Risk Advisory
One Team, One Goal - Innovation & Transformation
Practice Leader
- Karan Gupta
- karagupta@spcnc.com
Karan spearheads the TRICS division at SPC, with more than 15 years of experience in the field of Technology, Risk & Integrity Consulting and extensive experience in implementation and consulting for ERP, CRM, HRIS, ISMS, EPS, DMS & PMS. Combining this with his expertise in risk management, SOP development, fraud risk frameworks and anti-money laundering, he and the dedicated Technology team provide end-to-end business strategy and technology implementation advisory to clients within the SPC ecosystem.
SOC & SOX TESTING
SPNX Consulting has been working as an outsourcing partner of various CPA firms and has helped them meet their tough deadlines on numerous assignments. SPNX Consulting has been working actively in the field of SOC/SOX audit for the last 3 years. SPNX Consulting has collaborated with various offshore audit and consultancy firms and is working as their outsourcing partner. We have helped our offshore partners meet their deadlines even in tough situations. We have summarized our experience in the charts below:
OUR APPROACH
PROCESS STEPS
INTERNAL AUDIT & PROCESS REVIEWS
OUR AUDIT PROCESS & PLANNING
The audit risk assessment and a continuous follow-up process are critical to identifying and filtering the processes and flows that can provide measurable benefit to the organization. Audit can deliver increased risk coverage, cost savings and measurable value to the business by identifying and performing audits across the company’s value chain. In our role as the provider of audit services, we aim to:
DASHBOARD
INTERNAL AUDIT & PROCESS REVIEWS
In our role as the provider of internal audit services, we deploy continually updated functional checklists, CAAT, data analytics and data rooms to manage and advise clients on key risk areas, revenue leakages and control lapses, and to assist in business process optimization, data-driven decision making, and the quality and effectiveness of the control environment within the organization.
At SPNX Consulting we perform -
based Internal Audit
INTERNAL AUDIT PLANNING APPROACH
Overview of the approach for risk-based internal audit planning and execution, taking into consideration the significant and material risks for the Enterprise. A good plan is half the job done – and in order to derive value from Internal Audits, it is important that a value-based approach is adopted at the time of planning itself:
INTERNAL AUDIT EXECUTION APPROACH AND METHODOLOGY
Using a top-down, risk-based approach will address the expectations of the management while maintaining efficiency throughout the audit process and meeting the objective of evaluating the design & operating effectiveness of Internal Controls:
THIRD PARTY RISK MANAGEMENT
Outsourcing activities to third parties provides advantages to an organization, but it may also carry various risks. Therefore, NBFCs are advised to conduct a self-assessment of their existing outsourcing arrangements. These agreements are to be brought in line with the Directions as mentioned in the Circular “RBI/2017-18/87 DNBR.PD.CC.No.090/03.10.001/2017-18” dated November 09, 2017.
To ensure sound and responsive risk management practices for effective oversight, due diligence and management of risks, Third-Party Vendor Risk Management (TPVRM) shall be carried out, focusing on identifying and reducing risks relating to the use of third parties.
KEY RISKS ASSOCIATED WITH OUTSOURCING SERVICES TO THIRD-PARTIES
A SUCCESSFUL TPVRM PROGRAM ADDS VALUE TO THE ORGANIZATION AND INCLUDES BENEFITS SUCH AS:
- Improved security
- Increased time savings
- Less redundant work
- Simpler assessments
- Easier audits
- Better vendor performance
- Improved customer trust
- Increased cost savings
- Faster vendor onboarding
- Better reporting capabilities
- Fewer risks
- Fewer spreadsheets
APPROACH AND METHODOLOGY
Implementing an end-to-end TPRM program will:
- Minimize total cost of ownership
- Provide a fast time-to-value
- Deliver information to make the best risk-based decisions
THE SPNX Consulting VRM APPROACH
1. Understanding the procurement policy for vendor onboarding
- Understanding the Procurement policy and the scope of Diligence
- Understanding the agreement with vendors and documents required from vendors
- Understanding the conditions to be fulfilled by Vendors
2. Define objective and prepare plan
- Assess the associated risks and the level of risk
- Define objective of the exercise
- Prepare the Diligence plan and document checklist as per the scope, level of risk and the objective
- Service level Agreement (SLA) Monitoring
3. Gather information
- Gather basic information such as incorporation documents, tax registration documents, shareholding structure, register of directors, etc., on the basis of the checklist
- Gather respective documents to mitigate all the risks assessed in the previous step
4. Validation and Evaluation
- Validate the documents for authenticity
- Evaluate and assess the documents against the parameters, information provided by the vendor, agreement, etc.
- Visit the vendor premises, if required
- Collate the findings and prepare the risk matrix for each vendor according to the scope of work, or update the risk matrix provided by the client (as the case may be)
- Invoice Testing
- Vendor Performance Mapping
5. TPVRM Report
- Prepare the report on the basis of the scope of work, findings and the risk matrix
- Share the report with the customer
IT AUDIT SUPPORT
Companies are highly dependent on Information Technology infrastructure and need to strike a fine balance between implementing advanced IT solutions and mitigating cyber risks at all levels. Our insights and experience, gained through continuous involvement in IT governance projects and IT certification and attestation services, enable us to assist you in project management of major IT changes, as we have seen that it is often of utmost importance to find and implement solutions for particular issues encountered in daily operations, especially concerning cybersecurity and data protection.
THREE LINES OF DEFENCE IN REFERENCE TO IT GOVERNANCE
IS AUDIT
- Application Audit
- BCP/DR Review
- Network/ Cyber Security Audit
- Audit of ATM/ SWIFT Project
- Outsourcing Audit
IT ASSESSMENT & ASSURANCE - SERVICES
Application Audit
EFFECTIVE APPLICATION CONTROLS
A complete review of core applications and delivery channels from an application control and security standpoint.
BCP/DR Review
ADEQUACY OF BCP CONTROLS
Exhaustive audit of the data center and disaster recovery center, and audit of business continuity plans benchmarked against best practices.
Network/Cyber Security Audit
RESILIENT ENTERPRISE NETWORK
Security audit of the entire network infrastructure, including configuration audit of various devices.
Vendor Audit
SECURE VENDOR OPERATIONS
Audit of information systems and the functional and operational aspects of outsourcing activities.