5 Best Practices for Successfully Auditing GRC Programs

    Ensure GRC programs are strong and robust by carrying out periodic audits that spot weaknesses and faulty internal controls and processes.

    The news these days is filled with reports of one company or another being fined for corporate misbehavior - evidence of a lack of governance, risk and compliance (GRC) programs in these organizations. A number of regulatory agency citations do in fact highlight weak internal controls and the failure of management and the board to set the tone in terms of ethical conduct. It is not enough just to have a GRC program in place, however. Companies must ensure that it is in line with current regulatory requirements and takes into account the challenging nature of doing international business in volatile conditions. In order to make a GRC program effective, companies must carry out periodic audits of the program's processes. This article explains what makes a GRC program effective and the five best practices that companies should follow to successfully audit their GRC programs.

    What Constitutes a GRC Program?

    Governance, risk and compliance or GRC programs are complex - an organization has to use its GRC program to address the regulatory requirements expected of, among others, the following:

    • Enterprise Risk Management
    • COSO Internal Controls
    • Environmental compliance (EPA rules)
    • Anti-Trust
    • Anti-Money Laundering
    • Anti-Bribery/Corruption
    • Quality Management and standards such as ISO 9000, 9001
    • Process management such as Six Sigma
    • Anti-harassment
    • Human capital
    • Whistle-blowing
    • HR processes

    The areas listed above are just a few of those that come under the purview of a robust GRC program.

    What Makes a GRC Program Effective?

    • The program with its many requirements should be organized as integrated processes assigned to designated business functions. These should be managed by individuals with overall responsibility and accountability. The organizations with effective, functioning GRC programs have also found it advantageous to have an oversight council.
    • It should be flexible enough to incorporate changing regulations into the operations of the organization.
    • The organization's management should consistently communicate and ensure that the organization's values and behavioral expectations are modeled along those detailed in the compliance and ethics program. Management should be proactive in identifying risks and non-compliance.
    • The board should also be proactive, identifying the values of the organization and setting the tone at the top. Its behavior and values should function as a model that all members of the organization can emulate.
    • Metrics are an important measure of how the organization is achieving its compliance goals and should be an integral part of any GRC program.
    • Management has the primary responsibility in implementing the GRC program and seeing that the organization adheres to the program's requirements. The board oversees management's implementation of the program. Executives at both levels have to constantly monitor the program.

    Why Audit a GRC Program?

    Given the complex nature of regulations around the world today and the increasing risks of doing business, it is important that the GRC program in an organization is audited frequently. Internal audits of GRC programs allow management and the board to identify risks and areas that need strengthening and root out any non-compliance. An audit can help evaluate the adequacy of the program's design and effectiveness as well as new practices and technologies to be implemented. Most of the lapses in corporate governance occur due to outdated GRC programs that have not been audited and updated to reflect the current regulatory environment.

    Audits of the GRC program have to be carried out periodically - these should supplement an ongoing, daily evaluation of the effectiveness of the program, including monitoring of controls and responses.

    The next section in this article details five best practices for successfully auditing GRC programs.

    5 Best Practices for Successfully Auditing GRC Programs

    The following are recommended best practices for successfully conducting the internal audit of an organization's GRC program:

    1. Plan Your Audit Properly
      The audits of a GRC program have to be planned well in advance so they are executed effectively. During the planning phase, the following have to be addressed:

      • The purpose of the audit
      • A complete description of the GRC program. This should include details such as the entity which is to be audited and the key measures of the program
      • The scope of the audit and the scope exclusions
      • The objective of the audit and the approach to be taken
      • A high-level schedule of the audit and a detailed timeline
      • The necessary skills needed to complete the audit
      • The selection of members of the internal audit team
      • Any other resources required for successful completion of the audit
      • Document management and archival/retention policies and processes
      • Rules that will govern the involvement of the organization's counsel - these have to be objective

    2. Define Your Audit Scope and Objectives
      Defining the scope of the audit and its objectives is an important part of planning the process, ensuring that the audit is carried out successfully.

      In order to conduct a successful GRC program audit, the auditors need to have a thorough understanding of the following:

      • The organization's culture, business, strategic goals and objectives
      • Key risks that the program and the organization face
      • The organization and structure of the GRC program and its future evolution

      Auditors must determine the following:

      • The major operational processes
      • Various initiatives being implemented within the organization
      • The IT systems that support the operation of the GRC program

      An audit of a GRC program should have the following objectives:

      • Evaluate the "tone at the top" - Is it proper and effective in promoting a culture that is ethical and compliant?
      • Check if the program provides reasonable assurance of compliance with organizational policies and all applicable laws and regulations
      • Determine if the motivation/incentive/reward system is well planned and structured
      • Determine if the GRC program has a robust management framework that is well documented and has enough resources to carry out its tasks
      • Check whether the GRC program has been implemented and if the program's performance reporting system accurately represents the end results of the program's efforts
      • Conduct a cost-benefit analysis of the GRC program
      • Determine whether the program is up-to-date with prevailing industry practices and is adequate for the size and complexity of the organization
      • Include other audit objectives that the board or management has requested

    3. Conduct Proper Risk Assessment
      Before carrying out the audit, the risks need to be understood and assessed. Risk assessment is important in ensuring that the audit plan, program and specific tests that need to be carried out are appropriate and adequate. The risk assessment needs to be carried out while the audit is underway as well.

      Some of the key risk factors in GRC program audits include:

      • The scope and complexity of the program
      • The scope and complexity of the organization
      • The current regulatory environment
      • Breaking news and developments relevant to corporate governance
      • The experience of the GRC program management team
      • Implications of Sarbanes-Oxley on the business
      • The day-to-day involvement and support of the management and board
      • The pace of updates and changes to the program's efforts
      • The maturity of the program
      • The robustness of the GRC program's project management processes

      It is essential to carry out a proper risk assessment considering all of the above factors and others specific to the organization. It is not enough just to check them off on a checklist.

    4. Ensure Audit Testing is Carried Out
      A key part of the audit of a GRC program is testing. Since the range of tests that can be carried out is large and varied (due to the complexity of the regulations, policies and laws involved in a GRC program), it is important to do a risk-based analysis to decide which types of tests should be done.

      The following should be done when testing during an audit:

      • Start at the top and drill down to where and when issues with the program are found/identified
      • As management is expected to constantly monitor the GRC program throughout the year, use its efforts to test the program for weaknesses
      • All testing efforts should be tied to the audit's objectives. Otherwise, things can go out of scope and any weaknesses in the program will be overlooked, rendering the audit efforts useless

      Since GRC programs also include governance and ethical conduct, it is not enough just to test the obvious data and control features. The effectiveness of the program in ensuring that employees adhere to ethical policies and conduct will have to be tested during an audit as well.

    5. Issue a Comprehensive Audit Report
      The audit report, which documents the audit findings, is the final step and the most visible product of the process, putting in writing the results of assessing the effectiveness of the organization's GRC program. The following are the steps to be followed in order to issue a comprehensive audit report:

      • Once the audit is finished, auditors should meet with management to discuss significant audit findings and conclusions before the report is issued
      • A draft written report must be presented to management by the auditors. A good report should be clear and precise as well as fair and balanced.
      • Management should give feedback on the draft report and their action plan that will act on the audit's findings
      • Auditors will have to review this action plan
      • The action plan will have to be incorporated into the final audit report.
      • The final report should be issued and distributed
      • The audit process is then closed out by the auditors and further plans have to be made to monitor the follow through on the management's action plan

    Auditing - A Key Process in Ensuring Your GRC Program is Strong and Effective

    As this article has explained, it is not enough to conceptualize and implement a good GRC program. In order for organizations to follow good corporate governance practices and maintain regulatory compliance, their GRC programs have to be constantly assessed for faults. Recent news of multimillion- and billion-dollar penalties paid by corporate organizations for lax internal controls and failing to adhere to laws and regulations has highlighted the need for robust GRC programs. Auditing is the key process in ensuring that the GRC program is strong and effective, allowing management to implement updates to reflect the requirements demanded by the current regulatory environment.

    How can governance, risk and compliance training help?

    The areas highlighted above are just a small part of the wide range of practices and processes in the GRC domain. Subjects such as governance, risk and compliance are multi-faceted and complex and can be better understood after attending a training course such as the ones offered by ComplianceOnline. Our courses are available as live webinars, training recordings and seminars. We also offer customized training courses developed in conjunction with organizations that wish to train large groups of their employees.

    We offer training in other GRC areas such as corporate governance, anti-money laundering controls, anti-bribery and so on.

    If you need customized training courses or specialist GRC consulting services, please contact us through email [email protected] or call us at this toll-free number: +1-888-717-2436