GRC, ERM & internal audit

  • GRC (governance, risk management and compliance)
  • ERM (Enterprise risk management)
  • Combined assurance
  • Internal audit


Governance is the act of ensuring that all organizational activities are aligned to support your business goals and the culture, process and laws that determine how an organization should conduct itself.

Risk management is the act of ensuring that any risk (or opportunity) is identified and addressed in a way that supports your business goals. Risk itself is the effect of uncertainty on your organizational objectives.

Compliance is the act of ensuring that all of your organizational activities meet all the relevant laws, regulations, corporate policies and procedures that impact systems.

GRC is really a coordinated and integrated collection of all the capabilities necessary to support robust IT security. The main areas are:

1. Enterprise risk management (ERM)

2. Governance committee mandates

3. Co-ordination of the three lines of defence


Enterprise Risk Management (ERM) is the discipline, culture and control structure an organization has in place that continuously improves its risk management capabilities. We can help you navigate today's uncertain waters with an aggressive - yet agile - approach to ERM. Your organization must be able to protect itself against volatile world events, regulatory changes and a host of other threats to corporate governance. Stakeholder expectations are increasing and your management and boards must realize that risk cannot be managed by specialist risk managers alone.

A fully comprehensive and combined assurance is possible from Fernhill Assurance.

Combined Assurance

Combined assurance ensures that a coordinated (combined) approach is applied in receiving assurance on whether key risks are being managed appropriately within an institution. Like risk management, it has been applied within every successful organisation for years.

A thorough combined assurance model must pinpoint the risks facing the institution but can only be successful with a robust and mature risk management process that takes into account the three lines of defence.

Three Lines of defence: A combined assurance model

A combined assurance model provides management and internal/external assurance providers with a comprehensive and holistic view of the efficacy of governance, risk management, and controls in the organization.

The model effectively co-ordinates the efforts of all stakeholders, increases their collaboration and helps them to develop a shared overview of the organization’s risk profile. Informed decisions can only be made when the analyses, aggregation, and reporting of information (supplied by the various assurance providers) pass through the three lines of defence.

First line of defence—management

Management represents the front line as they are most familiar with day-to-day operations. They own and manage risks and are typically responsible for:

  • Monitoring and controlling operations
  • Guiding the development and implementation of internal policies
  • Identifying risks
  • Executing actions to manage and treat risks

Other dedicated functions can support management and help design a framework to monitor risks and controls.

Second line of defence—functions and risk management

Management must establish different risk management and compliance functions to help construct and/or monitor the first-line-of-defence controls. Second line defenders are the standard setters or risk oversight groups responsible for establishing policies and procedures, and they serve as management oversight over the first line. The second line is typically a group or entity that oversees risks.

Functions in this second line of defence can include:

  • Designing and implementing effective ERM practices
  • Helping operational management and risk owners define target risk exposure
  • Reporting pertinent risk-related information throughout the organization
  • Monitoring noncompliance with applicable laws and regulations
  • Monitoring financial risks and reporting financial issues

The second line ensures the first line of defence is properly designed, in place, and operating as intended, but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls.

Third line of defence—Independent assurance (internal and external)

Internal/external auditors provide the governing body and senior management with comprehensive independent assurance based on the highest level of independence and objectivity within the organization. Internal audit provides assurance that:

  • Overall governance is effective
  • Risk management and internal controls are working
  • The second line of defence is achieving risk management and control objectives

Internal audit

Combined assurance is only complete when the three pillars of internal audit, cyber security and anti-money laundering (AML) are designed well and maintained frequently.

According to the Institute of Internal Auditors, “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.” Internal audit is conducted objectively and must be designed to improve and mature an institution’s business practices. Internal audit relieves the pressure on management that may be overwhelmed by data.

Internal audit programs are critical for monitoring and assuring that your institution is secure and safe from threats. Fully independent audit also makes sure that your processes are in line with your documented policies and procedures. In short – you actually do what your policies and procedures say you are doing.

Internal audit is a central pillar in good governance and it:

  • Provides objective, independent and unbiased insight
  • Improves the overall efficiency of all operations
  • Evaluates risks and protects assets by identifying gaps in processes
  • Assesses controls to ensure they fulfill their purpose
  • Ensures compliance with relevant laws and regulations

Regular internal audit provides peace of mind and confidence that the next external audit will be free of issues. Gaining - and keeping - client trust and avoiding costly fines associated with non-compliance is achievable with Fernhill. When your organization is dependent on process, rather than people, it can eliminate costly errors and save time and money.

Internal audit principles

Internal audit can be described by these three important words.

1. Our Fernhill internal auditors provide assurance to you that your controls are effective, policies are being followed, and your organization is operating as intended.

2. Our Fernhill internal auditors possess a unique vision that:

  • Identifies which risks might lead to loss of consumer trust and revenue
  • Identifies innovative ways to reduce costs
  • Enhances revenues and increases profits
  • Improves controls, processes, procedures, performance, and risk management

3. Our Fernhill internal auditors view your organisation with the strictest sense of neutrality to provide unbiased and accurate reports.