2. As defined by the Institute of Internal Auditors (IIA), internal audit is “an
independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes.”

3. First-Party Audits: These are performed within an organization to measure its
strengths and weaknesses against its own procedures or methods and/or external
standards. Internal audits are first-party audits and are conducted by auditors who
are employed by the company being audited, but have no vested interest in the
audit results of the area(s) being audited.
Second-Party Audits: These are external audits performed on a supplier by a
customer or by a contracted firm (consulting firm) on behalf of a customer.
Third-Party Audits: These are external audit performed on a supplier or regulated
entity by an external participant other than a customer. They are conducted for
recognition or registration purposes are performed either by Extrinsic Regulatory
(FDA, FAA, NRC, USDA) or Registrars (ISO9001, AIB, JCAHCO ).

4. Plan
•Establishing the Audit Program
•Objectives and extent of audit
•Responsibilities, resources, and procedures related to the audit program
Do
•Implementing the Audit Program
•Scheduling audits and selecting the audit team
•Directing audit activities and maintaining records
Check
•Monitoring the Audit Program
•Monitoring and reviewing the audit program
•Identifying needs for corrective and preventive actions
Act
•Improvement
•Improving the Audit Program
•Identifying needs for continual improvement

5. During the planning phase, the following has to be done:
 The purpose of the audit
 A complete description of the GRC program. This should include details such as
the entity which is to be audited and the key measures of the program
 The scope of the audit and the scope exclusions
 The objective of the audit and the approach to be taken
 A high level schedule of the audit and a detailed timeline
 The necessary skills needed to complete the audit
 The selection of members of the internal audit team
 Any other resources required for successful completion of the audit
 Document management and archival/ retention policies and processes

6.  Defining the scope of the audit and its objectives is an important part of
planning the process, ensuring that the audit is carried out successfully.
 In order to conduct a successful GRC program audit, the auditors need to have a
thorough understanding of the following:
 The organization’s culture, business, strategic goals and objectives
 Key risks that the program and the organization face
 The organization and structure of the GRC program and its future evolution
 Auditors must determine the following:
 The major operational processes
 Various initiatives being implemented within the organization
 The IT systems that support the operation of the GRC program

7. An audit of a GRC program should have the following objectives:
 Evaluate the “tone at the top” – Is it proper and effective in promoting a culture that is ethical
and compliant?
 Check if the program provides reasonable assurance of compliance with organizational policies
and all applicable laws and regulations.
 Determine if the motivation/incentive/reward system is well planned and structured.
 Determine if the GRC program has a robust management framework that is well documented
and has enough resources to carry out its tasks.
 Check whether the GRC program has been implemented and if the program’s performance
reporting system accurately represented the end results of the program’s efforts.
 Conduct a cost-benefit analysis of the GRC program.
 Determine whether the program is up-to-date with prevailing industry practices and is adequate
for the size and complexity of the organization.
 Include other audit objectives that the board or management has requested.

8. Want to learn more about audit, its process and best practices
for auditing? ComplianceOnline webinars and seminars are a
great training resource. Check out the following links:
 Risk Based Internal Auditing (RBIA)
 Internal Auditing Essentials for Medical Device
Manufacturers
 How to Audit GRC Programs?
 Role of the Audit Committee in Corporate Governance
 Internal Audit's Role in Enterprise Risk Management
 OCEG Approved GRC (Governance, Risk and Compliance)
Professional Seminar
 Auditing Technology and IT Investment Management