Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors brings clarity to the gray area regarding enterprise risk management (ERM) and governance, risk, and control (GRC).
Governance, risk, and control (GRC) and enterprise risk management (ERM) are two topics frequently discussed within the business community. This research study explores the perceptions about the meanings of GRC and ERM and internal audit’s involvement. The findings provide insight
into strategic steps for the internal audit profession as a whole, plus useful perspectives for practitioners.
Researchers used The IIA’s extensive network of internal audit contacts around the world to conduct
a survey involving 23 countries. Many of the results were interpreted through follow-up interviews with
internal audit experts in the field of GRC. Finally, the researchers conducted a review of current publications
about GRC and ERM to describe current thinking on the topic.
Key findings include:
- While most internal auditors describe ERM as a component of GRC (60%), a significant proportion had the opposite viewpoint—that GRC was a component of ERM (24%).
- Approximately four out of 10 respondents described ERM (39%) or GRC (44%) in their organizations as ad hoc or preliminary.
- Significant percentages of respondents indicated that their internal audit functions did not conduct assessments of governance (25%) or ERM (34%).
- Seventy-seven percent of respondents indicated that their organizations have a process for establishing risk tolerance levels, whether formal or informal.
- Approximately two-thirds (63%) of respondents used a top-down, risk-based approach for internal audit planning compared to one-third (33%) who used a risk-ranked units, bottom-up approach.
- For many questions in the survey, respondents gave almost identical answers for GRC and ERM, suggesting a lack of differentiation between the concepts.

In conclusion, this report provides a snapshot of internal audit’s expanding roles in risk, ERM, and governance. To meet existing and future challenges, the internal audit profession would benefit by clarifying the concepts and language relative to GRC and ERM.