GRC Assessment Tools (Burgundy Book) 3.0


OCEG offers the GRC Assessment Tools (Burgundy Book) version 3.0 to provide internal and external assurance professionals, as well as those overseeing GRC capabilities, with a common set of assessment procedures to be used in reviewing GRC capabilities as described in the OCEG GRC Capability Model (Red Book).

You must have an OCEG All Access Pass to download the Burgundy Book, but you can get a free excerpt with sample procedures.

OCEG developed the Burgundy Book to:

  1. Help organizations evaluate the design and operating effectiveness of their GRC capabilities
  2. Reduce the cost of such evaluations by eliminating the time and expense of creating procedures
  3. Provide standard methods for external judgment and recognition of sound practices
  4. Offer a review process that enables creation of prioritized improvement plans
  5. Raise the level of maturity and quality of GRC capabilities in all organizations

The Burgundy Book is designed to be scalable. The tools can be applied to a review of individual risk-specific programs (e.g., anti-fraud program, privacy program), discrete business units, sub-capabilities (e.g., hotline, risk management, values management, training) and the entire enterprise. It is also designed so that the same procedures may be used for self-assessment by GRC personnel, assurance reporting to the executive suite and the board by internal audit, and external assurance for the Board and other stakeholders by third-party auditors. OCEG encourages those intending to use the Burgundy Book for assurance reports to obtain the OCEG GRC Auditor (GRCA) certification, which demonstrates understanding of these procedures and the GRC capabilities to which they are applied. In-house GRC professionals using the Burgundy Book should consider obtaining the GRC Professional (GRCP) certification.

These agreed-upon procedures have been developed and vetted by a team of professionals from several leading audit and advisory firms together with in-house risk, compliance and audit professionals. The current version 3.0 corresponds directly to version 3.0 of the GRC Capability Model.