


Do you perform a risk analysis of your internal audit team?

by Scott Priest, Editorial Director

July 20, 2010

by Scott Priest, managing editor, GRC Expert

OCEG raises this interesting question in one of their one-minute polls given earlier this year, and I found the results somewhat surprising:

22%: Yes, using our own approach

16%: Yes, using industry best practices adapted for our environment

13%: No, but plan to do so

49%: No, and no plans to do so

So 62% of respondents perform no risk assessment related to their internal audit (and color me skeptical that the 13% who "plan to do so" actually do).

Now, if this were a worldwide survey of thousands of businesses, the figure might not surprise me. What's startling is that it's an OCEG poll, so inevitably it is skewed to people who are interested in, and believe in, GRC principles. Even at these folks' companies, policies don't appear to be in place to keep checks and balances against the internal audit team, who, while in most cases very trustworthy, also have access to a lot of sensitive information.

Coming on the heels of reading this article yesterday about the massively expanding nature of top-secret organizations in the US government, often with little to no accountability or checks and balances against them, I can't help but think about what unmonitored teams, groups, or individuals are capable of. Whether it's a public, private, non-profit, or governmental organization, monitoring and assessing risks is critical to keep catastrophes at bay.

By the way, if you're not familiar with OCEG, go here to see more about the organization and the principles they espouse.
