Tips for Meeting Your Auditing Reporting Objectives


Chris Fox of CA shares his thoughts on GRC best practices and sheds light on the role auditors will play as GRC continues to rise in importance in the enterprise. Chris has many years of international experience in the systems and processes areas and has assisted in writing books on Sarbanes-Oxley and Basel II. He is also a member of the task force that developed OCEG’s GRC Capability Model (Redbook II) and is one of the expert contributors to CobiT 4.1.

One of the issues facing internal auditors is how to report issues to the audit committee, and to what extent. If internal audit reports every single blip on the radar screen, the important and most critical issues could be lost. It is important for internal audit to report the most significant issues -- those that are not being remediated -- along with any trends it is seeing in internal control. Software can facilitate this review, enabling internal audit to prepare a ‘state of the union’ of its internal controls and to identify the issues the audit committee should focus on. This article discusses how software can help to achieve these reporting objectives.


Being able to identify the most important issues -- those worth reporting -- was sometimes difficult before Sarbanes-Oxley. The large increase in exceptions reported from Sarbanes-Oxley efforts made this identification more challenging, both because of the sheer number of exceptions initially identified and because the exceptions had to be evaluated in aggregate to identify underlying trends. For example, before Sarbanes-Oxley, an audit finding may have been that program change control in the accounts payable environment could be improved. After Sarbanes-Oxley, the finding could be that the program change process for all financial applications is deficient.


Sarbanes-Oxley provided an opportunity to assess controls over financial reporting across an organization. GRC continues this trend by extending the identification of risk and the assessment of controls beyond financial reporting into operational areas.


Centralized GRC can help to make critical risk and compliance information more easily visible, such as:

  • The view of risk across all organizational silos
  • The status of all significant controls, including the results of testing and remediation efforts
  • A summary of risk and control information from other computer applications, for example, the results from reviews of segregation of duties applications
  • The results from monitoring applications, for example, unusual transactions identified as part of Foreign Corrupt Practices Act efforts
  • The status of regulatory compliance efforts, for example, addressing regulatory examination concerns
  • Updates to policies and procedures
  • The status of training and compliance programs, for example, the number of people that have successfully completed HIPAA update training
  • The results of specialized continuous auditing programs

Centralized GRC can present internal audit with a wealth of information, but the challenge is identifying the important information, acting on this information, and reporting trends and issues to the audit committee and executive management.

Internal audit could adopt the following strategy:

  • Develop its own exception reports that identify the ‘red flags’ requiring immediate attention
  • Develop internal audit management reports that provide internal audit’s view of the control environment and show how internal audit is reacting to changes in controls and risks
  • Work with the audit committee and executive management to develop tailored reports that identify controls and risks which could require the immediate attention of the board and executive management
  • Prepare an independent quarterly ‘state of the union’ report that addresses internal audit’s view on risk, internal control and emerging issues, and its response to those issues

As noted in the introduction, one of the challenges facing internal auditors is how to report issues to the audit committee, and to what extent. Following the implementation of Sarbanes-Oxley, recent corporate failures and the trend towards more formalized GRC programs, internal audit reporting is becoming more important and the reporting of issues more comprehensive. This gives internal audit an opportunity to add tremendous value to an organization.

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®