In my last article I wrote about the methodology in the ARIS Business Architect that we use to plan and document the audit process and all the related data. In this article I will describe how you can use this data within the ARIS Risk & Compliance Manager and which functionality we offer in the new module “Audit management”.
In the ARIS Business Architect you can model all the relevant data of your audit process, such as when the audit starts and ends, which audit steps have to be done, who the responsible persons are and what the scope of the audit is. All this information is then used in the ARIS Risk & Compliance Manager to automatically start the audit workflow.
So let’s begin with the start of the audit. As soon as the start date of the audit is reached, the ARIS Risk & Compliance Manager informs all the responsible persons via email about their tasks and offers a link to log in to the ARIS Risk & Compliance Manager. Each logged-in person can then see and work only on the audit steps he or she is responsible for and has an overview of the status of the subordinate tasks. When the responsible person for an audit step opens it, he/she will find:
- a description of what to do in this audit step
- the time schedule for this step (including when it should be finished, how much processing time should be spent on it and which period is audited) and
- the audit scope of this step.
Depending on the audit scope (e.g. the R & D department), all the relevant data for this scope element will be shown. In our example this could be the issues concerning R & D, risks and their risk assessments, incidents and losses, test and questionnaire results of R & D and so on. With all this information the audit step owner can then decide whether the tested element was compliant, non-compliant or maybe not auditable.
In addition to the different audit step owners, there are the audit owner (who is responsible for a particular audit) and the audit manager (who has access to all audits of a particular client). Those two roles need an overview of the complete audit(s) and the status of the different steps.
Here you can see an example of an audit overview:
On the left side, in the tree, you can see all audit steps including their subordinate steps. In the middle you can see the time schedules of the different steps and who is responsible for each of them, and further to the right the status and the scope of each step.
Another form of an audit overview that the ARIS Risk & Compliance Manager offers is shown in this example:
The Gantt chart shows the planned times for the audit and its steps and, in addition, the actual start and end times. This variance analysis can be very useful for future audit planning and helps to track the audit progress.
Of course there are more analyses available in the evaluation part of the audit management module. Besides that, you always have the possibility to use MashZone to build your own individual MashApps.