Frequently Asked Questions

What is GRC? What is QGRC?

Governance, Risk and Compliance (GRC) software is a core software solution that helps organizations manage their corporate governance processes, risk management processes, and regulatory compliance obligations in an integrated and compliant manner. The purpose of a GRC tool is to create a central framework that enables businesses to achieve their business goals, address uncertainty, and act with integrity.

  • Governance includes ensuring that all strategy, operations, management, control and audit processes are aligned and consistent with the overall strategy, policies and objectives of the business, ensuring accountable, responsible, transparent and fair management for stakeholders. It sets the tone and direction at the top, guiding everything from day-to-day operations to long-term planning. In this sense, internal audit and internal control systems support governance. Integrated management provides added value.

  • Risk Management is a systematic approach to identifying, analyzing, assessing and addressing potential risks that could hinder the company's operations or lead to losses. This includes ongoing monitoring and assessment of financial, strategic, and operational risks to minimize the negative impact they may have on the company's assets and earnings. As a result of identifying, implementing and monitoring the reactions to the risk, the company is protected from financial, operational, legal and reputational losses. At this point, the internal control system provides a holistic and comprehensive approach in terms of risk mitigation strategy. In this sense, when risk management and internal control are managed in an integrated manner, added value increases.

  • Compliance refers to developing strategies and operating in accordance with applicable laws and regulations. It's not just about avoiding legal penalties, it's also about protecting the integrity, reputation and customer trust of the company. Compliance management ensures that business processes, operations, and practices comply with all applicable laws, regulations, standards, and ethical practices. In addition, it aims to ensure that the internal regulations of the company are in line with external regulations and that all regulations are associated with the processes. Process owners have to monitor the change caused by the external environment and take quick action on adaptation-related changes. The units that coordinate this work within the company are also required to coordinate compliance through process management, internal communication and internal control processes.

Q-GRC is a comprehensive GRC tool, combining these three key areas into a single, cohesive platform.

QGRC supports companies' governance, risk management and compliance processes. How does it do that?

    • Establishing, managing and monitoring internal control and risk management processes in companies
    • Facilitating internal audit processes, integrating them with internal control and risk management
    • Process and document-based management of compliance with internal and external regulations
    • Ensuring organization, process management and management of duties / responsibilities in companies

What is the benefit of QGRC to my organization? What will it bring to my organization?

Q-GRC software centralizes governance, risk management, and compliance processes into a single system, breaking down silos and fostering collaboration across departments. By integrating these functions, organizations can ensure that their strategies are consistently implemented at all levels and improve the overall effectiveness of their governance, risk management, and compliance initiatives.

Processes such as internal control, risk management, process management and internal audit under GRC are generally managed independently and disconnected from each other in companies/institutions. Integrating these management systems and exchanging data between them is a very serious problem.

Companies that manage these processes, all over the world and in our country, allocate a lot of resources to the issue and, with great effort, usually develop the integration with in-house solutions or manual methods. Providing this integration with the Q-GRC software solution allows these management systems to be managed from a single point, integrated with each other and with less duplicated effort; in this way, a serious cost advantage, data security, data integrity and enterprise resource efficiency are provided.

  • Improved Decision Making with Real-Time Data and Analytics
  • Cost Efficiency with Process Optimization
  • Consistent Regulatory Compliance and Faster Adaptation to Changes
  • Proactive Risk Management
  • Improved Reporting Capabilities
  • User-Friendly Interface and Customizability
  • Resilience in the Face of Uncertainty
  • Increased organizational agility
  • Creating a Culture of Compliance and Risk Awareness
  • Contribution to ERP Projects Transition or Revisions

What are the technical specifications of QGRC?

  • ERP Integration
  • Azure App Service
  • Active
  • Single Sign On
  • Mail Integration
  • SMS Integration
  • Escalation
  • Ready-Made Web Services
  • Multi-Language Support
  • Wide Parameter Support
  • Bulk Transfer Tools
  • Role-Based Authorization
  • Dashboards
  • Consolidated Reports

In which sectors should QGRC be used, and in which is it used?

It is used in every sector, in particular: Public, Energy, Finance, Telecommunication, Informatics, Insurance, Leasing, Factoring, REIT, Health.

Differences of Q-GRC (How do we differ from our competitors?)

In the crowded market of GRC solutions, Q-GRC differentiates itself by offering a range of features that are both advanced and user-centric, enabling our customers to not only comply with regulatory requirements, but also gain significant strategic advantages.

Embedded Know-How, Methodology and Tool Support

Q-GRC is aligned with international professional practice frameworks and with the standards and frameworks of professional organizations such as IIA and ICI, as well as organizations such as COSO. More than compliant, it includes implementation models, methodologies and tools that comply with these standards. When you receive Q-GRC, it comes loaded with this know-how. In addition, we provide technical support in the installation and implementation of the software, and professional support in the transfer or revision of internal control, risk management and internal audit processes in your company with our consultant and expert team.

Superior Integration Capabilities

While many GRC tools offer integration with ERP systems, Q-GRC stands out by providing seamless integration capabilities with the most common ERP software. This means less downtime and fewer compliance issues for the application, ensuring that your organization can synchronize data between systems without the need for extensive customization or costly IT resources.

In addition, our Q-GRC tool can be integrated with our other software products QDMS, Ensemble and Beam. This will provide additional benefits to our customers, especially those who are already using these products. Apart from data exchange, users who are familiar with the interfaces of these products will have the advantage of intuitive use in Q-GRC.

Advanced Reporting and Analytics

Q-GRC is equipped with superior reporting capabilities that go beyond standard compliance checks. Our tool offers in-depth analytics and visualization capabilities, enabling organizations to understand not only where they are compliant or at risk, but also the reasons and what actions can be taken to mitigate those risks. Customizable dashboards provide executive overviews and drill-downs tailored to the specific needs of various stakeholders, from audit committees to operational managers.

With advanced analytics and reporting capabilities, Q-GRC transforms data into actionable insights. This feature allows you to easily understand complex GRC data and make informed decisions to manage risk and ensure compliance. Regular and ad-hoc reports can be generated to meet the needs of different stakeholders, including regulatory bodies, senior management, and the board of directors, thus facilitating transparency and accountability.

User-Centered Design

Ease of use is at the heart of Q-GRC's design philosophy. Our interface is intuitive, reducing the learning curve and enabling users in your organization to become proficient quickly. This user-centric design extends to mobile platforms as well, ensuring that your team can access critical GRC functions anytime, anywhere, and fostering a consistent approach to GRC management.

Customization and Flexibility

Q-GRC stands out for its ability to adapt to the unique needs of each organization. Unlike many competitors that require organizations to tailor their processes to the tool, Q-GRC can be customized to fit your existing processes, governance structures, and risk management frameworks. This flexibility ensures that organizations don't have to compromise their operational procedures to conform to a predefined software structure.

Proactive Compliance Management

Our software is not only reactive but also proactive. It enables you to make the necessary adjustments to compliance and risk management strategies in a timely manner. This proactive approach minimizes the risk of non-compliance by enabling organizations to monitor regulatory changes and always reflect change in their operations.

Cost-Effective Application

Q-GRC provides a cost-effective application compared to many of its competitors. By reducing the need for external consultants and lengthy customizations, organizations can achieve a faster return on investment. Our transparent pricing model also ensures that there are no unexpected costs that are often encountered in GRC implementations.

Robust Security Features

In the age of data breaches and cyber threats, security is paramount. Q-GRC includes robust security protocols to protect sensitive data. Encryption, role-based access control, and ongoing security updates are just a few of the features that ensure your data is safe and you don't compromise on your compliance with data protection regulations.

Regarding legal obligations: there are obligations on internal control, risk management and internal audit.

In fact, international internal control regulations have been adopted in internal control practices in Turkey. Studies on internal control in our country were carried out by the CMB and the Banking Regulation and Supervision Board (BRSA), and the Public Financial Management and Control Law No. 5018 was enacted. Later, regulations were made for internal control in the New Turkish Commercial Code No. 6102.

CMB Regulations

The evaluation of the internal control structure in the CMB legislation is regulated in the communiqué numbered Series: X, No: 22. This communiqué states that independent auditors have to evaluate whether the internal control structure is functioning effectively.

In the CMB, in line with the Investor Protection Law, it has been made mandatory to establish a committee responsible for supervision. In this context, companies whose shares are traded on the stock exchange must establish a committee responsible for supervision. The audit committee oversees the functioning and effectiveness of the internal control structure of the partnership.

Regulations Made by the Banking Regulation and Supervision Agency (BRSA)

In banks, this function has been described as 'internal systems'. Banks, factoring companies and electronic money and payment institutions have internal control, risk management, internal audit and compliance obligations.

Regulations Made within the Scope of Public Financial Management and Control Law No. 5018

All public institutions (ministries, universities and municipalities) have to establish internal control, corporate risk management and internal audit systems.

Investment Financing Decree

SOEs are obliged to establish internal control, enterprise risk management, internal audit systems according to the investment financing decree.

New Turkish Commercial Code No. 6102 (TCC)

In the Turkish Commercial Code No. 420 (TCC), which was published in the Official Gazette on 14.02.2011 with the Law No. 6102 and started to be implemented on 01.07.2012, mandatory rules have been introduced for joint stock companies to be structured on the basis of Corporate Governance Principles.

In order to ensure better management of companies, TCC No. 6102 stipulates the necessity of an effective internal control structure and internal audit in companies and introduces regulations to encourage the establishment of internal audit units.

In order to ensure institutionalization in TCC No. 6102, the Early Detection of Risks Committee, the Corporate Governance Committee and the Audit Committee were established.

In summary: in the TCC, internal control, risk management and internal control are mandatory in publicly traded companies. In joint stock companies, it is left to the decisions of the companies' own board of directors within the scope of compliance with corporate governance principles. However, in any case, the TCC wants the risks to be identified. In cases such as foreign investors, internal control, risk management and internal control systems are questioned.

Is QGRC compliant with COSO, SOX, IIA and ISO 31000 standards?

QGRC focuses on areas that have international standards and are mandated by legal regulations: enterprise risk management, operational risk management, internal control, internal audit, compliance with legislation/policies and procedures.

The standards we aim to comply with are:

  • COSO Internal Control Framework
  • COSO Enterprise Risk Management Framework
  • ISO 31000 Standards
  • IIA Internal Audit Professional Practice Framework (Standards)

The legal regulations we aim to comply with are:

  • Public Internal Control Standards
  • Guide to Government Enterprise Risk Management
  • Sarbanes Oxley (SOX)
  • CMB Regulations
  • TCC Requirements

We take a Model-To-Execute approach to ensure that organizations comply with the above standards, because automating GRC (or internal control, enterprise risk management and internal control) is not just a matter of technology. In order to take full advantage of automation in this regard, methodology challenges need to be overcome. Q-GRC's Model-To-Execute approach provides organizations with all the technical functions and methodology proposals needed in Internal Control, Operational Risk Management, Enterprise Risk Management, Internal Audit and Compliance within the scope of GRC strategies in accordance with international standards, because we want to make internal control, operational risk management, enterprise risk management, internal audit and compliance requirements applicable in the right way at once with an integrated solution. Q-GRC has developed a holistic Model-To-Execute approach that combines methodology and technology.

How long does it take to make a profit?

With QGRC, you manage your big risks, prevent big losses and leaks, prevent abuses and protect your reputation. These are invaluable...

It starts to show its effect in 6 months.

You will get a return on your investment within 1.5-2 years.

What modules does QGRC consist of, how is it used, why is it important?

BASE MODULE: (Q-GRC Server)

  • What it is: It is the core module that provides the necessary infrastructure for Q-GRC to run. Modular-based arrangements are made. Used by System Administrators.
  • How to Use: Only available to system administrators. Definitions, Configuration Settings, and Reports menus are included. Authorizations are defined through the Definitions menu and HR data is included. Through the Configuration Settings menu, changes are made throughout the application as needed. Application usage reports and log information are available through the Reports menu.
  • Why It's Important: All modules work on and with the base module. Technical specifications and system changes are made through this module.

POLICIES AND PROCEDURES:

  • What it is: Within the Q-GRC System, it ensures the management of all processes such as initial preparation, revision, cancellation, review, control and approval of the administrative documents of the institution, such as policies, procedures, instructions and job descriptions, which are necessary to keep the system operational.
  • How to Use: A special folder tree structure is created according to the organization and document system of institutions and organizations. Authorizations are made folder-wide or document-specific. Preparation, revision and cancellation operations are carried out within the authorization. A reading task occurs for the published documents, and at the same time, the system sends a notification by e-mail.
  • Why It's Important: Documents need to be monitored and managed for the effective operation of process-risk-control management components within Q-GRC. There is a search feature for the document list and within documents. The review process is carried out periodically. Revision information of documents can be easily followed. By associating documents with processes, document revisions are automatically reflected in the processes.

ACTION PLANNING:

  • What it is: Within the scope of Q-GRC, it is the module in which risk treatment action plans that arise as a result of risk assessment processes are implemented and the relevant tasks are defined: the person who will do the job and the responsible person are determined, the deadlines are given and the work done is followed.
  • How to Use: An action plan is created for the work that needs to be done. Relevant actions are defined in the created action plan. For these actions, the person who will do the work, the responsible person and the deadline are determined. Relevant users are informed by e-mail. Closure confirmation may be requested to check completed actions. In addition, the system notifies the senior management of the delay for overdue actions.
  • Why It's Important: It works integrated with Internal Audit, Enterprise Risk Management, Nonconformity Event Notification modules. In this way, the necessary actions to improve and resolve the findings arising from internal audit, threats or risks are easily planned and followed. Action owners are informed, reminded before the deadline and delay notified after the deadline. There is also a periodic and covert action feature.

INTERNAL AUDIT:

  • What it is: It is a module that enables process and risk-oriented internal audits to be carried out and necessary measures to be taken for the findings. It works integrated with the Action Planning module. It is a module related to the processes and risks of the institution. Internal audit results can be reported.
  • How to Use: Control tests related to controls are defined in the system. At the same time, the risk priorities of the processes can be monitored through the audit universe according to the determined criteria. The processes to be audited are determined and an audit plan is created. The system automatically initiates an audit task with the controls and control tests related to the processes selected in the audit plan. When the audit is carried out and the auditors enter the control test results into the system, the audit report and the related findings and actions are created in the system.
  • Why It's Important: It allows organizations to make preliminary preparations before the audit. If there are findings, it ensures that the inspections carried out by the authorities are successful by taking the necessary measures in advance. Since a relationship is established between controls and control tests, it can be seen how effective the institution's controls are.

RISK NOTICE:

  • What it is: It is the module that enables the relevant measures to be taken by notifying the incidents and non-conformities related to operational/compliance/financial and strategic threats in the institution. It can be associated with documents, processes. It works integrated with Action Planning modules.
  • How to Use: Risk Notification is made by the relevant employee by filling out the form through the module in Q-GRC. After the form is filled, actions or corrective actions are defined by the relevant responsible persons within the workflow to be defined specifically for the institution. The process is completed by obtaining the relevant controls and approvals.
  • Why It's Important: The standard risk disclosure form is readily available in the system. This enables the incident-nonconformance reporting process to be used quickly and effectively. Control approval and e-mail notification can be made at all desired steps, which allows stakeholders in the process to obtain information about the process.

PROCESS RISK MANAGEMENT

  • What it is: It is the module that enables the identification, analysis and evaluation of these threats and risks through existing controls, taking measures depending on the risk level, reviewing, revising and reporting for all situations that affect the strategy, mission, vision of the institution or pose a threat.
  • How to Use: A ready-made risk assessment method is installed in the Q-GRC Process Risk Assessment Module. Its fields are populated for the risk assessment record. Inherent risk and residual risk calculations are automatically performed by the system. Depending on the level of risk, measures/actions are planned, and the risk is revised after the measures. The review process is applied periodically. Control and approval processes are used in accordance with the structure of the institution.
  • Why It's Important: It can be associated with legislation, process, document, control. View or transaction authorization can be granted on a per-user basis. A risk-dependent control or approval hierarchy can be constructed. A mandatory or automatic precautionary warning system can be established for certain risk levels. It has unlimited parametric field support.

PROCESS MANAGEMENT

  • What it is: It enables all business processes within the organization to be easily drawn in the digital environment with the drag-and-drop method. It is a module that not only designs processes but also handles them together with all their stakeholders, such as Input-output, Source, Documentation, Risk, Responsible, Controls, etc.
  • How to Use: With BPMN 2.0 support and the drag-and-drop method, you can easily create process models digitally on the web-based drawing screen. In addition, the risks and controls on the process board are automatically integrated from within the relevant modules within the scope of Q-GRC, providing an integrated environment.
  • Why It's Important: Process Management is one of the most important steps of GRC studies. Both the current status (as-is) and the to-be versions of all processes belonging to the institution can be determined, thus supporting process improvement studies.

Do you have a demo address where we can access the QGRC app?

Our QGRC application has a "demo" system. It can be accessed with any browser, at the following address. You can request the demo login information from the sales manager.

Address: http://qgrcdemo.bimser.com.tr/

Does QGRC work on console or browser?

The application is web-based and works on all browsers. No additional programs will be installed on your computer.

Is there a QGRC mobile app?

You can download the QGRC app for free from stores such as the Apple App Store or Google Play. Mobile licensing with the app will also be available for free.

Is QGRC installed on our servers or yours?

The application can be installed on-prem (on your servers in your institution) or on a cloud server (private cloud) to be provided by you. In the near future, it will be possible to install it in its own cloud environment provided by Bimser.

Does the QGRC app have cloud support?

Currently, the QGRC application can be installed in a cloud environment provided by our customer. It is also installed in the cloud environment provided by Bimser.

Do we have the option to rent the application?

Yes, we have the option to rent. In the rental option, you also do not pay maintenance money.

Do we own the licenses? Or is it a timed purchase?

You have two different licensing options: perpetual and lease (temporary, term-based). In perpetual licensing, you can use the license without any time limit by paying the license fee at once. The warranty period for this type of license is 1 year. After 1 year, our customers can continue to receive support by making a Maintenance and Version Update Agreement if they wish. In Term Licensing, our customers pay the license fee for the duration of the solution. At the end of the commitment period, they can stop using the solution at any time.

Do I need a user license?

A user license is required to use Ensemble. The Ensemble license fee only covers the active user license.

Which users are included in the license?

A license is requested for users who will add data into the system and be in an infrastructural setup.

For example: preparation, revision, opinion, control or approval of Policies and Procedures requires a license. A license is not required for e-mail notification, reminders, reading process, access, writing and reporting. You can contact Bimser for detailed information.

Can we draw with BPMN icons in Process Management?

Yes, you can.

How is Process Management different from Visio?

Processes that are created statically in Visio are managed more dynamically with all process stakeholders in QGRC Process Management. The users related to the process are included in it through the control, opinion and approval mechanism in QGRC Process Management. At the same time, process distribution and revision tasks are automatically assigned to the relevant users. In addition to the creation of corporate rules, QGRC Process Management ensures that stakeholders such as risk, control, opportunity, documentation, resource, input-output and performance indicator are included in the process while performing process activities. With the integrations to be made, you can instantly monitor the data on the process models with the TDA feature. You can assign performance indicators for the created process models, set targets for the indicators, and perform measurement activities with the data you obtain manually and/or with integration. With the data obtained, you can also manage improvement activities.

Is version (revision) information kept by the system in Documentation and Process Management?

Yes, revision history is kept, comparisons are made, and it can be reported.

Can we do bulk transfer for Policies and Procedures?

Yes, there are bulk transfer tools.

Can we prepare policies and procedures on the application interface?

Yes, you can carry out your document operations by uploading them, either in the application interface or on the desktop.

Which databases can we integrate with?

Data integration can be achieved with all databases.

Is SQL licensing owned by Bimser?

SQL licensing is the customer's responsibility.

What are the system requirements?

System Requirements

  • Server Processor: Min Intel Xeon 4-core processor
  • Server RAM: Min 32 GB, 64 GB (recommended)
  • Server Operating System: Windows 2016 or higher 64 Bit (minimum)
  • Web Server: IIS7 or later
  • Framework: Microsoft .NET Framework 4.8
  • Database: MS SQL Server 2016 or later (minimum); ORACLE 12c or higher (minimum)
  • DB Disk Space: Min 100 GB, recommended 200 GB
  • Application Disk Space: Min 50 GB, recommended 100 GB