GRCA GRC Auditor Certification Exam Questions and Answers

The level of assurance risk targeted by an assessment should be driven by the assessment's purpose and parameters. Not all assessments require very low or zero assurance risk; some may appropriately target higher levels of assurance risk depending on the context and objectives. The purpose and scope of the assessment, as well as the risk tolerance of the organization, will dictate the acceptable level of assurance risk. This approach ensures that resources are allocated efficiently and that the assessment is tailored to the specific needs and risks of the organization. References:

ISO 31000:2018 - Risk management – Guidelines

COSO Enterprise Risk Management – Integrating with Strategy and Performance

Follow-up on the implementation status of the recommendation from within the area being assessed is known as Follow-Up by Process Owner. This approach involves the individuals responsible for the area under assessment reviewing the progress of implementing recommendations and controls. It ensures that those directly involved in the process take ownership and accountability for addressing the identified issues. References:

ISO 19011:2018 - Guidelines for auditing management systems

COSO Internal Control – Integrated Framework

The key steps in the Assurance Process are Plan, Perform, Report, and Follow-Up. This structured approach ensures that assurance activities are conducted methodically and effectively:

Plan: Define the objectives, scope, and methodology of the assurance activity.

Perform: Carry out the assurance activity based on the defined plan.

Report: Document and communicate findings, conclusions, and recommendations.

Follow-Up: Verify that recommendations are implemented and assess their effectiveness.

These steps help ensure that assurance activities provide valuable insights and drive improvements within the organization. References:

IIA Standards for the Professional Practice of Internal Auditing

COSO Internal Control – Integrated Framework

Risk is defined as a measure of the desirable effect of uncertainty on objectives. According to the ISO 31000 standard, risk is "the effect of uncertainty on objectives" which can be either positive (opportunity) or negative (threat). This definition encompasses the uncertainty that can impact the achievement of goals and objectives. It highlights that risk is not just about potential losses but also about potential gains that come from taking risks. References:

ISO 31000:2018 - Risk management – Guidelines

NIST SP 800-30 Rev. 1 - Guide for Conducting Risk Assessments

If follow-up discovers that actions and controls haven't been implemented, it is important to use professional judgment and work with the action owner to understand why the plans have not been implemented. Immediate escalation to the board without understanding the context may not be the most effective approach. Engaging with the action owner can help identify obstacles and facilitate a constructive resolution. Escalation should be considered if there is a significant risk or if there is consistent non-compliance despite reasonable efforts to address the issue. References:

ISO 19011:2018 - Guidelines for auditing management systems

IIA Standards for the Professional Practice of Internal Auditing

Follow-up should not be restricted to the recommendations and action plan alone. It should also target the underlying risk to ensure that the actions and controls implemented are effectively mitigating the identified risks. If the follow-up reveals that the planned actions and controls are not working as intended, it is essential to identify and recommend necessary changes to address the underlying risk adequately. This approach ensures that the root causes of issues are addressed and that the organization is protected against potential risks. References:

ISO 31000:2018 - Risk management – Guidelines

COSO Enterprise Risk Management – Integrating with Strategy and Performance

Assessments should be selected based on how objectives connect and prioritize the risk universe and assessment universe. This approach ensures that the assessments are aligned with the organization's strategic goals and that the most significant risks are addressed. It involves understanding the organization's risk landscape and prioritizing assessments that focus on the areas of highest impact and relevance to achieving objectives. References:

ISO 31000:2018 - Risk management – Guidelines

COSO Enterprise Risk Management – Integrating with Strategy and Performance

If the inherent risk and control risk are both low, we may consider performing less testing. Inherent risk refers to the risk of an event occurring without considering any controls, while control risk is the risk that controls will not prevent or detect the event. When both risks are low, it indicates that the likelihood of issues occurring and not being detected is minimal, allowing for a reduced level of testing. This approach helps in efficiently allocating resources while maintaining a reasonable level of assurance. References:

AICPA Auditing Standards

ISO 31000:2018 - Risk management – Guidelines

A written report by an assurance professional is most likely to be the most objective source of evidence. Assurance professionals are trained to conduct evaluations impartially, following standardized methodologies and best practices. Their reports are based on documented evidence and systematic analysis, ensuring a high level of objectivity and reliability compared to vocalized statements or reports by process owners, who may have biases or conflicts of interest. References:

IIA Standards for the Professional Practice of Internal Auditing

ISO 19011:2018 - Guidelines for auditing management systems

Follow-up on the implementation status of recommendations by assurance personnel is known as Follow-Up by Independent Assurance. This process involves independent assurance providers reviewing the actions taken to address the recommendations and verifying that they have been implemented effectively. This follow-up ensures that issues identified during the assessment have been resolved and that improvements have been made. References:

IIA Standards for the Professional Practice of Internal Auditing

ISO 19011:2018 - Guidelines for auditing management systems