Audit and Assurance Aspects of a GRC Program

As noted in my last post, Corporate Boards have come under increasing scrutiny and are being held accountable relative to their oversight responsibilities. The design and implementation of policy and practice within the corporation is part of management’s mandate. The assurance that these activities are being done and being done effectively is the final and exclusive responsibility of the BOD. The BOD effectively delegates this responsibility to the internal audit function who must:

1. Ensure that automated, well-defined, controlled and documented procedures have been established to assess the adequacy of internal controls, to quickly detect and report all violations, and to ensure that business units take timely and appropriate corrective action.

2. Ensure that the systems involved in the preparation of key reports such as financial performance generate accurate information.

3. Ensure that their own process for delivering this assurance, and the charter that governs their activities, are adequate, appropriate and demonstrable on a continual basis.

To deliver this level of assurance to the BOD on a continuous basis, audit departments must:

1. Achieve broad levels of investigative coverage with only limited numbers of expert resources.

2. Conduct field work within the corporate business areas in a consistent and standardized manner.

3. Proactively focus on the areas of the business that are believed to be at the highest risk.

4. React to changes in both external and internal influencing factors such as regulatory requirements, corporate restructuring and unexpected loss events.

5. Keep a complete system of record to fully support their assertions and findings.

6. Conduct all activity within the parameters of professional auditing standards, confidentiality and disclosure considerations, and security requirements.

7. Operate as both a key part of the GRC infrastructure and the infrastructure’s primary oversight function.

Every Corporate Board relies on its internal audit department to provide assurance that corporate systems are functioning to protect it from scandal, fraud and misrepresentation. Audit departments are quickly being transformed from their traditional role as backward-looking investigators into process-oriented, forward-looking groups with an international perspective that can provide education and insight beyond their traditional annual audit plans.

A GRC solution can provide auditors with software and services to help them:

• Tightly integrate continuous control monitoring capabilities with audit planning and execution features.

• Fashion a system able to fully support a true risk-based approach to internal audit.

• More easily build and modify their audit universe so that it always reflects the current state of their organization and the internal and external factors affecting their audit scopes.

• Standardize activities through the use of projects, templates, workflows, scopes and rule sets.

• Establish two-way communication between fieldwork and the system’s central libraries to ensure new data is captured, vetted and used to drive the appropriate activities.

• Maintain data, documents and activities in a way that maximizes visibility and accountability.

In my next post, I consider the risk management aspects of a GRC program, and how they are positioned within an existing enterprise risk management (ERM) framework.

tags: GRC
