Why Your GRC Software Should Map to Your COSO Framework
Published by maincompcen on July 18, 2017
Growing regulatory oversight, more business complexity, and the increased focus on accountability have led enterprises to seriously consider GRC software solutions. In fact, a recent Deloitte survey reported that roughly 40% of organizations said they were likely to make a major investment over the next 12 months.
COSO’s 2013 update comes as a reminder of the dynamic nature of internal controls and the need for enterprises to have systems in place to stay up-to-date with changes to the framework. After all, the framework enables organizations to effectively and efficiently develop and maintain systems of internal control, which allows organizations to achieve objectives, while adapting to changes in the business and operating environments.
Unfortunately, traditional GRC SaaS options have trouble adapting to regulatory and operational developments at a time when risks are complicated and interdependent and controls are shared across functions. As a result, many GRC solutions are planned and managed in silos, which increases risk for any business. Moreover, running risk and compliance initiatives in parallel takes time and effort to manage, leading to increased costs.
So, as you pursue GRC software solutions, it’s vital to ensure the system you choose has the ability to map to your organization’s COSO framework for the following reasons:
Increased scrutiny and inspections from the Public Company Accounting Oversight Board (PCAOB)
Continuous development of the COSO internal control framework
Interpretation by your external auditor of the above
The true nature of compliance is dynamic and free-flowing, with changing requirements from external auditors, regulators, and the government itself. Ideally, you should strive for a compliance platform that supports your firm’s internal controls process as it changes to meet the needs of the three aforementioned parties.
The COSO Framework emphasizes the need to assess and oversee risks from a holistic perspective. Therefore, the process should sit within a larger framework that uses the information gathered to make decisions about risk responses and monitoring, then feeds the information back into the strategic planning process. This provides true visibility into all risks, mitigating the potential for errors and missed deadlines.
Remember: a primary purpose of GRC software is to automate much of the work associated with documenting and reporting the internal controls most closely related to corporate governance and business objectives.
It is the greater collaboration, increasing regulatory requirements, and lack of uniformity in auditor requests that demand GRC systems be agile in adapting to changes in the business, operating, and regulatory environments. Without the ability to adjust, a GRC system cannot be effective enough for modern internal controls and risk management.