Improving Control Management
Product Strategy and Design | AuditBoard | 2021
Enabling clients to manage their Control Environment in one centralized location
Overview
AuditBoard is a governance, risk, and compliance (GRC) management product suite that helps businesses efficiently conduct and complete audit, risk, and compliance projects. AuditBoard started as a niche project management product called SOXHUB for internal audit teams and has since grown to support related projects undertaken by other teams managing risk and compliance.
Audit teams used SOXHUB to centralize and document business processes, conduct audits, and track issues. Before starting the Control Management project, SOXHUB was built and launched in 2014 and has not seen any major updates since then. While it was capable of handling a small team's needs, AuditBoard needed to scale to support complex use cases and decrease custom implementations. Thus, the new initiative to build a full-service Compliance product would require updated architecture, designs, and workflows.
Role and team
Senior Product Designer
Responsible for the entire end-to-end design and development process, including product strategy, research, design sprint facilitation, information architecture, wireframing, usability testing, visual design, prototyping, and QA.
Project Team
1 Product Manager, 4 Engineers, 1 QA engineer, 7 SMEs (Sales, CAS, Product)
What's a control? 🤓
Control [kuhn-trohl]
noun
1. The act or power of controlling, regulation; domination or command: Who's in control here?
2. A process or a procedure a company uses to reduce the chance of an unwanted risk outcome.
Opportunity
From 2014 to 2020, AuditBoard had reached an enormous growth, both in the number of clients using the software and the complexity of each client environment. In addition, the app had grown from two unique modules to now ten modules, with controls being the common denominator. What once had worked for a smaller audit team managing their controls, now needed to be redesigned to allow the company to scale in order to provide a more robust solution to our clients while working towards a new ARR company goal.
Company & Team Goals
-
Increase platform scalability to expand product offering for complex or enterprise-level use cases (company)
-
Increase Compliance ARR by increasing module adoption (company and team)
-
Improve overall usability of Control Management (team)
Product Constraints
-
Controls module is a high touchpoint for 90% of users since it's the oldest module in the app.
-
SOXHUB was built for one specific compliance framework, SOX, and does not easily support other compliance frameworks due to a rigid data architecture model.
-
A lot of technical implications occur since the Controls module connects to all parts of the app.
Product & Design Strategy
As the Product Design Lead for Control Management, my efforts included:
01
Familiarizing myself with the existing app’s user experience, functionalities, and capabilities.
03
Reinforce the value of user input to Product and Engineering by regularly sharing syntheses and insights from research sessions.
02
Conduct research by establishing feedback and user testing loops to fully understand the users' frustrations with the app, their workflows, and their motivations.
04
Strategize with product and engineering leads on how to address our users’ pain points and how to prioritize those efforts as we build the solution.
1,000+
clients
~15,500
dau
~570,000
controls
User Profile
Internal Audit Teams
Clients' needs vary from one environment to another. An internal auditor's goals may include:
-
Set up control environment in AuditBoard by mass importing my controls
-
Set up a brand new environment in AuditBoard (no prior existing environment)
-
Add an existing control/subprocess/process to an entity
-
Create a new cycle(s), entity(s), process(es), subprocess(es) and control(s) and add to entity
-
If entities get consolidated, merge identical controls into 1 control
-
If a new entity is added, copy one entity environment to the new entity environment
-
Archive a control in an inactive or closed entity
New Constraint & New Opportunity
New Constraint: Internal audit admins have access to all cycles (IT and non-IT), which gives them the ability to edit environments they are not managing (via client feedback).
New Opportunity (Technical): Create a layer above cycles to separate IT and non-IT cycles.
Research
What did the data tell us? It was imperative to understand our client's environments in order to provide a holistic solution to current and future clients.
In collaboration with my product manager, we were able to pull queries that would provide a detailed control environment breakdown. We were able to identify and put our clients into two profile buckets: Non-IT (Information Technology) clients and IT clients.
Non-IT Clients
Usually Internal Audit teams
Control Environment
✅ Fewer Entities (1-5)
✅ Lots of Processes/ Subprocesses (5-25)
✅ LOTS of Controls
IT Clients
Usually Compliance teams
Control Environment
✅ Lots of Entities (25-60)
✅ Fewer Processes/Subprocesses (1-3)
✅ Fewer Controls
User Problems
While the team was very much aware of the bigger company goals and the constraints we were working under, we had to figure out where the breakdowns were occurring in the UX and what to prioritize that would result in the biggest impact on our users today and in the future.
Leveraging internal stakeholders, such as our CS counterparts, who helped us generate qualitative data and looking at quantitative data from Pendo, we uncovered a reoccurring theme around inability and confusion around adding existing controls and creating new controls. Insights on why this was occurring revealed the following:
01
Discoverability
There is too much information available upfront. Where do I start? Where do I go to create a new process, subprocess, or control?
02
Usability
I've found where I want to add a new control but don't see the subprocess/process where I want to add the control. How can I create a new subprocess/process and a new control?
03
Usefulness
When I create a new control, how can I simultaneously add it to other entities in my environment instead of going through the same process for each entity?
Current User Experience
Current UX
Adding Existing Control/Subprocess/Process
Pendo Data & Assumptions
Assumption 1: Users want to create new controls in their environment.
Assumption 2: When users create a new process or subprocess, they usually want to add control(s) to that process or subprocess.
Assumption 3: Users would filter their environment (e.g., find the cycle first, then entity, then process, then subprocess, and then add a control) to include an item in it.
Use Cases
Use Case 1
As an admin, I want to quickly add an existing Control to a Subprocess.
As an admin, I want to quickly add an existing Subprocess and Control to a Process.
As an admin, I want to quickly add an existing Process, Subprocess and Control to an Entity.
Use Case 2
As an admin, I want to create a new Control and add to an existing Subprocess.
As an admin, I want to create a new Subprocess and Control and add to an existing Process.
As an admin, I want to create a new Process, Subprocess and Control and add to an existing Entity.
Use Case 3*
As an admin, I want to map the new Control I've created to other Entities in my Environment.
Considered
As an admin, I want to move a Control/Subprocess/Process from one Entity to another.
As an admin, I want to consolidate a Control/Subprocess/Process between Entity 1 and Entity 2.
* Not part of the original scope
Ideation
Bringing in multiple perspectives and ideating together was crucial in order to capture as many ideas and voice as many concerns upfront. By conducting a Lightning Decision Jam workshop, I was able to include ideas from other designers, product managers, engineers, and customer support stakeholders.
Below are some of the ideas captured during the workshop that afterward were placed into similar themes.
Overview
After the team completed the LDJ workshop, I synthesized the ideas that were generated and was able to initially identify 3 potential options within the first set of explorations.
01
Exploration: What can we leverge that currently exists to ship ASAP?
-
Pros: Low design effort, familiarity with current UX, ship fast
-
Cons: UX is less innovative, visually not as appealing by recycling old components
02
Exploration: What could the UX look like if we didn't have any constraints?
-
Pros: Opportunity to innovate, reduce user cognitive overload as much as possible
-
Cons: Slower release due to more time spent doing research, testing, and developing
03
Exploration: Is there a middle ground?
-
Pros: Introduce a new pattern/UX without overhauling current UX, medium effort on design and dev time
-
Cons: Train user on how to use new feature(s) due to a learning curve
Exploration 01
What can we leverge that currently exists to ship ASAP?
E1 A/B Testing & Findings
Finding 1
Option 1 (modal) was a clear winner out of the three options due to its ability to focus on one task at a time and stay on the page to complete any secondary tasks.
Pros:
-
Reduce cognitive load by keeping UI simple and separate by using a modal
-
It would ship fast, gather feedback, and the team can iterate
Cons:
-
The solution only addressed users wanting to create new controls and not add to an existing list of controls.
Finding 2
Modal would be the ideal direction since the entire control management must be accessed from other app parts.
Exploration 02
What could the UX look like if we didn't have any constraints?
E2 Usability Testing & Findings
Finding 1
Users liked "revealing" what controls were available to add to their environment by exposing unmapped controls. This would be helpful only if users could filter the area within their environment first.
Finding 2
Users were getting stuck in key steps within the user flow, such as triggering viewing unmapped controls and how to create new controls.
Exploration 03
Is there a middle ground?
E3 Usability Testing & Findings
Finding 1
From a technical perspective, the modal UX was the best direction to pursue in order to minimize redesigning the current treeview, scale the experience, and add it to other parts of the app.
Finding 2
5 out of 5 testers said they would happily trade off the current control creation UX with the new modal UX, which would force them always to create a new control.
Finding 3
5 out of 5 users said that creating a new control and mapping it to multiple entities would significantly reduce their time and effort to complete that task by approximately 70%.
MVP Solution
(Not Included: Empty States, Edge Cases, Validation Flows)
High-Fidelity Mocks
Use Case 01
Adding Existing Controls/Subprocess/Process to Environment
Consideration: How might a user quickly locate the area in their environment to which they want to add a control and know which controls are available to add?
Detail 1
Allow users to select the Cycle and Entity they would like to manage within the main page view. This view reduces the user's cognitive load, and better platform performance is supported by rendering specific data instead of all data at once.
Detail 2
Once the Add Control modal is launched, provide Process and Subprocess filters so the user can quickly locate the area in their environment to which they want to add a control and a list of all available controls within the Subprocess/Process they could add.
Use Case 02 & 03
Creating New Controls/Subprocess/Process & Mapping to Additional Entities
Consideration: How might a user quickly locate the area in their environment to create a new control and map to additional entities?
Detail 1
Leveraging the same primary modal, a user can quickly view all available controls and create a new one as needed. This launches a secondary flow that would allow a user to create a new Control if it doesn't exist within the specified section.
Details 2
If the user does not have a Process and/or Subprocess, the user can add an in-line new Process and/or new Subprocess before finally creating the new Control and mapping the Process, Subprocess, and/or Control to additional entities.
User Acceptance Testing & Quality
Since Control Management was a very big project and an important redesign, the team was very methodical in our UAT effort. I created a documented where the team noted discrepancies and prioritized them according to user impact. In addition, a status was provided for each item to support the engineers' efforts in fixing the issues.
Impact & Outcomes
7 clicks v 4 clicks now
⬇️ 43%
Adding existing controls
18 clicks v 10 clicks now
⬇️ 44%
Creating new control
& adding to environment
25 clicks v 12 clicks now
⬇️ 52%
Creating new subprocess + control & adding to environment
35 clicks v 14 clicks now
⬇️ 60%
Creating new process + subprocess + control
& adding to environment
Control Management was released middle of January 2021 and has been met with an overall increase in positive sentiment from the Customer Support team and our users, many of whom report that adding and creating controls was no longer such a complicated and exhausting experience.
Using Google's HEART framework to measure design impact, the team is currently measuring metrics relating to Engagement and Task success in order to evaluate the solution. Since most of the Engagement and Task Success metrics such as effectiveness, time spent on task and error percentage would take some time to measure, today we are able to measure the efficiency of the designs by calculating the average percentage decrease in workflow complexity.
Next Steps
While the team tackled the most common use cases for Control Management, there are outstanding use cases for which the UX needs to be improved. We find these additional use cases to be important, but since my team is focusing on increasing adoption of the Compliance module, we will look to bring the experience we created into the Compliance module to allow admins who don't have access to the settings page to manage their controls.