Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors
- Item No. : 5027.dl
- ISBN : 978-0-89413-808-9
- Publisher : The IIA Research Foundation
- Publish Date : July 2013
- Authors : The IIA Research Foundation
- Media : Download
- Page count : 127
- Member Price : $0.00
- Non-Member Price : $25.00
To download your copy, Select "Add To Cart"
NEW!! From The IIA Research Foundation
Governance, risk, and control (GRC) and enterprise risk management (ERM) are two topics frequently discussed within the business community. This research study explores the perceptions about the meanings of GRC and ERM and internal audit’s involvement. The findings provide insight into strategic steps for the internal audit profession as a whole, plus useful perspectives for practitioners.
Researchers used The IIA’s extensive network of internal audit contacts around the world to conduct a survey involving 23 countries. Many of the results were interpreted through follow-up interviews with internal audit experts in the field of GRC. Finally, the researchers conducted a review of current publications about GRC and ERM to describe current thinking on the topic.
Key findings include:
- While most internal auditors describe ERM as a component of GRC (60%), a significant proportion had the opposite viewpoint—that GRC was a component of ERM (24%).
- Approximately four out of 10 respondents described ERM (39%) or GRC (44%) in their organizations as ad hoc or preliminary.
- Significant percentages of respondents indicated that their internal audit functions did not conduct assessments of governance (25%) or ERM (34%).
- Seventy-seven percent of respondents indicated that their organizations have a process for establishing risk tolerance levels, whether formal or informal.
- Approximately two-thirds (63%) of respondents used a top-down, risk-based approach for internal audit planning compared to one-third (33%) who used a risk-ranked units, bottom-up approach.
- For many questions in the survey, respondents gave almost identical answers for GRC and ERM, suggesting a lack of differentiation between the concepts.
In conclusion, this report provides a snapshot of internal audit’s expanding roles in risk, ERM, and governance. To meet existing and future challenges, the internal audit profession would benefit by clarifying the concepts and language relative to GRC and ERM.
Generously sponsored by IIA-Albany, IIA-Downeast Maine, IIA-Southern New England, and IIA-Westchester-Fairfield.