Fig. 4. Conceptual Model for Compliance
prioritize risks that are already aligned with corporate objectives defined by governance (Fig. 4).

This way, audit management, one of the key components of GRC, is responsible for auditing the processes or departments of the organization in which risks that menaced and compromised the achievement of goals were identified. By having risks aligned with objectives, audit teams can address the most important threats that place organizations' compliance under risk. Audit management is responsible for internal controls testing and policies review [22] in order to report findings and produce recommendations that will subsequently improve controls and policies (Fig. 4). Findings and issues are very similar. Organizations, therefore, need to pay close attention to them to know what needs to be fixed, who is responsible and what the progress in accomplishing it is [22].

Although audit management is very important and a crucial piece of the puzzle, it must be presented as an independent and neutral component [21], so as to preserve reliable conclusions and results that can be translated into important improvements. Consequently, compliance is responsible for defining the tactical approach that the organization should follow in order to be compliant with standards and regulations and translate it to policies and procedures. By tactical approach, we mean implementing communications so that