Menu Close Menu

Menu

Account

GRC Auditor Certification (GRCA™)

Become a versatile assurance professional who can audit governance, strategy, performance, risk, compliance, ethics, security, privacy, internal control, and other activities. The GRC Auditor (GRCA) certification builds on the GRCP and demonstrates that you have the understanding and skills to audit the GRC capability model.

Become a versatile assurance professional who can audit governance, strategy, performance, risk, compliance, ethics, security, privacy, internal control, and other activities. The GRC Audit (GRCA) certification builds on the GRCP and demonstrates that you have the understanding and skills to audit the GRC capability model. We strongly recommend earning the GRCP before the GRCA but it is not required.

Get an all access pass Log in
Read more

This certification is your current focus. If you want to change your focus, remove your focus from this certification and pick another one to focus on.

More info about this certification

GRC Auditor (GRCA™) Certification is your current focus. Go to your program dashboard for more information on resources and examination.

Go to program dashboard
My certifications
Loading...
Loading...
CPE and maintenance information

Become a versatile assurance professional who can audit governance, strategy, performance, risk, compliance, ethics, security, privacy, internal control, and other activities. The GRC Audit (GRCA) certification builds on the GRCP and demonstrates that you have the understanding and skills to audit the GRC capability model. We strongly recommend earning the GRCP before the GRCA but it is not required.

Show me alternatives

Become a versatile professional who integrates governance, strategy, performance, risk, compliance, ethics, security, privacy, and audit to achieve Principled Performance. The GRC Professional (GRCP) certification demonstrates that you have the understanding and skills to apply GRC in your organization.

Show me alternatives

Back

Back

Globally Recognized GRC Auditor Certification

Get certified by the global nonprofit that invented GRC 20 years ago

What is the GRCA?

The GRC Auditor (GRCA) certification validates that you understand and can apply audit and assurance skills to evaluate established or planned GRC capabilities in your organization. It ensures that you have the versatile skill set to evaluate and report on the strengths and weaknesses in governance, strategy, performance management, risk management, compliance, ethics, internal control, security, privacy, and audit activities.

We strongly recommend that anyone planning to conduct GRC audits also obtain the GRC Professional (GRCP) certification, which provides the necessary foundational GRC knowledge.

What does the GRCA Cover?

The GRCA is based on the essential body of knowledge used daily by GRC Professionals who provide assurance. With the help of hundreds of experts, this body of knowledge was identified, analyzed, and documented in the GRC Capability Model. The GRCA also relies on procedures documented in the GRC Assessment Framework ("OCEG" Burgundy Book) and general audit and assurance concepts found in the public domain.

We recommend using these resources to prepare for the GRCA Exam

While the exam does not require course attendance, most people who pass on the first attempt report that a course helped them pass.

Benefits of certification from the creators of GRC

GRCA comes from the organization and community that created GRC more than 20 years ago. You are learning from and getting certified by THE authoritative source!

Unique Benefits of GRCA

GRCA provides versatile and foundational skills to apply assurance activities in many scenarios. GRCA doesn't assume you will exclusively be an internal auditor, external auditor, or quality auditor for 20 years.

GRCA assumes that you can and should apply assurance skills in every GRC role. So whether you plan to provide assurance by self-assessing your work in IT security or compliance or risk management ... or if you are taking on a full-time role in internal audit ... GRCA provides a perfect foundation.

By addressing assurance and audit in the context of GRC and applying a purpose-built set of GRC assessment tools (as set out in the Burgundy Book), GRCA provides a foundation of understanding and skills that both the assessor and the manager whose operations are being assessed can apply.

GRCA builds on the GRCP certification, providing the audit and assurance skills that take you to the next level. Whether you are primarily in an audit role or are managing a GRC capability aspect that will be subject to assurance reviews, it helps you increase:

  1. Integration. Integrate your work with business operations.
  2. Versatility. Cut across the critical disciplines to be more effective.
  3. Communication. Communicate with diverse audiences.
  4. Compensation. Obtain new jobs and accelerate your career.
Learn how to get GRCA

Is GRCA right for me?

GRCA is perfect for anyone who works in - governance, strategy, performance, risk, compliance, ethics, internal control, security, continuity, audit, assurance, or IT. GRCA helps to elevate your ability to self-assess your own performance or judge the performance of other units.

Our certifications are open and accessible to all professionals. We accept candidates from diverse cultural, educational, and professional backgrounds. We do not require specific experience or educational degrees to apply.

When should I get GRCA?

GRCA is a versatile certification aimed to serve the versatile needs of professionals in all stages of their careers. Professionals can use the GRCA in several scenarios:

  • Starter. Some professionals use the GRCA as a starting point for their careers in audit and assurance roles. By understanding and applying key audit and assurance concepts, standards, and workflows, you can act as an assessor of GRC capabilities, and you can communicate well with audit professionals inside and outside of your organization. You will be able to move in and out of audit roles, taking your knowledge into business operations or GRC roles you may seek in the future. You will gain traction ahead of your peers no matter what role you are in today – and it also gives you a well-rounded and versatile foundation to grow into other roles in other disciplines over time.
  • Enhancer. Some professionals use the GRCA to enhance an existing certification in audit and assurance. For example, you may be a certified or chartered accountant or hold a certification such as Certified Fraud Examiner or Certified Internal Auditor. The GRCA helps to put your current knowledge into context, expand your understanding of the unique nature of an assessment of GRC capabilities, and improve your communication with business managers and governing authorities. All of this makes you well-rounded and versatile.
  • Capstone. Some professionals use the GRCA as a capstone “on top of” a collection of existing certifications. GRCA, together with your foundational GRCP, uniquely integrates the many disciplines of governance, strategy, risk, compliance, security, and audit. Professionals who have one or more certifications in those disciplines find value in the way GRCA cohesively pulls everything together into a framework and methodology for assessment and assurance.

For new and experienced professionals

  1. New Professionals

    Becoming a GRCP and adding the GRCA is the perfect way to start your career. Adding knowledge of audit and assurance further expands your skill set to understand how to evaluate the inner workings within and between other departments, including how to develop a greater understanding of how they operate and determine where they need improvement to be successful.

  2. Experienced Professionals

    Becoming a GRCA is the perfect way to enhance existing certifications or upgrade your skills. You may already have an audit-related certification from one of the many professional associations. Most of these associations focus on a particular discipline (e.g., internal audit, external audit, fraud, quality). GRCA addresses all of these aspects and helps to make you more well-rounded.

What are you waiting for?

Purchase an All Access Pass to access the GRCA and all of our other certifications.

Purchase All Access Pass

100 questions over 120 minutes

What is on the GRCA Exam?

Correctly answer 70 of the 100 questions to pass!

The GRCA certification exam covers both awareness (definitions, terms, and lists) and applying concepts and knowledge of the GRC Capability Model and GRC Assessment Framework. The exam breaks out as follows:

22% General Knowledge

  • Understand key terms and definitions related to GRC
  • Understand key principles and business drivers behind GRC
  • Understand the benefits of integrating GRC
  • Understand how GRC relates to other disciplines/professions

67% Assurance and Assessment

  • Understand assurance and assessment models
  • Understand key steps in planning and performing assessments
  • Understand report design and follow-up

11% GRC Assessment Framework

  • Understand the content of the GRC Assessment Framework
  • Understand how to apply based on the scope of the assessment

An extensive job analysis of GRC Professionals who also held various audit certifications (CPA, CA, CIA, CISA) determined GRCA topics and questions. Participants in the job analysis analyzed hundreds of skills and determined their significance to a GRC auditor.

The job analysis and other research yielded a blueprint that serves as a competency model for the GRCA. We update the GRCA Exam periodically to reflect important and relevant changes.

  1. Concepts, attributes and frameworks. Demonstrate your understanding of key audit and assurance concepts, professional standards, frameworks and models.
  2. Assessment design, performance and follow-up. Define an assessment planning workflow and outline key performance steps and evidentiary requirements leading to a valid, reliable report of findings and necessary follow-up.
  3. GRC assessment requirements and available tools. Discuss the assurance element of the GRC Capability Model and outline how to apply the tools provided by the Burgundy Book to address each aspect of the GRC capability.
Learn how to get GRCA

How do I get the GRCA Certification?

All of our certifications use a similar streamlined process. We pride ourselves on simplicity and accessibility. All of our exams are online and available at any time. No need to schedule! We include everything you need as part of your All Access Pass. To be clear, everything is included for no additional fees.

  1. 1. Get All Access Pass

    Our All Access Pass provides everything you need to prepare for the GRCA and all of our other certification exams. One fee for education, preparation, certification, and maintenance.

    Everything is included for no additional fees.

  2. 2. Prepare for GRCA

    Study the essential body of knowledge contained in the GRC Capability Model (“Red Book”) and the GRC Assessment Framework ("Burgundy Book). Attend GRC Audit Fundamentals to learn how to apply it.

    We offer GRC Audit Fundamentals via self-study or by attending an in-person course delivered by one of our authorized partners (a great choice if you want localized language and additional examples).

    Essential body of knowledge and self-study are included for no additional fees.

  3. 3. Apply for GRCA

    Our certifications are open and accessible to all professionals. We accept candidates from diverse cultural, educational, and professional backgrounds.

    We do not require specific experience or educational degrees to apply.

    Just complete a simple form at the beginning of the exam to update your information and agree to the code of conduct.

    Application is included for no additional fees.

  4. 4. Earn the GRCA (Pass!)

    Access the online exam anywhere and anytime.

    The exam is limited to two hours (120 minutes) to answer 100 questions. Correctly answer 70 questions to pass. Exams are "open book," which means that you may use Google and other resources while taking an exam.

    You can retake an exam up to six times per year to pass it.

    The GRCA Exam is offered at the end of the GRC Audit Fundamentals course, but you may directly access it at any time without watching the GRC Audit Fundamentals videos.

    All retakes are included for no additional fees.

  5. 5. Maintain the GRCA

    Participate in the streamlined Unified Certification Maintenance program to maintain your certification. All continuing education is automatically tracked and administered under this unified program. Whenever you watch a video or attend an event on our website, it is automatically tracked and counted toward your certifications as appropriate.

    DOUBLE CREDIT! One CPE credit may track to multiple certifications. For example, a course on “Risk Assessments” counts toward all certifications that use Risk Assessment skills.

    All maintenance and CPEs are included for no additional fees.

  6. 6. BONUS! Add More Certifications

    Apply to gain additional certifications. We add new certifications regularly.

    All certifications are included for no additional fees.

How long is my certificate valid?

A streamlined approach to gain and maintain your certification.

We use continuing education requirements to ensure that you stay current with new developments in GRC. You can review the other requirements to maintain your GRCA certification.

  1. When a certificate is awarded, it is awarded for a full year starting on the day you passed the exam.
  2. Your first full year has no CPE requirement (because you spent at least 8 hours preparing for and taking the exam).
  3. Starting your second year, you must earn at least eight (8) credits of continuing education related to the certification topic annually.
  4. When a certificate renews, it renews for a full year. Automatic renewal on the day of certificate expiration happens if both of these conditions are true: a) Member has an active AAP and b) CPE requirement has been met (if applicable).
  5. If the expiration date passes and you do not meet both conditions, you have a grace period of 90 days to fulfill both requirements. After the grace period is over, your certification gets deleted from our records, and certificates are no longer available for display.
How to get the GRCA

What are you waiting for?

Purchase an All Access Pass to get access to the GRCA and all of our other certifications.

Purchase All Access Pass

FAQ about Preparing for GRCA

How long does it take to prepare for GRCA?

Preparation time varies based on your experience. People who pass the exam report anywhere from 2 hours to 10 hours of preparation before the exam.

This wide range is explained by the differences in background. If you are more experienced in governance, strategy, risk, compliance, ethics, security, or audit, then less time may be required to prepare vs. someone new to GRC and auditing concepts.

What is the best way to prepare for GRCA?

The essential body of knowledge for the GRCA is contained in the open-source GRC Capability Model (“Red Book”) and the GRC Assessment Framework ("Burgundy Book"), as well as audit concepts in the public domain. We recommend that you:

  • Carefully study the GRC Capability Model
  • Carefully study the GRC Assessment Framework
  • Attend the online self-study GRC Audit Fundamentals course
  • (optionally) Attend in-person GRC Audit Fundamentals LIVE! course
How do I get GRCA Training?

We offer GRC Audit Fundamentals via self-study or by attending an in-person course delivered by one of our authorized partners. Training partners are a great choice if you want the training delivered in your native language and want additional context and examples for applying the concepts. Our self-study programs are delivered in English and some are subtitled in English, Spanish, Arabic, and Bahasa.

What does it cost to get GRCA training?

All of our self-study preparation courses are included for no additional fees. This means that GRC Audit Fundamentals is part of your All Access Pass.

Our global training partners charge separate fees for in-person experiences delivered in the localized language. These experiences also provide additional context and examples so that you understand how to implement solutions.

FAQ about the GRCA Exam

How do I schedule the GRCA Exam?

All of our exams are online and available at any time. No need to schedule!

How do I apply for the GRCA exam?

Applying is simple! If you are already an OCEG member, we have most of the information necessary. Just complete a simple form at the beginning of the exam to update your information and agree to the code of conduct.

As a reminder, our certifications are open and accessible to all professionals. We accept candidates from diverse cultural, educational, and professional backgrounds. We do not require specific experience or educational degrees to apply.

How difficult is the GRCA Exam?

Most people who pass the exam report that they carefully studied the GRC Capability Model and the GRC Assessment Framework, and completed the GRC Audit Fundamentals course.

Those who fail tend to pass on a subsequent attempt if they study and complete GRC Audit Fundamentals or attend a training course with an OCEG training partner.

In other words ... STUDY and WATCH the videos or attend a class if you want to pass the exam.

What is on the GRCA Exam?

The GRCA certification exam covers both awareness (definitions, terms, and lists) and applying concepts and knowledge of the GRC Capability Model and GRC Assessment Framework. The exam breaks out as follows:

22% General Knowledge

  • Understand key terms and definitions related to GRC
  • Understand key principles and business drivers behind GRC
  • Understand the benefits of integrating GRC
  • Understand how GRC relates to other disciplines/professions

67% Assurance and Assessment

  • Understand assurance and assessment models
  • Understand key steps in planning and performing assessments
  • Understand report design and follow-up

11% GRC Assessment Framework

  • Understand the content of the GRC Assessment Framework
  • Understand how to apply based on the scope of the assessment

An extensive job analysis of GRC Professionals who also held various audit certifications (CPA, CA, CIA, CISA) determined GRCA topics and questions. Participants in the job analysis analyzed hundreds of skills and determined their significance to a GRC auditor.

The job analysis and other research yielded a blueprint that serves as a competency model for the GRCA. We update the GRCA Exam periodically to reflect important and relevant changes.

How was the GRCA Exam developed?

An extensive job analysis of GRC Professionals who also held various audit certifications (CPA, CA, CIA, CISA) determined GRCA topics and questions. Participants in the job analysis analyzed hundreds of skills and determined their significance to a GRC auditor.

The job analysis and other research yielded a blueprint that serves as a competency model for the GRCA. We update the GRCA Exam periodically to reflect important and relevant changes.

How many questions are on the GRCA Exam?

There are 100 scored questions and up to 15 unscored questions on the exam. We calculate your final score on the 100 scored questions. Scored questions have gone through a rigorous validation process.

The unscored questions are used to introduce and validate new questions without affecting your score. However, the unscored items are not labeled – so make sure you answer each question as if it counts!

All questions are multiple-choice.

How do I pass the GRCA Exam?

You have two hours to complete the exam. You must correctly answer 70 of the 100 scored questions.

Is the GRCA Exam "open book" like the real world?

Yes! The exam is open-book, meaning you may use Google and other resources while taking the exam.

We believe that the exam process should reflect modern reality and user experiences. In your job, you use Google and online resources daily. You should be able to use these resources when you learn and when you take the exam.

However, don't be fooled! The exam is challenging even with the help of these resources.

When do I find out if I passed the GRCA?

You get your result immediately after taking the exam. If you pass, your certificate is immediately available for sharing and printing from your Certification Dashboard.

What happens if I fail the GRCA?

You may retake the exam up to six (6) times per year. Almost everyone is able to accomplish this goal. We believe that certification should be part of the learning process and help reinforce understanding and not just be a point-in-time proof of memorized knowledge.

Consider being fully prepared each time that you attempt the exam. Our database of questions is extensive, so it is unlikely that you will see the same questions each time that you attempt the exam.

FAQ about Maintaining GRCA

How long is my certificate valid?
  1. When a certificate is awarded, it is awarded for a full year starting on the day you passed the exam.
  2. Your first full year has no CPE requirement (because you spent at least 8 hours preparing for and taking the exam).
  3. Starting your second year, you must earn at least eight (8) credits of continuing education related to the certification topic annually.
  4. When a certificate renews, it renews for a full year. Automatic renewal on the day of certificate expiration happens if both of these conditions are true: a) Member has an active AAP and b) CPE requirement has been met (if applicable).
  5. If the expiration date passes and you do not meet both conditions, you have a grace period of 90 days to fulfill the requirements (renewing your AAP and/or getting enough credits). After the grace period is over, your certification gets deleted from our records, and certificates are no longer available for display.
Do I need to recertify every year?

NO! You only need to pass the exam once every five (5) years. We use continuing education requirements to ensure that you stay current with new developments.

How do I maintain the GRCA?

Maintaining ALL of your certifications is simple and straightforward. We use a Unified Certification Maintenance program on our website. Whenever you watch a video or attend an event on our website, it is automatically tracked and counted toward your certification.

You can see all of your current CPE credits on your Certification Dashboard and CPE Transcript.

The unified program allows you to track one CPE credit to multiple certifications. So, for example, a course on “Risk Assessments” would count toward not only THIS certification but also ALL other certifications that rely on Risk Assessment skills.

How do I submit CPEs for the GRCA?

You don’t have to!

All continuing education for OCEG certifications is automatically tracked and administered under a unified program on our website.

Whenever you watch a video or attend an event, such as a webinar on our website, it is automatically tracked and counted toward your GRCA (or other OCEG certifications as appropriate).

You may also manually submit CPEs from other pre-approved continuing education experiences.

You can check your CPE progress at any time on your CPE Dashboard.

Do I get "double credit" for CPEs?

Yes! Many of our continuing education experiences count toward multiple OCEG certifications. The unified program also allows you to track one CPE credit to multiple certifications. This means that a single webinar or course can count toward one or more of your certifications.

One experience. Multiple credits.

So, for example, a course on “Risk Assessments” would count toward not only GRCA but also several other certifications that rely on Risk Assessment skills.

Because GRCA is one of our core certifications, almost every CPE experience on our website counts toward your GRCA.

What are you waiting for?

Purchase an All Access Pass to get access to the GRCA and all of our other certifications.

Purchase All Access Pass
OCEG © 2002 - 2025 OCEG

Terms of Service

Privacy Policy

Refund Policy

support@oceg.org

Contact Us

2942 N 24th St Ste 115 PMB 85352, Phoenix, AZ, 85016-7849, USA

Information & Billing
+1 (602) 234-9278

Principled Performance®, Driving Principled Performance®, Putting Principles Into Practice®, OCEG®, GRC360°®, ActiveLearning®, EventDay® and LeanGRC® are registered trademarks of OCEG®.

Protector Skillset™, Protector Mindset™, Protector Code™, Lines of Accountability™, GRC Professional™, GRCP™, GRC Fundamentals™, GRC Auditor™, GRCA™, GRC Audit Fundamentals™, Data Privacy Fundamentals™, Integrated Data Privacy Professional™, IDPP™, Policy Management Fundamentals™, Integrated Policy Management Professional™, IPMP™, Integrated Audit & Assurance Professional™, IAAP™, Integrated Governance & Oversight Professional™, IGOP™, Integrated Strategy & Performance Professional™, ISPP™, Integrated Risk Management Professional™, IRMP™, Integrated Decision Management Professional™, IDMP™, Integrated Compliance & Ethics Professional™, ICEP™, Integrated Business Continuity Professional™, IBCP™, Integrated Information Security Professional™, IISP™ are trademarks of OCEG®.

You purchased an automatically renewing subscription. Do you want a reminder?

Your automatically renewing subscription is active. It will automatically renew 12 months from your original purchase. If you do not want it to automatically renew, remember that you must cancel BEFORE renewal. OCEG does offer refunds AFTER charges per our Terms of Service. Would you like a reminder?