The following Executive Summary provides information about the contents of the OCEG GRC Assessment Tools, also known as the OCEG "Burgundy Book."
The purpose of the Burgundy Book is to provide GRC professionals, as well as those responsible for providing assurance, with a common set of assessment procedures that align with the OCEG GRC Capability Model™ (“Red Book”) and a common understanding of what can be expected during a capability assessment of a GRC Capability.
OCEG’s goals in creating the GRC Capability Assessment Tools are to (1) help organizations evaluate the design and operating effectiveness of their GRC capability(s), (2) reduce the cost of such evaluations by eliminating the time and expense of creating procedures, (3) raise the overall level of maturity and quality of organizational GRC globally by helping individual organizations create their prioritized improvement plans, and (4) provide external judgment and recognition of sound practices.
The OCEG Capability Assessment Tools are designed to be scalable. The toolkit can be applied to a review of individual risk-specific programs (e.g., anti-fraud program, privacy program, etc.), discrete business units, sub-capabilities (e.g., hotline, risk management, values management, training, etc.) and the entire enterprise. It is also designed so that the same procedures may be used for self-assessment by GRC personnel, internal assurance to the Executive suite and the Board by Internal Audit, or external assurance for the Board and other stakeholders by third-party evaluators, generally CPAs or their equivalents.
The format utilized for evaluation of all elements in the Red Book includes:
- Objectives (the objectives of this element in the GRC Capability Model)
- Requested Information (what the organization being evaluated needs to provide the evaluators)
- Red Book Deliverables (defined in the Red Book)
- Management Narratives (Management’s description of processes that may not be documented or fully documented)
- Other Information (Data created or used by the organization being evaluated)
- Review Procedures (the agreed-upon-procedures to be performed by the evaluator)
An example of this format is presented as Exhibit A (A2 Analysis from the Burgundy Book).
Work aids included in the Burgundy Book to make the evaluation process efficient are:
- Preliminary procedures that should be performed as a foundation for any Burgundy Book evaluation.
- Pre-requisite procedures
- Streamlining procedures
- Reporting procedures
- Appendices containing useful information (Selected appendices are shown in Exhibit B)
- Templates for the efficient gathering of information (Exhibits C & D) and reporting of information (Exhibit E)
A COPY OF THIS EXECUTIVE SUMMARY AND THE REFERENCED EXHIBITS MAY BE DOWNLOADED FROM THE LINK BELOW