It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
If you’re staring down the gauntlet of a GRC audit, you may be tempted to envy an earlier generation of business leaders. Things seemed a lot simpler then, at least on the surface. A train station billboard in the 1970s captured the tone of the era perfectly. It featured three businessmen (men, of course…) in suits reading Forbes, Fortune and Businessweek. The ad simply asked, “Who’s the head honcho?” Well, of course it was the one reading Fortune. Maybe it was Forbes… but that’s not the point. The idea was that it was supposed to be easy to spot the head honcho.
The “G” in GRC stands for governance. Back then, governance was about the structure of the board: who was the head honcho and who bowed down to him? The “R” for risk and “C” for compliance were also more manageable affairs in those days. Risk was about insurance policies and treasury oversight. Compliance involved the SEC and a few other alphabet agencies, but head honchos weren’t constantly threatened with perp walks. After all, they were honchos. The world is different today.
What is GRC?
GRC describes a number of critical shared responsibilities held by the board of directors. The board, representing the shareholders, has a fiduciary duty to protect shareholder assets from risks like theft, damage and hacking. Governance is the means by which they protect and grow those assets. Risk management comprises the practices of identifying and mitigating threats to the value of shareholder assets. Compliance relates to the board’s duty to shield the shareholder assets from the devaluing impacts of regulatory penalties. The latter ranges from fines all the way up to de-listing from exchanges and prison terms for C-level executives.
In theory, G, R and C are separate spheres of activity. Pushing them into a single category arises naturally from their deep connections. IT, in particular, creates overlaps and dependencies between G, R and C. Non-compliance is essentially a risk, for example. Cyber security is a risk factor which connects directly with most major compliance regimens, e.g. Sarbanes-Oxley and PCI DSS. Governance structures are supposed to address risk management and compliance. Today’s boards, for instance, now often feature dedicated cybersecurity committees. This is a new phenomenon, but reflective of the unified nature of GRC.
GRC is also a software category. As G, R and C have become intertwined, this new class of software emerged to help companies stay on top of the divergent and sometimes conflicting workstreams of GRC. GRC solutions provide a means for tracking risks and policies. They offer ways to report on activities of various systems that the company relies on for GRC functions. A GRC platform might deliver reporting on the policy enforcement activities of an Identity and Access Management (IAM) system like Microsoft Active Directory.
What is a GRC Audit?
Let’s start by saying there is no such thing as an official GRC audit. It’s not like a Sarbanes-Oxley Section 404 audit over internal controls. That’s an audit with a well-understood structure and set of deliverables. Nor is it an audit like those done for PCI DSS, which covers an industry-standard set of requirements and results in a formal attestation of compliance upon passing. A GRC audit is made up of steps and reports determined by whoever is responsible for GRC. This is usually the CFO or Chief Compliance Officer (CCO).
The GRC audit assesses how well an organization is following its particular implementation of its chosen GRC framework. The frameworks vary. Some are completely original in nature. Each company has its own way of doing GRC and as a result, its own unique GRC audit processes and deliverables.
What is consistent across all GRC audits, however, is the practice of generating and evaluating reports from the security and compliance systems that support GRC overall. The GRC audit process will include creating accurate reports on the state of the company’s segregation of duties (SoD), monitoring of user accounts and role changes, password management on ERP systems and so on. “Accurate” is the operative word: an SoD report is only as good as the conflict rules it checks and the completeness of the user-role extract it checks them against, and a role-change report has to cover every path by which a role can be granted, including the administrators who grant them.
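As an added illustration of how two of those reports are produced (this is not code from the page or from ControlPanelGRC), the following Python checks a user-role extract against a segregation-of-duties rule set, then replays a role-change log to show which changes introduced new conflicts and which changes were self-granted or made outside business hours. The conflict rules, role catalog, user assignments, log format and log records are all constructed assumptions chosen to show the failure modes, not data from any real system.

```python
"""Constructed GRC audit report examples: an SoD conflict check over a
user-role extract, plus a role-change log review. All data is invented."""

# Assumed SoD rule set: pairs of business functions one person must not hold.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"assign_role", "approve_role_assignment"}),
}

# Assumed role catalog: role -> business functions it grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_CONTROLLER": {"approve_journal_entry"},
    # A single role that is itself an SoD conflict: granting and approving roles.
    "SEC_ADMIN": {"assign_role", "approve_role_assignment"},
}

# Constructed baseline user-role extract, before the changes in the log below.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"GL_CONTROLLER"},
    "dave": {"SEC_ADMIN"},
}

# Constructed role-change log; the format (timestamp actor target action role)
# is an assumption, not any product's real log format.
ROLE_CHANGE_LOG = """\
2019-03-04T09:12:00 dave alice ADD AP_MANAGER
2019-03-04T22:47:10 dave dave ADD GL_CONTROLLER
2019-03-05T10:02:33 erin carol ADD GL_ACCOUNTANT
"""


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the business functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Return {user: sorted conflicting function pairs} for every user whose
    combined roles grant both halves of at least one conflict rule."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles, role_functions)
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= funcs)
        if hits:
            report[user] = hits
    return report


def parse_role_changes(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, target, action, role = line.split()
        records.append({"ts": ts, "actor": actor, "target": target,
                        "action": action, "role": role})
    return records


def apply_role_changes(user_roles, records):
    """Replay ADD/REMOVE records onto a copy of the extract; the input is not mutated."""
    after = {user: set(roles) for user, roles in user_roles.items()}
    for r in records:
        roles = after.setdefault(r["target"], set())
        if r["action"] == "ADD":
            roles.add(r["role"])
        elif r["action"] == "REMOVE":
            roles.discard(r["role"])
    return after


def flag_role_changes(records, business_hours=(8, 18)):
    """Flag self-granted roles and changes made outside the assumed business-hours window."""
    findings = []
    for r in records:
        reasons = []
        if r["actor"] == r["target"]:
            reasons.append("self-assigned")
        hour = int(r["ts"][11:13])
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append((r["ts"], r["actor"], r["target"], r["role"], reasons))
    return findings


if __name__ == "__main__":
    changes = parse_role_changes(ROLE_CHANGE_LOG)
    print("Baseline SoD violations:", sod_violations(USER_ROLES))
    print("SoD violations after changes:", sod_violations(apply_role_changes(USER_ROLES, changes)))
    print("Suspicious role changes:", flag_role_changes(changes))
```

Two things in the output are worth noticing. The SEC_ADMIN role is a conflict on its own, so the check has to resolve roles down to the functions they grant rather than comparing role names; and the only way to explain how alice and carol acquired their conflicts is to keep the role-change log, which is also where dave granting himself a role at night shows up.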
How to Nail a GRC Audit
Getting the GRC audit right takes a combination of tooling and processes. People matter, too. They are the ones using the tools and executing the process. But, of these three, having the right tools at the heart of GRC makes the biggest difference. Without effective GRC tools, people and process won’t get you very far.
Our approach involves the use of our ControlPanelGRC AutoAuditor. This software helps with GRC and compliance by automating the execution and validation of reports. With the tool, it’s possible to predefine numerous reports and then run them with relative ease. This removes some of the stress of preparing reports for a GRC audit. Our customers frequently tell us how laborious GRC audit report preparation can be.
Specifically, ControlPanelGRC AutoAuditor enables you to schedule and then automatically execute any predefined, customized compliance report. The application can then route it to preselected users. AutoAuditor also integrates with other ControlPanelGRC modules, including Risk Analyzer, Usage Analyzer, Transport Manager, User and Role Manager and Emergency Access Manager.
Combined with well-thought-out GRC audit procedures, tools like AutoAuditor can expedite and streamline the GRC audit process. The results of the audit will come faster and be easier for key stakeholders to consume and act upon. The audit should be less costly and time-consuming for everyone involved. Now, even in today’s mixed world of compliance and risk, someone can at least be the head GRC honcho after all.