everyone knows about the compliance problems [21], through training, surveys
and self-assessments.
This is closely related to policy management, as compliance must determine
whether the organization is conforming to its defined policies. If it is not, the
organization must take the necessary measures to update the current policies,
and in doing so it influences the policy life-cycle.
Summarizing, we can identify further relations between the compliance, governance
and risk areas:
1. Risk categorization is used to schedule and prioritize audits. Consequently,
audit investigations and recommendations have an impact on risks, because
they lead to the improvement of controls;
2. Policies are reviewed and improved by compliance, reflecting the impact of
external regulations, standards and audits, which in turn influences
policy management and the inherent life-cycle of policies.
Real-time monitoring also provides the opportunity to eliminate or greatly reduce
sample-based audits [26]. With continuous monitoring in place, auditors can
rely on the existence of automated controls as evidence of compliance [26].
3.4 Integrated GRC Conceptual Model
In this section we present an integrated view of the three scopes presented so far (Fig. 5).
The points of integration that we specified in each section are now combined in
a single integrated model. We opted not to include monitoring, dashboards and reporting,
to keep the model from becoming more complex.
As previously stated, internal controls are paramount in this model since
they are crucial for governance, risk and compliance activities [15]. Controls are
clearly a common thread among the GRC components (Fig. 5). An organization
should, then, develop and implement adequate controls that mirror policies and
procedures' objectives.
According to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), controls are also indispensable for achieving key business
objectives, through the mitigation of the risks that threaten those objectives, and
thus have a tremendous impact on effective risk management. Compliance manages
controls through audit management, which is responsible for testing and
improving controls based on audit findings and the respective recommendations,
the core of auditors' work. By having adequate, effective and efficient controls, organizations
are not only better prepared for, and safeguarded against, external audits, but
also protect the organization's overall health.
Risks and processes are also given a central role in integrated GRC,
because they are linked to every other element. Every activity is carried out as a process,
and every process carries risks. In order to manage all GRC activities successfully
and proficiently, processes must be associated with risks, and risks have to be linked
to controls. This way, all information is organized along a single chain, making it highly
manageable and traceable.
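The process-risk-control chain described above, as an added example that is not part of the original paper: a small Python model of a GRC register together with the checks a practitioner would run over it, namely traceability gaps (processes with no risk, risks with no control, dangling references), an audit schedule ordered by risk category that skips automated controls with passing evidence (the continuous-monitoring point from Section 3.3), and recommendations derived from failed control tests. Entity names, the three-level risk scale and the test statuses are constructed assumptions.

```python
"""Added example (not from the paper): a minimal integrated GRC register
linking processes -> risks -> controls, with traceability checks and
risk-driven audit prioritisation. All data below is constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    id: str
    description: str
    automated: bool                          # automated => continuous-monitoring evidence
    last_test_passed: Optional[bool] = None  # None = never tested


@dataclass
class Risk:
    id: str
    description: str
    category: str                            # assumed scale: "high" | "medium" | "low"
    control_ids: List[str] = field(default_factory=list)


@dataclass
class Process:
    id: str
    name: str
    risk_ids: List[str] = field(default_factory=list)


RANK = {"high": 0, "medium": 1, "low": 2}    # lower number = audited earlier

# Constructed sample register (hypothetical identifiers).
CONTROLS: Dict[str, Control] = {
    "C1": Control("C1", "Quarterly privileged-access review", False, True),
    "C2": Control("C2", "Automated backup integrity check", True, True),
    "C3": Control("C3", "Change approval recorded in ticketing", False, False),
    "C4": Control("C4", "MFA enforced on admin accounts", True, None),
}
RISKS: Dict[str, Risk] = {
    "R1": Risk("R1", "Unauthorised privileged access", "high", ["C1", "C4"]),
    "R2": Risk("R2", "Loss of backup data", "medium", ["C2"]),
    "R3": Risk("R3", "Unapproved production change", "high", ["C3"]),
    "R4": Risk("R4", "Stale procedure documentation", "low", []),   # no control
}
PROCESSES: Dict[str, Process] = {
    "P1": Process("P1", "User provisioning", ["R1"]),
    "P2": Process("P2", "Release management", ["R3", "R9"]),       # R9 does not exist
    "P3": Process("P3", "Backup operations", ["R2"]),
    "P4": Process("P4", "Employee onboarding", []),                 # no risk
}


def traceability_gaps(processes: Dict[str, Process], risks: Dict[str, Risk],
                      controls: Dict[str, Control]) -> List[str]:
    """Break points in the process -> risk -> control chain."""
    gaps: List[str] = []
    for p in processes.values():
        if not p.risk_ids:
            gaps.append(f"process {p.id} has no associated risk")
        for rid in p.risk_ids:
            if rid not in risks:
                gaps.append(f"process {p.id} references unknown risk {rid}")
    for r in risks.values():
        if not r.control_ids:
            gaps.append(f"risk {r.id} has no mitigating control")
        for cid in r.control_ids:
            if cid not in controls:
                gaps.append(f"risk {r.id} references unknown control {cid}")
    return gaps


def audit_schedule(risks: Dict[str, Risk], controls: Dict[str, Control]) -> List[str]:
    """Controls to audit, ordered by the worst risk category they mitigate, then by
    test status (failed, never tested, passed). Automated controls with a passing
    last test are omitted: their monitoring output already serves as evidence."""
    worst: Dict[str, int] = {}
    for r in risks.values():
        for cid in r.control_ids:
            if cid in controls:
                worst[cid] = min(worst.get(cid, len(RANK)), RANK[r.category])

    def status(c: Control) -> int:
        return 0 if c.last_test_passed is False else (1 if c.last_test_passed is None else 2)

    candidates = [cid for cid in worst
                  if not (controls[cid].automated and controls[cid].last_test_passed is True)]
    return sorted(candidates, key=lambda cid: (worst[cid], status(controls[cid]), cid))


def recommendations(risks: Dict[str, Risk], controls: Dict[str, Control]) -> Dict[str, List[str]]:
    """For each control whose last test failed, the risks it leaves exposed."""
    out: Dict[str, List[str]] = {}
    for r in risks.values():
        for cid in r.control_ids:
            c = controls.get(cid)
            if c is not None and c.last_test_passed is False:
                out.setdefault(cid, []).append(r.id)
    return out


if __name__ == "__main__":
    for g in traceability_gaps(PROCESSES, RISKS, CONTROLS):
        print("GAP:", g)
    print("audit order:", audit_schedule(RISKS, CONTROLS))
    print("recommendations:", recommendations(RISKS, CONTROLS))
```

On the constructed register the schedule puts the failed high-risk control first, the never-tested high-risk control second, and the passing manual control last, while the automated backup check drops out entirely; the gap report surfaces the orphan process, the dangling risk reference and the uncontrolled risk that the text says the linked model should make visible.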