Alright, the title is a little misconceiving but let me explain. This is golf season and for a hacker like me golf strategy doesn't matter much. I'm not going to play very well no matter how much I plan or strategize. However, for pro golfers, the way they approach a tournament, a course or even a particular hole or golf shot can mean success or failure. You may have heard of Jack Nicklaus, widely regarded as the best pro golfer of all time as he went on to win 18 major championships. Jack says, "golf is a game of strategic positioning your ball on the golf course. The better strategies you execute, the lower your score will be." It also stands to reason that the better you know the course the better your game will be - where the flags will be on the greens, where the sand traps are or the length of each hole. This takes preparation each time you play the game. You play the same course again and again, but it might be different each time due to the placement of the flags on the greens, holes that are opened or are closed, the weather and a host of other factors. In other words, the playing field changes each time.
An age old challenge Internal Auditors face has always been to understand their "playing field", which is the area of the organization they're planning to audit. If Internal Audit has never audited a particular department, business area or IT system before then they have to understand the organization. If Internal Audit has performed audit work in that area before, then they have to understand what has changed since the last audit. This is important because Internal Audit has to be able to properly scope their engagement, perform the most effective audit work and add value (hit the lowest golf score and win the tournament). Basic questions to answer as part of audit scoping are what business processes does the organization perform, what regulations are important for them to follow, what critical information do they maintain and what controls are in place. Again, so much of this changes over time. What further complicates things is a lot of this information is hard to find, unrelated and outdated. The information is oftentimes closely held, kept in separate systems or maintained by different groups. Like golfers understanding their next course or tournament, what Internal Audit needs is a reliable, interrelated and real-time source of this information they can leverage during their annual audit planning or preparing for the next audit engagement.
RSA Archer's Enterprise Management solution offers just this type of approach and real time, interrelated information. It's available not only for Internal Audit, but for Risk, Compliance, Vendor and other groups needing access to this critical information. Think about scoping an upcoming audit engagement and having access to such information as business processes performed by the area you're going to audit, IT applications they use, regulations and policies they have to follow, critical information they produce, etc. - and it's interrelated and real time. What's even better is you'll also see the results of work performed by Risk, Compliance and Internal Audit groups for the area you're auditing, allowing you to see risk and compliance scores and metrics, perform dynamic risk assessment and continuous control monitoring and leverage a host of other analytical procedures and reports. Talk about understanding the course before you play the game!
This may not make for a better golfer, but to Internal Auditors it's so important to have access to better, real-time information to enable them to quickly understand the organization and be confident enough to refine or reduce their scope. This saves time and money, and enables them to achieve their audit plan while using their critical resources on the most value added activities. Is this a challenge for your organization? Let me know your thoughts by emailing me at Patrick.firstname.lastname@example.org