29-8-2017
GRC and Combined Assurance: What’s the Difference?
Toby DeRoche
MBA, CIA, CCSA, CRMA, CICA, CFE
Senior Market Development Consultant
Housekeeping
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
- If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual.
- This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
- We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
- If you have indicated you would like CPE you must answer all the polling questions to receive CPE per NASBA.
- If you meet the NASBA criteria for earning CPE you will receive a link via email to download your certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
- Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
- Please complete the evaluation questionnaire to help us continuously improve our Webinars.
Agile Auditing
IMPORTANT INFORMATION REGARDING CPE!
- SUBSCRIBERS/SITE LICENSE USERS - If you attend the Webinar and answer all the polling questions you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There is a processing fee to have your CPE credit regenerated post event.
- NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the Webinar and answer all the polling questions and requested CPE you must pay to receive your CPE. No exceptions!
- We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io.
- Anyone may register, attend and view the Webinar without fees if they opted out of receiving CPE.
- We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
Speaker Bio
- Toby DeRoche MBA, CIA, CCSA, CRMA, CICA, CFE
- Internal Audit with a Fortune 100 corporation for 4 years
- Audit consultant for Wolters Kluwer for 7 years
- Works with organizations that are looking for solutions to address their audit and compliance needs.
- Assisted several hundred internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems, and operating procedures.
GRC vs Combined Assurance
Presentation Overview
With more organizations exploring the concept of Combined Assurance, there have been many questions about how this relates to GRC. In this presentation, we will explore both concepts and discuss the differences between Combined Assurance and GRC.
Agenda
- Understand the concepts behind Combined Assurance and GRC
- Discuss pros and cons for both Combined Assurance and GRC
POLLING QUESTION
Assurance Providers
(Diagram) Assurance providers: Audit, ERM, SOX, InfoSec, EHS, Legal
Numerous departments within an organization contribute to governance.
Understanding Combined Assurance
Combined Assurance
- Prevent management from being overwhelmed by information and reports and succumbing to “audit fatigue”
- Provide better organizational governance
- Benefits:
  - One voice and taxonomy across all governance bodies and functions in the organization
  - Efficiency in collecting and reporting information
  - Common view of risks and issues across the organization
  - More effective governance, risk, and control oversight
Coordination and Reliance
IIA Standard 2050:
- The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
Coordination Approaches
- Integrated planning
  - A comprehensive audit risk assessment process should consider:
    - Current work planned by other assurance providers that can be relied upon for audit coverage
    - Past results from work completed by other assurance providers
- Integrated reporting
  - Reporting on risk coverage and audit coverage
  - Reporting on the control environment and issues found
  - Comprehensive issue trending by multiple categorizations
Overlapping Activities
(Diagram) Activities that overlap between assurance providers: Audit planning, Risk-based projects, Issue categorization, Board reporting
Coordination Approaches
- Integrated planning
  - A comprehensive audit risk assessment should consider:
    - EHS risks
    - InfoSec risks
    - Legal risks
  - Work planned by the other assurance providers can be relied upon for audit coverage for these areas
  - May need to use tools like a Risk Coverage Map
Coordination Approaches
- Integrated planning
  - CAE and other assurance groups should submit summaries of their respective planned audit activities, staffing plan, and budget to senior management and the board
  - Combining this presentation helps stakeholders better understand the scope of the work and planned audit coverage
Coordination Approaches
- Integrated reporting
  - Co-presenting internal audit and other audit results will enable management to focus and set priorities for the organization. Reduces “audit fatigue”
Coordination Approaches
- Audit activity alignment
  - Align the structure of risk and control assessment
  - Align documentation standards
  - Align project and board reporting structure
  - Align issue categorization
POLLING QUESTION
Leverage Technology
- Look for systems to integrate the audit effort
  - Shared risk assessment tools
  - Shared control monitoring tools
  - Shared analytics tools
  - Shared documentation tools
  - Shared reporting tools for aggregation
Understanding GRC
What is GRC?
GRC is the process of integrating governance efforts, risk management, and control implementation an organization puts in place to ensure success.
What GRC is NOT?
- GRC is not software
- GRC solutions are not a magic bullet that creates governance
- Good GRC software should open communication lines across departments
GRC Goals
- Reduced costs
- Reduced redundant activities
- Streamline operations
- Capture better data more efficiently
Copied from OCEG Website
GRC Challenges
- Hard to define
- Hard to achieve integration
- Hard to maintain consistency
Copied from OCEG Website
Leverage Technology
- Look for systems to integrate the functions
  - Shared strategic objectives
  - Shared risk assessment tools
  - Shared control monitoring tools
  - Shared reporting tools for aggregation
  - Shared data for analytics
  - Allow integrated individuality
POLLING QUESTION
What’s the difference?
GRC:
- GRC is an alignment of business and risk functions
- GRC is typically a management function
- GRC should include internal audit
Combined Assurance:
- Combined Assurance is an alignment of audit functions
- Combined Assurance is an audit function
- Combined Assurance is led by internal audit
Questions?
AuditNet® and cRisk Academy
- If you would like forever access to this webinar recording
- If you are watching the recording, and would like to obtain CPE credit for this webinar
- Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week