GRCA GRC Auditor Certification Exam Questions and Answers

Follow-up should not be restricted to the recommendations and action plan alone. It should also target the underlying risk to ensure that the actions and controls implemented are effectively mitigating the identified risks. If the follow-up reveals that the planned actions and controls are not working as intended, it is essential to identify and recommend necessary changes to address the underlying risk adequately. This approach ensures that the root causes of issues are addressed and that the organization is protected against potential risks.References:

ISO 31000:2018 - Risk management – Guidelines

COSO Enterprise Risk Management – Integrating with Strategy and Performance

Follow-up on the implementation status of recommendations based on high priority, due or overdue items, or time-sensitive items is known as Follow-Up by Targeted Review. This approach focuses on areas that are of critical importance or where timely implementation is essential. It helps ensure that the most significant risks are addressed promptly and that any delays in addressing recommendations are identified and managed.References:

IIA Standards for the Professional Practice of Internal Auditing

COSO Internal Control – Integrated Framework

During the planning phase of an assessment, it is not necessary to conduct a complete risk assessment and detailed testing. Instead, limited information gathering and initial procedures are sufficient to estimate inherent risk and control risk, allowing planning to proceed. This initial estimate helps to set the scope and focus of the assessment. Detailed testing and a comprehensive risk assessment can be conducted during the actual assessment phase. This approach allows for a more efficient and flexible planning process.References:

ISO 19011:2018 - Guidelines for auditing management systems

NIST SP 800-30 Rev. 1 - Guide for Conducting Risk Assessments

Follow-up on the implementation status of the recommendation from within the area being assessed is known as Follow-Up by Process Owner. This approach involves the individuals responsible for the area under assessment reviewing the progress of implementing recommendations and controls. It ensures that those directly involved in the process take ownership and accountability for addressing the identified issues.References:

ISO 19011:2018 - Guidelines for auditing management systems

COSO Internal Control – Integrated Framework

Inspecting the use of a RACI template in the field to see how it is being used is classified as a substantive test. This test involves examining actual instances of the RACI template's application to verify its proper use in practice. It goes beyond evaluating the design of the control (the template itself) and looks at the real-world implementation and effectiveness, providing evidence on how the control operates in practice.

References:

AICPA Auditing Standards

ISO 19011:2018 - Guidelines for auditing management systems

If follow-up discovers that actions and controls haven't been implemented, it is important to use professional judgment and work with the action owner to understand why the plans have not been implemented. Immediate escalation to the board without understanding the context may not be the most effective approach. Engaging with the action owner can help identify obstacles and facilitate a constructive resolution. Escalation should be considered if there is a significant risk or if there is consistent non-compliance despite reasonable efforts to address the issue.References:

ISO 19011:2018 - Guidelines for auditing management systems

IIA Standards for the Professional Practice of Internal Auditing

When writing a complete recommendation, it is important to include specific suggestions or mandatory requirements to comply with in order to fix the problem. This ensures that the recommendation is actionable and provides clear guidance on what needs to be done to address the issue. General comments may not provide enough detail or direction for effective implementation. Clear, detailed recommendations help organizations understand the necessary steps to mitigate risks and improve controls.References:

ISO 19011:2018 - Guidelines for auditing management systems

COSO Internal Control – Integrated Framework

Reasonable assurance is considered a high level of assurance. It indicates that the assurance provider has conducted a thorough and rigorous evaluation, although it does not guarantee absolute certainty. Reasonable assurance is commonly used in auditing and risk management contexts to provide stakeholders with confidence that the organization is operating effectively and complying with relevant standards and regulations.References:

ISO 31000:2018 - Risk management – Guidelines

AICPA Auditing Standards

The parameters of an assessment include Scope, Criteria, and Nature of Testing. These elements define the boundaries and focus of the assessment:

Scope:Defines the areas, processes, and activities to be assessed.

Criteria:Specifies the standards, policies, and regulations against which the assessment will be conducted.

Nature of Testing:Describes the types and extent of testing procedures that will be employed to gather evidence and evaluate compliance and performance.

These parameters ensure that the assessment is well-structured, targeted, and aligned with the objectives and requirements of the organization.References:

ISO 19011:2018 - Guidelines for auditing management systems

COSO Internal Control – Integrated Framework

Compliance is defined as a measure of the degree to which obligations and requirements are addressed. It involves adhering to laws, regulations, policies, and standards that are relevant to the organization. Compliance ensures that the organization meets its legal and ethical obligations, thereby avoiding legal penalties, reputational damage, and operational disruptions. Effective compliance programs involve continuous monitoring, training, and auditing to ensure all requirements are met and maintained.References:

ISO 19600:2014 - Compliance management systems - Guidelines

NIST SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations