
How effective are your systems of governance, risk, and control/compliance (GRC)?

September 27, 2021

The IIA likes to talk about GRC as an acronym that stands for governance, risk management, and internal control. The rest of the world has ‘compliance’ as the last part.

That doesn’t really matter.

The point is that we are talking about the organization, systems, processes, and related controls that management relies on to not only manage ‘risks’ but achieve their objectives.

They rely on them to function properly and do what is asked of them.

One of the valued services that internal audit provides is assurance, as expressed in the last part of the IIA’s Definition of Internal Auditing:

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.

But too few provide an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities.

This is something I did at each of my companies and I was part of the team that developed a Practice Guide in 2009: Formulating and Expressing Internal Audit Opinions. Its Background section stated:

Internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

I strongly recommend that every internal audit leader become familiar with the Practice Guide. Since 2009, I have developed reservations about a grading system as discussed in the Guide. However, it covers very important issues such as:

  • The form and scope of the opinion
  • The work required to support it
  • Reliance on the work of others

I covered this important topic in Auditing that Matters (my essential book for practitioners). I said:

I am a strong advocate that the CAE should provide a formal overall assessment of the systems of internal control and risk management[1] to the audit committee (or full board) and top management on an annual basis.

While some do not think this is necessary or even achievable, a growing number of governance codes around the world require internal audit to provide an overall opinion. I believe that in time this will be recognized as not only best practice but mandatory.

I started doing this in the mid-1990s at Tosco and have not looked back. The board very much appreciated the assessment, as did management.

I believe this is the primary value that internal audit can provide to any organization.

It provides leadership of the organization with confidence that they can rely on its people, processes, and systems to support their initiatives and achieve enterprise objectives.

It provides leadership with the confidence to take the risks necessary for success.

An opinion on the overall systems of internal control and risk management does not mean that the CAE is opining on the management of every risk. It represents the CAE’s professional opinion on whether there is reasonable assurance that the risks that matter, the risks addressed in the audit plan, are at desired levels.

Let me break that down.

An opinion is just that, an opinion.

As professionals, we are capable of forming and communicating our opinion.

Every professional provides an opinion. It is not a statement of fact; it is an opinion, and we are entitled not only to form that opinion but to share it.

There is a possibility that we are wrong, but if we and our team perform the work to appropriate professional standards we should be able to stand behind it and provide an overall assessment of the condition of the controls over the risks that matter.

I argue that if we don’t provide that opinion, we are shirking our professional responsibilities.

There’s a huge difference in the quality and value of assurance provided by an overall opinion compared to the value of individual reports with opinions on the management of specific risks.

The overall opinion is clear, concise, and actionable.

When only individual reports are provided, the CAE is leaving the audit committee and management to determine for themselves whether, overall, the systems of internal control and risk management are adequate.

Why make them perform that assessment themselves, guessing whether deficiencies in one area mean that the systems as a whole are deficient?

I think the CAE should step up, take the risk, and share his opinion.

When I provide my opinion, it:

  • Is formal, in writing
  • Is an assessment of the systems of risk management and internal control over the more significant risks to the organization and its objectives, based on the work performed during the year; that work is reflected in the audit plan and reports on the audit engagements that have been completed
  • Is based in part on the insights obtained by auditing by walking around, talking to management, and being present. The assessment is not limited to the formal audits that have been completed
  • Is a positive statement, rather than a ‘negative’ opinion. The latter is where you point out the risk and control issues but don’t make a positive assertion on the condition of the risk and internal control systems. I dislike the negative opinion as it makes the board and top management guess what our real opinion is
  • Where there are risk and control issues that merit special attention, or where parts of the organization are of concern, they are highlighted

In other words, I try to provide the board and top management with the information they need if they are to understand the condition of the risk and internal control systems, whether risks are being managed at acceptable levels, and whether action is required by them.

For example, while at Tosco, I highlighted the issues at the Avon refinery in Northern California while praising the strength of the Bayway refinery in New Jersey. The contrast was especially useful to the audit committee.

I explained that controls over financial reporting were fine, but those over some operational risks were not. I told them what they needed to know.

My communication is intended to help the board and top management discharge their governance and oversight responsibilities. It is not about telling them how good we are and how successful we have been in identifying deficiencies.

Because my primary end product is this annual assessment, I design the audit plan to give me the input, the information about the management of risk that I need.

In the book, I provide an example of the opinion I shared with the audit committee of the board at Tosco Corporation. I also share how I developed the audit plan and the team to execute it.


  1. Do you provide an opinion on each audit rather than ratings or a list of weaknesses?
  2. Do you provide an overall opinion annually?
  3. Do you do the right work to support that opinion?
  4. Do you do work that is not necessary for that opinion – and if so why?

I welcome your answers and comments.

[1] I consider governance processes to be part of the systems of internal control and risk management. Technically, internal control exists to manage risk, so I could readily make the case that we should just be assessing the management of risk – but it is easier to talk about the more traditional view of internal control and how it helps manage the risks that matter.

There are some that believe internal audit should provide assurance on governance, risk management, and compliance (or control). I don’t agree with this position. Internal audit can provide advisory services to help the board assess its practices, but I don’t believe internal audit should put itself in the position of assessing the competence, integrity, or performance of either the board or executive management. Instead, I believe we should assess whether there are processes and controls in place that address the risk of ineffective governance. We can also share best practices in governance. But going further is a step too far, in my opinion.

  1. September 27, 2021 at 10:30 AM

    Norman, definitely agree with you. The UK’s Corporate Governance code (provision 29) requires, ‘The board should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.’ As a result, I always provided an overall opinion to the Audit Committee and would expect that CAEs in a similar position would do the same.
    In the recent request for comments on the IPPF, I suggested that an overall opinion should be required in the standards: 2450 – Overall Opinions
    ‘The chief audit executive must issue overall opinions at least annually, based on the results of individual audits. The opinion should state whether the business is likely to achieve its objectives, based on the individual audit opinions in the period under review.’

  2. John Fraser
    September 27, 2021 at 11:19 AM

    Your Questions:
    Do you provide an opinion on each audit rather than ratings or a list of weaknesses? YES
    Do you provide an overall opinion annually? NO – SEE BELOW
    Do you do the right work to support that opinion? SORT OF
    Do you do work that is not necessary for that opinion – and if so why? YES – SEE BELOW
    Re providing an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities: JOHN: in every company that I have worked at, the control weaknesses were so significant that I could never give a ‘clean’ opinion. It would have had to be a long form opinion, which is what my reports to the Audit Committee were.
    Re Q 4: yes, we did some ‘consulting’ as recommended by the IIA. But it was not directly affecting our opinion on internal control. Management loved it though.

  3. Anonymous
    September 27, 2021 at 11:48 AM

    Thanks Norman, this is insightful. If you could share a model year-end opinion to be shared with the board

    • Norman Marks
      September 27, 2021 at 11:52 AM

      I have one in the book, but did not retain the ones I provided the audit committees of my other companies.

  4. Mohammad Majdy Hassan
    September 27, 2021 at 1:07 PM

    I totally agree about “how far internal audit should go with auditing governance”. I myself benchmark the existing model or practices against a maturity model or best practices and recommend what is missing, mostly things requested by regulators related to financial services (“the company”).
    The questions:
    1. Yes, I do an opinion for each individual risk/item being audited.
    2. Yes. As I divide my plan into 2 semiannual reports, I try “as far as possible” to make all risks related, so the 2 overall opinions would be on related subjects and on others that may not be directly related but would affect the related organizational objectives.
    3. I believe yes, as my plan, audit program, evidence, and recommendations are all related to the objectives that would be affected, in my personal professional opinion.
    4. Yes. I try to avoid consulting services as far as possible by some kind of trick, if I may call it that. I use whitepapers! For example, if I find a weakness in asset management and there are many high-importance/priority recommendations, I provide senior management a whitepaper on best practices for asset management and effective internal controls without forcing them to implement it. This would be “for them”, as further understanding of why, in my opinion, I provide no or limited assurance, and of the gaps between what exists and what is in my/the auditor’s mind as recommendations “without mentioning it in the whitepaper”.
    If they do some of what is in that whitepaper, I may provide a factsheet that represents how the work may be affected.
    The board would receive my opinion and recommendations, and what the company did or agreed to do about them and when. So at the end I make sure that the board, senior managers, and even staff would all agree or understand why my opinion is negative or positive, and there would be actions to be done.

  5. September 27, 2021 at 2:45 PM

    I think providing an overall opinion is the big picture which the board requires to contextualize the effectiveness of risk management, governance, and control. The several separate audit opinions on engagements during the year become part of the big picture, but so often all the moving parts are not accounted for, e.g. several issues might be resolved by the time the overall annual opinion can be drafted, which consequently affects the risk profile, governance, and control. These should be discussed in the commentary. Also, as it is a professional opinion based on an objective interpretation of information on a specific date, it should be communicated clearly and objectively on the ‘effectiveness’ of these three areas on the company’s objectives, which also means that it could be a negative statement when the company is actually performing well.

  6. tom wong
    September 27, 2021 at 5:15 PM

    I would agree on general principle that Boards can use a more insightful and wider-scoped opinion, i.e. an overall opinion of an organization or a major part of it. However, it is my opinion that Internal Audit Departments are often not staffed or budgeted enough to do such comprehensive audits, which are needed to make a wide-scoped overall organizational opinion. To provide an overall opinion affecting the entire organization or a large part of it requires a very thorough audit program, with extensive and lengthy interviews, audit coverage of all critical strategic operational sub-areas of the primary department/function, strong and proactive support of executive staff and their reports, and possibly a prior history of such comprehensive audits. I’ve done and managed some of these audits, so I know they are risky, possibly political, and very resource-consuming. I do believe that organizations can benefit from such audits, but adequate resources and management support need to be in place.

    • Norman Marks
      September 27, 2021 at 5:24 PM

      I agree, but then the issue is whether the CAE is willing to say that to the audit committee: “I don’t have sufficient resources to cover a reasonable number of the more significant risks”.

  7. September 27, 2021 at 7:36 PM

    It is a very risky proposition for internal audit to assess the competence, integrity, or performance of either the board and/or executive management. It’s like hitting one’s head against a thick brick wall. There are a number of indicators that could assess their performance for a conclusion to be reached on the quality of the performance of the board and senior executives. Of course, it is imperative that there is a regular assessment of whether there are processes and controls in place that address the risk of ineffective governance, such as assessment of the tone at the top (i.e., employee surveys, social media reputation, the existence of a whistleblower program, extent and nature of wrongdoings, tone of management communication, ethical values being promoted and practiced, etc.) and other elements/factors of the control environment, and to do away with anything that would imply personification of the assessment, such as those dealing with their integrity and/or competence. Who will then assess their competence and integrity? In my opinion, let the shareholders and regulators have a say on that, and seek assurance to be provided by an “independent” body not reporting to the board nor the executive management, such as IA. IA could provide the hints, but should not be involved in providing assurance by assessing their competence, integrity, or performance. These are such delicate areas that IA should tread with caution.

  8. September 28, 2021 at 3:06 AM

    Good post. Thank you. One way to implement what you describe is to focus on strategic responsibilities. A key responsibility that could easily be included in the audit plan is a review of the board’s governance responsibilities. What could be more strategic? It’s easy when using this approach to start with a few simple questions – What are you trying to accomplish (and is it appropriately defined)? How are you going about it (is it a good strategy)? And how well is it working? These are things that auditors have the ability to objectively review and opine on.

  9. Lalit Dua
    October 3, 2021 at 4:41 AM

    IA forms an opinion based on the audit reviews of data, records, reports etc. for a period under review and on sample data; hence the expression of a reliable opinion on the effectiveness of GRC processes will always be subjective. The situation is aggravated further in the absence of documented processes and controls, frequent change of roles of managerial/operational staff, and a high rate of attrition. Since the effectiveness of GRC depends on the attitude and work approach of the leaders of the management team, the annual opinion should come from them. IA can’t be held responsible for every act and action within the organisation. As such, IA apprises the board and AC periodically about critical strategic and operational issues and related mitigation plans by conducting regular and management audits and investigations.
