In the coming version of ARIS Risk & Compliance Manager 4.0 we have implemented a new functionality called “audit management”. In this article I will give you a preview of what you can expect from it. So let’s see how this new topic fits together with the functionality that is already implemented, and how it works.
So far, the ARIS Risk & Compliance Manager has provided the data for an audit. We already have the modules for test management, issue management, risk management, survey management and deficiency management, which help you to manage and document all the information relevant to an audit. As an auditor you can then check the test results, the risk assessments, the deficiencies and issues, the results of questionnaires and so on. Until now, however, the process of the audit itself was not covered. This will change soon with the new module “audit management”.
Let’s have a closer look at the audit management process. The process of audit management itself is divided into four main processes:
The first step of the process is the audit planning. In this phase the audit and its steps have to be defined and timed, the responsible persons have to be assigned and the scope of the audit needs to be identified. To give a better overview, all this information can be documented within the ARIS Business Architect, which is what I will focus on in this first part of my article.
For the documentation of the audit plan we use the model “project schedule” which is perfect for time-based modeling. The complete methodology with all the new attributes and connections used for audit management is available in ARIS Business Architect 7.2.2.
Here is an example of how it could look:
What you see here is the plan of an example ISO audit. On the left side, in the first column, you can see the persons responsible for the different audit steps, and on the right side you can see when the audit steps are scheduled. The special feature of this model is that you can define the attributes for the time-based modeling; when you then move or scale an object, those attributes are filled in automatically. So you can easily schedule and reschedule your audit steps.
The audit scope can be defined per audit or audit step by assigning an organizational unit, a process, an application system type or another hierarchy element via the “task allocation diagram”. This is important because, after the import of your planned audit into the ARIS Risk & Compliance Manager, you can see all the related data that is needed for the audit, depending on the scope. This means that if you decide to check a part of your organization in your audit or audit step, e.g. the R & D department, the ARIS Risk & Compliance Manager will automatically support you with all the information relevant to R & D, such as issues concerning R & D, test and questionnaire results of R & D and so on.
As mentioned above, after the planning phase your audit plan is ready to start the workflow in the ARIS Risk & Compliance Manager 4.0. The description of how that works will be part of my next article.