How InComm Payments Cuts IT Evidence Requests by 50% with AuditBoard
In our Spotlight on Success series, Amanda Pope, Vice President of Audit and Risk Management at InComm Payments, shares how she’s accelerating her risk management program by making data-driven decisions.
This update builds on our 2021 interview with InComm Payments. Hear how InComm Payments — a technology innovator for prepaid products like gift cards and other payment devices — makes sure they are meeting their industry’s complex regulatory requirements and more, including how the team:
- Mapped regulations to controls with AuditBoard’s CrossComply to discover specific controls that met multiple needs.
- Saved time by engaging issue owners to make their own updates, which is possible due to the intuitive, user-friendly platform.
- Leveraged a single source of record to provide one-click risk management reporting, and began to draw new connections into how issues are correlated.
2021 InComm Payments Success Story:
Tell us a little about your team at InComm Payments.
My team is made up of three different departments. Risk management has five people, with ERM, operational risk, cyber security risk, compliance risk, and vendor risk. Internal audit has eight people and performs IT, operational, and financial audits. Our assurance team has four people and manages all of our SSAE team reporting, PCI certifications, HITRUST certifications, and any other regulatory certifications.
Prior to using AuditBoard, we used SharePoint with Excel documents and Word documents. I saw AuditBoard at an IIA conference and saw the user-friendliness of it. It’s very intuitive, not overly prescriptive, and not too demanding. We wanted something that would be easy to use, and that’s why we chose AuditBoard.
How has using AuditBoard improved the issue management process and reporting?
The biggest efficiencies we’ve seen since implementing AuditBoard have been in the issue management follow-up processes. That click-of-the-button WorkStream process — having users go directly into AuditBoard to make their updates — has been a huge time-saver. We now send out a monthly report of outstanding issues and management action plans to executive leadership. This has driven more oversight of issues and traction on management action plans.
We send out all of our issue management updates to issue owners, and that has them engaged with the tool. They’re starting to see how issues correlate and how we have to show work and evidence of how the issues are being remediated. We use that data to create an enterprise risk management committee deck that goes out every quarter, and we are in the process of moving that to monthly. AuditBoard has made it a lot easier for us to do that reporting, because it’s a click of the button to get the data.
How has using AuditBoard improved your reporting data and read-outs?
In AuditBoard we included a field for an ERM committee update. We have users input a summary sentence that we can include in our update — why we’re behind or why we’re on track. Once we get all of that information, we’re able to pull the reporting out of AuditBoard and drop it into a PowerPoint. This has made it so much easier for us to pull that data in a very efficient manner.
Your business is in a heavily monitored space with a lot of different compliance regulations. What industry-specific needs has AuditBoard been able to help with?
InComm Payments covers financial services, healthcare compliance, lottery and gaming, utilities… and giving people means of paying for goods and services. One of the biggest challenges we face as a company is having so many regulations and guidelines to follow, and we had previously not had a great way of organizing our controls in all of our processes and programs. We were able to do a very distinct mapping between all of the regulations to specific controls and realized we may have one control that meets six or seven regulations, instead of having one for every single regulation.
The biggest efficiency gained is when we implemented CrossComply we were able to lay out all the regulatory frameworks and tie those to our underlying controls. Now we have our controls built out in the SOXHUB, and once we started identifying issues coming out of the assurance or audit work, we were able to tie it back to a regulatory framework. We’re able to view those issues and risks in a different light and really talk about how these could impact our compliance — how our issues and risks can impact our regulation, and how we are complying with it.
How has using AuditBoard strengthened your team’s audit methodology?
I really enjoy using AuditBoard because I believe all the fields that we have to include drive home good audit methodology. AuditBoard helps us have a stronger control environment — and risk environment, as well — and we’ve been able to adapt our risk assessments to be even better than they were before. It’s really pushing us to improve.
What are your future plans for using AuditBoard?
Looking to the future, I’m very excited to have AuditBoard working with us to help drive the conversations around the risk environment that InComm Payments is facing, and how those risks can be mitigated. We want to start using AuditBoard and WorkStream to confirm all of our narratives and our controls and use that to get updates to make sure we have the right information when we go into an audit.