by simongr » Thu Dec 17, 2009 1:20 am
What should the role of the Internal Auditor be in governance, risk and compliance? There has been much discussion on this topic but I am interested in feedback from the global audit community. Some audit committees believe their internal audit departments should not take on significant additional responsibilities for risk management. Instead, they say internal audit should remain focused on financial audits and internal controls. What is your opinion?
I am a firm believer in GRC, so my opinion, although formed through personal experience, might be skewed to one side.
I have worked as an Internal Auditor, a risk manager, a compliance manager, a financial services regulator and as Head of GRC and Legal.
As I see it, compliance is ensuring that one abides by regulations, standards, procedures and policies... i.e. work is done within a framework. On the other hand, Internal Audit and Risk Management can sometimes be interlinked, since they are both out to determine the flaws and risks in systems, processes and procedures; they differ only in the final approach. The former should facilitate and give recommendations on mitigation/management of the risks and flaws (if they need to be mitigated) and help management take informed decisions, while the latter is also responsible for the management of this.
In my opinion the character and attributes of the persons involved are very important to ensure GRC works - they should be team players, good listeners, good communicators (written and verbal), motivators and should be strong in character - not afraid to say what they think. Especially the Chief GRC/Head of GRC should be ready to say 'no', and this needs good backing from the Audit Committees and Chairman.
In the former case (compliance) one can always back up an argument by quoting legislation and standards... the only subjectivity is interpretation of the spirit of legislation and standards.
I feel that working under one Head of GRC is cost efficient in many ways, since it creates pro-activity in one's approach and eliminates overlapping of certain functions.
The way I was set up in a firm of 400 employees:
Head GRC
Manager – Risk
Manager – compliance
Manager – Legal
Manager – Internal Audit
Assistant x 2
Simon