Enterprise risk management (ERM) is demanding its share of attention from management and internal auditing, but it still has a respectable distance to go before receiving its due. In September, The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the final version of its ERM framework, Enterprise Risk Management--Integrated Framework, which outlines internal auditing's role in supporting ERM. An exposure draft of the framework had been issued more than a year before the final release, and many organizations have embraced ERM. Still, fewer than half the organizations responding to an IIA Research Foundation survey have an ERM framework--full or partial--in place. Those organizations that do not have an ERM framework are evenly divided as to their plans: one-third plan to implement ERM in the future; one-third have no plans to implement ERM; and one-third have yet to make a decision regarding ERM.
Thus, it appears that adoption of ERM is still evolving. In light of the increasing interest in the topic of risk management, as well as internal control reporting, it would seem that most organizations ultimately will implement ERM, and the survey results support this. But ERM adoption may not occur immediately. As one respondent commented, "Internal auditing believes this is an important issue and needs greater support for the idea of ERM. Funding seems to be the biggest stumbling block at the moment, and no one area wants to be responsible for this function."
The COSO framework lays out key elements of a process for managing all types of risk (see "Bringing ERM into Focus," Internal Auditor, June 2003). It calls for internal audit functions to "assist management and the board of directors or audit committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the entity's enterprise risk management processes." This call from COSO is consistent with the IIA's definition of internal auditing, which specifically mentions "risk management, control, and governance processes" as elements of internal auditing's responsibilities.
Given the rising interest in ERM and the existing focus of many internal auditors on risk management, a study funded by the IIA Research Foundation was conducted to examine internal auditing's involvement in ERM and to extend two previous IIA Research Foundation studies--Enterprise Risk Management: Trends and Emerging Practices (2001) and Enterprise Risk Management: Putting It All Together (2002). The specific objectives of the new study were to: (1) gather information on organizations' stage of ERM development and specific risks addressed and (2) assess the role of the internal audit function in organizations' ERM processes, including the impact of ERM on internal auditing.
RESEARCH METHOD AND RESPONDENTS
In spring 2004, an electronic communication from The IIA directed more than 1,700 IIA Global Auditing Information Network (GAIN) members to an online survey, The Role of the Internal Audit Function in Enterprise Risk Management. The findings discussed here are based on 175 survey responses received after two invitations to complete the online survey. Approximately 90 percent of respondents identified themselves as chief audit executives...