
Originally, ARIS Risk & Compliance Manager (ARCM) was developed to support testing activities. The risks, controls and test definitions modeled in ARIS Business Architect (ABA) are transferred into ARIS Risk & Compliance Manager, which combines these data sets to generate test cases. ARIS Risk & Compliance Manager then informs the testers and guides them through the relevant test cases: each control has to be checked for both its design and its operating effectiveness. This is the common business case supported by ARIS Risk & Compliance Manager.

Some customers think differently, though. For them, the control activities are in scope rather than the testing activities: instead of informing testers so they can check whether controls have been executed, the control owners and control executors themselves are addressed. Concentrating on the control owners means making sure that controls are executed in the first place: ARIS Risk & Compliance Manager triggers the control owners, who can then link the control evidence into “control cases” in an audit-proof way.

So far this was an either/or decision: ARIS Risk & Compliance Manager was installed and used either to obtain audit-proof testing evidence or, as described above, to obtain audit-proof control evidence.

Since the beginning of August we have had a customized ARIS Risk & Compliance Manager version running at a customer site that covers both aspects. The risk-based approach was extended with a second kind of definition: in addition to the standard “test definition” that triggers the test cases in ARIS Risk & Compliance Manager, we now also model “control definitions” in ABA, in which we describe the relevant control procedure in detail and define the responsible control owner and reviewer groups. Because the control cases are usually executed before the test cases are generated, we made sure that the control cases belonging to a given control are automatically linked into the corresponding test case that focuses on that specific control. The tester selects a test case and only has to open the provided links in order to track the control result, including its descriptions, and to access the linked evidence (documents).

With this setup we make sure that both control and test activities are triggered and monitored by ARIS Risk & Compliance Manager, in order to demonstrate, for example, an effective Internal Control System.

Tags: GRC