Adapting the Internal Control System (ICS) and keeping track of it is becoming increasingly difficult for executives and risk managers due to supervisory regulations (such as BAIT/VAIT/MaRisk) and increasing complexity within banks and insurance companies, e.g. due to the growing number of service providers.
The PASS GRC Suite includes industry-specific ICS software that helps financial institutions and insurance companies to implement, monitor and comply with the EBA (European Banking Authority) guidelines on outsourcing as well as those on the management of ICT and security risks.
Is it also the case in your company that hectic activity breaks out when the auditors or BaFin/Bundesbank announce a special audit? Audit and IT management hurry to compile the processing status of open items from the last audit, gather information about review meetings with external service providers, and finalize the latest policies and work instructions. The challenge is often that each department keeps the information relevant for audits either in "its own" systems or in Excel lists. This is not only inefficient, non-transparent, time-consuming and error-prone, because no one has an overview of all the information, but also often leads to an audit result that is worse than it would have been had all the information been presented to the auditors in full and on time.
With PASS' ICS software, information can be stored in a structured and centralized way and is available at any time.
Insurance Supervisory Requirements for IT (VAIT) / Minimum Requirements for the Business Organization of Insurance Companies (MaGO)
VAIT / MaGO
- In particular, management assesses whether the company's risk strategy and governance are aligned and consistent with the business strategy and whether the business organization supports the objectives of the business and risk strategy (MaGO 8.2)
- The written guidelines must be reviewed at least once a year using methods appropriate to the risk profile. The reviews must be documented. Findings and resulting recommendations shall be reported to senior management (MaGO 8.3.3)
- Written guidelines shall be prepared for the entire area of outsourcing (MaGO 13.8)
- Risk analysis for IT outsourcing and other procurement of IT services must be performed and demonstrated in advance (VAIT para. 9.1 and para. 9.2)
- Documentation and monitoring of the measures derived from the risk assessment (VAIT para. 9.4)
- Complete, structured contract overview (VAIT para. 9.3)
- Obligation to conduct risk analyses for service providers in the event of significant changes to the risk profile (VAIT para. 9.5)
- Obligation to evaluate and document the procurement of hardware and/or software and support services as outsourcing (VAIT para. 9.5)
- Emergency management and IT emergency concepts taking into account the protection goals (VAIT para. 3.5) and proof of effectiveness (VAIT para. 10.5)
- Evidence pursuant to Section 8a (3) BSIG regarding compliance with the requirements pursuant to Section 8a (1) BSIG can be provided by means of security audits or other audits (e.g., as part of the audit of the annual financial statements) (VAIT para. 11.5)
BAIT / MaRisk
- Assessment of the risks associated with outsourcing (BAIT para. 9.2, MaRisk AT 9 para. 2) and consideration in the overall risk assessment (BAIT para. 9.4)
- Content requirements for the outsourcing contract (MaRisk AT 9 para. 7)
- Complete, structured contract overview (BAIT para. 9.3)
- Central outsourcing register (MaRisk AT 9 para. 15)
- Monitoring of service provision (also through KPIs) as well as regular and ad hoc reviews (BAIT para. 9.3/9.5, MaRisk AT 9 para. 9)
- Implementation and further development of outsourcing management and the corresponding control and monitoring processes (MaRisk AT 9 para. 12)
Linking SLA and KPIs with live data
By linking relevant contract content such as service level agreements (SLAs), operating level agreements (OLAs) or key performance indicators (KPIs) with live data from your production operations, you have an up-to-date view of your service providers' performance at all times. This enables you to manage them better and in a more targeted manner, and to prove this directly and at any time.
Outsourcing Management / Contract Management SLA
With the integration of service provider contracts into the PASS ICS software, you comply with the requirement to maintain an outsourcing register.
- Management of the internal control system (ICS) in one application
- Transparency of processing status at all times
- Collaborative work between Compliance, IT, Organization and external auditors
- External auditors use the application to document their processes for auditing purposes
- Integration of live data from production, SLA monitoring and other KPIs possible
- Additional modules for outsourcing management from requirements of MaRisk/BAIT and MaGO/VAIT are planned
Web-based application with a modern user interface enables company-wide access and collaboration with, for example, internal and external auditors.
Flexible and fine-grained role and rights management for internal as well as external users via LDAP connection.
Referencing to multiple audit standards and regulatory requirements (including ISO 27001, BAIT/VAIT, MaRisk, MaGO, BSI, ISO 9001). Extensible with individual rules.
Extensive reporting and report functions, as well as e-mail dispatch. Ad hoc reporting, e.g. for the processing of monitoring items or findings.
All adjustments, entries and status changes are stored in the solution and can be traced at any time.
Support for the timely completion of audit-related tasks arising from management and control systems.
User-centered interface
The PASS ICS software offers the user a uniform interface and user guidance across all modules, which can be customized individually. For example, users can save their own column settings and filters for each screen and call them up again at any time.
Notification and reminder management
Immediately after logging into the ICS software, each user is shown in their personal dashboard which tasks are pending or overdue.
Status values can be defined separately for each module, and it can be specified which status values are relevant for the notification and reminder management of the ICS software.
The configurable roles/rights system enables fine-grained definition of function-related rights for internal as well as external users in the ICS software. The visibility of risks, checks and measures can be reliably restricted for each user by assigning freely definable scopes.
Flexible adaptation to company-specific requirements
To customize the risk module, numerous options such as intervals and lead times for displaying due processing steps in the dashboard can be adapted to the specific company.
An optionally integrable report generator enables the creation of standard reports and makes them available for retrieval by defined user groups.