IRIS Intelligence Internal Audit Management System
IRIS Intelligence Audit Management System supports the internal audit function to plan, test, assess and report on the design and operational effectiveness of internal controls. Customisable workflows promote team coordination, while detailed analytics support decision making and drive continuous improvement.
Features
- Web-based Audit Management System
- Customizable Audit Templates and Checklists
- Risk Assessment and Prioritization Tools
- Ability to Add Customer Specific “Custom Data Fields”
- Real Time Reporting and export to Excel / PowerPoint
- Email Integration and Automated Reminders to Ensure Data Remains Fresh
- Automated Integration with Excel, Project and Other Applications
- Dynamic Charts: Control Register, Risk Matrix (Heatmap), Risk Burndown (Waterfall)
- Top of the range encryption and secure access permissions
- Simple, intuitive, easy to use: Configure to match user requirements
Benefits
- Enhanced efficiency through streamlined audit processes and automated workflows.
- Improved accuracy with real-time data tracking and automated report generation.
- Increased productivity by centralizing audit tasks and facilitating team collaboration.
- Enhanced compliance with regulatory standards through customizable audit templates.
- Better decision-making with instant access to comprehensive audit insights.
- Reduced risk exposure through proactive issue identification and resolution.
- Enhanced security with role-based access control and secure document management.
- Seamless integration with existing systems for data exchange.
- Provide secure audit trails for all activity
- Share data across teams through secure database
Pricing
£10 a licence a month
- Education pricing available
- Free trial available
Framework
G-Cloud 14
Service ID
928042516118680
Contact
- IRIS INTELLIGENCE LIMITED
- Nayane Ferreira Huntriss
- Telephone: 020 3286 7857
- Email: info@irisintelligence.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
  - Public cloud
  - Private cloud
  - Community cloud
  - Hybrid cloud
- Service constraints
- None.
- System requirements
  - OS – Windows Server 2022, 2019, 2016, 2012, 2008R2
  - DB – SQL Server 2008R2, 2012, 2014, 2016, 2017, 2019
  - Server RAM – minimum 2 GB free
  - Free hard disk space – 5 GB minimum
  - CPU – minimum 2 cores, 1.4 GHz
  - Can be run on a shared or dedicated server
  - Can be run virtualised if the host machine has sufficient horsepower
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Initial response within 1 working day. Accelerated response times for Security or Level 1 category issues.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Support through email and phone is available from 9 to 6, Mondays to Fridays. 24/7 Premium support for customers with larger teams, or upon premium service subscription.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- The initial default settings of the audit management software leverage the Institute of Internal Auditors (IIA) Standards and are configured to the specific environment of each customer. Users can access a dedicated help site with user documentation, and context-sensitive help within the application. Upon purchase of the software, user training, either face-to-face or online, is provided.
- Service documentation
- Yes
- Documentation formats
  - HTML
- End-of-contract data extraction
- The client will be provided with the underlying SQL databases upon contract completion. Spreadsheet formats of the data can also be produced for client records.
- End-of-contract process
- All data can be extracted via Excel, XML, CSV or SQL Query. General assistance with the extraction process is covered within the maintenance helpline. Import of the data into an alternate system may be subject to additional charges.
Using the service
- Web browser interface
- Yes
- Supported browsers
  - Internet Explorer 11
  - Microsoft Edge
  - Firefox
  - Chrome
  - Safari
  - Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- System available for use on mobile via the browser using responsive design.
- Service interface
- Yes
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- Description of service interface
- Web-based software accessed from any major browser. System is built using the Microsoft stack in ASP.NET using the MVC framework
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- User groups include visually impaired with specific assistive technology integrated
- API
- Yes
- What users can and can't do using the API
- Data export API that can export the data in xls, csv, XML, JSON.
- API documentation
- Yes
- API documentation formats
  - HTML
  - ODF
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- Fully customisable using the standard user interface. Users with administrative permissions can customise the system. System also allows for local administrator access for lower level users to customise only those areas they are responsible for.
Scaling
- Independence of resources
- Each end customer is typically provided with their own service machine to ensure their peak demand is satisfied. Within each instance, caching is used throughout the system to reduce demand on the database and increase the speed of user access.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Instantaneous and historical usage of license pools.
- Reporting types
  - Real-time dashboards
  - Regular reports
  - Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- In-house
- Protecting data at rest
  - Physical access control, complying with CSA CCM v3.0
  - Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Data can be exported to spreadsheet and presentation formats. Users can upload their own templates for additional custom exports. Data Export API with export to JSON and XML. These files can be read directly by external applications such as R, Python, Tableau, Power BI etc.
- Data export formats
  - CSV
  - ODF
  - Other
- Other data export formats
  - Excel
  - PowerPoint
  - XML
  - JSON
  - MS Project
  - Tableau
  - Power BI
- Data import formats
  - ODF
  - Other
- Other data import formats
  - Excel
  - MS Project
Data-in-transit protection
- Data protection between buyer and supplier networks
  - Private network or public sector network
  - TLS (version 1.2 or above)
  - IPsec or TLS VPN gateway
- Data protection within supplier network
  - TLS (version 1.2 or above)
  - IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Multiple options for guaranteeing availability are available, from cold start backup servers to hot mirroring. Typical SLA includes 99.5% availability (>99.9% actual) to allow sufficient time for patches and updates. Updates are made outside of business hours to minimise disruptions. Default settings provide cold backups every 5 minutes, allowing roll back of data with minimal loss. Increased availability and hot backups available on request but may be subject to additional charge.
- Approach to resilience
- Available on Request.
- Outage reporting
- Email alerts.
Identity and authentication
- User authentication needed
- Yes
- User authentication
  - 2-factor authentication
  - Public key authentication (including by TLS client certificate)
  - Identity federation with existing provider (for example Google Apps)
  - Limited access network (for example PSN)
  - Dedicated link (for example VPN)
  - Username or password
- Access restrictions in management interfaces and support channels
- IRIS software employs role-based authorization within the system, where only an identified subset has access to management interfaces.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
  - 2-factor authentication
  - Public key authentication (including by TLS client certificate)
  - Identity federation with existing provider (for example Google Apps)
  - Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- Yes
- Any other security certifications
- US Department of Defence Certificate of Networthiness
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
  - ISO/IEC 27001
  - Other
- Other security governance standards
- Platform security inherited from datacentre (Azure, AWS, etc). IRIS internal processes are fully aligned with ISO 27001 and the CSA CCM standards. We follow the standards for the Microsoft Azure platform set out here: https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ Operational security follows in-house standards based on ISO 27001.
- Information security policies and processes
- Security is taken extremely seriously and is in the direct purview of the IT Director. Staff report directly about security matters and there is a no-blame, report-all approach to security. This ensures that staff have no disincentive to report actual and potential security threats for further action. In this environment staff feel comfortable checking the previous work of other staff members during regular security audits.

  In development, any proposed system changes are thoroughly tested prior to roll out and back-tested against previous iterations. A robust three-tier change control process is in place for any updates or changes to the system. All software development is managed through Team Foundation Server and no changes can be made to the software unless they are logged within Team Foundation Server first.

  We implement the highest possible security standards. In addition to the firewall, the security architecture includes IDS/IPS and SIEM technologies. The combination of these components ensures maximum security against cyber-attack and hacking. IT staff are subscribed to numerous security mailing lists and are alert to new actual and potential vulnerabilities in the underlying operating system and frameworks.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- All changes are tracked using Bitbucket and Microsoft's Team Foundation Service (TFS). No change can be made without being logged and, as all builds and tests are automated, no release can be made without a change being recorded. Everything from initial request to release is performed, and tracked, within Bitbucket and TFS. In the early stages of development, automated builds and tests act as gateways. A final manual test is run before release.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- Staff subscribe to multiple security mailing lists and websites to keep abreast of the latest security vulnerabilities. When patches are released, we update our own systems first. If there are no regressions, we update our production servers. Security patches are typically approved within hours if there are no immediate regressions. If there are, we investigate the scale and make a judgement as to the impact of the security vulnerability versus the scale of the patch regression. This typically happens on the day of release.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Intrusion detection software runs on all servers to monitor for suspicious activity. Anti-virus and anti-malware scans run regularly as well. On detection of a compromise, resolution is the priority and all relevant staff are re-tasked to the job of resolution. Our preferred solution would be to restore from clean backups where possible onto a clean virtual machine, which leaves the original virtual machine free for forensics (in simulations this would take at most an hour).
- Incident management type
- Supplier-defined controls
- Incident management approach
- The preferred method by which users can report events is through their assigned support contact, who will provide up-to-date incident reports throughout the resolution process. The staff have a number of predefined processes, mostly designed to get the customer back up and running as quickly as possible whilst allowing root cause analysis to be performed at a slower pace with no effect on the customer.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
  - Fighting climate change
  - Equal opportunity
- Fighting climate change
- IRIS Intelligence Ltd. supports a number of initiatives in the fight against climate change. This includes:
  - Implementing a green procurement policy throughout our supply chain
  - Climate friendly practices such as encouraging remote working, active travel and ensuring offices are equipped with recycling facilities and energy saving devices
  - Pro-bono support for innovative start-ups seeking to limit and reduce the negative impact of human activity on the environment
  - Direct financial support through monetary contributions that, for example, plant sufficient trees to ensure every IRIS employee is offsetting the carbon footprint of two or more individuals and remove plastic from the Ocean equivalent to two or more individuals. As a result, we are proud to declare that each IRIS staff member has a negative footprint for both Carbon Emissions and Plastic Pollution.

  We are proud to report that our ocean plastics charity partner has been nominated for the Earthshot prize in 2024.
- Equal opportunity
- IRIS Intelligence Ltd. is committed to equal opportunities in employment and service delivery. The policies and practices of IRIS Intelligence Ltd. aim to promote an environment that is inclusive and free from all forms of unlawful discrimination and values the diversity of all people. At the heart of our policy, we seek to treat people equally, fairly and with dignity and respect. IRIS Intelligence Ltd. will take every reasonable and practical step to ensure that no person working for IRIS Intelligence Ltd., all job applicants, former employees, or any member of the public using IRIS Intelligence Ltd.’s premises or services will receive less favourable treatment (direct discrimination) or will be disadvantaged by requirements or conditions that cannot be shown to be justifiable (indirect discrimination) because of; are perceived to be; or, are associated to any of the following:

  We will take proactive steps to ensure that the policy is known to all employees, potential employees, and organisations that we work with. We will also ensure that equal opportunity, diversity, and inclusion is embedded in all our policies, procedures, day to day practices and external relationships.
Pricing
- Price
- £10 a licence a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- 14 day limited demonstration version