Any and all of the listed roles can conduct assurance activities provided they have the appropriate purpose and parameters defined. Assurance activities are not limited to a specific function but can be performed by various roles within an organization, such as Internal Audit, Compliance, Risk Management, and Information Security, among others. The key is that these roles must operate with the proper scope, authority, and independence to provide credible and reliable assurance.
References:
COSO Internal Control – Integrated Framework
ISO 31000:2018 - Risk management – Guidelines
Question # 15
You must use GRC Assessment Tools to do a GRC Assessment
While GRC Assessment Tools can greatly aid in conducting a GRC assessment by providing structured methodologies and frameworks, it is not mandatory to use them. Assessments can be conducted using other methods and tools as long as they are systematic and thorough. The key is to apply professional judgment and ensure the assessment is comprehensive and aligned with the organization's needs.
References:
The key steps in the Assurance Process are Plan, Perform, Report, and Follow-Up. This structured approach ensures that assurance activities are conducted methodically and effectively:
Plan: Define the objectives, scope, and methodology of the assurance activity.
Perform: Carry out the assurance activity based on the defined plan.
Report: Document and communicate findings, conclusions, and recommendations.
Follow-Up: Verify that recommendations are implemented and assess their effectiveness.
These steps help ensure that assurance activities provide valuable insights and drive improvements within the organization.
References:
IIA Standards for the Professional Practice of Internal Auditing