Not sure you understand what this means? Or are you sure it does not make sense? Or do you know for sure that it isn’t true?

Worry not, for we’ll cover quite some of that ground here.

Let’s recall a part of how The Institute of Internal Auditors defines internal auditing.

“Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.

Classically, internal auditing’s value proposition was geared toward improving internal controls; however, as the concept of risk management came to life and governance evolved, internal auditing, being closely aligned with both, came to encompass improvements in these areas as well.

With the availability of many frameworks for risk management and controls, the regulation around governance, and the fancy organizational investments in dedicated resources for risk management, internal controls, etc., one might ask what else internal auditing could offer in these areas, and how exactly its improvement interventions in risk management, control and governance processes fuel business growth.

For starters, it’s not just about testing these systems and recommending improvements to them. It is much more about how these processes work to accomplish the objectives they are designed for, and that’s where the internal auditor’s skillset comes in handy.

So, let’s just dive right in!

Risk Management

  • Evaluating the risk management policies and strategies to determine the needs assessment and alignment with business objectives.
  • Evaluating the framework investment choices and their alignment with the organization’s requirements.
  • Evaluating the competence of the resources invested to drive risk management.
  • Evaluating the comprehensiveness and relevance of the risk identification process.
  • Evaluating the adequacy of the heat map.
  • Evaluating the alignment of the risk classification mechanism with the organization’s business.
  • Evaluating the thoroughness of the risk assessment process and the objectivity of scoring under the heat map.

Controls

  • Evaluating the control philosophy and the structure laid out to implement it.
  • Evaluating whether the control objectives are fully laid out and well understood.
  • Evaluating whether a comprehensive framework is relevant to the organization’s business or whether dispersed control procedures are adequate.
  • Evaluating the competence of the resources entrusted with responsibility for controls.
  • Evaluating the mechanism for determining alignment between the design of controls and the objectives and processes they are part of.
  • Evaluating the thoroughness of control procedures, their inter-relationships, dependencies and monitoring mechanisms.

Governance

  • Evaluating whether the governance structure and systems are laid out in accordance with regulatory requirements.
  • Evaluating whether all areas needing governance are serviced through organization-wide policies.
  • Evaluating whether the governance structure and system are adequate to the organization’s requirements.
  • Evaluating the significance attached to adherence with governance requirements in the understanding of those charged with governance.

Be advised that the steps above are not exhaustive and do not provide absolute guidance on the GRC design evaluation services internal auditors can and may provide. Moreover, testing of the designed GRC systems is typically part of the assurance services internal auditors provide, and hence it has not been mentioned here.

The systematic and disciplined approach to GRC that internal audit offers gives the organization an opportunity to evaluate its GRC investments in an integrated manner, with an independent and fresh perspective. Internal auditors could utilize a number of capability and maturity models to make their assessments.

For instance, internal auditors might harness a detail-oriented process approach, from initiation and planning to design and implementation and eventually to monitoring and continual improvement, as part of their evaluation of the organization’s GRC systems, and pinpoint deficient stages that are the best candidates for improvement. This allows reviewing the transaction/workflow across all the processes making up the system (not stopping at a particular process boundary) in an integrated evaluation.

Through a corrective approach, root causes are targeted for improvement in controls so that, instead of symptomatic fixes, the system evolves into a better version of itself, ready to take on further challenges. Under a preventive approach, similar advisory allows improvement in identical processes before they become a problem.

Internal auditing aids in the development of sustainable processes and thus resilient GRC systems. Growth comes when the organization stops losing in its operations, since energies and efforts are then no longer bogged down in firefighting (an application of the control system evaluation). Growth also comes when an organization is aware of its brand, product and market direction and strategies (an application of the risk management system evaluation)!

Finally, governance, which ensures that both the risk management and control systems are designed and working as intended, is perfected in its pursuits only by internal auditing!