Governance, Risk Management, and Compliance (GRC): Influences on Internal and External Audits
19 May 2020 - By Maeva Charles, Partnerships & Technical Director
The nature of risk management is changing. And given the current crises across the globe, it is undergoing a renaissance in importance, as well. Part of these changes is the growing uncertainty around external risks and their impact on both internal and external audit processes. Although there are important differences between the two types of audit, notably their audiences, there are equally important commonalities. Ultimately, those two distinct audits rely on a robust risk monitoring and governance process, at the heart of GRC.
What does GRC mean?
GRC is the integrated collection of Governance, Risk Management, and Compliance capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity. This includes the work done and oversight provided by departments like internal audit, compliance, risk, legal, finance, IT, and HR as well as the lines of business, executive suite and the board itself.
Internal and External Audit Processes: Differences
The first step to exploring that point is to look at how internal and external audits differ. The chart below lays out the most important differences. As you can see, internal audits are continuous, focus on GRC concerns, and are intended for executive consumption, especially the C-Suite. Meanwhile, external audits are a third-party review intended for the shareholders in order to assure annual financial reports.
The key takeaway here is that each type of audit is valuable at different levels and for different audiences.
Internal and External Audit Processes: Similarities
Ultimately, however, both types of audit are targeted towards the same goals: making sure that the company is not overlooking any material issues; ensuring appropriate management in the case of internal audit; and providing valid financial statements in the case of external audit. Both types push, directly or indirectly, towards a better understanding of external risks. Undergirding this is a pressing need to continuously monitor those risks and to overcome the challenge of systematically gathering evidence and data.
Understanding external risks in internal audit...
A solid understanding of external risk factors is a crucial component of the GRC structure, the main object of an internal audit, that will influence the content of the annual report and, in turn, the outcome of the external audit. But in this regard, internal and external audits ask different questions - and get different answers. More than anything, this shows how different perspectives are essential to understanding the environment we work and conduct business in.
An internal audit looks at the formal internal processes that ensure risk management controls for the identification, assessment, mitigation, and monitoring of risks. Emerging risks and, more particularly, external risks are the most difficult to capture and manage, because they are respectively less apparent and further outside the company’s control.
However, a robust and systematic process can enable companies to capture weak signals through the use of ‘Big Data’ and artificial intelligence like Natural Language Processing. By doing so, the internal audit enables the constant review and maintenance of a company’s risk register, which feeds the annual report with priority risks.
…And in external audit
A few steps down this process comes the external audit. This review is primarily aimed at confirming that a company’s accounting records are complete and accurate and that no material misstatement has been made. Indirectly, the implication is for a review of the evidence behind a company’s disclosure on what affects or might affect its financial performance.
This is where a robust GRC structure improves the preparation of the company for that review and provides more confidence to external auditors as to how decisions were made - enabling the tracking of evidence used by decision-makers to their collection point (i.e. the audit trail). This allows for verification of how well the internal system does in completely accounting for risk factors and not overlooking potential threats.
Addressing the need for monitoring
In a digital world that can move as fast as the speed of your Internet connection, the need for monitoring is omnipresent. Internal and external auditing complement each other by ensuring that the necessary monitoring gets done on all relevant levels. There is a clear premium placed on dynamic monitoring and continuous assessments over static, once-a-year reviews of external and emerging risks. For example, one of the main references used to determine external risks is the Global Risk Report published every year by the World Economic Forum. The most recent one, dated January 2020, was outdated as soon as it was published - with infectious diseases (for one) not making the cut of the top 10 risk factors by likelihood.
In addition, external risks can be completely undetectable by traditional means - even though all the signals might be there. Companies need to be able to capture so-called ‘weak’ signals out of the sea of data that is generated daily. Stepping up the risk management game in a way that enables this will pave the way for business resilience through a more proactive process. The key to that process is improving data gathering, analysis, and application tools.
Systematically gathering evidence and data
This is the central challenge for auditing processes in the 4th Industrial Revolution: how to systematically gather evidence and data in a way that is comprehensive, objective, and digestible?
One way of doing this is to do so manually, but this risks objectivity and is in any case far too time-consuming. While this has been the way of doing things in the past, it is now obsolete.
The solution, as many companies have already discovered, lies in automation.
Discovering a robust audit process
Regardless of whether the audit is intended for internal or external stakeholders, the need for a robust process is undeniable. Now more than ever, it is important for boards to take a more active and direct role in risk management, which can be facilitated by stronger internal and external audit processes.
The best - and only - viable way to achieve this is through the use of technology. Only digital technologies can allow auditing processes to be truly systematic. Automation through the use of machine-learning AI and Natural Language Processing can help companies see weak signals that are otherwise invisible to the naked eye. Automated, AI-driven, cloud-based systems are the future of data collection and risk monitoring processes. Datamaran, the only software on the market for external risk identification and monitoring, allows businesses to take control of risk management and materiality analysis in-house at accelerated speed to keep up with rapidly changing trends.
Global Insights Report: The Three Big Wake-Up Calls For Boards
The events of 2020 brought risks related to public health, climate change, and diversity, equity, and inclusion to the forefront of public consciousness. Yet, too many businesses are failing to incorporate external and ESG risks into their long-term strategies and to think about business model innovations to reorient towards long-term value creation.
Published jointly by Datamaran and The Conference Board, this Global Insights Report examines how some of the largest public companies reacted to the events of 2020 in their corporate reporting. It considers how senior executives and Boards can apply this knowledge in addressing other systemic and external risks.