Auditing Your GRC Program

1
Auditing Your GRC Program
2
What Constitutes a GRC Program?

• Governance, risk and compliance or GRC programs
  are complex an organization has to use its GRC
  program to address the regulatory requirements
  expected of, among others, the following
• Enterprise Risk Management
• COSO Internal Controls
• Environmental Compliance (EPA rules)
• Anti Trust
• Anti Money Laundering
• Anti Bribery/Corruption
• Quality Management and Standards such as ISO
  9000, 9001
• Process Management such as Six Sigma
• Anti Harassment
• Human Capital
• Whistle-blowing
• HR Processes
• The areas listed above are just few of those that
  come under the purview of a robust GRC program.

3
Why Audit a GRC Program?

• Given the complex nature of regulations around
  the world today and the increasing risks of doing
  business, it is important that the GRC program in
  an organization is audited frequently. Most of
  the lapses in corporate governance occur due to
  outdated GRC programs that have not been audited
  and updated to reflect the current regulatory
  environment.
• Internal audits of GRC programs allow management
  and the board to identify risks and areas that
  need strengthening and root out any
  non-compliance.
• An audit can help evaluate the adequacy of the
  programs design and effectiveness as well as new
  practices and technologies to be implemented.
• Audits of the GRC program have to be carried out
  periodically these should supplement an
  ongoing, daily evaluation of the effectiveness of
  the program, including monitoring of controls and
  responses.

4
Internal Audit Process The General Steps

• Define evaluation scope, objectives, and the type
  of evaluation.
• Define the level and type of assurance
• Identify the evaluation team and skills required.
• Develop evaluation plan.
• Perform design adequacy evaluation.
• Perform operational effectiveness evaluation.
• Communicate evaluation results and ensure
  follow-up to address issues.

5
Conduct Proper Risk Assessment

• Before carrying out the audit, the risks need to
  be understood and assessed. Risk assessment is
  important in ensuring that the audit plan,
  program and specific tests that need to be
  carried out are appropriate and adequate. The
  risk assessment needs to be carried out while the
  audit is underway as well.
• Some of the key risk factors in GRC program
  audits include
• The scope and complexity of the program.
• The scope and complexity of the organization.
• The current regulatory environment.
• Breaking news and developments relevant to
  corporate governance.
• The experience of the GRC program management
  team.
• Implications of Sarbanes Oxley on the business.
• The day-to-day involvement and support of the
  management and board.
• The pace of updates and changes to the programs
  efforts.
• The maturity of the program.
• The robustness of the GRC programs project
  management processes.

6
Best Practices for Successfully Auditing GRC
Programs

• Plan Your Audit Properly
• Define Your Audit Scope and Objectives
• Conduct Proper Risk Assessment
• Ensure Audit Testing is Carried Out
• Issue a Comprehensive Audit Report

7

• Want to learn more about audit, and best
  practices for auditing? ComplianceOnline webinars
  and seminars are a great training resource. Check
  out the following links
• How to Audit GRC Programs?
• Role of the Audit Committee in Corporate
  Governance
• Internal Audit's Role in Enterprise Risk
  Management
• OCEG Approved GRC (Governance, Risk and
  Compliance) Professional Seminar
• Auditing Technology and IT Investment Management