What Constitutes a GRC Program?
Governance, risk and compliance (GRC) programs are complex – an organization has to use its GRC program to address the regulatory requirements expected of it in, among others, the following areas:
• Enterprise Risk Management
• COSO Internal Controls
• Environmental Compliance (EPA rules)
• Antitrust
• Anti-Money Laundering
• Anti-Bribery/Corruption
• Quality Management and Standards such as ISO 9000 and ISO 9001
• Process Management such as Six Sigma
• Anti-Harassment
• Human Capital
• Whistle-blowing
• HR Processes
The areas listed above are just a few of those that come under the purview of a robust GRC program.

Why Audit a GRC Program?
• Given the complex nature of regulations around the world today and the increasing risks of doing business, it is important that an organization's GRC program is audited frequently. Most lapses in corporate governance occur because of outdated GRC programs that have not been audited and updated to reflect the current regulatory environment.
• Internal audits of GRC programs allow management and the board to identify risks and areas that need strengthening and to root out any non-compliance.
• An audit can help evaluate the adequacy of the program's design and its effectiveness, as well as new practices and technologies to be implemented.
• Audits of the GRC program have to be carried out periodically – they should supplement an ongoing, daily evaluation of the effectiveness of the program, including monitoring of controls and responses.
Internal Audit Process – The General Steps
• Define the evaluation scope, objectives, and the type of evaluation.
• Define the level and type of assurance.
• Identify the evaluation team and the skills required.
• Develop the evaluation plan.
• Perform the design adequacy evaluation.
• Perform the operational effectiveness evaluation.
• Communicate the evaluation results and ensure follow-up to address issues.
Conduct Proper Risk Assessment
• Before carrying out the audit, the risks need to be understood and assessed. Risk assessment is important in ensuring that the audit plan, the audit program and the specific tests to be carried out are appropriate and adequate. The risk assessment also needs to continue while the audit is underway.
• Some of the key risk factors in GRC program audits include:
  • The scope and complexity of the program.
  • The scope and complexity of the organization.
  • The current regulatory environment.
  • Breaking news and developments relevant to corporate governance.
  • The experience of the GRC program management team.
  • Implications of Sarbanes-Oxley for the business.
  • The day-to-day involvement and support of management and the board.
  • The pace of updates and changes to the program's efforts.
  • The maturity of the program.
  • The robustness of the GRC program's project management processes.
Best Practices for Successfully Auditing GRC Programs
• Plan Your Audit Properly
• Define Your Audit Scope and Objectives
• Conduct Proper Risk Assessment
• Ensure Audit Testing is Carried Out
• Issue a Comprehensive Audit Report
Want to learn more about audit and best practices for auditing? ComplianceOnline webinars and seminars are a great training resource. Check out the following links:
• How to Audit GRC Programs?
• Role of the Audit Committee in Corporate Governance
• Internal Audit's Role in Enterprise Risk Management
• OCEG Approved GRC (Governance, Risk and Compliance) Professional Seminar
• Auditing Technology and IT Investment Management