![[interface] image of software security protocols (for a ai fintech company)](https://cdn.prod.website-files.com/69bc9c2bc7894aa4ed499bff/6a4fcb77987efdd21620c3a5_GRC%20Assessment%20vs%20GRC%20Audit.jpeg)
Understanding the difference between a GRC assessment vs audit is one of the most common points of confusion for boards and senior leadership teams planning their governance, risk and compliance programme. Both activities review an organisation's GRC position, but they serve different purposes, involve different parties and produce different outputs. This guide explains what each one is, covers all five major audit types used by UK organisations and tells you how to choose the right approach at the right time.
A GRC assessment is a diagnostic review. It identifies where your controls and governance processes stand against a framework or standard and produces a prioritised action plan. It has no formal pass or fail outcome.
A GRC audit is a formal examination by a qualified auditor, accredited body or regulator. It produces an opinion, certificate or report that carries legal, regulatory or contractual weight.
Assessments come first: they identify gaps and guide remediation. Audits come second: they confirm the result and provide the evidence third parties require.
The most important distinction is one of purpose. A GRC assessment is diagnostic. Its job is to tell the organisation where it is and what it needs to fix. A GRC audit is evaluative. Its job is to tell a third party whether specific requirements are met. This difference in purpose flows through everything else: who conducts the activity, what evidence is required, what the output looks like and what the consequences of a poor result are.
A GRC assessment can be conducted by the organisation's own team, an independent consultant or a specialist GRC advisory firm. There are no formal qualification requirements for the person conducting the assessment, although a credible assessment requires a defined methodology and genuine independence. The output is an internal report: findings, a maturity score or rating and a prioritised action plan.
A GRC audit must be conducted by a qualified auditor, accredited certification body or licensed professional with the credentials required by the relevant standard or regulation. The output is a formal document: a certificate, an assurance report or a regulatory finding. This output is intended for use by parties beyond the organisation, including clients, investors, regulators and certifying bodies.
Neither replaces the other. Organisations that try to use an assessment as a substitute for an audit will not satisfy third-party requirements. Organisations that go straight to an audit without a prior assessment are taking a significant risk with a high-stakes process.
A GRC assessment is a structured review of an organisation's governance, risk and compliance controls, processes and documentation against a defined framework, regulatory standard or best practice benchmark. Its purpose is to give the board and senior leadership team an accurate, evidence-based view of the organisation's current GRC position.
A GRC assessment typically covers the following areas:
The output of a GRC assessment is a written report. It includes findings for each area reviewed, a maturity score or rating, specific gaps relative to the target framework and a prioritised action plan with recommended timelines and owners. The assessment report is an internal document: it is not shared with third parties unless the organisation chooses to do so.
GRC assessments are most valuable when conducted regularly. A single assessment establishes the baseline. Subsequent assessments track improvement, re-evaluate priorities as the regulatory environment changes and give the board a repeatable view of the programme's health over time.
A GRC audit is a formal examination conducted by a qualified auditor, accredited certification body or regulatory authority. It tests whether specific controls, requirements or obligations are in place and operating effectively, then produces a formal conclusion. That conclusion is an opinion, a certificate or a written report that carries legal, regulatory or contractual weight.
The key characteristic of a GRC audit is that its output is intended for external reliance. Clients rely on ISO 27001 certificates and SOC 2 reports when assessing suppliers. Regulators rely on skilled person review reports when making enforcement decisions. Audit committees rely on internal audit reports when providing assurance to the board. In each case, the output of the audit is used by someone beyond the organisation to make a decision or form a view.
GRC audits have formal consequences. If an ISO 27001 certification audit finds major non-conformities, the certificate is not issued. If a SOC 2 audit results in an adverse opinion, clients may terminate contracts. If a regulatory inspection finds material control failures, the regulator may require remediation, impose conditions or initiate enforcement proceedings. These consequences make GRC audits high-stakes in a way that assessments are not.
The most important distinction within GRC auditing is between internal audit and external audit. Many organisations need both.
Internal audit is an in-house assurance function that provides independent assurance to the board and audit committee on the effectiveness of risk management, control and governance processes. It operates under a charter approved by the audit committee and follows a risk-based annual audit plan. The Institute of Internal Auditors (IIA) sets the professional standards, known as the IIA Standards, which define how internal audit functions should be structured, resourced and operated.
Internal audit reports are confidential to the organisation. They are presented to the audit committee and board, and sometimes shared with external auditors as part of the statutory audit process. They are not published and are not intended for external reliance.
The internal audit function is part of the three lines of defence model. Management (first line) owns the controls. The risk and compliance function (second line) provides oversight and challenge. Internal audit (third line) provides independent assurance. The board and audit committee rely on internal audit to confirm that the first and second lines are working effectively.
External audit is conducted by an independent third party outside the organisation. External auditors have no employment or financial interest in the organisation being audited. Their reports, certificates and opinions are intended for use by parties beyond the organisation itself.
External audit encompasses a wide range of activities, from statutory financial audit (conducted by registered audit firms under UK law) to ISO 27001 certification audits (conducted by accredited certification bodies) to SOC 2 and ISAE 3402 reports (conducted by licensed CPA firms and registered audit firms). Each type of external audit has its own standards, qualification requirements and output format.
An ISO 27001 certification audit is conducted by an accredited certification body, such as BSI, LRQA, Bureau Veritas, DNV or SGS. The audit follows a two-stage process. Stage 1 (the documentation review) assesses the organisation's ISMS documentation against the requirements of ISO/IEC 27001:2022 and confirms readiness for Stage 2. Stage 2 (the certification audit) tests whether the ISMS is implemented, operating effectively and achieving its intended outcomes.
A successful Stage 2 audit results in a three-year ISO 27001 certificate, subject to annual surveillance audits. Any non-conformities found during the audit must be addressed before the certificate is issued (for major non-conformities) or within a defined corrective action period (for minor non-conformities).
ISO 27001 certification is most commonly required by technology companies, financial services firms and any organisation handling significant volumes of personal data on behalf of clients. Enterprise procurement teams in the UK and internationally treat a valid ISO 27001 certificate as a baseline supplier qualification.
A SOC 2 audit is performed by a licensed CPA firm and produces a SOC 2 Type I or Type II report. The audit tests controls against the AICPA Trust Services Criteria (TSC): Security (required for all reports), Availability, Processing Integrity, Confidentiality and Privacy (each optional, added based on the services provided and client requirements).
A Type I report assesses the design of controls at a point in time and is typically used when a service organisation wants to provide initial assurance to clients quickly. A Type II report assesses whether controls operated effectively over a defined period, normally six to twelve months. Type II reports are considered more rigorous and are the standard requirement for US enterprise clients and financial services sector procurement.
The SOC 2 report includes the auditor's opinion, a description of the service organisation's system and detailed test results for each control tested. Unlike ISO 27001 certificates, SOC 2 reports are not publicly available. They are shared under a non-disclosure agreement with clients and prospects who request them.
An ISAE 3402 audit is conducted under International Standard on Assurance Engagements 3402, issued by the International Auditing and Assurance Standards Board (IAASB). It is the international equivalent of SOC 2 and is widely used by UK and European financial services clients to obtain assurance over the controls of their service providers.
Like SOC 2, ISAE 3402 produces Type I and Type II reports. Type II is the standard for established engagements. The report addresses the controls at a service organisation that are relevant to user organisations' financial reporting. ISAE 3402 reports are commonly required by UK banks, investment managers, insurance companies and other FCA-regulated firms as part of their third-party risk management and operational resilience obligations under FCA rules.
The ISAE 3402 audit is conducted by a registered audit firm. The auditor tests a defined set of controls across the observation period, interviews staff and reviews documentation. The report is addressed to user organisations and provides them with formal assurance that the described controls were operating effectively throughout the period.
An internal audit programme is a structured series of individual audits conducted by the internal audit function across the organisation. Each audit tests a specific area against the applicable control framework, policy or regulatory requirement. Findings are rated by severity, reported to the audit committee and tracked through to resolution by management.
A mature internal audit programme follows an annual risk-based audit plan, approved by the audit committee, that allocates audit resource to the areas of highest risk. The plan is informed by the organisation's risk register, changes in the regulatory environment and findings from previous audits. The IIA's Three Lines Model provides the governance framework within which the internal audit function operates.
Internal audit is a continuous programme, not a one-off event. It provides the board and audit committee with ongoing, systematic assurance that the organisation's controls are operating effectively. It also provides a body of evidence that supports the organisation's response to external audit requests, regulatory inquiries and client due diligence.
Regulatory inspections and supervisory reviews by the FCA, PRA, ICO and other bodies are not audits in the standard sense, but they produce findings with significant legal and regulatory consequences. The FCA's supervisory toolkit includes thematic reviews, firm-specific information requests, supervisory visits and skilled person reviews.
A Section 166 skilled person review is the most significant FCA supervisory intervention short of enforcement action. Under Section 166 of the Financial Services and Markets Act 2000, the FCA can require a regulated firm to appoint an FCA-approved skilled person to review a specific aspect of the firm's business and report directly to the FCA. The review is commissioned and paid for by the regulated firm but conducted on behalf of the FCA. Findings are reported to both the firm and the FCA. Adverse findings can result in requirements for remediation, imposition of conditions on the firm's regulatory permissions or, in serious cases, referral to the FCA's enforcement division.
A GRC assessment is diagnostic. It tells the organisation where it is and what to fix. A GRC audit is evaluative. It tells a qualified third party whether specific requirements are met. Confusing these two purposes leads to misallocated effort and, in the case of going to audit without prior assessment, significant financial and reputational risk.
A GRC assessment can be conducted by the organisation's own team, an independent consultant or a specialist GRC advisory firm. No specific professional qualification is required, although the methodology must be credible and the assessor must have sufficient independence to give objective findings.
A GRC audit must be conducted by someone with specific qualifications and independence requirements. ISO 27001 audits require an accredited certification body. SOC 2 and ISAE 3402 audits require a licensed CPA firm or registered audit firm. Internal audits are conducted by qualified internal auditors following IIA Standards. FCA skilled person reviews are conducted by an FCA-approved individual or firm.
A GRC assessment produces a diagnostic report: findings, a maturity rating and a prioritised action plan. The report is internal and not intended for third-party reliance.
A GRC audit produces a formal document: a certificate (ISO 27001), an assurance report (SOC 2, ISAE 3402), an internal audit report (internal audit programme) or a regulatory finding (FCA review). Each of these outputs is intended to be relied upon by a specific audience: clients, investors, the audit committee or the regulator.
A GRC assessment has no formal pass or fail. Even a poor result is constructive: it identifies what needs to be fixed before the organisation proceeds to a formal audit or faces regulatory scrutiny. The assessment report stays internal unless the organisation chooses to share it.
A GRC audit has a formal outcome. Non-conformities in an ISO 27001 audit prevent certification. An adverse opinion in a SOC 2 report may result in client loss. Adverse findings in an FCA skilled person review can trigger enforcement. The consequences of a poor audit outcome can be significant, which is why pre-audit preparation using a GRC assessment is the established best practice.
GRC assessments are most useful before the remediation work is done. They identify the gaps, inform the action plan and help the organisation understand its readiness. Conducting a GRC assessment first means arriving at the formal audit with known issues already addressed.
GRC audits are most useful after the remediation work is complete. They confirm the result and produce the evidence that third parties need. Going to audit before the remediation work is done risks adverse findings that could have been avoided.
A GRC assessment is the right choice when:
A GRC assessment is lower in cost, faster to complete and lower in risk than a formal audit. It produces actionable findings without the reputational consequences of an adverse audit outcome. For most organisations, it is the right first step in any GRC programme.
A formal GRC audit is required when:
In each of these situations, an assessment report alone is not sufficient. The client, certifying body or regulator needs the independent formal output that only a qualified auditor can produce.
GRC assessments and audits are sequential, not alternative. The most effective GRC programmes use assessments to prepare and audits to confirm. The cycle typically works as follows.
The organisation commissions a GRC assessment to establish its current maturity level and identify control gaps against the target framework (ISO 27001, SOC 2, NIST CSF or COSO). The assessment produces a prioritised action plan.
Management implements the recommended controls and improvements over a defined period. The action plan is tracked to completion. Progress is reported to the board.
A second assessment confirms that the remediation work has been completed and that controls are operating as intended. This readiness assessment is the final check before the formal audit begins.
The organisation proceeds to the formal audit with known issues already addressed. The auditor conducts their work, tests controls and issues the certificate, report or opinion. The pre-audit preparation significantly reduces the likelihood of major non-conformities or adverse findings.
After certification or audit completion, regular GRC assessments between audit cycles keep the board informed of the programme's health and ensure controls do not drift from the standard they were certified against. The assessment cycle feeds into the next audit and keeps maturity on an upward trajectory.
Organisations that follow this pattern consistently achieve better audit outcomes, lower remediation costs and more credible board-level reporting than organisations that treat assessments and audits as separate, unconnected activities.
GRC Index is an independent assessment and advisory service for UK organisations. The GRC Index assessment is specifically designed to help organisations prepare for formal GRC audits. It covers all five major GRC frameworks used in UK audit contexts: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2.
The assessment maps your current governance, risk and compliance controls against each framework's requirements, identifies gaps and produces a prioritised action plan. The report is written for board and C-Suite audiences: it presents findings clearly, without jargon, and gives management the information needed to brief the audit committee, respond to client due diligence requests or begin a formal certification process.
Whether you are preparing for an ISO 27001 Stage 1 audit, a SOC 2 Type II engagement, an ISAE 3402 report, an FCA supervisory visit or an internal audit cycle, the GRC Index assessment gives you an objective, documented view of your readiness before the formal process begins. The assessment takes approximately 20 minutes to complete and produces an immediate indicative report, followed by a detailed written report from the GRC Index team.
Visit grci.net/questionnaire to begin the GRC Index assessment.
Coverage: COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2.
Output: prioritised gap analysis and board-ready report.
Designed for C-Suite and Board members at UK regulated organisations.
Use it before any formal audit to reduce risk and accelerate certification.
A GRC assessment is a diagnostic review that identifies where an organisation's controls and governance processes stand relative to a framework or standard. It produces a prioritised internal action plan and has no formal pass or fail outcome. A GRC audit is a formal examination conducted by a qualified auditor, accredited body or regulator. It produces a formal opinion, certificate or report that carries legal, regulatory or contractual weight. Assessments identify gaps; audits confirm that gaps have been closed.
No. Internal audit is an in-house function (or outsourced equivalent) that provides independent assurance to the board and audit committee. Its reports are confidential to the organisation. External audit is conducted by an independent third party outside the organisation and produces reports, certificates or opinions intended for use by clients, investors, regulators or certifying bodies. Examples of external audit include ISO 27001 certification audits, SOC 2 Type I and Type II reports, ISAE 3402 reports and FCA skilled person reviews.
While there is no formal requirement to complete a GRC assessment before an ISO 27001 certification audit, organisations that go directly to audit without prior readiness assessment are significantly more likely to receive major non-conformities. A pre-audit GRC assessment identifies control gaps, produces a remediation plan and confirms readiness before the accredited certification body begins its Stage 1 and Stage 2 audit. This reduces audit risk, saves time and reduces the cost of post-audit remediation.
A SOC 2 audit is performed by a licensed CPA firm and tests controls against the AICPA Trust Services Criteria. A Type I report assesses whether controls are suitably designed at a point in time. A Type II report assesses whether controls operated effectively over a defined period of six to twelve months. The auditor tests sample controls, interviews staff, reviews documentation and produces a report that includes the audit opinion, a description of the service organisation's system and detailed test results for each control.
No. A GRC assessment and a GRC audit serve different purposes and cannot substitute for each other. An assessment produces an internal diagnostic report. It does not produce the formal certificate, opinion or assurance report that clients, regulators or certifying bodies require. If a third party requires evidence of compliance, a formal audit is needed. A GRC assessment is the appropriate preparation step before any formal audit: it reduces the risk of adverse findings but does not replace the audit itself.
The time required depends on the scope and methodology. The GRC Index assessment takes approximately 20 minutes to complete online and produces an immediate indicative report. A more detailed assessment covering all five GRC frameworks (COSO, ISO 31000, ISO 27001, NIST CSF and SOC 2) typically takes one to three days of engagement, including interviews with senior stakeholders and a review of existing documentation. A full written report follows within five to ten working days.
A Section 166 skilled person review is an FCA supervisory tool under Section 166 of the Financial Services and Markets Act 2000. The FCA requires the regulated firm to appoint an approved skilled person to review a specific aspect of the firm's business and report directly to the FCA. The review is paid for by the firm. Findings are reported to both the firm and the FCA and may lead to remediation requirements, conditions on the firm's permissions or, in serious cases, enforcement action. It is one of the most significant regulatory interventions a UK financial services firm can face.
© 2025 GRC Index. All rights reserved.