Risks Confronting Boards 2016 - Enterprise Risk Management
In prior surveys, directors were asked if their organizations had implemented an enterprise risk management ("ERM") program. The responses had not shown overwhelming adoption of this approach to risk. This year reflects a similar sentiment:
Across the 3 board types, those who responded "no, we do not have a program" rose 22% from 2014. Those who responded "yes, we have a comprehensive program that is fully implemented" decreased 24%. When breaking out these results by board type, the majority of public and private organizations have some sort of ERM program in place, while not-for-profit organizations do not. Next year, we plan to further explore why there has been a shift away from ERM programs, particularly if there were concerns about the value of the investment.
Internal audit can and should be seen as a resource to help address and manage risk. We ask directors about their internal audit programs year after year. How does your organization compare?
Across all 3 organization types, internal audit functions (either in-house or co-sourced) have increased since 2015. For the majority of organizations, the size of the internal audit team overwhelmingly falls in the 1-5 people range.
As the number of organizations growing internal audit functions increases, it makes sense that 40% of respondents indicate they are also prioritizing strengthening the skills of this function. While public and private boards have indicated a steadily decreasing need (over the past three years) to grow their internal audit staff, not-for-profits have demonstrated growth, increasing the number of staff since 2014.
Given the stabilization of the role in public and private organizations and the continued growth in not-for-profits, we asked what, specifically, these organizations are assigning to the internal audit function:
Overall, 71% of respondents indicated that internal auditors focus on internal controls over financial reporting or operational audits.
Public boards rely heavily on internal audit to address many different risk concerns (e.g., risk, security and financial/operational audits) and almost half of public boards are not proposing any changes to their internal audit function. This, again, leads us to ask the question: Does internal audit have the bandwidth to sufficiently address the risks that face these organizations?
Concerns About Risks Confronting Boards - 2016 Survey Results