The new law
It took some effort, but on 1 January 2023 the Decentralised Audit Chambers Strengthening Act came into effect. This means that municipal executive boards, provincial executive boards and executive boards of joint arrangements independently account for compliance with applicable laws and regulations when establishing the income and expenses and balance sheet changes in the annual accounts. In this way, we are working towards greater transparency between executive boards and municipal councils, whereby the latter will have a better view of improvement measures.
More aware of their own actions
Because these decentralised authorities are given more responsibility, legitimacy will also become more part of the political debate. And that is an interesting development, because this will create more awareness and consciousness within these organisations as to whether the euros spent have actually been spent lawfully. For example, when providing subsidies or when purchasing products to which tendering rules apply. Greater awareness of one’s own actions also fits in with the trend we see within compliance and risk management, where some organizations choose to also decentralize tasks and responsibilities within the organization.
Headaches
The accountant still plays an important role in the whole. He or she still has to issue a truthfulness assessment for the annual accounts. This means that many organisations sit down with their accountant to discuss whether they are testing for legality in the right way. Is the system set up well enough to arrive at a statement? How do we guarantee that? How do we arrive at a reliable result? Does the system provide a sufficient basis? Many organisations are currently racking their brains about this.
The risks of offline
This applies in particular to organisations that carry out their audits ‘offline’, via Excel files, e-mail and SharePoint. Where these tools used to be of great value, it now often appears difficult to gather the often fragmented information within an organisation. With various other options that are available today, these offline tools appear to be outdated. It even makes issuing a legality statement yourself complex and expensive. The reports will also still be created manually. A labor-intensive activity, where real-time insight is not exactly provided. In addition, there is the risk that employees can go work elsewhere and take their valuable knowledge with them. The number of municipalities that work via Excel and struggle with these risks is large. Among them are also cities in the top 15 of the largest municipalities in the Netherlands.
The power of GRC software
Concerns about whether or not they can issue a factually correct justification for legality are causing many local governments to consider switching to GRC (governance, risk and compliance) software. GRC software makes it easier to demonstrate that the control system within the organisation is working – and that contributes to the justification for legality. The software also addresses the risks mentioned above (fragmented information, challenge of decentralised working, labour-intensive, expensive and vulnerable). This is done in the following ways:
- The process is set up and checks are automatically scheduled, without management having to follow up. This promotes decentralised working.
- The work process is set up with a reliable audit trail. This allows you to upload documents with which you demonstrate the legality of a decision. And: you cannot check your own work.
- The software automatically produces reports that are in line with new legislation.
It goes without saying that the time savings and the certainty of good controls increase enormously with this – and that with fewer resources. GRC software does much more than just check the legality accountability. It takes the risk management of an organization to a higher level in breadth. GRC software guarantees laws and regulations, standards frameworks and associated risks and makes them manageable. As an organization, you can always demonstrate which rules, laws and standards frameworks you comply with. Also when it comes to information security, for example. You also make clear what you do not comply with. In this way, you show that you are taking action to improve the organization.
Minimizing risks
Traditionally, control activities within organizations are often data-driven. This means that auditors focus primarily on checking individual data and documents, without looking at the context and the bigger picture of the process.
The advent of GRC software allows organizations to increasingly focus on process-driven control. The software offers the possibility to map the entire process, with a focus on identifying risks and ensuring compliance at every stage of the process. This process-driven approach allows weak points and potential risks to be identified more quickly and proactively acted upon to minimize these risks. Audit and control activities become more efficient and effective, allowing organizations to respond more quickly and effectively to changing risks and regulations.
Essential tool
At a time when compliance and risk management are becoming increasingly important, GRC software can be an essential tool for organizations that want to ensure their accountability for legality. By centralizing information, standardizing processes and improving collaboration between different departments, fragmented information comes together, creating real-time insights to make the right decisions based on facts and data.