If (Inherent Risk x Control Risk) is low
If the inherent risk and control risk are both low, we may consider performing less testing. Inherent risk refers to the risk of an event occurring without considering any controls, while control risk is the risk that controls will not prevent or detect the event. When both risks are low, it indicates that the likelihood of issues occurring and not being detected is minimal, allowing for a reduced level of testing. This approach helps in efficiently allocating resources while maintaining a reasonable level of assurance.
Reference:
AICPA Auditing Standards
ISO 31000:2018 - Risk management -- Guidelines
Producing Value and Protecting Value are trade-offs. You CANNOT do both at the same time.
The statement that producing value and protecting value are trade-offs and cannot be done at the same time is false. In fact, both can and should be pursued concurrently. Effective governance, risk management, and compliance (GRC) strategies integrate the production of value (achieving business objectives and growth) with the protection of value (safeguarding assets, ensuring compliance, and managing risks). This integrated approach ensures sustainable performance and long-term success. Organizations that balance both aspects can achieve principled performance by reliably achieving objectives, addressing uncertainty, and acting with integrity.
Reference:
ISO 31000:2018 - Risk management -- Guidelines
COSO Enterprise Risk Management -- Integrating with Strategy and Performance
What level of assurance is required for an assessment?
The level of assurance required for an assessment can vary depending on the purpose, scope, and objectives of the assessment. It is crucial to define the desired level of assurance (low, medium, or high) before beginning the assessment to ensure that the approach, methodology, and resources allocated are appropriate. This helps in setting clear expectations and aligning the assessment process with the organization's risk tolerance and regulatory requirements.
Reference:
ISO 19011:2018 - Guidelines for auditing management systems
COSO Enterprise Risk Management -- Integrating with Strategy and Performance
What is the BEST sequence of testing?
The best sequence of testing is to conduct control testing first and then substantive testing. This approach ensures that the effectiveness of internal controls is evaluated before examining the details of transactions and data. By testing controls first, assurance providers can determine if controls are reliable and can potentially reduce the extent of substantive testing needed. Effective controls can provide confidence that transactions and data are accurate, reducing the need for extensive substantive testing.
Reference:
AICPA Auditing Standards
ISO 19011:2018 - Guidelines for auditing management systems
Which disciplines are integrated into GRC?
GRC (Governance, Risk, and Compliance) integrates multiple disciplines to create a cohesive approach to managing an organization's overall governance, risk management, and compliance with regulations. The integrated disciplines include:
Audit and Assurance: Ensuring that internal controls are effective and that the organization complies with laws and policies.
Governance and Oversight: Establishing frameworks and policies to guide the organization.
Strategy and Performance Management: Aligning risk management and compliance with strategic objectives.
Quality and Conformance: Ensuring products/services meet regulatory and customer standards.
Information Privacy and Security: Protecting sensitive data and ensuring information security.
Compliance and Ethics: Adhering to legal requirements and promoting ethical behavior.
Risk and Decision Support: Identifying, assessing, and mitigating risks to support decision-making.
The integration of these disciplines ensures a comprehensive approach to managing risks and achieving organizational objectives.
Reference:
OCEG GRC Capability Model (Red Book)
ISO 31000:2018 - Risk management -- Guidelines
COSO Enterprise Risk Management -- Integrating with Strategy and Performance