The GRC Assessment Tools (Burgundy Book) provides audit and assurance professionals, as well as those overseeing GRC capabilities, with a common set of assessment procedures to be used in reviewing GRC capabilities.
We are updating the GRC Assessment Tools to version 3.5. Until the new version is finalized, this version 3.0 is the authoritative version of GRC Assessment Tools used for the GRCA Certification.
These agreed-upon procedures were developed and vetted by a team of professionals from leading audit firms together with in-house risk, compliance and audit professionals. The procedures map directly to elements of the GRC Capability Model.
GRC Assessment Tools (also known as the OCEG Burgundy Book):
- Helps organizations evaluate the design and operating effectiveness of their GRC capabilities
- Reduces the cost of such evaluations by eliminating the time and expense of creating procedures
- Provides standard methods for external judgment and recognition of sound practices
- Offers a review process that enables creation of prioritized improvement plans
- Raises the level of maturity and quality of GRC capabilities in all organizations
The Burgundy Book is designed to be scalable. The tools can be applied to a review of individual risk-specific programs (e.g., anti-fraud program, privacy program), discrete business units, sub-capabilities (e.g., hotline, risk management, values management, training) and the entire enterprise.
It is also designed so that the same procedures may be used for self-assessment by GRC personnel, assurance reporting to the executive suite and the board by internal audit, and external assurance for the Board and other stakeholders by third-party auditors.
OCEG encourages those intending to use the Burgundy Book for assurance reports to obtain the OCEG GRC Audit (GRCA) certification, which demonstrates understanding of these procedures and the GRC capabilities to which they are applied. In-house GRC professionals using the Burgundy Book should consider obtaining the GRC Professional (GRCP) certification.