The GRC Knowledge base is a valuable resource that contains definitions of key industry terms from the governance, risk and compliance market.
What is Governance, Risk and Compliance?
GRC is the common industry acronym that stands for Governance, Risk Management and Compliance. GRC can be described as a system of people, processes and technology that enables an organization to:
What is an Internal Control?
In accounting and auditing, an internal control is defined as a process affected by an organization’s structure, work and authority flows, people and management information systems, and is designed to help the organization accomplish specific goals or objectives.
An internal control plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
What is a control environment?
An organization’s control environment is the attitude and actions of the board and management regarding the importance of control internally.
The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control.
The control environment includes elements such as integrity and ethical values, management’s philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.
What is a Workpaper?
Workpapers are written records kept by auditors that provide the audit trail and principal support for the auditor’s report. They also document the procedures applied, tests performed, information obtained, and the conclusions reached in the examination.
What is corporate governance?
Corporate governance can be described as the external direction, control and evaluation of a corporation. This may include laws, regulations, contracts, and policies that direct, control and evaluate a corporation, and the combination of processes and internal framework and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
What is a board of directors?
A board of directors is a group of persons elected by the shareholders of a corporation to govern and manage the affairs of the company. Directors are either named in the articles of incorporation or appointed by the incorporator on formation of the corporation.
What is a board portal?
A board portal is a workflow solution that allows a board of directors to securely access board documents and collaborate with other board members electronically. Legislation such as the Sarbanes-Oxley Act has placed significant legal and financial responsibility on the board of directors to ensure that they fulfill their fiduciary duty and has driven many companies to increase the number of outside, independent directors on the board. Consequently, this has led to more frequent meetings, increased information review, and increased communications between meetings. The purpose of a board portal is to securely support board communications and board workflows.
What is assurance?
Assurance is an objective examination of evidence intended to provide confidence. This involves the act of management providing accurate and current information to the stakeholders about the efficiency and effectiveness of its policies and operations, and the status of its compliance with the statutory obligations.
What is risk governance?
Risk Governance is the act of externally directing, controlling and evaluating the risk management system.
What is auditing?
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
What is internal auditing?
As defined by the Institute of Internal Auditors, internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What is Tone at the Top?
The ethical atmosphere in the workplace set by the Board and senior management through their actions, decisions, and governance. Management's tone has a trickle-down effect on employees. If top managers uphold ethics and integrity so will employees; if upper management appears unconcerned with ethics and focuses solely on the bottom line, employees will be more prone to commit fraud and feel that ethical conduct isn't a priority. In short, employees will follow the examples of their bosses. The right tone at the top involves a system of organizational integrity where the business has a set of guiding values that are understood and support ethically sound behavior by all employees. These ethical values are the responsibility of all employees, not just lawyers or compliance officials.
What is compliance?
Compliance is the process of adhering to obligations derived from laws, regulations, industry and organizational standards, contractual commitments, corporate commitments (e.g., social responsibility statements, corporate filings), values, ethics, and corporate policies and procedures.
What is a policy?
A policy is a document that establishes rules for expected behavior of individuals, processes, and/or relationships. A policy provides the “why;” is high level and strategic; sets the tone, context or intent; is relatively short by nature (generally no more than one or two pages in its entirety); and changes infrequently.
What is a procedure?
A procedure is a document that provides an established or official way of complying with a policy. A procedure provides the “how to” of policies and standards and guides their implementation. Procedures are detailed and often audience specific with variance from department to department. Procedures provide exact instructions that ensure compliance with a given standard. Procedures must be flexible, and easily editable as business needs or regulation change.
What is a disclosure?
A disclosure is the release of information about a person or entity. For a corporation it is the filing of documents and statements required by law. In litigation, disclosure is the release of documents and other information subpoenaed or otherwise sought by the other side.
What is EDGAR?
The Electronic Data Gathering, Analysis, and Retrieval system (EDGAR) performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the US Securities and Exchange Commission (SEC). Its primary purpose is to increase the efficiency and fairness of the securities market for the benefit of investors, corporations, and the economy by accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information filed with the agency.
What is XBRL?
eXtensible Business Reporting Language (XBRL) is a standards-based way to communicate and exchange business information between business systems. These communications are defined by metadata set out in XBRL taxonomies, which capture the definition of individual reporting concepts and other semantic meaning. Information being communicated or exchanged is provided within an XBRL instance.
Instead of treating financial information as a block of text, XBRL provides a computer-readable tag to identify each individual item of data. By attaching identifying tags to individual pieces of data, a business reporting document becomes “intelligent” data, allowing the exchange of business reporting data by encoding the information in a meaningful way. On 30 January 2009, the US Securities and Exchange Commission (SEC) published a final rule for the mandatory use of eXtensible Business Reporting Language (XBRL) in reporting financial information to the SEC.
What is fraud?
Fraud is perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
What is a false positive?
A false positive error is a result returned by a database search that, on review, is classified as a mismatch.
False positives occur because the record contains a mix of the specified search criteria and other, non-matching attributes. They are usually generated when insufficient information is entered into the search fields, opening the matching process up to a wide set of possibilities, or when the search filters are not well structured, which hinders more specific matching.
When screening a database of names and entities, the search can produce matches that have the same or a similar name to the search target but are far removed from the subject, creating an irrelevant and ‘false’, yet ‘positive’, match.
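As an added illustration, not part of the knowledge base, the Python sketch below screens a constructed (fictional) watch list against a query. Names are normalised and compared with the standard library's `difflib.SequenceMatcher`; the `threshold` value, the field names (`name`, `dob`, `country`) and the sample entries are all assumptions made for the example. It shows the point made above: a name-only search returns several ‘positive’ hits that are mismatches, and supplying additional criteria (date of birth, country) removes the false positives.

```python
"""Name screening: how insufficient search criteria produce false positives."""
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional screening list used only for this example.
WATCHLIST = [
    {"name": "Juan Garcia", "dob": "1970-03-12", "country": "MX"},
    {"name": "Juan Garcia Lopez", "dob": "1985-11-02", "country": "ES"},
    {"name": "John Garcia", "dob": "1970-03-12", "country": "US"},
    {"name": "Garcia Juan", "dob": "1962-07-30", "country": "AR"},
    {"name": "Maria Fernandez", "dob": "1990-01-15", "country": "ES"},
]


def normalize(name: str) -> str:
    """Strip accents, lower-case, and sort tokens so word order does not matter."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()
    return " ".join(sorted(plain.split()))


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1] between two normalised names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def name_hits(query: dict, threshold: float = 0.75) -> list:
    """Name-only screening: every list entry whose name is similar enough."""
    return [e for e in WATCHLIST if name_score(query["name"], e["name"]) >= threshold]


def refine(query: dict, hits: list) -> list:
    """Keep only hits that also agree on whatever extra criteria the query supplies."""
    kept = []
    for entry in hits:
        if query.get("dob") and entry["dob"] != query["dob"]:
            continue
        if query.get("country") and entry["country"] != query["country"]:
            continue
        kept.append(entry)
    return kept


def screen(query: dict, threshold: float = 0.75) -> list:
    """Full screening pass: fuzzy name match, then filter on additional criteria."""
    return refine(query, name_hits(query, threshold))


if __name__ == "__main__":
    # Name alone: four 'positive' hits, at most one of which is the subject.
    print([e["country"] for e in screen({"name": "Juan García"})])
    # Name plus date of birth: two candidates remain.
    print([e["country"] for e in screen({"name": "Juan García", "dob": "1970-03-12"})])
    # Name, date of birth and country: the false positives are gone.
    print([e["country"] for e in screen({"name": "Juan García", "dob": "1970-03-12", "country": "MX"})])
```

Sorting the name tokens is what lets “Garcia Juan” match “Juan Garcia”; that widens recall deliberately and is exactly why the secondary attributes are needed to bring the match rate back down to something an analyst can review.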
What is money laundering?
Money laundering is the process of integrating the financial proceeds of unlawful activities with the legitimate economy so as to disguise the source of the funds and to avoid reporting duties and detection by authorities and regulators.
Money laundering is a necessary consequence of almost all profit generating crimes and can occur almost anywhere in the world.
The proceeds of unlawful activities include any property or any service, advantage, benefit or reward which was derived, received or retained in connection with or as a result of any unlawful activity carried on by any person. Property, defined broadly, includes money or any other movable or immovable object.
What is transaction monitoring?
Transaction monitoring is a process that monitors transactional account and customer behavior, highlighting activity that may or may not be unlawful but warrants further investigation.
It assists organizations to comply with anti-money laundering (AML) and countering the financing of terrorism (CFT) legislation, and to prevent fraud and market abuse that may compromise the integrity of an organization.
At a predetermined time, usually the close of business, transactional activity and customer profiles are systematically reviewed and compared to a number of preset scenarios that describe expected behavior. Any activity or details that fall outside of expected behavior are automatically flagged for further investigation. A customer or account that is behaving differently – either to past patterns, to predicted patterns or to their peers – is often of interest and worthy of deeper investigation.
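As an added example that is not part of the knowledge base, the Python sketch below runs an end-of-day pass of the kind described above over constructed transaction records. It implements two of the comparisons named in the text as scenarios: deviation from the customer's own past daily pattern (a mean plus a multiple of the standard deviation) and deviation from same-segment peers on the same day (a multiple of the peer median). The customer identifiers, segments, amounts, the `z`, `peer_factor` and `min_days` parameters, and the scenario names are all assumptions made for the example; a new customer with no history is compared to peers only.

```python
"""End-of-day transaction monitoring against preset scenarios (added example)."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample data only; customers, segments and amounts are fictional.
SEGMENT = {"A": "retail", "B": "retail", "C": "retail", "D": "smb", "E": "smb"}

# (customer, day, amount) for the look-back window. D is new and has no history.
HISTORY = [
    ("A", 1, 60.0), ("A", 1, 35.0),  # two transactions on one day, total 95
    *[("A", d, a) for d, a in zip(range(2, 11), [100, 105, 98, 102, 100, 97, 103, 99, 101])],
    *[("B", d, a) for d, a in zip(range(1, 6), [190, 210, 200, 205, 195])],
    *[("C", d, a) for d, a in zip(range(1, 6), [50, 60, 55, 45, 40])],
    *[("E", d, a) for d, a in zip(range(1, 4), [1000, 1000, 1000])],
]

# Transactions posted on the day being reviewed.
TODAY = [
    ("A", 11, 300.0), ("A", 11, 150.0),
    ("B", 11, 210.0),
    ("C", 11, 60.0),
    ("D", 11, 4000.0), ("D", 11, 5000.0),
    ("E", 11, 1000.0),
]


def daily_totals(records):
    """Aggregate raw transactions into a list of per-day totals per customer."""
    totals = defaultdict(lambda: defaultdict(float))
    for customer, day, amount in records:
        totals[customer][day] += amount
    return {c: list(days.values()) for c, days in totals.items()}


def monitor(history, today, z=3.0, peer_factor=3.0, min_days=3):
    """Return {customer: [scenario, ...]} for customers whose day falls outside expected behavior."""
    past = daily_totals(history)
    current = {c: sum(days) for c, days in daily_totals(today).items()}
    alerts = defaultdict(list)

    for customer, total in current.items():
        # Scenario 1: compare today's total with the customer's own past daily pattern.
        hist = past.get(customer, [])
        if len(hist) >= min_days:
            avg = mean(hist)
            # Floor the spread so a perfectly flat history still yields a tolerance band.
            spread = max(pstdev(hist), 0.05 * avg)
            if total > avg + z * spread:
                alerts[customer].append("past_pattern")

        # Scenario 2: compare today's total with peers in the same segment, same day.
        peers = [t for c, t in current.items()
                 if c != customer and SEGMENT[c] == SEGMENT[customer]]
        if peers and total > peer_factor * median(peers):
            alerts[customer].append("peer_group")

    return dict(alerts)


if __name__ == "__main__":
    for customer, scenarios in monitor(HISTORY, TODAY).items():
        print(f"{customer}: flagged for further investigation ({', '.join(scenarios)})")
```

The output is a work queue, not a verdict: as the text says, the flagged activity may or may not be unlawful, so each alert carries the scenario that triggered it to give the investigator a starting point.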
What is enhanced due diligence?
Enhanced due diligence (EDD) is the investigation of a target that goes over and above standard due diligence or Know Your Customer (KYC) procedures.
With the expansion of regulation and oversight in recent years, including the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (CISADA), as well as a lack of clarity around what constitutes due diligence, organisations are advised to adopt a risk based approach to business and implement a policy of EDD. An EDD programme should be rigorous and robust, measurable and consistent and able to provide auditable proof of due diligence.
What is Know Your Customer (KYC)?
Know Your Customer (KYC) refers to the process that financial institutions and other regulated companies must perform to identify their clients and ascertain pertinent information prior to conducting financial business with them, in order to conform to due diligence and financial regulatory legislation, such as anti-money laundering and combating the financing of terrorism.
This includes being able to check, among other information, the identity of the prospective client, its activities and sources of revenue, and its background and financial structure.
What is insider dealing / insider trading?
Insider dealing refers to illegal share dealings for financial advantage by employees or associates of a company who have used confidential, price-sensitive information that has not been released to the general public and to which they are party because of their employment position.
If individuals pass on and encourage others to use information about a company which is not in the public domain, this is also considered insider dealing.