From the perspective of the Legal professional, the demand on time and effort can be difficult to capture, organize and manage. Time is, as we all know, expensive. The Onspring Corporate Counsel solution allows Legal teams of all shapes and sizes to manage the requests, reviews and matters.
About Jason Rohlf
As Vice President of Solutions for Onspring, Jason is responsible for designing and developing our solution suite, providing sales support and domain expertise and driving our go-to-market strategy. Leveraging 20 years of Internal Audit, Compliance, GRC, software and consulting experience, Jason helps organizations of all shapes and sizes to solve business challenges, gain efficiencies and work to their full potential.
Entries by Jason Rohlf
IRM vs. GRC: What’s in a name? And what does this all mean? For many it means learning a new language and making old terms taboo. For others it means straddling both sides of the fence. And for others it doesn’t mean very much at all. Jason Rohlf explains.
Each of the primary groups impacted by SOX—Management, Public Accountants and Internal Auditors—has more clearly defined what role they play in the overall process, and this definition has been carefully and thoughtfully refined over time. And while we have reached a much more structured and stable point in the SOX lifecycle, it’s never a bad idea to revisit and refresh our understanding of why this structure works. A big reason why we find ourselves in this more predictable state is that all involved parties have a much better understanding of their specific role in the process.
I believe you’d be surprised at the number of organizations that do not have a fully structured approach to evaluating the effectiveness of their system of controls. Whether their approach is not formally defined and communicated, inconsistently applied and/or inefficiently managed and monitored, they are at risk of not fully understanding whether their controls are meeting their stated objectives or worse, being completely caught off guard by a critical control failure that could lead to much more serious issues. To that end, we offer the following considerations as you evaluate the effectiveness of your control testing program.
While the concept of reporting seems to be pretty straightforward, the term “report” can have a variety of meanings, so I’m always careful to validate my understanding so I don’t veer off in some unwanted direction. After all, reporting capabilities often represent the organization’s A-1 deal breaker requirement.
Organizations stand to benefit from building a standardized control library. Even the simplest data points you capture can become part of a very compelling story about how well (or poorly) your organization is meeting its objectives. And organizing this library in a systematic and structured way allows you to keep that critical knowledge at your fingertips and answer compelling questions at a moment’s notice.
Common supports remain in place, even as regulations and best practices evolve. Remember this as you stand at the metaphorical “ice cream counter of compliance.” The sheer variety and complexity of requirements can be overwhelming, but the core people, processes and technologies you engage to understand and address those requirements remain largely the same.
Your organization must place its primary focus on the execution of the critical GRC processes that have been vetted and validated. That said, as you ride the ebbs and flows of your business, it is crucial to perform periodic assessments of your processes to make sure they’re giving you what you need. Keep in mind that this does not merely involve reviewing your process documentation, making a few tweaks, and calling it a day. Rather, you should focus on asking yourself some tough questions.
Despite the changes that swirl around us each and every day, there are some things that thankfully remain constant. Integrity, focus on the customer’s needs, a desire to solve problems no matter what obstacles present themselves, respect for our fellow humans—these principles have served us well over time and continue to hold up in the present day.
The internal audit profession has long called upon itself to add value to the organizations it serves. It’s not just about performing audits, testing controls and issuing reports. Internal audit is expected to use its unique position within the organization to take the collection of individual pieces and parts and build a comprehensive view of the company and provide valuable guidance on the strengths, weaknesses, threats and opportunities that the organization must navigate in order to succeed.
There is little to be gained by playing this guessing game, outside of additional stress and scrutiny which are already plentiful enough in our lives. But there is good news. Sometimes the byproduct of pain and inefficiency and drudgery is the realization that there must be a better way to do this. And the good news is that there is most certainly a better way. Advancement and improvement, whether monumental or incremental, are always within our reach. As long as we are willing to accept that something is broken, it becomes infinitely easier to fix.
With each release, I make time to analyze the key features and perform updates across our full suite of Internal Audit, Risk Management and Compliance solutions. As I do this, I’ll be sharing my thoughts, ideas and insights here on the blog, if only to help spark ideas for our clients on how they, too, can use Onspring to the fullest.