Internal audit: Where art thou in the GRC journey?
Dr. Emmanuel Moore ABOLO is the President, Institute for Governance, Risk Management & Compliance Professionals/GMD, The Risk Management Academy Limited.
March 9, 2020
The internal auditor, by understanding GRC, can play a critical role in guiding his/her company toward an integrated GRC capability. When effectively deployed, GRC can help ensure controls are appropriate, operate effectively, address risks as intended, and use resources efficiently.
The formalization of GRC as an operating framework has begun to force the discussion around how Internal Audit [IA] and other oversight functions can work together toward common goals, and has increased the opportunities for IA to partner with management.
The internal audit function serves as a support function to assist an organization in monitoring strategy implementation to meet organizational objectives.
Since each organization is different, internal audit can, and is often required to, perform multiple roles to fit the needs of the organization’s stakeholders.
According to the Institute of Internal Auditors, “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.”
Internal audit is conducted objectively and must be designed to improve and mature an institution’s business practices.
Internal audit programs are critical for monitoring and assuring that an institution is secure and safe from threats. Fully independent audit also makes sure that organizational processes are in line with documented policies and procedures. Internal auditing can add value to an organization by improving the organization’s operations.
Internal audit is a central pillar in functional GRC as it:
- Provides objective and independent and unbiased insight;
- Improves the overall efficiency of all operations;
- Evaluates risks and protects assets by identifying gaps in processes;
- Assesses controls to ensure they fulfill their purpose; and
- Ensures compliance with relevant laws and regulations.
Regular internal audit provides peace of mind and confidence that the next external audit will be free of issues. Gaining – and keeping – stakeholders’ trust and avoiding costly fines associated with non-compliance is achievable.
Internal auditing is unique in that it can add value in two ways: by providing assurance that an organization is meeting its objectives, or, where an organization is struggling to meet them, by acting as a business partner and providing consulting activities that help find solutions to the organization’s problems.
GRC is a part of the very core of internal auditing and a key player within GRC itself.
The internal audit function within the GRC framework has the ability to fulfill two roles within the process. The first role is to help the Board of Directors improve GRC by being a driver for organizational change.
This role, in essence, requires the internal audit function to be a catalyst for change by advising the Board and Audit Committee on GRC improvements that can be made as well as annual updates as to how well the organization is operating.
The key to this role is for internal audit to be able to help the organization understand the benefits of GRC, to initiate GRC projects, and to help ensure that the organization seeks solutions that reflect the organization’s goals, culture and stakeholder expectations.
In an established GRC organization, internal audit’s role is essentially to advocate the improvements it has identified through its second role within GRC.
The advisory role in GRC integration also entails the internal audit function’s ability to advise the Audit Committee on emerging best practices, and to develop communication lines and positive relationships across the organization’s functions.
It is equally important for the Internal Audit function to be able to communicate with management about the limitations of GRC. Specifically, the internal audit function should explain to the Board that a GRC strategy can be effective, but it cannot resolve every issue an organization may have within these concept areas.
Additionally, GRC will not absolve the organization from all of the risks it faces, whether they are execution risks or operating risks. Often overlooked is the internal audit function’s ability to play a consulting role. Consulting the organization on GRC improvements can also benefit internal audit’s own role by allowing it to perform its duties more efficiently.
By participating at a higher level in overall GRC initiatives, the internal audit function positions itself as a business partner to the organization.
The second role of the internal audit function is to be a participant within GRC by continuing to provide assurance over the other functions and activities taking place within the organization. This role requires internal audit to continue its value-adding activities within each GRC component, namely evaluating and improving the effectiveness of each component through its assurance and consulting activities.
This position allows the internal audit function to gain valuable insights through their assessments and reviews, and as a result, affords the internal audit function the ability to fulfill their first role as drivers in GRC development and improvement.
The diagram below explains the role of the various GRC components at two levels: Audit Committee Direction, Financial Reporting Framework and Anti-Fraud Governance structure on the right; The Board, Compliance Management, ERM, Governance and Internal Audit on the left. The entire GRC engine is synchronized to deliver stellar results for an organization.
GRC is a strategy that aims to eliminate redundancies and streamline processes and policies within an organization. Therefore, by aligning the needs and objectives of the functions within an organization (such as compliance, human resources, Risk Management (ERM), information technology (IT) and internal audit), internal audit provides a crucial role in ensuring the common goals and objectives of the organization are met through their assurance and consulting activities.
Therefore, internal audit can best support GRC efforts by being able to identify improvements and effectively communicating them to the audit committee and the Board and through their consulting engagements with other functions.
The need for the internal audit function to be a support group in the implementation of GRC is also crucial to the success of GRC because internal audit typically has a good understanding of the different processes involved within GRC.
By leveraging their insight into the governance and risk management of an organization, they can help those implementing GRC by focusing their efforts on implementing the proper policies that help the organization achieve their goals.
Internal Audit is uniquely placed within an organization to support the implementation of GRC as a framework. Audit of governance activities gives assurance to the various stakeholders about the effectiveness of different processes.
Internal audit can ensure that shareholders’ rights are recognized, that organizational activities are socially responsible, and that they are aimed towards sustainable business growth.
GRC and internal audit teams, at different product development stages, can point out mutual areas of interest, increase awareness and take pre-emptive actions. There could be potential ‘white spaces’ – areas that don’t have an easily identifiable owner or aren’t associated with any function.
Internal audit and GRC together can effectively identify these ‘white spaces’, actively fill the spaces and provide higher level of confidence in the overall GRC ecosystem.
The question for IA is how closely to align its approaches, thresholds and decision criteria with GRC. The “right balance” is a relative term that depends on the organization and the industry, and its place on the maturity spectrum, regulatory issues, management priorities, and many other factors.
IA must continue to strike a balance between independence and partnership. In their decision process, IA needs to realize that business requirements and resulting risks are becoming more complicated and far-reaching, and the organization needs IA’s perspective and recommendations.
To realize this, in addition to executing its audit plan, it is imperative that IA coordinates with other existing and emerging risk and control groups, to the point that IA seeks these functions out, evaluates their objectives, and determines how it should coordinate with them.
IA and enterprise GRC programs should look to remove as many boundaries between them as possible. However, IA must decide where boundaries should remain so that it can maintain an appropriate level of independence.
As the organisation proceeds down the path of alliance and moves ahead on the spectrum of group development, the growing pains of alignment will turn into achievable benefits.