GRC Envelop is a risk management and audit management software tool. It enables process control managers, auditors and risk managers to document and manage their work. The entire tool is web based and is built using the Python / Django web framework. The idea behind GRC Envelop is to give risk managers and auditors a standard workflow and framework for capturing process details within an organisation. This tool is mainly used for internal and external audits focused on financial, IT, HR and sales processes within firms.
Since this tool has an open source license, it has been listed on a few sites.
Throughout GRC Envelop, the fundamental data structure is as follows:
Processes -> Objectives -> Risks -> Controls -> Tests -> Findings -> Actions
Processes are the basic starting point for the entire tool. Objectives, risks and controls are the most important part that this tool intends to handle. Some organisations refer to this part as the risk control matrix.
Features
- Audit management: There are three basic areas of audit management:
  - Creating audits - Title, description, start and end dates are some of the features that are available while creating an audit. You can also attach work papers to an audit. While creating an audit, you can create the processes, the objectives, the risks, the controls and the tests. At each of these levels you can attach work papers too.
  - Managing and executing audits - To manage or execute an audit, the GRC Envelop tool provides a separate workflow to ensure that auditors can only enter test results and test descriptions. While executing the audit you can create findings and actions. The ability to make control and test assessments is only available in the enterprise version.
  - Report generation - The main use of this tool is to provide easy report generation at the end of an auditing exercise. The report generation template can be modified according to your needs. The community version has only one default report generation template. The enterprise version has the ability to have multiple templates.
- Risk Management: The risk management module provides the basic structure for capturing the risk assessment process and documentation. The module is generally based around ISO/IEC 27001:2013.
  - Risk register: A register is a collection of risks. Registers may be used to group risks in any manner that is convenient to the firm. A register report can be generated to show risk register details and an overview of all the risks and stakeholder opinions.
  - Risk: A risk is a clear definition of some kind of uncertainty that will affect the firm in future. An uncertainty can occur on many different dimensions, for example, financial risk or reputation risk. There are two aspects to consider when modeling risk: likelihood and impact. Likelihood and impact are presented as scales in the risk management module.
  - The risk owner: any user on the system.
  - Risk Opinion: The most powerful feature of this module is the ability to generate a survey link which can be sent to all the stakeholders associated with the risk (or risk register). GRC Envelop will capture all the responses to the survey and present the report based on a template.
  - Risk Summary: The risk summary provides the Risk Manager with an overview of all the responses from the stakeholders. There is a table that provides a detailed view of each stakeholder and their responses. The last row of the table has the average values of the likelihood and impact across all the stakeholders.
  - Report generation: Reports can be generated based on a changeable template. The template can be designed to aggregate the responses in numerous ways.
  - Scales: Scales are to be defined for the likelihood and impact of a risk. Each scale has a numeric range (minimum and maximum values), the units that the scale deals with and the type of scale (whether Likelihood or Impact scale). Each scale has a title and description too.
- Repository: The repository module is a store or library of processes, objectives, risks, controls and tests. The structure under a process group is the same as that in the audit module. However, there are no findings or actions in the repository module.
- Planning: The planning module helps managers to see, in a calendar format, the different audits and resources that are planned for a time period. For example, conflicts in the assignment of auditors can be quickly recognised.
Users and Roles
Restricting users to their areas is an important task for a tool. The community version has only one user type (auditor) whereas the enterprise version has the following seven user types:
- auditor
- audit manager
- risk manager
- repository manager
- internal business user
- external viewer
- system administrator
Licenses
There are two types of licenses under which GRC Envelop is available:
- Open source MIT license (limited features)
- Enterprise license
Releases
- 17 April 2018 - Release version 0.4.1 (community version)
- 24 October 2017 - Windows installers are made available (community version)
- 1 October 2017 - Release version 1.2.1 (enterprise version)
- 15 January 2017 - Release version 1.1.4 (enterprise version)
- 27 September 2016 - Release version 1.1.4 (enterprise version)
- 8 June 2016 - Release version 0.3.2 (community version)
- 30 September 2015 - Initial release version 0.2 (community version)
Source of the article : Wikipedia