Governance, Risk & Compliance (GRC)

Governance, frequently called “Tone at the Top”, is the responsibility of the board and senior executive management. They must promote appropriate ethics and values, ensure effective performance management and accountability, and appropriately communicate risk and control information within the organization and among the board and external auditors. Internal Audit must assess and make recommendations related to Governance according to the 2009 revised Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF).

Risk Management identifies, assesses, and responds to risk based on the organization’s business objectives. Risk Management leverages internal controls and other risk responses to manage and mitigate risk throughout the organization. It also identifies opportunities and manages the exploitation of those opportunities to increase value for the organization.

Compliance is the process that records and monitors the controls that enable compliance with legislative or industry mandates as well as internal policies.

Why is this important?

An interesting exercise is the review of the Forbes Corporate Scandal Sheet. What you find are off-balance sheet loans, inflated revenue, round-trip trades, and the list goes on. Most of these activities relate to practices at the highest levels of the organization. The common thread is that external or internal auditors did not report any of the warning signs. This raises the following questions:

1. What is your Internal Audit department doing that will detect these kinds of activities?”

1. Who is reviewing the activities of executive management and the board? 
1. If it is Internal Audit or the External Auditors, can they operate independently? 
2. Will they still have a job if they ask the tough questions and make unpopular recommendations?

Value to the Client

An independent third party review can add significant value and insight into the areas of GRC within your organization. These reviews frequently uncover unspoken concerns that are important for the ongoing welfare of the organization.

Why hire M&A?

The independence of the Chief Audit Executive and the Internal Audit department may be impaired resulting in them not being able to perform these reviews. In this situation, an excellent solution is to engage an external consultant to evaluate the governance structure, including the sensitive areas of board, audit committee, and internal audit oversight functions. M&A has the experience to work with your organization to perform an assessment that fits your organization and your needs. Our experienced facilitation and internal controls staff develop materials tailored to your organization. Since GRC needs are unique to your environment, our flexibility results in a review that meets your needs resulting in a more efficient process.

Contact the M&A Risk Management Services Team at ENissley@macpas.com for more details, and subscribe to The RMC Advisors blog at www.theRMCadvisors.com to receive updates on relevant accounting and audit information!