Questions to ask about GRC – #12: GRC Assurance
12. Does the board have continuing assurance regarding GRC processes?
The board is reliant on management’s processes for providing necessary information to establish appropriate strategies, execute on those strategies and deliver performance, consider and manage risk, and remain in compliance.
The external auditors provide a level of assurance to the board that management’s financial statements can be relied upon, but (with a few exceptions) they don’t provide opinions on management’s other processes. For those, the board has to rely on the internal audit function and other assurance groups (which may include a risk office; an environmental, health and safety function; etc.).
In most countries, the board (or its audit committee) is expected to ensure that the organization has effective risk management and internal control processes. Those should extend to include the processes the board relies on to provide effective governance and oversight.
In my opinion, the board (or its committees) should ensure that they have a basis for any assessment they may make on the adequacy of risk management and internal control – and the best source for that assurance is the internal audit function. I believe that internal audit should provide an annual report that includes an opinion on governance, risk management, and related internal control processes. That opinion will be based on the work they have performed, which will typically focus on the more significant risks to the enterprise as a whole.