How can Internal Audit Aid in Effective GRC Implementation

By Devedra Kumar Vyas, CEO, Srei Equipment Finance



Organizations have long dealt with governance, risk management and compliance issues in isolation, but very few have tackled them under a coherent, integrated framework. Governance, Risk management and Compliance (GRC) is a framework that aims to assimilate and streamline information across the GRC functions to enable efficient operations, effective reporting and information sharing.


GRC need not be a separate function within an organization; it can be employed effectively through proper collaboration between different departments. Ever-changing business dynamics have given rise to fast-evolving trends and, consequently, newer risks. Increasingly, companies are finding it difficult to comprehend and cope with the new challenges. The silo approach to handling the new risks hasn’t been very successful. Collaboration is needed, so that every department within the organization is on the same page. For effective implementation of GRC, it is vital that there is collaboration between the board of directors, audit committee, internal auditors, independent external auditors, and management. It is fundamental to an organization’s success to ensure this collaboration occurs economically, efficiently and effectively.


Internal Audit and GRC


Internal Audit is uniquely placed within an organization to support the implementation of GRC as a framework. Audit of governance activities gives assurance to the various stakeholders about the effectiveness of different processes. Internal audit can ensure that shareholders’ rights are recognized and that organizational activities are socially responsible and aimed towards sustainable business growth. Internal Audit can aid the management in finding the perfect balance between shareholders’ rights, social impact and sustainable profits. Internal audit can also assist the board in reviewing and guiding the management in defining the organizational strategy. It can also check whether the board’s plans and actions adhere to risk regulations and ensure that the board is actively involved in the business plans and annual budgets. It can also help the board in the evaluation of corporate performance.

Internal audit can collaborate with the risk department and cross-leverage each function’s respective competencies, roles and responsibilities. At different product development stages, risk management and internal audit teams can point out mutual areas of interest, increase awareness and take pre-emptive actions. There could be potential ‘white spaces’ – areas that don’t have an easily identifiable owner or aren’t associated with any function. Internal audit and risk management together can effectively identify these ‘white spaces’, actively fill them and provide a higher level of confidence in the overall risk management system. The management can learn the risk assessment methods of internal audit and benefit from the insights of the audit team. Internal audit, along with the audit committee, can raise and follow up on any issue which calls for accountability of the management.


CEO’s contribution in improving the collaboration and GRC framework


For a CEO, protecting value is as important as creating value. The CEO can oversee the integration of internal audit in business management and elevate audit from watchdogs to business partners. She/he can understand and communicate the shareholders’ point of view to the internal audit committee and can also bridge the gap between internal audit and other business departments.

In conclusion, organizations which recognize that integrating principles of sustainable practices is required for long-term value creation will fare much better than those that do not. Enterprise risk management has permeated the risk management layers, and now governance, risk and compliance is following suit and taking it even further. Internal audit can act as a kernel to the business modules of risk management process, information technology/data management, operational risks, compliance and regulation, corruption/fraud, corporate governance, cost reduction/containment, and tax compliance of any organization. Every organization is unique and faces unique challenges. Audit is best placed to understand those challenges. For GRC to be implemented effectively, the framework needs to be implemented keeping in mind those challenges, for which internal audit is the most suited function.
