How effective are your systems of governance, risk, and control/compliance (GRC)?

The IIA likes to talk about GRC as an acronym that stands for governance, risk management, and internal control. The rest of the world has ‘compliance’ as the last part.

That doesn’t really matter.

The point is that we are talking about the organization, systems, processes, and related controls that management relies on to not only manage ‘risks’ but achieve their objectives.

They rely on them to function properly and do what is asked of them.

One of the valued services that internal audit provides is assurance, as expressed in the last part of the IIA’s Definition of Internal Auditing:

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.

But too few provide an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities.

This is something I did at each of my companies and I was part of the team…
