Governance, Risk & Compliance Business Intelligence


My client was a medium-sized building construction company located in New South Wales, Australia.

Problem – Business Need

I had conducted three separate investigations into theft (asset misappropriation). It was clear that the Governance, Risk & Compliance (GRC) internal controls were exposing the business to risk that could be mitigated.


I developed an online self-assessment tool based on the Open Compliance and Ethics Group (OCEG) Red Book. Stakeholders were able to assess the business by answering questions that scored the business against the OCEG benchmark. Reporting was provided via SQL Server Reporting Services (SSRS), and training was provided via LearnDash running on WordPress.


For the investigations I followed the “Fraud Theory” methodology outlined in the Association of Certified Fraud Examiners Manual.

  • Analysed available data – employee records, rosters, job descriptions, financial statements, etc.
  • Created a hypothesis – the “worst case scenario” and listed possible “red-flags” that would indicate the hypothesis.
  • Tested the hypothesis – brainstormed “what if scenarios”.
  • Refined and amended the hypothesis.
  • Conducted interviews – obtained circumstantial evidence, direct evidence, then investigated/interviewed the “subject”.

Following that method we were able to uncover schemes conducted by employees, which resulted in the termination of their employment.

Risk Mitigation

To mitigate the risk of further schemes being perpetrated, we initiated a program to improve the organisation's business processes and internal controls. I was asked to formulate a suitable framework.

I extracted benchmark information from the COSO Framework, the Sarbanes-Oxley Act, CLERP 9 and the OCEG Red Book.

I designed a solution and met with stakeholders to discuss it and ensure it met their needs and requirements.


The solution consisted of a WordPress intranet and an assessment that started with 12 core questions and used conditional logic to expand out to 1440 questions.

Reporting enabled the business to focus on areas of improvement. The LMS enabled stakeholders to access best practices based on established benchmarks.