What's the Difference between GRC and Combined Assurance?

29-8-2017
1
GRC and Combined Assurance:
What’s the Difference?
Toby DeRoche
MBA, CIA, CCSA, CRMA, CICA, CFE
Senior Market Development Consultant
Housekeeping
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
 If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
 This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique
join link.
 We are recording the webinar and you will be provided access to that recording after the webinar.
Downloading or otherwise duplicating the webinar recording is expressly prohibited.
 If you have indicated you would like CPE you must answer all the polling questions to receive CPE
per NASBA.
 If you meet the NASBA criteria for earning CPE you will receive a link via email to download your
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is important to
white list this address. It is from this email that your CPE credit will be sent. There is a processing
fee to have your CPE credit regenerated post event.
 Submit questions via the chat box on your screen and we will answer them either during or at the
conclusion.
 Please complete the evaluation questionnaire to help us continuously improve our Webinars.
Agile Auditing

29-8-2017
2
IMPORTANT INFORMATION
REGARDING CPE!
 SUBSCRIBERS/SITE LICENSE USERS - If you attend the Webinar and answer all the polling questions you will
receive an email with the link to download your CPE certificate. The official email for CPE will be issued via
NoReply@gensend.io and it is important to white list this address. It is from this email that your CPE credit will be
sent. There is a processing fee to have your CPE credit regenerated post event.
 NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the Webinar and answer all the polling
questions and requested CPE you must pay to receive your CPE. No exceptions!
 We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly
recommend that you work with your IT department to identify and correct any email delivery issues prior to
attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will
redirect or not allow delivery of this email from Gensend.io
 Anyone may register, attend and view the Webinar without fees if they opted out of receiving CPE.
 We are not responsible for any connection, audio or other computer related issues. You must have pop-ups
enabled on you computer otherwise you will not be able to answer the polling questions which occur approximately
every 20 minutes. We suggest that if you have any pressing issues to see to that you do so immediately after a
polling question.
Agile Auditing
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral
presentation accompanying them, are for educational purposes only and do not
constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and
complete, AuditNet® makes no representations, guarantees, or warranties as to
the accuracy or completeness of the information provided via this presentation.
AuditNet® specifically disclaims all liability for any claims or damages that may
result from the information contained in this presentation, including any websites
maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
Agile Auditing

29-8-2017
3
Speaker Bio
 Toby DeRoche MBA, CIA, CCSA, CRMA, CICA, CFE
 Internal Audit with a Fortune 100 corporation for 4 years
 Audit consultant for Wolters Kluwer for 7 years
 Works with organizations that are looking for solutions to address their audit and compliance needs.
 Assisted several hundred internal audit departments create, perform, and supervise financial, operational, and
compliance audits to evaluate control frameworks, financial systems, and operating procedures.
GRC vs Combined Assurance
Presentation Overview
With more organizations exploring the concept of
Combined Assurance, there have been many questions
about how this relates to GRC.
In this presentation, we will explore both concepts and
discuss the differences between Combined Assurance and
GRC.

29-8-2017
4
Agenda
Understand the concepts behind
Combined Assurance and GRC
Discuss pros and cons for both
Combined Assurance and GRC
POLLING QUESTION

29-8-2017
5
Assurance Providers
Assurance
Audit
ERM
SOX
InfoSec
EHS
Legal
Numerous departments within
an organization contribute to
governance
Understanding Combined Assurance

29-8-2017
6
Combined Assurance
 Prevent management from being overwhelmed by information
and reports and succumbing to “audit fatigue”
 Provide better organizational governance
 Benefits:
 One voice and taxonomy across all governance bodies and functions in the
organization
 Efficiency in collecting and reporting information
 Common view of risks and issues across the organization
 More effective governance, risk, and control oversight
Coordination and Reliance
IIA Standard 2050:
 The chief audit executive should share
information, coordinate activities, and consider
relying upon the work of other internal and
external assurance and consulting service
providers to ensure proper coverage and
minimize duplication of efforts.

29-8-2017
7
Coordination Approaches
 Integrated planning
 A comprehensive audit risk assessment process should consider:
 Current work planned by other assurance providers that can be
relied upon for audit coverage
 Past results from work completed by other assurance providers
 Integrated reporting
 Reporting on risk coverage and audit coverage
 Reporting on the control environment and issues found
 Comprehensive issue trending by multiple categorizations
Overlapping Activities
Audit planning
Risk
based
projects
Issue
categorization
Board
reporting

29-8-2017
8
 A comprehensive audit risk assessment should consider:
 EHS risks
 InfoSec risks
 Legal risks
 Work planned by the other assurance providers can be relied
upon for audit coverage for these areas
 May need to use tools like a Risk Coverage Map
 CAE and other assurance groups should submit summaries of their
respective planned audit activities, staffing plan, and budget to senior
management and the board
 Combining this presentation helps stakeholders better understand the
scope of the work and planned audit coverage

29-8-2017
9
 Integrated reporting
 Co-presenting internal audit and other audit results will enable
management to focus and set priorities for the organization.
Reduces “audit fatigue”
 Audit activity alignment
 Align the structure of risk and control assessment
 Align documentation standards
 Align project and board reporting structure
 Align issue categorization

29-8-2017
10
POLLING QUESTION
Leverage Technology
 Look for systems to integrate the audit effort
 Shared risk assessment tools
 Shared control monitoring tools
 Shared analytics tools
 Shared documentation tools
 Shared reporting tools for aggregation

29-8-2017
11
Understanding GRC
What is GRC?
GRC is the process of integrating governance efforts, risk
management, and control implementation an organization puts in place
to ensure success.

29-8-2017
12
What GRC is NOT?
 GRC is not software
 GRC solutions are not a magic bullet that creates governance
 Good GRC software should open communication lines across
departments
GRC Goals
 Reduced costs
 Reduced redundant activities
 Streamline operations
 Capture better data more
efficiently
Copied form OCEG Website

29-8-2017
13
GRC Challenges
 Hard to define
 Hard to achieve integration
 Hard to maintain consistency
Copied form OCEG Website
Leverage Technology
 Look for systems to integrate the functions
 Shared strategic objectives
 Shared risk assessment tools
 Shared control monitoring tools
 Shared reporting tools for aggregation
 Shared data for analytics
 Allow integrated individuality

29-8-2017
14
POLLING QUESTION
What’s the difference?
 GRC is an alignment of
business and risk functions
 GRC is typically a
management function
 GRC should include internal
audit
 Combined Assurance is an
alignment of audit functions
 Combined Assurance is an audit
function
 Combined Assurance is lead by
internal audit

29-8-2017
15
Questions?
AuditNet® and cRisk Academy
 If you would like forever access
to this webinar recording
 If you are watching the
recording, and would like to
obtain CPE credit for this
webinar
 Previous AuditNet® webinars
are also available on-demand
for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
Agile Auditing

What's the Difference between GRC and Combined Assurance?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What's the Difference between GRC and Combined Assurance?

Similar to What's the Difference between GRC and Combined Assurance? (20)

More from Jim Kaplan CIA CFE

More from Jim Kaplan CIA CFE (20)

Recently uploaded

Recently uploaded (20)

What's the Difference between GRC and Combined Assurance?