CrisMo is our suite of solutions developed to enable GRC @ the speed of Business, made possible by the convergence of tools, experience, knowledge and technology. It adopts a simple process: Standardize, Automate & Manage.
The CrisMo suite consists of the following solutions:
Continuous risk assessment and Monitoring for Business process controls in the SAP environment
Standard risk assessment items are developed based on best practices and our experience of evaluating internal controls in the SAP environment.
Each Risk Assessment item is mapped to its most relevant business process or sub-business process based on our experience and best practices.
To provide one integrated solution for multiple requirements, Risk Assessment items are mapped to several requirements such as SOX, Fraud Risk, ICFR, IFC, etc.
Assessment of Critical Access Rights, including SoD (Segregation of Duties), is based on who actually executed the transactions rather than only on who is authorized to.
How it Works
Relevant table data for the selected business process is downloaded from SAP.
Pre-written data analytics queries are run on the downloaded data to obtain the results.
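The SoD assessment described above flags a user only when that person actually executed both sides of a conflicting pair of transactions. The following is an added illustration of that execution-based check, not CrisMo's own queries: the conflict rules, the SAP transaction codes chosen for them and the execution log are all constructed for this example.

```python
"""Execution-based SoD check over a constructed SAP-style execution log (illustrative, not CrisMo code)."""
from collections import defaultdict

# Assumed conflict rules: pairs of SAP transaction codes that one person should not both execute.
# The pairing is illustrative; a real rule set comes from the organization's risk matrix.
SOD_RULES = {
    "Vendor master maintenance vs. payment run": ("XK01", "F110"),
    "Purchase order vs. goods receipt": ("ME21N", "MIGO"),
    "Goods receipt vs. invoice verification": ("MIGO", "MIRO"),
}

# Constructed sample log: (user, transaction code, document number). Not real data.
EXECUTION_LOG = [
    ("ALICE", "XK01", "V100"),    # created a vendor ...
    ("ALICE", "F110", "PAY01"),   # ... and also ran the payment run -> conflict
    ("BOB", "ME21N", "PO450"),    # created a PO, nothing else
    ("CAROL", "MIGO", "GR450"),   # posted goods receipt ...
    ("CAROL", "MIRO", "INV450"),  # ... and verified the invoice -> conflict
    ("DAVE", "ME21N", "PO451"),
]


def executed_by_user(log):
    """Map each user to the set of transaction codes that user actually executed."""
    by_user = defaultdict(set)
    for user, tcode, _doc in log:
        by_user[user].add(tcode)
    return by_user


def find_sod_violations(log, rules=SOD_RULES):
    """Return {user: [rule names]} for users who executed both sides of a conflicting pair.

    Unlike an authorization-based check, a user who is allowed to run both
    transactions but only ever ran one of them is not reported.
    """
    violations = defaultdict(list)
    for user, tcodes in executed_by_user(log).items():
        for name, (left, right) in rules.items():
            if left in tcodes and right in tcodes:
                violations[user].append(name)
    return dict(violations)


if __name__ == "__main__":
    for user, hits in sorted(find_sod_violations(EXECUTION_LOG).items()):
        print(f"{user}: {'; '.join(hits)}")
```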
Scope and coverage
Critical master data such as Vendor Masters, Customer Masters, Material Masters, Asset Masters, Equipment Masters, etc.
Critical business processes such as Procure to Pay, Order to Cash, General Ledger and Reporting, Hire to Retire, Inventory Management, Plant Maintenance, Investment Management & Project Systems, and the Stock Transfer cycle including Transportation, etc.
IT Tools for continuous risk assessment and monitoring of Information Technology controls.
CrisMo IT is a solution for ITGC / IT Security controls in critical IT infrastructure components such as operating systems, databases and network environments, and is extended to cover SAP Basis controls wherever possible.
Controls are developed based on CIS Benchmarks.
Review of operating systems, databases and network equipment now takes a few minutes instead of a few days.
100% coverage of machines and controls is possible within a fraction of the time required for a manual review of configuration files.
How it Works
Scripts are executed to collect the configuration data as output files.
The output files are uploaded into the application for processing; it can process an unlimited number of devices and generates an immediate report.
Scope and coverage
Operating Systems: Windows, Unix / Linux
Databases: Oracle, MS SQL, MySQL
CrisMo Web Application
Cloud-based application to manage the internal controls and risk assessment framework, testing, and remediation.
Ready-to-configure organization hierarchy that can meet testing and reporting requirements.
Manage your Risk Assessment framework with a repository of controls (the Global Risk Matrix) plus org-element-specific and periodic-assessment-specific controls (the Assessment Risk Matrix).
Plan, manage, monitor, and review assignments based on their status.
Workflow-based approval process at relevant stages such as risk assessment, remediation & compliance.
Access rights that can be restricted on a need-to-know / need-to-do basis using org elements and objects.
Responsibility matrix to define responsibilities at the Business Process, Sub Business Process, and Control Domain level. These are used to define the "Action by" for each recommendation and for notifications.
Reporting to review and monitor the plan, status, pending management replies, compliance, etc.
Risk & Controls Content
You can manage your checklists online in our CrisMo Web App.
Our pre-developed Risk Assessment Matrices can be adopted as a ready-made Internal Control Framework for multiple purposes.
Risk Assessment Matrices are organized by Business Process and Sub Business Process. For example, the Procure to Pay business process checklist is organized by sub-business processes such as PR (Purchase Requisition), PO (Purchase Order), GR / SES (Goods Receipt / Service Entry Sheet), etc.
Risk Assessment Matrices are comprehensive, and Risk Assessment items are categorized into Control Domains based on the nature of the controls, for example Master Data, Configurations, Business Transactions & Critical Access Rights.
These Risk Assessment items are further classified as Informative, Indicative & Inconsistency, based on the type of test conducted.
They are also mapped to parameters such as SOX, ICFR, Fraud Risk, Legal Risk and Internal Audit based on relevance.