Categories
Auditing

Renaming internal audit to better represent its stature

Internal audit. The name leaves something to be desired, in my opinion, and unless you’re familiar with IA, it could be a bit confusing.

It also creates this false dichotomy with external audit that really doesn’t exist. Within the IA context, the audit of financial statements is supplemental and focused on only one risk: reporting risk. Granted, reporting risk holds a special place in the pantheon of enterprise risks, critical to obtaining and maintaining financing, but still.

Why is internal audit content with naming itself only in terms of where its practitioners reside in relation to the organization under audit? Seems quite narrow and vague. Given that IA concerns itself with all enterprise risks, it makes more sense to me to called it Enterprise Audit. This would also dovetail nicely with Enterprise Risk Management. ERM and EA, two sides of the governance coin.

Better branding in this manner would attract more and higher quality people to the profession as well. It sounds far more interesting and rewarding to be in the business of enterprise auditing than internal auditing.

What do you think? Is it too late in the game to make a change like this? Does it matter, so long as those in business understand the role and responsibilities of the auditors?

Categories
Risk Management

Survey says: ERM implementations maturing

A survey conducted in July and August of 2009 by Aon has revealed that companies are moving beyond “basic” ERM implementations:

62% of the survey respondents in the Global Enterprise Risk Management Survey 2010 reported going beyond basic ERM, compared with only 38% in Aon’s inaugural ERM survey in 2007.

I wonder what happened between now and 2007 that would’ve affected companies’ willingness to ramp up their risk management practices…

The survey asked respondents (of which there were 201) to rate the maturity of their ERM implementation, from “initial/lacking” through “basic”, “defined”, “operational” and “advanced”.

My take is that respondents are more likely to overestimate the maturity of their implementation and generally more likely to respond the more advanced they (feel they) are in the process. Still, the survey is a welcome indicator that ERM efforts are on the rise.

I also think the fact that ratings firms are taking ERM into account when they determine their grading is helping executives point to a tangible financial benefit and obtain buy-in from all stakeholders, which is critical. In my mind the primary indicator of maturity in a company’s risk management program is how comprehensive it is across all departments and divisions, as the “initial/lacking” stage is exhibited by a rigid, siloed approach.

The survey is available on Aon’s website (if you give them some personal information first).