The GRAPA Standards

I. Disciplines

 II. Domains

III. Levels of Assurance

IV. Principles

I. Disciplines

    The GRAPA "Disciplines" define the 4 major categories of activity  associated with the practice of revenue assurance.

    It is important to note that the disciplines define HOW revenue assurance is done, not WHO is responsible for doing it. Internal Auditors, I/T Professionals and Operational Management teams often have primary responsibility for performing these functions. What is important is that the job is done properly, NOT who does it.

    The GRAPA Disciplines include: 
    1. Forensic Analysis - The assessment of risk, root cause analysis and the determination of the appropriate level or correction for a given area.
    2. Controls Management - The design, implementation, execution and monitoring of controls.
    3. Corrections - Assuring that recommended changes to operational methods and systems are implemented in response to identified risks.
    4. Compliance Management - Making sure that forensic investigations, corrections and controls are being executed and managed as specified.


Forensic Revenue Assurance  - Assessment and Investigation 

When a particular area or domain is identified as a candidate for revenue assurance attention, the first responsibility of the revenue assurance practitioner is to perform a preliminary assessment in order to understand:

  • How the area functions
  • What the major revenue risk and loss vulnerabilities are
  • What the different ways the containment or repair of the risk might be

 Key to this process is that the analyst QUANTIFY the RISK or LOSS . ( In other words, determine the degree of loss or risk in measurable and reportable terms).

The basic tools utilized in the performance of an assessment are known as Forensic Revenue Assurance Techniques (See the Forensic Revenue Assurance section of this standards document for detailed information about these techniques).

 Upon completion of the assessment a report will be made summarization:

  • The size and extent of revenue risk or loss
  • A recommendation regarding how the areas should be covered in the future.

 Recommendations for follow-up can include:

  • The scheduling of another assessment at a future date
  • The creation of a set of operational controls (controls management)
  • A serious reengineering of aspects of the operation (correction)

Operational Revenue Assurance (Controls Management)

If the findings of the Forensic Revenue Assurance analysis indicate that the area under consideration harbors a level of risk higher than that set by management, a recommendation for the creation of a coverage plan will be required.

A revenue assurance coverage plan is a well defined, systematic plan for the continuous monitoring and reporting of the risk of loss, or the actual revenue loss within a specified area.

The key to a coverage plan is the identification and implementation of “controls”. Controls are operational mechanisms (systems, reports, procedures) which allow the business to keep track of the revenue, loss of revenue and risk of revenue loss, and report that to management on a regular and reliable basis.

Coverage plans can be light (involving changes in existing procedures, and recommendations for periodic review) or heavy (involving recommendations for the installation of monitoring controls, new policies and procedures or even the creation of new departments or functions). (For more information about coverage plans see the “Forensic Revenue Assurance” and “Operational Revenue Assurance” sections of this standards document.

Coverage plans are developed in order to provide management with assurance that the desired level of risk of loss is maintained for each area under consideration (each explicitly identified domain).  

Responsibility for the execution of a coverage plan is left up to management to decide.  Primary responsibility for execution of a coverage plan will fall to the operational manager that is responsible for the area being assured, however, the revenue assurance team, or some other group , may be asked to assist that manager if there are operational or other constraints.

Corrections Management

Corrections management is the process of making sure that any recommended changes to procedures, operations or systems are implemented in a timely, efficient and effective manner.

 The person managing the corrections process is the person that assures management that the corrections that have been identified are implemented per specification. Responsibility for the execution of a correction is most often relegated to the operational manager responsible for the area under review. Sometimes a specialist or an RA practitioner will be asked to step in and assist with the process.


Compliance management is the process of reporting to management on:

  • The status and progress of all forensics activities
  • The status and progress of specified corrections activities
  • Assurance that all specified controls are being utilized and reported and that all escalation events (events that indicate that a risk or loss has gone beyond the levels set within the control) are being followed up