
The GRC Audit Quandary

Jason Mefford | December 22, 2015

A “quandary” is an interesting word meaning: a state of perplexity or uncertainty over what to do in a difficult situation. Several internal auditors have told me they are in a quandary when auditing GRC capabilities. They often find it difficult to determine whether GRC capabilities are designed effectively. They find it difficult to know who should provide this assurance—internal auditors or another assurance function.

How can we know if a capability is designed effectively when as auditors we may not be experts in the detailed activities of GRC capabilities? Who should provide the assurance?

The OCEG GRC Capability Model states: “Assurance should focus on the ability of the capability to meet its objectives while being consistent with the decision-making criteria for acceptable residual levels of reward, risk, and compliance.”

This means we must take a risk-based audit approach, focusing on the key objectives of the organization, and the areas we audit,...
