Webinar Recording

Recent Trends and Best Practices in Internal Audit Management for Better Business Performance



Kuppinger Cole Webinar recording

Good morning. Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Recent Trends and Best Practices in Internal Audit Management for Better Business Performance. This webinar will be done by me, Martin Kuppinger of KuppingerCole, and by Dominic Perera of MetricStream. The webinar is supported by MetricStream. Before we start, some short information. KuppingerCole is an analyst organization providing enterprise IT research, advisory, decision support, and networking for IT professionals and GRC professionals and others through our subscription services, advisory services and events, and you will find all the information you'd like to, or you might need, at our website or com. Our main event is the European Identity Conference, which is held together with the Cloud 2011 conference from 10th to 13th of May, 2011 in Munich. Like every year, we will have a lot of awards, which are not only identity awards, but also some broader awards, which are more around GRC topics.
There are sponsorship opportunities, and you can now and get your early bird discount, which is well us until the, of March. So have a look at our website id.com regarding this. And there will be a lot of sessions which are around the topics we discuss in this webinar and related topics. So a lot of things around governance and other important things. Some guidelines for the webinar before we start. You are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features and you don't have to care about these features. That's the first thing. We will record the webinar and we will make available the recording usually by the, the next day, so tomorrow, as well as we will make available the presentations as PDFs. So you can directly access the presentations. I can also forward a link to, to the recording and all the other things to share it with your peers. Q and A will be at the end.
So we do like at the webinar. Now we'll do a Q and A session. You can enter your questions at any time. There's a questions area in the GoToWebinar control panel, which is usually at the right side of your screen, and there you can enter the questions. So we will pick them usually at the end; sometimes, if appropriate, we might also pick them during the webinar. My recommendation is to enter the questions when they come to your mind so that we have a comprehensive set of questions available when we are done with the two presentations. Regarding the, so the first part will be done by me. It will be about the paradigm shift in internal audit we are observing, alignment to company strategies, and how enterprise GRC might help. And the second part will be done by Dominic Perera of MetricStream, who will talk about best practices for internal audit management.
So really how to make this work. And as I said, the next thing then will be the Q and a session where you're invited to enter your questions so that we have a lot, lot of things there. So when I look at, at the, the advisories we are doing, many of them are related in some way or other to audit. And usually the internal audit plays a role in it. And what we really observe is that the way internal audit has to act, and also the let's say the expectations to internal audit are definitely changing. So the role of internal audit is changing.
And, and I will start a little bit just talking about what we are observing there and what we've also learned from other sources. So there's sort of a classical part for this, which is around even the classical part for what audit always has start doing is for sure ensuring that compliance regulations are met. The problem is there are more regulations than ever before and are becoming increasingly more. So there are more audits to run than ever before. And there's also an increasing pressure for external, from external parties. I think a very interesting point we observe is that there are more external auditing parties, if you look at finance industry, for example, which really put pressure on the internal audit to ensure that they, we, they fulfill the requirements. And so internal audit has to, let's say, do a lot of things more than they had to do before.
It's really very interesting thing what we are, what we are observing as a change there. Then we have the, let's say, sort of newer requirements. So risk management is becoming a part of everyday business. Risk management is really moving up in the agenda. Continuous controls monitoring becoming increasingly important. So really looking at a broad set of controls. So many of them are, are really very business specific controls, not only financial controls, which are monitored over time. Fraud detection, for instance, gaining momentum, also the ability to, to look at what has happened, what has gone wrong and why has it gone wrong? So that type of things is coming in and there are some other things we try changing. So what I particularly think is, is very important is that the role of, of the auditor is, is not only the auditor's more and more often advisor.
So he has to provide usable, focused information to board and audit committees. I will talk about this information later on, and especially the recommendation part gaining weight above the observation part. So it's not only about observing that there's something going wrong. It's about recommending how to deal with this. And also a lot of internal people, not only the board and the audit committees, but also the, the sort of different business departments are requesting the, the internal audit to say, not only what has gone wrong, but how should we address it? What should we really do? So this recommendation part is really changed the advisory part. And it's also about supporting the business in solving observations of external auditors. So when there's a, when we look at the increasing pressure from external auditors, internal audit is more and more asked about how should we deal with it, how to react on this.
The other thing is, there's more non-financial right now. So it's really non-financial aspects gaining momentum. Think about access controls in IT. So who's allowed to do what, very important, but also think about environmental aspects of governance. So things which are depending on the industry, also very important thing. We have the situation also that that sort of, we have not only not that much more a lone fighter, but it's more really the team player. So internal audit for, for pretty long time frequently has been sort of a lone fighter, being there as the sometimes seen as the bad guys, sometimes seen as not the bad guys, but very separated from others. And right now they have to, to work much more with others. They don't have to do everything, but they have to enable a lot of things to provide the information required by board, by the audit committees and the others.
So it's really about how to ensure that the right information is provided to the ones who need it, accurate and on time. And the other thing which we, we also observe is that there is a lot more about, let's say, the business performance part. So not only we fulfill the specific compliance or regulatory compliance requirement, but we also are able to answer questions which business asks. So delivering more strategic value, supporting business performance, risk mitigation. So what are the risks, how to mitigate them, deeper insight into what happens in the business? So what is going wrong, or where are things we, where, where do we have exceptions to deal with, and the ability as well to quickly analyze these issues in depth. So it's not only about saying, okay, there's a problem, but it's also going, enabling the, the deep dive into this information and, and understanding where business doesn't operate well.
So where business controls aren't met, audit has to provide a view on effectiveness and efficiency of operations and effectiveness and efficiency of all implemented control frameworks and controls. So financial and non-financial. It's for sure as well about reliability of financial reporting. That's a core part of it that has been always a part of it. It's about compliance with laws and regulations, but it's also about early warnings and strong forensics. And I think the first two and the last point are really the ones which are, let's say, changing and gaining momentum and changing the way internal audit works and what internal audit has to provide. And this has to be done continuous, well planned and structured as an auditing. And so not once a year or even less frequent, it's ongoing with a combination of automated and manual controls. So the manual controls are insufficient anymore.
And if you look at many of the, the incidents we have, it doesn't help a financial organization to know some months later, okay, we had a problem there. It's about really looking at these things. And it's also about relying on other, sorry, relying other policy organization to successfully provide information required by the executives and audit committees. And I think we have a question I will cover later on, which is a little bit about where do I draw the borderline between what audit does and what other areas does. And I, I think that will be something I will cover also later in my presentation, but we will pick up the question also later on. So it's also about moving from reactive to preventive. So reactive, ex post, scheduled, infrequent analysis of what has gone wrong, observation, a little recommendation. And right now it's about enforcing detection of exceptions and ensuring that early warning were focus on risks and all that type of thing.
And that has to be done with a lot of different parties. And I think it's very important to understand audit doesn't have to provide every information, audit doesn't have to, to, let's say, deliver every result, but audit's responsible that this could be done. So I think that there's a borderline. C level needs things, and audit has to ensure that this is done. Legal department plays in. And for sure external audit plays in. Then we have internal risk management that has to work correctly. That's part of audit. Controlling, which provides information, but it's important to ensure that the right things are done there. And that's where audit again comes into play. So audit is the one who really ensures that these operational teams who provide information, the controlling, the risk management, the others, work the way we, we need to do it, and that they have the, the sales, the, the technical infrastructure in place to provide what the C level, what the audit committees requires.
So what to audit today? It's business rules mapped to controls. And there, the audit itself is not about doing everything and monitoring, because there we have other things to do, but it's about monitoring the effectiveness, ensuring the effectiveness of defined rules and implemented controls. So ensuring that the right controls are in place, that they are really working, and also working on findings and recommendations. It's IT rules, the same applies here. It's about effectiveness of defined IT guidelines, are they implemented correctly and all the other things, providing these information and ensuring that the right things can be provided to the C level. And I think that's the very important thing. It's focused areas of audit plans are changing. It's so risk management, information technology risk, operational risk, emerging risk identification. The, the, I think the, the, of this thing is to ensure that the, the framework is correctly implemented, that is correctly executed and that the right information, the focused information then can be provided to the C level.
So the right information, what is the information required for the executives and audit committees, looking at exceptions? So what are the things which are different from everyday operations? What should be reported to them? Audit has to ensure that this information is provided. It doesn't necessarily have to ensure that it provides itself information, but it's the one who ensures that the right information is provided. The accurate information is provided so that the right process and controls are in place and are operating correctly, the focused information for the C level, so that the information is filled, however that what is found in raw data and ends up in high level presentations, summaries. And so, so that the right information, the focus part ends up there, focus on the relevant key messages. That's what the C level then finally needs. And that's, it's a consumable information for the, the C level.
So audit is in fact the one who, who ensures that these things are, are properly executed and delivered, the real important information highlighted, things aren't overseen, filtering works correctly, exception focus. That is what, from our perspective, and from what we see in our advisories, from what we learn from a lot of others, is to really look at. So how do we do this? We have usually a lot of tools out there to do some, to provide some of that information. We have a lot of business analytics. We have business, business performance management tools out there. We have business activity monitorings, maybe, out there. We have a lot of specific tools around GRC there, which allow us to do something based on spreadsheet, something based on very specific tools, but we end up with a lot of tools and a lot of options to provide information without really knowing do we cover everything?
Do we provide information the way we really need? Are we allowing the drill on all the other things? And that's where, where then technology comes, and it's about integrations. So move away from point solutions, which are too inefficient to deliver what really business really needs today. Support, on the other hand, drill down, because when you look at exceptions and at highlights, the problem always is what do you present to someone? Do you present a lot of information, a lot of lists, which are hard to oversee for an audit committee and even for a board member, or how do you deal with all these things and, and how do you then allow it to drill down when required? And that's, I think, one of the important things. The second thing is automation. It's not only about automated and manual controls. So having lists, having track lists, having spreadsheets isn't sufficient. You need a good mix of automated and manual controls and automated actions for efficient, quick and focused auditing.
And we have the holistic approach as part, which is integrate business GRC with IT GRC and other areas, provide a platform which supports the specific audit things, which supports integration with the risk management, which allows to understand, do we really meet all our compliance requirements? So one audit environment, not many for many parts of the organization. And from our perspective, the, the thing which is important for, for successful internal audit is not to do everything itself. There are too, so many others out there which really should do a lot of things, but to ensure that this entire framework really works, that you have the big picture of business GRC, which operational risk, manual controls, high level dashboards, the CCM part, which is focused on business process, automated controls, sometimes focused on specific systems, the IT governance part with all of its elements, which really provides detailed information about a lot of things and the systems itself.
So that's, from my perspective, really the thing which has to be in place, and moving forward, it's, it's really about ensuring that all these different parts of GRC. And we have, I think, a very interesting report out there, which is around the GRC reference architecture, where it's important to have a holistic view on all the different parts of it. So the compliance dashboard, the operational risk test versus GRC project test products, and all the other things, to bring these things together, to have one view of these things. It's about really monitoring the activity, it's going beyond having some report to some point of time, providing a business view, looking at exceptions, having an enterprise-wide perspective and being not only a reviewer, and especially, and I think that's really the most important thing, ensuring the tools and processes and methodologies and controls are in place and are properly used, so supporting these things. So I have put together a list of some questions for internal audit, which maybe are, are a good résumé for, for what I've been talking about. So one of the questions: are the processes and controls in place to support all information needs of management and audit committees? Is there a holistic approach across the entire organization? All types of controls in place? Are the controls and processes implemented and operated correctly?
Do you support exception based reporting and drill down to details so that you really can provide, ensure or ensure that the things are provided to the C level, which are required? Are exceptions detected in time and forensics supported? Was not necessarily auditing doing it, but ensuring that it could be done. Is the information flow to executives and audit committees for scheduled, and the information well defined? The process for selecting, aggregating, summarizing and presenting information defined, supported, automated, and audited? So do we ensure from an audit perspective that correct and focused information is provided to the ones who need it? Does the cooperation work correctly with all the different players in this, and the system implemented effectively and efficiently? So does it really work also from a technology perspective, and does it really help, that's the final question, moving the business forward, or is it just showing what doesn't work?
I think personally showing that things don't work never, ever have been, has been sufficient. Right now, I think the expectations are changing and C level expects more emergency, not only say, okay, there's a problem, but that should be a solution. These are the details and that are the real problems. And that, that is a list of things where might some problems might be. And that's what really is strange from our perspective. And so the role of internal audit is changing. And in the second part of this webinar right now, Dominic Perera of MetricStream will talk about how, from his perspective, these things can be addressed. So he will look at a little bit more at doing these things in practice and how to make these things work. So Dominic, it's your turn.
I'm sorry. Hello everyone.
Perfect.
Good morning and good afternoon. Thanks, Martin, for the introduction. Over the next, next part of the webinar, I'll actually take you through the solution perspective of whatever Martin is speaking of, primarily trying to address those 10 questions from a system perspective as to how we actually address it. So the first thing we want to look at is the integrated audit system. So when we are talking of an internal audit system, we are primarily looking at the system being tightly integrated, audit standard, the integration from and risk inventory management perspective to the audit planning and how you actually control the resource scheduling, time, expense management, and how you actually go about conducting the feedback, reporting all the findings, observations to the management and going through the complete review cycle. And then you publish the final report. So this is where we're looking at it, complete integrated internal audit solution, moving away from, from the past where we had point solutions to address some of the key areas. We have now a single solution, which will actually address all of this, again, linked with the enterprise risk and compliance framework to actually get your risk assessments into the internal auditing system so that you can actually target the right risk that need to be audited for the, for the coming years, and also integrated with the other in-house systems.
Again, some of the other key, key capabilities are looking at MetricStream for it to be flexible, scalable, and adaptable to the whole enterprise so that you not have different systems cater to those needs, but you have a single system actually performing all of your internal auditing requirements.
So, so the first part, when, when you're creating, when I actually want to define the whole solution, we look at defining a flexible information model. So we're defining, you have to clearly define what are your areas of compliance, the function standards you're actually catering to. So this would actually vary from an industry, from different organizations, the way you wanna structure your content, but the, the application would support all different relationships that you want to build within the system, whether it's a process and the way the process are related to different risks. The same thing goes with all the controls you want to put in place for, for the risks to be mitigated and the controls that you would actually find during, during your audit execution, which has to move back to your whole inventory system. So this is the whole overall flexible information model that the system provides for you to actually define all aspects of your audit universe or risk universe in the system.
And then looking at risk based internal audit system. The most, most key aspect you look at is the risk profile. You look at this whole inventory and look at the auditable entities that you want to actually consider for auditing. And the key indicator would be a risk profile. You would want to consider audits, which, which are with high risk. So the management would give you a mandate where you want to actually consider certain audits, which are of high risk. So the MetricStream application would actually provide you interfaces or what we call the audit advisors, which will actually display all the high risks that have to be audited for that year. It enables the audit planner to actually consider only those risks which are required for the audit plan. So when we're talking about auditing in the MetricStream application, the auditable entity could be a business unit. It could be a process. It could be an application, it could be project. It could be pretty much anything. You can also audit suppliers, or it can be any aspect of the organization. And the key driver for all of that is gonna be the risk profile. What are the risk you want consider for your audit plan?
So now I'll just get into the core function capabilities of the MetricStream solution, take overall flow of the MetricStream application. When we start the whole process, we are looking at the risk based annual plan where we define what are the auditable entities? What are the different risks you want to plan for audit? And as part of business you would, we help with different advisors, what we call the risk advisor or audit advisor, which gives you information, different forms for you to make a judgment on what are the different aspects need to audit for the next year. And just moving through all the different phases that we look at, we're looking at planning and scoping the whole audit. Then we move into the audit field work. We also have a very strong offline capability to actually take all your audit tasks offline, work on it, and you can synchronize it back with the system.
The same thing goes when you're reporting the issues, you wanna report it internally to management. When as, as soon as you detect any issue at the same time, do not want to wait for the whole complete process to be completed before you escalate these issues internally. And before they roll into the final audit product audit report, which once it is published to the recipients, you want to also track these issues and, and limitations to closure. So you have the complete 360 degree cycle, which, which starts from defining the inventory process, putting in your audit plan. And again, closing the loop by actually tracking these actions and issues to closure. So this is the overall solution flow for the audit management world. And some of the key highlights of the application. We spoke about the audit advisor. We're looking at the highlights that this application is designed for large global companies.
So any number of audit teams, large audit teams can work on it, conducted resource planning, audit management, completely in the system. It has some key capabilities like efficient handling of work papers, offline auditing. We spoke about that. Flexible audit task management, the flexibility to create a task or audit activities and pattern. As in, when you go through the whole audit process, giving you an option to reco the audit. So, so when you go through the whole process, there are different risks. You fail, you then consider well planning the audit. You want to add it at a later date, you can do all of that in the application. And again, we have configurable outputs for the draft and final audit reports based on different divisions within the organization. So you can use the same application for different divisions to, to actually generate those reports in those particular formats.
So when you're actually defining the audit program, you, you would look at the risk library, the auditable entities. We said that it could be a business unit, a process, an application. It could be pretty much anything that you want to audit within the organizations. Look at the audit, the risk library. And then you define the audit universe within that. You define all your audit programs, which actually translates into individual audits within the system. And then we, we support all of these Al milestones, what we call the project management aspect of the audit, work papers. And then finally the draft and the final report. Wait to some these aspects previously, but just to touch upon the three or four stages we look at. The first is the annual planning where you, you map the risk to the audit entities. You, you conduct your risk assessment process as part of it. It's all in the same system.
You do all of that. You scope this risk and, and decide what, what needs to go as part of your audit plan for the next year. And once you get into auditing that particular aspect of it, you actually define the scope, walkthroughs or testing, whatever is required as part of the whole audit project. And then as the final stage, you would actually report all of these, which would actually consolidate into the whole final audit report. So this whole process we're defining is, is completely integrated within the system. Over the next few screens, I'll just take you through some of the screens within the MetricStream application, to just give you an idea of how we've actually configured this whole application to meet to the internal auditing solutions. The audit plan. This is, this is a place where you would actually lay out your whole audit plan, define the key information for the audit.
And for each of this, you, you would define the audit candidates in terms of what are the different audits you want to conduct this year of the organizations they call objects, we call it, it could be a process, a system. It could be an asset, anything, and all the related risks for that. You define the plans. When you want to schedule this audit all the information while defining an audit, then, then we, we, we specifically support advisors forms of actually generating this information for, to help the end users decide what are the auditable entities that need to be audited for that year. So you see that we have the auditable entities listed. You can drill down and go to the next step and look at all the risks that have been mapped, that particular auditable entity. You also define the score. You can look at the scores which are high risk and actually decide that these are the risks you want to consider for, for auditing.
For this year. We pull out from, from, as this is a completely integrated system, we know when was it, last time this auditable entity was audited in the system, and what were the audit years planned. A lot of organizations come and define that if it's a high risk audit, it has to be audited every one and a half year. If it's a medium risk, you want audited every three years. So these definitions can be configured in the system and the system will pull up the report like this, telling you that, okay, this audit was conducted in 2009, it's the high risk audit, so you need to have this audit this year. So all of that information's pulled up in advisors. We have two or three different advisors. One of them is what we call the audit advisor. At the same time, you have another view, what we call the risk advisor, which is just looking at the whole aspect from, from the other angle and then the audit entities.
Yeah, we have, we support all these drill down information. You can look at all the business units or entities in the systems at any point of time, look at the risk, the inherent risk risk, and then see what are the different risks that have been mapped to that particular audit entity. You can drill down, look at all the risks within that particular audit entity, and also see that particular score at that point of time. So you can color code it based on, on your conventions. Like it's high risk, you color coded red. This is something you can configure in the system. And this is probably giving you lot of information to decide for the audit plan as to what needs to go as part of the audit plan.
And, and the next view we're looking at is the ongoing audit view. When, when the audit has get started in the system, the, when you have the in-charge auditor or lead auditor, or the audit manager come into the system, he looks at all these audit projects being defined, and he can conduct parallel tasks. He can create work papers in a very parallel mode. He can actually go and look at all the issues that have been track been rated for that audit. At that point of time, you can look up issues. You can look up at recommendations, and if there are any remediation actions proposed by the auditors, all of that can be viewed in a single place. I look at an audit, I go to the draft issue, issues link, and I can just see all the issues that have been completed or have been actually lower at that point of time. The same time, if there are any critical issues, there's something very serious detected, significant issue.
You want to escalate it to senior management within the organization. You can actually go and send these issues for, for additional reviews within the system. So all of these can be, can happen ly and most of it is supported by configurable flex based on the way you would conduct your audit. So we look at a create task form where I just wanna create a, I wanna test it in controls, whether they're, they're effective. So I can just go create a control test. Then we're looking at the project management aspect of an audit where I can define how this audit should work. So whether it's a restricted audit. So if there is a confidential audit or it's a restricted audit, you can define that in the system, that by defining that you can actually provide a security layer that only the audit team members can actually view that particular audit, instead of all the members within the organization.
At the same time, you can define what are the different templates that need to be used for the final audit report for the notification audit announcement memo, and, and whether you, you want to enable allow the auditors to create their own tasks or work papers in the system. So this is something you can define and also how the whole approval should work, whether you need the lead auditor to approve every task in the system. So all of that is actually configured using the project management form. And as you see, this is actually come from the audit candidates. We have defined in the system from the plan that translates into each audit as part of the audit execution. You can, you have an option to actually redefine the scope of the audit at any point in time, if an audit is planned the previous year, when you're conducting the audit, you've figured out that there are some risks that need to be considered.
So you can actually go through an approval process, add this additional scope, or also de-scope some of the items which are not relevant. So all of that you can do in the system. We support very strong resource management. So at any point of time, the lead auditor can request specific resources he wants for that particular audit. So I can see I'm looking at Ireland and UK as a resource pool, I want two auditors. You can put in a comment saying that I want auditors with these capabilities and also define on which days you need their specific services. So once you do that, this is something which is sent to the resource pool owners. They would look at the audit request or the auditor's request, and they can assign these auditors for the project. So once they're assigned to the audit project, they become part of the audit team.
So this also enables you to generate different reports in the system, in terms of what is the requested time, what is the actual time spent, what are the planned dates or planned target dates in the system versus the actual dates. So all of that can be generated as different reports in the system. We support a strong calendaring function where, when you log into the application, you have a calendar view of all the upcoming tasks and audits for you. This also enables you to support collaborative auditing. You can change the auditor. If there is a task which an auditor is working on and he's out of office, you want to reassign it to him again, or to some other auditor. You can do all of that and also view what are the different audits which are happening in that particular timeframe. So you have a complete month view or a yearly view to actually track.
This also enables you to look at different audits in the system which are happening in parallel. And if you want to actually reconsider some of the audits, at the same time, there are redundant audits, you can actually go cancel audits, advance the audit dates, at the same time also postpone the audit. So all of that is configured in the system. And this view actually helps you look at different audits which are being performed with different teams and the audits which are relevant to you. So we support a lot of color coding to identify the audits specifically where your time is required.
So it's part of the field work. Each of the auditors, when they're working on these work papers, they get all the details of the task which have been assigned, the instructions. At the same time, the audit details, all of that is assigned to the users so they can control it. They can test the controls. They look at the risk name, the control within that. They can provide inputs, whether the control has been designed effectively, or whether it's a key control, and whether you need additional testings to be performed. At the same time, you can also define whether the control is operating effectively. So all of this can be captured within the system. And at any point, you also have an option to add new controls or missing controls in the system. So once you do that, this information flows back to the inventory owners who are actually owning those particular controls of the risk, that there are these new controls which we've identified during field work.
So that provides feedback into the system. You can log findings, recommendations within the system. So you can actually dispose issues at any point in time, if you find some of the issues are actually just observations, but you want to log in the system, but they're not really reportable or issues that you want to track to closure. So you can do all of that, all using a form like what we call the finding issues form, and also at the same time attach documents. So it could be any reference from the library. It could be documents from a document management system, which are MetricStream based, or the document management system. You can upload it into the system, or any file you wanna upload from your desk. So you can do all of that for that particular task. We support a strong offline work paper management.
So you can take all your tasks that have been assigned to you offline. In the offline mode, you can actually go and work on these tasks. And when you come back to the server, you can sync it back to the server. So that's a very key capability. We've announced, right? We support tablets and notebooks. So you can actually take all these tasks, go to the field, talk to the auditors, document all of that. You don't need to have internet connectivity at that point, but when you come back, you can synchronize all of this in the system. And this is something quite widely used by a lot of organizations. And they find that a very useful feature. And these are some of the reports generated on the planned dates versus actual dates in the system. So there are key events.
You track in the system. Based on that, for each of the audits you can generate whether the field work has started based on plan, and you can actually have color coding of the reports. These are different views in the system. So it's an easy visualization to drill down, to look at Assud risk and control. So you look at accounts payable as a process, there are different risks identified, you can drill down to it. And this actually gives you a good visualization for senior management to look at what are the different risks, and also different color coding. We now also support geospatial reporting. So if there are locations identified as part of the audits and each of the risks, you can actually generate reports where you say, okay, in this particular area there are these many risks identified, what are the issues?
What are the medium risk issues? What are the high risk issues? So that's something also, for a global organization, they find it very useful to understand which are the areas where we're seeing the highest risk at any point of time. So these are nice views which are generated in the system, and also the final audit report. The way we actually go generating it, you can configure any template based on your requirement and the system automatically generates the Word document. So this actually saves a lot of time in building and formatting your documents. So you give a pre-formatted document in the system that will actually enable you to generate the complete report automatically using the system. So these are some of the key features that I thought I should highlight as part of the system. And just a couple of points about MetricStream.
The vision of MetricStream is to deliver business performance through integrated governance, risk, and compliance. And to actually meet that vision, we have different solutions we put in place, some of them out of this, where we invented this particular topic, risk management, we have internal audit management, issue and incident management. And I GFC in terms of low market leadership. We serve large global corporations, interest, GRC, and audit offerings. And we are platform, which is the GRC platform technology. That's the platform which we use to enable this whole integrated GRC piece. Analyst recognition: Gartner recognizes us as a leader in the Gartner GRC Magic Quadrant, and Forrester has also recognized us as the leader in the GRC Wave. For more details, you can always visit our website metricstream.com. And if you want additional information, you can just send out an email to info@metricstream.com. Back to you, Martin.
Okay. Thank you, Dominic. And thank you for the information you've provided to our attendees. So we are right now in the Q and A session, and I have some questions here. So I will start with these questions, and if there are additional questions, then we might pick them up as you enter them so that we can do the Q and A later on. So the first question I'd like to pick, I've shortly covered during my part of the presentation where it came in, was around what really is relevant to the C level. I think that's where audit, let's say, comes into play when it comes to what the C level requires. I think the point really is the C level needs to know what are the real problems. So what are the exceptions? What are the real issues? Do we have covered everything?
Do we have our frameworks in place? So are also the processes working and ensuring that this information is provided? Something I've talked about at the end of my presentation. I think that's where things really come in, where it's really about, first of all, providing, let's say, the security or the information to the level that the entire framework is working correctly and is implemented correctly. And on the other hand also providing, let's say, a business view on things. So what does it mean if there is a problem in that area and that area and that area? So that's just to pick up this question. The next question is, and I think it is a very interesting one, because I started with a very, very broad view on those things which have to be provided and then said, okay, internal audit is the one who's mainly not responsible for providing every information, for doing every report.
The question is, where do you draw the line between business performance management handled by controlling and BPM to be monitored by internal audit? So from the perspective of the person who asked the question, BPM is more a controlling task. And I think that's really what I've also tried to express, that it's not a trouble of internal audit to do everything controlling or other areas of the organization have been doing before. It's the trouble of internal audit to monitor that these things are then correct, that the right information is provided, that all these things are working in the way we need it. And we need, let's say, some much more things than have been done before. However, I would say controlling in many cases also is, even today, more focused on detecting where things are going wrong instead of really talking about recommendations on how to change things.
But the line I would draw is really that audit is more the ones who are in charge of ensuring that the entire framework we are operating in is correctly implemented. And then the next question I'd like to pick is from your experience. And maybe before I pick the question, again, please enter your questions so that we have some comprehensive list of questions to talk about within the next few minutes. So the question is here: from your experience, where, or based on which requirements like company size and so on, would you say that establishing an IT audit function would make sense? Some IT aspects can be covered by the internal, by the operation or commercial audit, but what really are determining factors for establishing an IT audit function within your audit department? First of all, I would say IT auditing always has to be a part of the entire auditing function.
So first of all, it's very important not to separate between non-IT audit and IT audits, but integrating these things, because you can't separate, for example, operational risk from IT risks and vice versa. I'd be looking at IT risk because they can affect operations or even might become strategic risks. And we are looking at operational risks. Most of these things are based on IT systems. So we have to have an integrated view on these things. When does it make sense to have a specific IT audit department? I think that really depends on the number of people you have in auditing. So once you have sufficient people there to say, okay, these people are really focusing on the IT aspects, they're very familiar with the IT things, then it makes sense to do it. It also depends for sure.
On, do you have specific requirements? If you look at the financial industry, for example, there are so many very specific regulations which also directly affect IT systems and IT audit that it really makes sense to have a separate function there. However, as I said, it shouldn't be segregated in the way that these are different things. Okay. So just maybe the short answer to the person who asked the question: don't hesitate to directly get in touch with me regarding this question so that we can discuss it more in detail. Another question is, how can one ensure comprehensive audit in a heterogeneous environment? Maybe that's a question where I'd like to start and Dominic might add on some things. I think, first of all, we need to do a comprehensive audit in a heterogeneous environment. And to do that, we need tools which are really built to support heterogeneous environments. Also the control of control things which integrate things. And even today, what I've observed, things are changing, what I've observed is that many of the high level tools we have are very isolated. And I think what we really need are platforms which can integrate with the IT information, which can act control of controls. Dominic, would you like to add something to this?
Yeah. When you're looking at a comprehensive ID solution. So primarily what we have seen in some of our implementations is you want to have a complete view of what needs to be audited. So I think having a comprehensive system in place will actually enable you to do all of that. It will give you a complete view if you want, probably enable something like a five year plan to make sure that every audit entity is audited, say, in a span of five years. So all of that will definitely be much easier if you have a comprehensive system.
Okay. Thank you. And then we have another question. How can we start as new internal audit department and how do we make our team and our planning, from where we can start? So what do you really need to start such a department? I think there were a lot of things in the presentation of Dominic. And I will hand over the question soon to Dominic. What I would say is what you really need to have first is to understand what is the role of the audit department. So what do you do and what do others do? Where do you interact with these others? So think about the BPM or controlling. So you it's audit. What is the role of audit? Where does it intersect? Which information does it have to provide to whom, and which things does it have to look at?
So then the next thing for sure is to implement the controls framework. So what are the controls to have in place? What are the audits to be done? How do they relate to information which is available for market parties, and how is it ensured that the right information is provided to the people above? That's definitely about defining organizations, to define sort of a book of rules or rule sets for policies, for what auditors start doing, and defining these processes, which is some sort of paperwork and organizational preparation work, things which have to be done, which not necessarily should be done in a too complex way, but which you have to work on. And then for sure, it's also important to ensure that you have a technology in place which supports you from the very beginning in providing an integrated view of information to the C level, to the departments you have up there. So the audit committees and all the others, where you can really ensure that all the things are provided in the way we need. So the focused, the correct, and so on, information I've been talking about before. Dominic, what would you like to add to this question?
Nothing much on that, Martin. I just had another question sent to me, so I just thought I'll touch upon that. So there's a question on this whole audit issue management systems. So I think we spoke about the overall audit system. And I think previously we always looked at an issue tracking system as a separate system where you go and log your issues, and an audit management as a separate system. But with the MetricStream integrated approach, you actually would cover all the aspects of an audit issue management. So once the issues have been actually closed, have been actually published to the issue owners to actually work on it, you can actually track these issues to closure in the system. So the system provides you an interface where, once you look at the issues, the auditors who are actually working on the audit project can actually track the progress of these issues and actually be responsible to actually close out these issues.
So things like that are possible in an integrated approach and are supported in the system. So that's something I thought I'd just provide a quick response on. And also the question about the extensive resource management, whether it is required for smaller companies. So in the MetricStream aspect, the resource management comes in as an additional feature for organizations who have a complete structured way of actually requesting and assigning resources to the audit project. But for other organizations who are smaller teams, we have simpler ways of handling it. You can actually go and assign team members to the audit project who actually go ahead and work on the particular audit aspect. So we support both aspects of that, just to take on that. So these are a couple of questions I had received. Martin, over to you.
Okay. I don't have any questions right now. If there are any other questions, please enter them right now so that we can pick up these questions. In the meantime, I'd like just to mention that there will be a lot of additional KuppingerCole webinars, again, on our European Identity Conference, which is around not only identity management, but as well around GRC. And if you look at the agenda, you'll find that there are many, many sessions around GRC issues. So it's definitely worth attending this conference with more than 100 speakers. Okay. Any other questions? So if there are no other questions, then it's up to me to say thank you to all the attendees for listening to this KuppingerCole webinar, and to say thank you to Dominic Perera for working with us in this webinar. Thank you.