Tip of the Month: BarnOwl Combined Assurance

Did you know?

There are various ways in which BarnOwl can be used to capture and report on combined assurance. This article will show you how to configure and report on Combined Assurance in BarnOwl.

Combined Assurance rating methods in BarnOwl

  1. Within the Risk Management module, control effectiveness ratings can be input (imported or captured) per assurance provider from different lines of defence per period. See point 1 below.
  2. In line with risk and control based auditing, the Audit module allows the auditor to automatically ‘import’ risks and controls from Risk Management specific to the business units and / or processes being audited. At the time of performing the audit, Audit rates the risks and controls independently of Risk Management after performing detailed testing. Once an audit project is closed, the risk manager can compare the Risk Management (1st / 2nd line of defence) ratings (risks and controls) with Audit’s (3rd line of defence) ratings, as well as review any new risks or controls identified by Audit. The risk manager can choose to ‘Accept’ Audit’s risk and control ratings, as well as ‘Accept’ any new risks and controls identified by Audit. On acceptance, the risks and controls are updated from Audit into Risk Management. An audit trail is kept of all changes to the risks and controls (date time stamp, User Id, old value, new value), showing risk and control rating changes (trends) over time by Assurance Provider (line of defence). See point 2 below.
  3. Risk and control self-assessment (RCSA) votes can be sent out to any number of respondents via the BarnOwl web portal (intranet). The RCSA scores are averaged across all respondents for each risk / control in the vote. In addition, a manager can review the risk / control scores before committing them to the database. Reports can be generated by the system showing what was rated by whom (lines of defence) over time periods. See point 3 below.
  4. BarnOwl provides a built-in combined assurance report showing control ratings by assurance provider / line of defence over time periods. Additional combined assurance reports and dashboards can be provided in SSRS (SQL Server Reporting Services) and / or Power BI. See point 4 below.

1. Risk Management – capturing control ratings per assurance provider

Figure 1: Within the risk management module you can capture or import control effectiveness ratings for any number of Assurance Providers from different lines of defence.

2. Audit Alignment – updating Risk Management risks and controls from Audit

In line with risk and control based auditing, the Audit module allows the auditor to automatically ‘import’ risks and controls from Risk Management specific to the business units and / or processes being audited. At the time of performing the audit, Audit rates the risks and controls independently of Risk Management after performing detailed testing. Once an audit project is closed, the risk manager can compare the Risk Management (1st / 2nd line of defence) ratings (risks and controls) with Audit’s (3rd line of defence) ratings, as well as review any new risks or controls identified by Audit. The risk manager can choose to ‘Accept’ Audit’s risk and control ratings, as well as ‘Accept’ any new risks and controls identified by Audit. On acceptance, the risks and controls are updated from Audit into Risk Management. An audit trail is kept of all changes to the risks and controls (date time stamp, User Id, old value, new value), showing risk and control rating changes (trends) over time by Assurance Provider (line of defence).

Figure 2.1: The following example shows Risk Management’s risk ratings (RI, RL, RR) versus Audit’s risk ratings (ARI, ARL, ARR), as well as Risk Management’s control adequacy and control effectiveness ratings versus Audit’s control adequacy and control effectiveness ratings. The risk manager can click ‘Accept’ to update the risk and control registers within Risk Management with Audit’s ratings. In addition, any new risks or new controls identified by Audit can be updated (imported) into Risk Management’s risk and control registers by ‘Accepting’ them:

Figure 2.2: The system message displayed when the risk manager chooses to ‘Accept’ Audit’s risk and control ratings:

3. Risk Management – risk and control self-assessment voting

Figure 3.1: Risk and control self-assessment (RCSA) votes can be sent out to any number of respondents via the BarnOwl web portal (intranet). The RCSA scores are averaged across all respondents for each risk / control in the vote. In addition, a manager can review the scores before committing them to the database. Reports can be generated by the system showing what was rated by whom (lines of defence) over a time period.

Figure 3.2: The results of a vote. Voting can be anonymous or non-anonymous; in the latter case the system shows who voted what. A reviewer / manager can optionally review and override the ratings of the respondents.

Figure 3.3: Double click on the chart icon (in Fig 2.2 above) to see how many respondents voted what per risk (or control). In the example below only one respondent has voted. If many respondents had voted, one would see the spread of the votes in the chart and the average of all the votes per risk / control. The average of each vote is calculated automatically, but can be reviewed and adjusted by a manager / reviewer if required:

Figure 3.4: The RCSA (voting) ratings (average of all respondents, or the reviewer’s rating) can be updated into the live BarnOwl risk and control registers when the vote is closed. Audit trails are maintained for every update to risk and / or control ratings in all registers, showing what was changed, when, and by whom:

4. Combined Assurance reporting

BarnOwl provides a built-in combined assurance report showing control ratings by assurance provider / line of defence within a time-frame. Additional combined assurance reports and dashboards can be provided in SSRS (SQL Server Reporting Services) and / or Power BI.

Figure 4: The example below is derived from the control ratings of the various Assurance Providers (per line of defence) as detailed in point 1 above. The report is exported to Excel; customised combined assurance reports can also be generated using SSRS (SQL Server Reporting Services) and / or Power BI according to client requirements.
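To make the mechanics behind points 2, 3 and 4 concrete, here is an added illustration in Python. It is not BarnOwl code and does not use BarnOwl’s data model or APIs; it assumes integer effectiveness ratings on a 1–5 scale, three constructed line-of-defence names, and constructed control identifiers (C-001, C-002) and user ids. It models a control register keyed by control, period and assurance provider; the RCSA average with an optional reviewer override (point 3); acceptance of Audit’s ratings into the register with an audit-trail record per change carrying timestamp, user id, old value and new value (point 2); and the combined assurance matrix of control by line of defence for one period (point 4).

```python
# Added illustration (not BarnOwl code) of the combined assurance workflow
# described on the page. Assumed: integer ratings 1..5, constructed line-of-
# defence names, constructed control ids and user ids.
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Optional

# Assumed assurance providers / lines of defence (constructed names)
LINES = ("1st line (Management)", "2nd line (Risk Management)", "3rd line (Audit)")


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: what changed, when, by whom, old and new value."""
    timestamp: datetime
    user_id: str
    control_id: str
    line_of_defence: str
    old_value: Optional[int]   # None when the control had no rating yet
    new_value: int


class ControlRegister:
    """Control effectiveness ratings keyed by (control, period, line of defence)."""

    def __init__(self) -> None:
        self.ratings: dict[tuple[str, str, str], int] = {}
        self.trail: list[AuditEntry] = []

    def rate(self, control_id, period, line, value, user_id, when=None):
        """Record a rating; every actual change produces an audit-trail entry."""
        if not 1 <= value <= 5:
            raise ValueError("rating must be between 1 and 5")
        key = (control_id, period, line)
        old = self.ratings.get(key)
        if old == value:
            return None            # unchanged: nothing to record in the trail
        self.ratings[key] = value
        entry = AuditEntry(when or datetime.now(timezone.utc), user_id,
                           control_id, line, old, value)
        self.trail.append(entry)
        return entry

    def accept_from_audit(self, audit_ratings, period, user_id):
        """Point 2: risk manager accepts Audit's (3rd line) ratings into the register."""
        accepted = []
        for control_id, value in audit_ratings.items():
            entry = self.rate(control_id, period, LINES[2], value, user_id)
            if entry is not None:
                accepted.append(entry)
        return accepted

    def trend(self, control_id, line):
        """Rating changes (old -> new) over time for one control and one provider."""
        return [(e.old_value, e.new_value) for e in self.trail
                if e.control_id == control_id and e.line_of_defence == line]

    def combined_assurance(self, period):
        """Point 4: control x line-of-defence matrix for one period (None = not rated)."""
        rows: dict[str, dict[str, int]] = {}
        for (control_id, p, line), value in self.ratings.items():
            if p == period:
                rows.setdefault(control_id, {})[line] = value
        return {cid: {line: r.get(line) for line in LINES}
                for cid, r in sorted(rows.items())}


def rcsa_rating(votes, reviewer_override=None):
    """Point 3: average of all respondents' scores unless a reviewer overrides it."""
    if reviewer_override is not None:
        return reviewer_override
    if not votes:
        raise ValueError("no votes cast")
    return round(mean(votes.values()), 1)


def demo():
    """Walk one period through the workflow with constructed data."""
    reg = ControlRegister()
    reg.rate("C-001", "2024-Q1", LINES[0], 4, "mgr.a")      # 1st line self-rating
    reg.rate("C-001", "2024-Q1", LINES[1], 3, "risk.b")     # 2nd line rating
    # RCSA vote on C-002 with three constructed respondents; reviewer keeps the average
    avg = rcsa_rating({"resp1": 4, "resp2": 3, "resp3": 5})
    reg.rate("C-002", "2024-Q1", LINES[0], round(avg), "risk.b")
    # Audit project closes; Audit rated independently and the risk manager accepts
    accepted = reg.accept_from_audit({"C-001": 2, "C-002": 4}, "2024-Q1", "risk.b")
    return reg, avg, accepted


if __name__ == "__main__":
    register, average, changes = demo()
    for control, by_line in register.combined_assurance("2024-Q1").items():
        print(control, by_line)
    for e in register.trail:
        print(e.timestamp.isoformat(), e.user_id, e.control_id,
              e.line_of_defence, e.old_value, "->", e.new_value)
```

The point worth noticing for anyone building or auditing such a register is that `rate` refuses to write a trail entry when nothing changed, so the trail reflects real rating movements rather than every time a screen was saved, and that the matrix reports `None` rather than a default score for a line of defence that has not rated a control, which is what makes a coverage gap visible in a combined assurance view.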

5. More about combined assurance

https://api.barnowl.co.za/tip-of-the-month/tip-of-the-month-combined-assurance-using-barnowl-risk-management/

https://api.barnowl.co.za/wp-content/uploads/2015/08/Combined-Assurance.pdf

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see www.barnowl.co.za for more information.
