Auditing and Providing Assurance on a GRC Capability
The mounting pressures on modern business are leading many organisations to improve their risk management and compliance functions. This new emphasis on more formalised and integrated governance, risk management and compliance (GRC) effort has led many audit professionals to ask:
What are established criteria against which I can audit a GRC capability?
What specialised skills or certifications are necessary to provide a high quality audit on a GRC capability?
What standards or frameworks should be used to perform an audit and report on a GRC capability?
Is there a mechanism organisations can use to obtain a third-party assurance report over the design and operating effectiveness of their GRC capability?
Often audit professionals feel alone and confused about these questions, not realising help is nearby.
GRC or not GRC? That is the question...
While there is no denying the increasing regulatory pressure, there will always be differing opinions within the market as to the best risk structure to accept? Still a relatively fresh concept that is often misunderstood, the concept of governance, risk & compliance (GRC) increasingly appears to be one that is gaining a firm foothold. So what is influencing an organisation’s interest in GRC convergence? Many recent studies and white papers all point in the direction of the following drivers:
- Overall business complexity
- The desire to reduce exposure of organisation to risks
- Desire to improve corporate performance
- Concern to avoid ethical and reputational scandals
- Expected regulatory intervention
- Concern about greater risk from non-compliance
- Increasing focus on governance from internal and external stakeholders
- Greater focus on corporate social responsibility
- Desire to reduce cost base
- Desire to improve agility in decision-making
GRC is ground-breaking in the wisdom that the ultimate goal of GRC is to establish a fully integrated approach to risk management, governance and regulatory compliance of an organisation.
By implementing GRC will the organisation benefit?
A holistic risk management framework like GRC also gives a universal vision that will greatly assist to break down the siloed attitude to risk management that unavoidably always results in duplicated control systems, redundant efforts and increasing costs.
When implemented GRC convergence:
- Ensures collaboration for business strategy in the context of risk
- Gets respective risk exposure issues on the collective table (people talk to each other!)
- Improves communication, transparency and how resolution can benefit all
- Greater corporate assurance (that key activities are not “falling through the cracks)
- Advances executive decision making (by getting access to the resulting proper evidence)
- Positively affects business on performance (through the ability to identify and manage risks more quickly)
Furthermore when such a holistic view is taken it:
- Enables better prioritisation (for the context of other risks the business is exposed to)
- Facilitates breaking corporate inertia and builds risk confidence in the best interest of the business as a whole (through global understanding of risk and compliance)
Thinking about implementing or auditing a GRC framework?
To survive and thrive in today’s difficult economic climate, companies require a strong risk culture backed up by effective, well monitored controls and overseen by firm governance. Organisations that plan for change, execute well, and resolve the inevitable issues with pace and confidence tend to succeed against their competitors. Binding the silos of governance, risk and compliance of a business together forms a trinity that improves the understanding of the organisation’s capital management strategy.
All good strategies need a framework and although various standards and structures exist to address discrete portions of governance, risk management and compliance issues, the Open Compliance & Ethics Group (OCEG) have a GRC capability model that is the only open standard providing comprehensive and detailed practices for an integrated GRC program. With an across-the-board unified system having obvious benefits, it is not surprising to see the likes of PwC, Ernst & Young, Deloitte, Thompson Reuters, Dell, Unilever, Walmart, Grant Thornton, RSA, Microsoft, SAS, SAP, Cisco, Oracle, Aon, Global Compliance, Ethics Point and many others on OCEG’s growing list of past and present Charter and Leadership council members. With today’s regulatory pressures, it would appear that GRC is most certainly gaining adhesion.
GRC tools and guides
OCEG has spent over 10 years working with end user companies, service providers, technology companies, and audit firms to develop a GRC capability framework and associated tools to aid GRC and GRC professionals. The GRC Capability Framework, GRC Assessment Tools, Internal Audit Guide, and professional certifications provide the foundation for developing and auditing a GRC capability.
The GRC Capability Framework can be used as criteria to audit against with the GRC Assessment Guide providing objectives, suggested requested information, and review procedures for each component and element of the GRC Capability Framework. These tools, along with certifications as a GRC Professional (GRCP) and GRC Auditor (GRCA) equip an individual and organisation to audit and provide assurance reporting on a GRC capability.
As more organisations implement a GRC program, the staff who are implementing the products and leading these programs are now looking to professionalise with certifications.