The GRAPA Standards

I. Disciplines

 II. Domains

III. Levels of Assurance

IV. Principles

IV. Principles and Guidelines

The GRAPA "Principles and Guidelines " specifications provide a clear guidelines for the way that the revenue assurance professional is to approach their tasks. It defines the way that The RA professional should work with other departments, with top management and with other risk management professionals in the organization.

Key to the guidelines area specification for the code of ethics and commitment to integrity intrinsic in the definition of RA.

IV. Principles and Guidelines

The the execution of revenue assurance is a responsibility similar in scope and trust to that of any other financial assurance profession (like auditing or financial reporting). For this reason it is critical that our members subscribe to a code of ethics that assures that the work that they do, and the findings that they report can be trusted.  The GRAPA principles and ethics statement summarizes these areas of concern. The core principles describe the foundational concepts upon which the practice of revenue should be based. These include:

A. Consensus

It is primary objective of the revenue assurance team to promote cooperation between the operational teams involved in each of the different aspects of revenue management, accounting and delivery. Revenue assurance should be a vehicle for collaboration first and foremost. The goal of RA is to create a solution that involves the consensus of all parties involved. RA is not an internal audit or policing function, it is a problem solving function and most problem solving requires the willful cooperation of all parties involved in the problem.

B. Integrity

All revenue assurance activities are to be performed with a primary focus on the integrity of the activities performed. Integrity includes the integrity of relations with other managers, the integrity with which the job is conducted and the integrity of the findings and reporting utilized.

C. Rationalization

All revenue assurance activities should be based on the principle of rationalization of investment. Any investment of the companies’ resources (time, money, effort) in pursuit of revenue assurance objectives must be balanced against the anticipated benefit in risk reduction, revenue retention or revenue maximization anticipated. The RA practitioner is responsible for understanding, documenting and assuring the rationalization of all investments and decisions.  

Every revenue assurance decision requires that a balance be struck between the degree of risk mitigated and the cost of accomplishing that degree. The revenue assurance team will at all times be aware of this tradeoff and make the rationale and criteria for making those decisions clear.

D. Delegation of Responsibility for RA

It is not the job of the RA Professional to insist that they do all of the RA job. The overriding goal of the RA professional is to make sure that the RA job is performed with integrity with a goal of maximum effectiveness for minimum cost.

The directive to accomplish maximum effectiveness for minimum cost means that the RA manager will work with other departments (operational teams, operational managers, internal audit, I/T and other groups) and encourage the development of solutions, and the allocation of responsibilities in a manner that makes the most sense for the entire organization.

E. Corporate Responsibility

It is the responsibility of the revenue assurance practitioner to stay alert for and aware of any and all risks to the revenues of the firm and well as to any assets of the firm that are involved. The RA practitioner will always and without fail report any serious risk of loss to the appropriate agencies or authorities whether it is directly within the scope of the RA persons responsibilities or not.  

F. Competency Requirement

Revenue assurance functions should be staffed with those who collectively have knowledge and skills necessary to conduct RA activities.   Outside consultants with requisite knowledge may need to be hired to complement internal staff.  GRAPA recommends staff receive a minimum number of hours of continuing education each year and maintain a record of training.  The RA practitioner is responsible for conducting activities with competence.

G. Transparency Requirement

All RA activities are to be conducted in a straightforward and transparent manner. All processes and activities are to be documented and published for review of the appropriate persons involved. Forensic analysis techniques, assessment reports, quantification findings, correction and control recommendations should be clearly documented and published in a manner that makes the process, intention and results clear to all parties involved.

I. Operational Independence Requirement

Each revenue assurance professional is responsible for maintaining independence so that opinions, conclusions, judgments, and recommendations will be viewed as impartial by third parties.  This includes personal, external, and organizational impairments. 

A personal impairment might be financial relationship, and an external impairment might be unreasonable restrictions on the time to complete an assurance activity.  To achieve organizational independence RA organizations and compliance professionals should report the results of their assessments and compliance findings and be accountable to the head of the organization and should be located organizationally outside the staff or line function being reviewed or reported upon.

This helps to ensure that staff is free from political repercussion. (Assessment and Compliance reporting should be done separate from the operational unit. RA teams may also perform operational reporting as long as the team reports to the RA team not the operational team).

J. Responsibility and Relationship to Management

It is the responsibility of the RA practitioner to assess and report actual revenue loss, potential revenue loss and to assess the potential risk of loss due to leakage or fraud to management.

It is management’s responsibility to review and decide upon the degree and nature of the mitigation of that risk (if any).

RA professionals do not choose levels of risk or determine policies regarding how operations should be performed or who should perform what task. That is the responsibility of management.

K. Responsibility and Relationship to Operational Managers and Peers

It is the responsibility of the RA practitioner to work with and assist operational managers with the accuracy , efficiency and effectiveness of their operational areas. The addressing of leakage, risk of loss or other risk or fraud exposures are the clear and full responsibility of the operational team in assigned to that area.

Revenue assurance is present to assist those operational teams but not to assume their responsibility.

(unless at the explicit direction of top management the RA team takes on certain aspects of this operational responsibility).

L. Maximum Effect for Minimum Cost

It is the responsibility of the RA professional to always attempt to attain the maximum impact (in terms of the reduction of revenue loss, risk of loss or other objective) for the minimum investment. The best cost solution is always preferred.

M. Responsibility and Relationship to Related Departments

It is the responsibility of the RA practitioner to work with and assist the people responsible for Internal Audit, Business Process Reengineering or any other staff discipline which might overlap with the scope or RA. The objective of RA is to attain maximum impact for minimum cost and if the related department can do the job (Forensics, Controls Management, Compliance and Corrections) better, faster or more efficiently, then it is the responsibility of the RA practitioner to do everything possible to help that group to accomplish those objectives.

N. GRAPA Inter-organizational Principles (Review)  

Under the GRAPA standards, it is the responsibility of the Revenue Assurance practitioner to assess and report on the risk of revenue loss, or the extent of revenue loss suffered within a particular operational area as directed by management , and in cooperation with the operational manager responsible for the area under review.

Based upon these guidelines, the following conclusions ensue:  

  • It is the job of RA to assess risk and loss only in areas where management has directed it to. It is not the job of RA to look for risk without this direction.
  • It is the job of RA to report the risk of loss, but it is NOT the job of RA to recommend or enforce a particular level of loss. The appetite for risk, and the level of acceptable risk is a parameter set explicitly by the management team.
  • If so directed, the RA team can be commissioned with responsibility to investigate, develop and promote recommendations for the reduction of a risk exposure from its current level, to a level set by management.
  • The RA team will only be involved in the assessment of risk and loss in areas where the manager responsible for the operational area in question has agreed to cooperate. We believe that it is impossible to accurate assess risk , report risk and remedy risk without the full commitment of the operational management team.
  • The RA team can be invited by the operational manager, or by top management to proactively and aggressively assist the operational manager in the assessment of his risk exposure and in the development of a coverage plan.
  • Coverage plans and the institution of new controls must be approved by operational managers and top management before they are to be executed.
  • Primary responsibility for the execution of a coverage plan and implementation of new controls will be the responsibility of the operational manager.
  • The RA team may assist or execute a coverage plan at the request of top management and/or the operational manager.

Compliance reporting will be developed as part of the coverage plan, and all ultimate compliance and risk/loss reporting will be managed by the RA team, separate from the operational area