by Scott Priest, managing editor, GRC Expert
OCEG raised this interesting question in one of its one-minute polls earlier this year, and I found the results somewhat surprising:
22%: Yes, using our own approach
16%: Yes, using industry best practices adapted for our environment
13%: No, but plan to do so
49%: No, and no plans to do so
So 62% of respondents perform no risk assessment related to their internal audit (and color me skeptical that the 13% who "plan to do so" actually do).
Now, if this were a worldwide survey of thousands of businesses, the figure might not surprise me. What's startling is that it's an OCEG poll, so it is inevitably skewed toward people who are interested in, and believe in, GRC principles. Even at these folks' companies, policies don't appear to be in place to keep checks and balances on the internal audit team, who, while very trustworthy in most cases, also have access to a lot of sensitive information.
Coming on the heels of reading this article yesterday about the massively expanding nature of top-secret organizations in the US government, often with little to no accountability or checks and balances on them, I can't help but think about what unmonitored teams, groups, or individuals are capable of. Whether it's a public, private, non-profit, or governmental organization, monitoring and assessing risks is critical to keeping catastrophes at bay.
By the way, if you're not familiar with OCEG, go here to see more about the organization and the principles they espouse.