Due in Q1: Enterprise GRC and Internal Audit Solutions, 2023; Market Update and Vendor Landscape

Report in brief

As part of its new approach to governance, risk management and compliance (GRC) research, Chartis has divided the discipline into several sub-sections, to provide more focused and granular insight that mirrors sectoral trends. This report contains Chartis’ view of the market and vendor landscape for enterprise GRC (EGRC) and internal audit solutions. It considers case management and workflow tools, which now cut across a broad range of business types and functions to provide integrated functionality and cross-business visibility.

Key takeaways: market landscape

Internal audit, arguably the foundation of an organization’s risk and compliance function, now serves to maintain regulatory compliance and identify and control risks. Formerly a largely manual process, it has become more data-driven and analytically structured.

New technologies have led to growth in the development of open-source workflow engines. Low-code/no-code development platforms and domain-specific languages now allow organizations to create powerful work engines in a variety of contexts, while supporting an extensive range of databases, core applications and data-input activities. Cloud is having a strong impact, as it allows communication across components in different containers, operational stacks or applications.

Internal auditors have begun using natural language processing (NLP) to process and document information quickly, as well as robotic process automation (RPA), which uses AI/ML to automate the audit function. NLP and RPA work in tandem to pull important information from varying sources automatically, analyze that information and create automated audit reports to inform both business decisions and satisfy compliance requirements.

Key takeaways: vendor landscape

New technology developments have created growth opportunities for many vendors, and the market is evolving away from domination by a select few firms.

EGRC and internal audit solutions vendors historically have fallen into one of the following three categories:

• Application/platform-centric vendors specialize in building sophisticated, well-developed platforms with extensive workflow engines and case management capabilities to provide comprehensive and user-friendly frameworks for controlling and visualizing enterprise risk.
• IT-centric vendors leverage third-party partnerships and open-source programming languages to build platforms and applications that decrease complexity and improve the user experience. These vendors have integrated AI, automation and machine learning into easy-to-use, out-of-the-box platforms.
• Content-centric vendors, primarily professional services firms, build customized technology platforms for their clients, particularly in the internal audit space, where clients are seeking to automate internal audit practices across varying jurisdictions and multiple regulatory agencies.

IT-centric and content-centric firms are becoming major players in the EGRC and internal audit space, once dominated by platform- and application-centric firms. Platform-centric firms are now increasing their analytical capabilities to compete with highly automated and technologically complex vendors.

Chartis believes that the winners in the medium and long term will be vendors that can build workflow tools with strong case management and visualization capabilities, taking an organizational and operational view of workflows. Vendors need to provide a structured framework for workflow orchestration. They also need to employ development languages that enable end users to change, modify and extend the workflow and orchestration capabilities built into their systems. These technological capabilities and components already exist, but the key for vendors is how they package and make them available.

For more information about this and other Chartis reports, in GRC [LINK TO GRC PAGE] and other core research areas, contact us [LINK].