This article discusses how auditors can contribute to streamlining a GRC program by evaluating its effectiveness and aligning the various aspects of GRC auditing, thereby fulfilling their new responsibilities and adding immense organizational value.
The business environment has become increasingly complex, and so have compliance requirements. Organizations are spreading themselves thin to comply with the multitude of regulations in areas as diverse as quality, environment sustainability, human capital, corporate social responsibility, legal matter management, competitive practices, whistleblowing, hiring and retention, workplace violence, employment and labor, information management, government contracts, and control of malpractices such as money laundering, fraud, and corruption.
Governance, Risk, and Compliance (GRC) programs at organizations are constantly evolving to embrace newer requirements and achieve the organization’s compliance goals. A strong GRC model is recommended by the Open Compliance and Ethics Group (OCEG) for making GRC part of organizational culture. It provides assurance as well as support for an organization’s ongoing effort to be well-managed and high-performing.
Audits need to look at the bigger picture and focus on higher business objectives. The audit function needs to work with a good understanding of voluntary boundaries set by the management, such as public commitments, organizational values, contractual obligations, and other policies, as well as mandatory boundaries or those established by external sources such as laws, government regulations, and other mandates. Auditors also need to know the organization’s business model, as well as its objectives, and the obstacles and risks that lie in the way of achieving those objectives.
Audits can strengthen the GRC program by evaluating its efficacy on a regular basis. Various aspects of GRC audits can collectively contribute to a successful GRC program.
The first step for a successful GRC audit is to determine what constitutes an effective GRC program for the organization. Once there is an agreement on that, it is easier to achieve a consistency between the audit function and management on the exact goals of the GRC program. Each industry has its own subtleties, and the GRC program needs to reflect them. When the right GRC program is structured, the organization needs to determine the exact steps of the audit to evaluate the efficiency of the program.
Though the fundamental audit process stands unchanged, there can be multiple issues, such as privacy issues, security issues, operational issues, and inconsistency in management objectives. Therefore, it is good practice to spend enough time determining the plan and steps of the internal audit. The OCEG Internal Audit Guide provides extensive details on the steps involved. Internal auditors need to:
Flexibility and adaptability are very important while planning audits. The planning stage should focus on the scope of the audit. In other words, it should determine the parts of the GRC program that will be evaluated. The audit scope and scope exclusion need to be documented with clarity.
Since every organization and its GRC requirements are unique in many ways, the checklist approach is not recommended. Developing a description of the program, determining who is responsible for what, and describing the measures that are being used for the program are some of the key areas involved in audit planning.
The focus of the audit should be on the business aspects of the GRC program. Understanding all the components of the GRC program is fundamental to audit success. In the process, the importance of interaction and involvement with program management personnel cannot be stressed enough to achieve consistency in the management of the program. If there is a lack of consistency in what exactly an effective GRC program is, the audit can become extremely difficult and diffused.
The key to a successful GRC audit is to not rely on checklists, but to adopt a risk assessment approach. Auditors need to understand the risks of the program, determine how the audit plan should be adjusted based on the business risks involved, and then perform the appropriate tests for risk assessment.
Technology can support the audit process by automating risk assessments and highlighting high-risk areas. Auditors can then prioritize their audits so as to focus maximum attention on these key areas.
The complexity of GRC programs differs from one organization to the next. For example, a one-person GRC team functions very differently from a multinational organization with many lawyers and compliance officers working across the globe. Therefore, auditors need to understand the complexity and the scope of the program, the type of regulatory environment that the organization is working in, the financial implications of these, and the future plans of the organization. For example, if cash management is at the center of a business and its survival, then the financial management and treasury functions will be large, and the risk management program needs to be appropriately proportionate to the scale.
Another set of risk factors includes the program management team’s experience, level of involvement and support from executives, the amount and pace of change involved in the program effort as well as the maturity in terms of the number of years the program has been functioning, and the strength of the project management process.
In order to determine the audit scope and objectives, auditors need a clear understanding of the organization’s culture, business, and strategic goals. A GRC audit is a means to compliance goals and not a goal in itself. Therefore, auditors must understand where the organization is going, what major objectives it is trying to achieve, how the GRC program is helping the organization in this, and what risks the organization faces. Auditors also need to know the organizational structure very well.
Every organization approaches its GRC program differently - the focus can be on risk management or compliance, or ethics, depending on the organization’s progress in the last five years. In the next five years, it may focus on, for example, organizational control, or reporting, or health and safety. Since GRC is a very broad area, auditors must know where the organization is coming from and where it is going.
To create the scope, auditors need to determine key operational processes, document projects that are being worked on, and determine the information systems that support the GRC program efforts.
The board and the management need to periodically evaluate the design adequacy and operational effectiveness of the program which can supplement the ongoing daily monitoring of responses and control activities. This provides an opportunity to consider new practices and technologies to enhance the program, thus adding organizational value.
For an auditor of a GRC program, it is very important to understand who is responsible for what. As a norm, the management is responsible for the performance of the organization’s compliance and ethics program. The board oversees the implementation of these programs to ensure effectiveness, and auditors provide the assurance to the management and the board that the program is achieving its goals. They also identify significant opportunities for improvement.
Auditors need to be clear in understanding which areas are the responsibilities of the management, and what the accountabilities of the board are. It is essential to determine what the program is accountable for, and who the players are. Auditors must work with the management and find an agreement on the scope of each role’s accountability.
Once roles and responsibilities have been clearly defined, task assignments need to be delegated. Automating this process, whether conducting a task, reviewing findings, or approving reports, can improve audit efficiency and create significant cost savings.
Auditors should determine the audit approach while planning the audit, and get an agreement from the management on this approach. The focus should be to identify opportunities to enhance GRC practices. Auditors need to be flexible in their approach, and ready to learn from stakeholders and other staff. The flexibility implies that auditors should not only ensure that a complete roadmap is in place before starting the audit, but also allow continuous refinement of the plan throughout the audit.
When a GRC audit is completed, auditors follow the traditional reporting method listed below. Communicating the results and walking the management through the implications of the audit are some of the particularly important stages in GRC audit reporting because of the diversity of GRC programs. The traditional reporting method follows these steps:
Automating the report preparation process can save a lot of time for auditors, who usually use spreadsheets and other manual processes to generate their reports. Real-time reports and actionable intelligence can provide additional benefits: they offer executives complete visibility into the audit process, and give auditors the opportunity to clearly see the risks impacting the internal audit. The auditors can then confidently suggest internal controls to manage these risks.
Testing is a challenging task in a GRC audit, where one is auditing governance practices rather than transactions. The GRC audit not only validates data and controls, but also confirms ethical conduct in the organization and the program’s capability to perform efficiently.
The diversity in GRC audit testing is enormous, and risk assessments help determine the kind of tests that need to be performed for checking the efficacy of the audit. The tests can aim at starting on a higher level and drilling down when issues are discovered. They can also use the “bottom up” approach. Testing can be linked to audit objectives, validating certain aspects related to the objectives.
Audits need to be completed within three to six months, and organizations look to auditors to provide constructive feedback and recommendations. Some of the best practices that a GRC audit needs to follow are:
A robust GRC model is essential for making GRC a part of organizational philosophy and, in turn, achieving performance goals. The audit function can support the GRC program by evaluating its effectiveness on a regular basis. Auditors need to understand the organization’s business model, objectives, and risks, and contribute gainfully to a successful GRC program. Using the right technology can play a vital part in strengthening the audit function. With a robust understanding of organizational objectives supported by appropriate audit infrastructure, auditors can add immense organizational value and fulfill their new responsibilities efficiently.