1. OCEG, "GRC Capability Model," Version 3.5 (2021).
Section 4.4, PROACTIVELY ASSURE: This section details the role of assurance. It states, "Assurance is any activity that provides an objective and relevant evaluation of subject matter against criteria to provide information to stakeholders... The purpose of assurance is to provide justified confidence to stakeholders that GRC capabilities are designed and operating effectively." This directly supports the point that assurance evaluates subject matter to build trust for information consumers (stakeholders).
2. The Institute of Internal Auditors (IIA), "International Professional Practices Framework (IPPF)," (2017).
Glossary, Definition of Assurance Services: The IPPF, a globally recognized standard for assurance providers, defines assurance services as "An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization." This aligns with the concept of evaluating subject matter to provide trusted conclusions.
3. Marks, N., "The GRC Capability Model ('The Red Book')," Norman Marks on Governance, Risk Management, and Audit (Blog), referencing OCEG principles.
In discussions of the OCEG model, assurance is consistently framed as the mechanism for providing confidence. Marks explains that assurance functions (like internal audit) "provide assurance, advice, and insight" by evaluating whether GRC processes are working as intended, which directly supports option A's focus on evaluation for trust.