When looking for a GRC software, how much would price affect your decision? Would you try a free open source, but reduced feature software?

An interesting comment on the Norman Marks blog asks why you would stick to a fixed set of features rather than look for “á la carte” GRC software. At what “point” would you choose product that covers a fixed feature set over a pick-and-choose approach to software or visa versa?

The GRC Envelop is a risk and audit management tool that is web – based and has risk and audit work flows. To answer the price issue, GRC Envelop tool is available in 2 licences: an open source licence and an enterprise licence. The open source licence is referred to as the community version. The enterprise licence is refer to as the enterprise version. The enterprise version has commercial support and many additional features to help with risk and audits. Please take a look at the feature list to decide which one is better for you.

GRC Envelop tries to blend the price and feature set issue by the classic software design of breaking the tool into modules. For example, the risk management module that can be swapped for another risk management tool, using APIs provided.

Audit and risk management tools are quite common in the enterprise, and they help structure the audit work flow, maintain a common repository of audit/risk related information (such as objectives, risks, controls, and tests) and manage the people around the audit/risk activities. Assuming we look at audit management for now, there are four basic areas for every audit management tool should have:

1. Creating audits – Title, description, start and end dates are of some of the features that are available while creating an audit. You can also attached work papers to an Audit. While creating an audit, you can create the processes, the objectives, the risks, the controls and the tests. At each of these levels you can attach work papers too.
2. Managing and executing audits – to manage or execute an Audit, the GRC Envelop tool provides a separate workflow to ensure that auditors can only enter test results and test descriptions. While executing the audit you can create findings and actions. The ability to make control and test assessment is only available in the enterprise version.
3. Report generation – the main use of this tool is to provide easy report generation at the end of an auditing exercise. report generation template can be modified according to your needs. The community version has only one default report generation template. The enterprise version has the ability to have multiple templates.
4. User management – Restricting users to their areas is an important task for a tool. The community version has only one user type ( auditor) whereas the enterprise version has 6 user types (Audit manager, auditor, external viewer, internal business user, repository manager and risk manager)

The GRC Envelop provides all these basic areas. Paid support is also available for the community version. The community version has to be downloaded and installed on your machine or server. The enterprise version can be run on your servers or hosted on a public server. Please take a look at the feature list to understand which version will be most suitable for your use. Here are a few questions that we’d like to pose:

1. Do you think there are other basic areas that was missed out?
2. How would you define if a audit tool is easy or complex to use (steep learning curve)? The time it takes to learn a tool is one aspect, what else affects complexity?

Let us know in the comments below.