Auditing Your GRC Program
What Constitutes a GRC Program?

Governance, risk and compliance (GRC) programs are complex. An organization has to use its GRC program to address the regulatory and control requirements expected of it in areas including the following:

- Enterprise Risk Management
- COSO Internal Controls
- Environmental Compliance (EPA rules)
- Antitrust
- Anti-Money Laundering
- Anti-Bribery/Corruption
- Quality Management and standards such as ISO 9000 and ISO 9001
- Process Management such as Six Sigma
- Anti-Harassment
- Human Capital
- Whistle-blowing
- HR Processes

The areas listed above are just a few of those that come under the purview of a robust GRC program.

Why Audit a GRC Program?

Given the complex nature of regulations around the world today and the increasing risks of doing business, it is important that an organization's GRC program is audited frequently. Many lapses in corporate governance occur because GRC programs have become outdated: they have not been audited and updated to reflect the current regulatory environment. Internal audits of the GRC program allow management and the board to identify risks and areas that need strengthening and to root out any non-compliance. An audit can help evaluate the adequacy of the program's design and its operating effectiveness, as well as identify new practices and technologies to be implemented. Audits of the GRC program have to be carried out periodically, and they should supplement, not replace, an ongoing, daily evaluation of the program's effectiveness, including monitoring of controls and of the responses to control failures.