2. As defined by the Institute of Internal Auditors (IIA), internal audit is “an
independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
3. First-Party Audits: These are performed within an organization to measure its
strengths and weaknesses against its own procedures or methods and/or external
standards. Internal audits are first-party audits and are conducted by auditors who
are employed by the company being audited, but have no vested interest in the
audit results of the area(s) being audited.
Second-Party Audits: These are external audits performed on a supplier by a
customer or by a contracted firm (consulting firm) on behalf of a customer.
Third-Party Audits: These are external audits performed on a supplier or regulated
entity by an external participant other than a customer. They are conducted for
recognition or registration purposes and are performed either by extrinsic regulatory
bodies (FDA, FAA, NRC, USDA) or by registrars (ISO 9001, AIB, JCAHO).
• Establishing the Audit Program
  • Objectives and extent of the audit
  • Responsibilities, resources, and procedures related to the audit program
• Implementing the Audit Program
  • Scheduling audits and selecting the audit team
  • Directing audit activities and maintaining records
• Monitoring the Audit Program
  • Monitoring and reviewing the audit program
  • Identifying needs for corrective and preventive actions
• Improving the Audit Program
  • Identifying needs for continual improvement
5. During the planning phase, the following has to be done:
• The purpose of the audit
• A complete description of the GRC program. This should include details such as
  the entity which is to be audited and the key measures of the program
• The scope of the audit and the scope exclusions
• The objective of the audit and the approach to be taken
• A high-level schedule of the audit and a detailed timeline
• The necessary skills needed to complete the audit
• The selection of members of the internal audit team
• Any other resources required for successful completion of the audit
• Document management and archival/retention policies and processes
6. Defining the scope of the audit and its objectives is an important part of
planning the process, ensuring that the audit is carried out successfully.
In order to conduct a successful GRC program audit, the auditors need to have a
thorough understanding of the following:
• The organization’s culture, business, strategic goals and objectives
• Key risks that the program and the organization face
• The organization and structure of the GRC program and its future evolution
Auditors must determine the following:
• The major operational processes
• Various initiatives being implemented within the organization
• The IT systems that support the operation of the GRC program
7. An audit of a GRC program should have the following objectives:
• Evaluate the “tone at the top”: is it proper and effective in promoting an ethical culture?
• Check whether the program provides reasonable assurance of compliance with organizational
  policies and all applicable laws and regulations.
• Determine whether the motivation/incentive/reward system is well planned and structured.
• Determine whether the GRC program has a robust management framework that is well documented
  and has enough resources to carry out its tasks.
• Check whether the GRC program has been implemented and whether the program’s performance
  reporting system accurately represents the end results of the program’s efforts.
• Conduct a cost-benefit analysis of the GRC program.
• Determine whether the program is up to date with prevailing industry practices and is adequate
  for the size and complexity of the organization.
• Include any other audit objectives that the board or management has requested.
8. Want to learn more about audit, its process and best practices
for auditing? ComplianceOnline webinars and seminars are a
great training resource. Check out the following links:
• Risk Based Internal Auditing (RBIA)
• Internal Auditing Essentials for Medical Device
• How to Audit GRC Programs?
• Role of the Audit Committee in Corporate Governance
• Internal Audit's Role in Enterprise Risk Management
• OCEG Approved GRC (Governance, Risk and Compliance)
• Auditing Technology and IT Investment Management
Editor's note
Narration: The audits of a GRC program have to be planned well in advance so they are executed effectively. <Read text as it is>