. Availability of the GRC tool/application is mandatory across global locations (browser-based
access), with limited exceptions; see Variations above
2. Global business process certification needs to be a required task announced by the Office of
the CEO (and enforced by the Office of the Corporate Internal Audit Controller); thus a
communication needs to be sent out to each global unit prior to initiation of the quarterly
process
User Interface
1. The GRC tool/application needs to be multi-lingual, with special characters/fonts displayed to
users Globally
2. Requirements & Procedures need to be made available to the process owners Globally within
the GRC tool/application as instructions
Security
1. Access to the GRC tool/application Globally needs to be secured by standard authentication
methods (access credentials & encryption)
2. Process certification authority (Stakeholder workflow) needs to be established by the corporate
Internal Audit Department within the GRC tool/application
Issues
1. In the event of a control failure for a certain key business process, the process owner needs to
certify this event as a failure and seek guidance for remediation of the control deficiency
2. When IAD performs internal audit across the global organization for certified processes, any
deviations from the certification need to be discussed with the process owner and a plan of action
established
3. In case of system unavailability, backup methods to gather data need to be established
To do
1. Obtain list of organizations, departments & process owners in order to prepare
communication
2. Ensure system availability (GRC tool/application)