GRC coverage should include awareness of the regulatory frameworks that a project is required by law to follow, along with quality management (e.g. PDCA), service management, ISO 27001 security frameworks, and COBIT as applied to Basel 2 and Sarbanes-Oxley.
The scope, goals, and structure of these major frameworks: Service-Level Agreements; Process Configuration Management; ITIL- and COBIT-based technology management; Privacy and Security Standards and their enforcement; Corporate Governance, Enterprise Risk Management, Strategic Compliance Management, and Corporate Social Responsibility; assurance topics including Information Assurance, Process Assurance, and Quality Assurance; design of services; meeting GRC requirements; and designing and building auditable business processes.
Our project example is described below:
STRATEGY
Control self assessment
Scoping of key controls and processes
High level testing strategy
Purpose of Self-testing
OPERATIONAL EFFECTIVENESS
Nature and types of self-testing
Supervisory Testing
Evidence of supervisory testing
Sample based Self-testing
MECHANICS
Prepare test scripts against actual controls
Direction of the test and covering the full population
Evidence that the control has been performed
Evidence of the quality with which the control has been performed
Determine sample size and sample method
Remediated Controls
Multi-location Environment
Non-routine / Per-Transaction controls
Sample within a Sample
Multiple Instances
Extension of Sample Sizes
Regular Interval
Random
Judgemental Sampling
IMPLEMENTATION
Combine tests into work programmes
Assign Self-Testing work to staff
Roll Forward Sample Sizes
Testing Schedule
Document test of control on a workpaper
The details of the workpaper
Supporting Documentation Requirements
Conclude on tests
Review and Approve Test Results
COLLATERAL
Devising A Test Workbook
Test Script and Work Plan
QA/QC Checklist