Originally, ARIS Risk & Compliance Manager (ARCM) was developed to support testing activities: the risks, controls and test definitions modeled in ARIS Business Architect (ABA) are transferred into ARIS Risk & Compliance Manager, which combines these data sets to generate test cases. ARIS Risk & Compliance Manager then informs the testers and guides them through the relevant test cases, in which each control has to be checked for both its design and its operating effectiveness. This is the common business case supported by ARIS Risk & Compliance Manager.
Some customers think differently, though. For them, the testing activities are not in scope; the control activities are. It is not the testers who are to be informed so they can check whether controls have been executed, but the control owners and control executors. Concentrating on the control owners means making sure that the controls are executed in the first place: the control owners are triggered by ARIS Risk & Compliance Manager and can link the control evidence into "control cases", which serve as audit proof.
So far this was an either/or: ARIS Risk & Compliance Manager was installed and used either to provide audit-proof testing evidence or, as described above, to provide audit-proof control evidence.
Since the beginning of August we have had a customized ARIS Risk & Compliance Manager version running at a customer site that covers both aspects. The risk-based approach was extended with an additional kind of definition: next to the standard "test definition" that triggers the test cases in ARIS Risk & Compliance Manager, we now also model "control definitions" in ABA, in which we describe the relevant control procedure in detail and define the responsible control owner and reviewer groups. Since the control cases are usually executed before the test cases are generated, we made sure that the control cases belonging to a given control are automatically linked into the corresponding test case for that control. The tester selects a test case and only has to open the given links in order to track the control result, including its descriptions, and to access the linked evidence (documents).
With this setup we make sure that both control and test activities are triggered and monitored by ARIS Risk & Compliance Manager, in order to prove, for example, an effective Internal Control System.
Hi Andreas,
I think this is a good improvement, which will surely reduce the number of test definitions, or at least the scope and frequency of the tests to be realised at this customer.
It is quite costly though, and is surely better adapted to compliance projects such as Sarbanes-Oxley than to less demanding internal control projects.
Is this a recurrent need at the customer side?
Regards,
David
Hi David,
this specific setup does need more people using the ARCM, that is correct. The implementation itself is actually not that complicated and time-consuming...
In fact, I had more questions concerning this linkage, and the first project in which we are implementing it now is dealing with the Internal Control System.
Best regards,
Andreas
Hi Andreas,
To use the Control Owner, who may perform the control inspections and associate evidence that the checks were carried out, should a hierarchical structure be defined in the ABA? In this case, should the structures in the ABA be defined according to the Control-Based Approach, right? And then we have to define a Control Manager, Control Owner and Control Reviewer, right? If control is a structure-based approach, do the hierarchical structures for the management of operational risk remain? It is possible to have two defined structures and manage both operational risk and controls, right?
Thank you.
Miguel Leão Guerra