“Quandary” is an interesting word; it means a state of perplexity or uncertainty over what to do in a difficult situation. Several internal auditors have told me they are in a quandary when auditing GRC capabilities. They often find it difficult to determine whether GRC capabilities are designed effectively, and they find it difficult to know who should provide this assurance—internal auditors or another assurance function.
How can we know if a capability is designed effectively when as auditors we may not be experts in the detailed activities of GRC capabilities? Who should provide the assurance?

