PASS ICS Software – Internal Control System
Managing the internal control system (ICS) correctly
ICS software specially designed for the needs of banks and insurance companies
Adapting the Internal Control System (ICS) and keeping track of it is becoming increasingly difficult for executives and risk managers due to supervisory regulations (such as BAIT/VAIT/MaRisk) and increasing complexity within banks and insurance companies, e.g. due to the growing number of service providers.
The PASS GRC Suite has an industry-specific ICS software and helps financial institutions and insurance companies to implement, monitor and comply with the EBA (European Banking Authority) guidelines on outsourcing as well as for the management of ICT and security risks.
Ensure ICS management
Is it also the case in your company that hectic activities begin when the auditors or BaFin/Federal Bank have registered for a special audit? Audit and IT management quickly try to compile the processing status of open items from the last audit, gather information about review meetings with external service providers, and finalize the latest policies and work instructions. The challenge is often that each department keeps the information relevant for audits, either in "their own" systems or Excel lists. This is not only inefficient, non-transparent, time-consuming and error-prone because no one has an overview of all the information, but also often leads to the audit result being worse than it should be, e.g., when all the information could have been presented to the auditors in full and on time.
With PASS' ICS software, information can be stored in a structured and centralized way and is available at any time.
VAIT / MaGO
- In particular, management assesses whether the company's risk strategy and governance are aligned and consistent with the business strategy and whether the business organization supports the objectives of the business and risk strategy (MaGO 8.2)
- The written guidelines must be reviewed at least once a year using methods appropriate to the risk profile. The reviews must be documented. Findings and resulting recommendations shall be reported to senior management (MaGO 8.3.3)
- Written guidelines shall be prepared for the entire area of outsourcing (MaGO 13.8)
- Risk analysis for IT outsourcing and other procurement of IT services must be performed and demonstrated in advance (VAIT para. 9.1 and para. 9.2)
- Documentation and monitoring of the measures derived from the risk assessment (VAIT para. 9.4)
- Complete, structured contract overview (VAIT para. 9.3)
- Obligation to conduct risk analyses for service providers in the event of significant changes to the risk profile (VAIT para. 9.5)
- Obligation to evaluate and document the procurement of hardware and/or software and support services as outsourcing (VAIT para. 9.5)
- Emergency management and IT emergency concepts taking into account the protection goals (VAIT Tz. 3.5) and proof of effectiveness (VAIT Tz. 10.5)
- Evidence pursuant to Section 8a (3) BSIG regarding compliance with the requirements pursuant to Section 8a (1) BSIG can be provided by means of security audits or audits (e.g., as part of the audit of the annual financial statements) (VAIT para. 11.5)
BAIT / MaRisk
- Assessment of the risks associated with outsourcing (BAIT item 9.2, MaRisk AT9 item 2) and consideration in the overall risk assessment (BAIT item 9.4)
- Content requirements for the outsourcing contract (MaRisk AT9 para. 7)
- Complete, structured contract overview (BAIT Tz. 9.3)
- Central outsourcing register (MaRisk AT 9 para. 15)
- Monitoring of service provision (also through KPIs) as well as regular and ad hoc reviews (BAIT Tz. 9.3/9.5, MaRisk AT9 Tz. 9)
- Implementation and further development of outsourcing management and corresponding control and monitoring processes (MaRisk AT 9 para. 12)
Linking SLA and KPIs with live data
By linking relevant contract content such as service level agreements (SLAs), operating level agreements (OLAs) or key performance indicators (KPIs) with live data from your production operations, you have an up-to-date view of your service providers' performance at all times. This enables you to manage them better and in a more targeted manner, and to prove this directly and at any time.
Outsourcing Management / Contract Management SLA
With the integration of service provider contracts into the PASS ICS software, you comply with the requirement to maintain an outsourcing register.
You can also learn more about outsourcing management with software from PASS in our Finance IT Blog.
- Management of the internal control system (ICS) in one application
- Transparency of processing status at all times
- Collaborative work between Compliance, IT, Orga and external auditors
- External auditors use the application to document their processes for auditing purposes
- Integration of live data from production, SLA monitoring and other KPIs possible
- Additional modules for outsourcing management from requirements of MaRisk/BAIT and MaGO/VAIT are planned
Web application
Web-based application with modern user interface enables company-wide access and collaboration with e.g. auditors or auditors.
Authorization management
Flexible and fine-grained role and rights management for internal as well as external users via LDAP connection.
Generic system
Referencing to multiple audit standards & regulatory requirements (including ISO 27001 BAIT/VAIT, MaRisk, MaGO, BSI, ISO 9001). Extensible with individual rules.
Reporting
Extensive reporting and report functions, as well as e-mail dispatch. Ad-hoc reporting, e.g. for the processing of monitors or findings.
Auditability
All adjustments, entries, status changes are stored in the solution and can be tracked at any time.
Task Management
Assist in timely completion of audit-related tasks from management and control systems.
User centered interface
The PASS ICS software offers the user a uniform interface and user guidance across all modules, which can be customized individually. For example, users can save their own column settings and filters for each mask and call them up again at any time.
Notification and reminder management
Immediately after logging into the ICS software, each user is shown in their personal dashboard which tasks are pending or overdue.
Workflow
Status values can be defined independently for all modules. It can be defined which status values have relevance for the notification and reminder management of the ICS software.
Authorization system
The configurable roles/rights system enables fine-grained definition of function-related rights for internal as well as external users in the ICS software. The visibility of risks, checks and measures can be reliably restricted for each user by assigning freely definable scopes.
Flexible adaptation to company-specific requirements
To customize the risk module, numerous options, intervals, lead times for displaying due processing steps in the dashboard, etc. can be adapted to the specific company.
Report generator
An optionally integrable report generator enables the creation of standard reports and their provision for call-up by defined user groups.
Controls
The control structure of a company can be modeled with up to four hierarchy levels. For controls, referencing to legal requirements or standards is possible. For many areas, content can be provided for a quick start (e.g. ISO/IEC 27001, BAIT/MaRisk, etc.).
Risk Management
The risk module supports a cyclical process of planning, assessing or monitoring, reporting and obtaining management acceptance of opportunities and risks or implementing and tracking control measures.
Policies/Guidelines
With a policy module, PASS ICS software provides document management functions integrated with notification and reminder management.
Examinations/Audits
The audit module supports a cyclical audit process, which supports the involvement of external auditors as well as access to results and documents of previous audits or the exchange of information with the risk module.