This articles talks about how auditors can contribute to streamlining GRC program by evaluating its effectiveness and aligning various aspects of GRC auditing, thereby fulfilling the new responsibilities and adding immense organizational value.Download an Insight
The complex world of compliance requirements
The business environment has become increasingly complex, and so have compliance requirements. Organizations are spreading themselves thin to comply with the multitude of regulations in areas as diverse as quality, environment sustainability, human capital, corporate social responsibility, legal matter management, competitive practices, whistleblowing, hiring and retention, workplace violence, employment and labor, information management, government contracts, and control of malpractices such as money laundering, fraud, and corruption.
Governance, Risk, and Compliance (GRC) programs at organizations are constantly evolving to embrace newer requirements and achieve the organization’s compliance goals. A strong GRC model is recommended by the Open Compliance and Ethics Group (OCEG) for making GRC part of organizational culture. It provides assurance as well as support for an organization’s ongoing effort to be well-managed and high-performing.
How audits can contribute to streamlining GRC and adding value
Audits need to look at the bigger picture and focus on higher business objectives. The audit function needs to work with a good understanding of voluntary boundaries set by the management, such as public commitments, organizational values, contractual obligations, and other policies, as well as mandatory boundaries or those established by external sources such as laws, government regulations, and other mandates. Auditors also need to know the organization’s business model, as well as its objectives, and the obstacles and risks that lie in the way of achieving those objectives.
Audits can strengthen the GRC program by evaluating its efficacy on a regular basis. Various aspects of GRC audits can collectively contribute to a successful GRC program.
Defining the right and efficient GRC program
The first step for a successful GRC audit is to determine what constitutes an effective GRC program for the organization. Once there is an agreement on that, it is easier to achieve a consistency between the audit function and management on the exact goals of the GRC program. Each industry has its own subtleties, and the GRC program needs to reflect them. When the right GRC program is structured, the organization needs to determine the exact steps of the audit to evaluate the efficiency of the program.
Determining the steps of internal audits
Though the fundamental audit process stands unchanged, there can be multiple issues such as privacy issues, security issues, operational issues, and inconsistency in management objectives. Therefore, it is a good practice to spend enough time on determining the plan and steps of the internal audit. The OCEG Internal Audit Guide provides extensive details on the steps involved. Internal auditors need to:
- Define the scope and type of evaluation
- Determine the privilege status, level of assurance, and objectives of the audit
- Identify the evaluation team and its skill set
- Develop an evaluation plan
- Perform a design adequacy evaluation
- Conduct an operational effectiveness evaluation
- Communicate the evaluation results
- Ensure follow-ups to resolve issues
Key Capabilities of Robust Audit Management Infrastructure
Planning the audit
Flexibility and adaptability are very important while planning audits. The planning stage should focus on the scope of the audit. In other words, it should determine the parts of the GRC program that will be evaluated. The audit scope and scope exclusion need to be documented with clarity.
Since every organization and its GRC requirements are unique in many ways, the check-list approach is not recommended. Developing a description of the program, determining who is responsible for what, and describing the measures that are being used for the program are some of the key areas involved in audit planning.
The focus of the audit should be on the business aspects of the GRC program. Understanding all the components of the GRC program is fundamental to audit success. In the process, the importance of interaction and involvement with program management personnel cannot be stressed enough to achieve consistency in the management of the program. If there is a lack of consistency in what exactly an effective GRC program is, the audit can become extremely difficult and diffused.
Performing audit risk assessments
The key to a successful GRC audit is to not rely on check-lists, but to adopt the risk assessment approach. Auditors need to understand the risks of the program, determine how the audit plan should be adjusted based on the business risks that are involved, and then perform the appropriate tests for risk assessments.
Technology can support the audit process by automating risk assessments and highlighting high-risk areas. Auditors can then prioritize their audits so as to focus maximum attention on these key areas.
The complexity of GRC programs differs from one organization to the next. For example, a one-person GRC team functions very differently from a multinational organization with many lawyers and compliance officers working across the globe. Therefore, auditors need to understand the complexity and the scope of the program, the type of regulatory environment that the organization is working in, the financial implications of these, and the future plans of the organization. For example, if cash management is at the center of a business and its survival, then the financial management and treasury functions will be large, and the risk management program needs to be appropriately proportionate to the scale.
Another set of risk factors includes the program management team’s experience, level of involvement and support from executives, the amount and pace of change involved in the program effort as well as the maturity in terms of the number of years the program has been functioning, and the strength of the project management process.
Describing the evaluation scope and objectives
In order to determine the audit scope and objectives, auditors need a clear understanding of the organization’s culture, business, and strategic goals. A GRC audit is a means to compliance goals and not a goal in itself. Therefore, auditors must understand where the organization is going, what major objectives it is trying to achieve, how the GRC program is helping the organization in this, and what risks the organization faces. Auditors also need to know the organizational structure very well.
Every organization approaches its GRC program differently - the focus can be on risk management or compliance, or ethics, depending on the organization’s progress in the last five years. In the next five years, it may focus on, for example, organizational control, or reporting, or health and safety. Since GRC is a very broad area, auditors must know where the organization is coming from and where it is going.
To create the scope, auditors need to determine key operational processes, document projects that are being worked on, and determine the information systems that support the GRC program efforts.
The board and the management need to periodically evaluate the design adequacy and operational effectiveness of the program which can supplement the ongoing daily monitoring of responses and control activities. This provides an opportunity to consider new practices and technologies to enhance the program, thus adding organizational value.
Creating clear accountabilities
For an auditor of a GRC program, it is very important to understand who is responsible for what. As a norm, the management is responsible for the performance of the organization’s compliance and ethics program. The board oversees the implementation of these programs to ensure effectiveness, and auditors provide the assurance to the management and the board that the program is achieving its goals. They also identify significant opportunities for improvement.
Auditors need to be clear in understanding which areas are the responsibilities of the management, and what the accountabilities of the board are. It is essential to determine what the program is accountable for, and who the players are. Auditors must work with the management and find an agreement on the scope of each role’s accountability.
Once roles and responsibilities have been clearly defined, task assignments need to be delegated. Automating this process -- be it conducting a task, reviewing findings, or approving reports -- can improve audit efficiency, and create significant cost-savings.
Determining the right audit approach
Auditors should determine the audit approach while planning the audit, and get an agreement from the management on this approach. The focus should be to identify opportunities to enhance GRC practices. Auditors need to be flexible in their approach, and ready to learn from stakeholders and other staff. The flexibility implies that auditors should not only ensure that a complete roadmap is in place before starting the audit, but also allow continuous refinement of the plan throughout the audit.
- Collaborating to achieve the audit objectives
The audit team must use a collaborative way of working while conducting the GRC audit. The team needs to be open to learning from the program staff and management and vice versa. Auditors must understand that an audit is a journey where all stakeholders need to collaborate. They must also remember that the management is responsible for the GRC program efforts and results. So the management needs to take ownership for the corrective actions and recommendations of the audit.
- Ensuring the relevance of the GRC audit to the organization’s specific needs
One of the challenges confronting auditors is the diversity of GRC programs across organizations and industries. While there has been a convergence of various related programs into one overall GRC program, many organizations’ GRC programs have a different focus such as security, risk, compliance, or governance. The GRC audit needs to be organization-specific and must be tailor-made for the specific organization in the specific industry, as opposed to a generic GRC audit. Therefore, the right description of the GRC program is essential for the audit.
Ensuring detailed audit reporting
When a GRC audit is completed, auditors follow the traditional reporting method listed below. Communicating the results and walking the management through the implications of the audit are some of the particularly important stages in GRC audit reporting because of the diversity of GRC programs.
The traditional reporting method follows these steps:
- Before issuing the final audit report, auditors debrief the management and formally discuss the audit findings and conclusions.
- Auditors present a written draft report to the management to communicate the audit results clearly, precisely, and in a fair and balanced way.
- Auditors and the management discuss the draft report.
- Auditors issue the draft report.
- The management provides feedback on the draft report and the proposed corrective action plan.
- Auditors review the corrective action plan.
- Auditors finalize and distribute the final audit report.
- Auditors close the audit project and plan follow-up efforts for the management’s corrective action plan.
Automating the report preparation process can save a lot of time for auditors who usually use spreadsheets and other manual process to generate their reports. Real-time reports and actionable intelligence can provide additional benefits - they offer executives complete visibility into the audit process, and auditors the opportunity to clearly see the risks impacting the internal audit. The auditors can then confidently suggest internal controls to manage these risks.
Testing audit efficacy
Testing audits is a challenging task in a GRC audit where one is auditing governance practices and not transactions. The GRC audit does not only validate data and control, but also confirms ethical conduct in the organization and the program’s capability to perform efficiently.
The diversity in GRC audit testing is enormous, and risk assessments help determine the kind of tests that need to be performed for checking the efficacy of the audit. The tests can aim at starting on a higher level and drilling down when issues are discovered. They can also use the “bottom up” approach. Testing can be linked to audit objectives, validating certain aspects related to the objectives.
Following best practices
Audits need to be completed within three-six months, and organizations look at auditors to provide constructive feedback and recommendations. Some of the best practices that a GRC audit needs to follow are:
- Ensure proactive audit management with frequent monitoring of program efforts.
- Create clear and up-to-date documentation of GRC policies, procedures, critical GRC processes, and status reporting.
- Conduct a management analysis of program results on a regular basis.
- Use facts and actual results for management action.
- Build documentation around the chain of commands, and roles and responsibilities (e.g. organizational chart and job descriptions).
- Ensure timely investigation of issues.
- Focus in a balanced way on both long-term as well as short-term objectives and results.
- Create a powerful and strong program team.
- Ensure good management practices where planning, direction, monitoring, and reporting processes lead to high quality.
- Study the resources and guidance provided.
- Engage in an honest discussion with the executive management team about the quality of the organization’s GRC program and the potential improvements needed.
- Identify the most significant components of the GRC program that need improvement or a formal assessment by the internal audit function.
- Complete a high-level audit survey of the GRC program as the preliminary step to completing a formal internal audit.
A robust GRC model is essential for making GRC a part of organizational philosophy and, in turn, achieving performance goals. The audit function can support the GRC program by evaluating its effectiveness on a regular basis. Auditors need to understand the organization’s business model, objectives, and risks, and contribute gainfully to a successful GRC program. Using the right technology can play a vital part in strengthening the audit function. With a robust understanding of organizational objectives supported by appropriate audit infrastructure, auditors can add immense organizational value and fulfill their new responsibilities efficiently.