Frequently asked questions

The Office of Audit, Enterprise Risk and Operational Excellence offers both Internal Audit (IA) and Enterprise Risk Management (ERM) services. While ERM and IA serve distinct roles, they are mutually reinforcing. ERM provides a framework to proactively identify and assess risks inherent to the University, with the goal of giving leadership transparency into the risk universe, while IA provides independent assurance that risk mitigation efforts and controls are functioning as intended.


Role: ERM is a continuous, structured, and enterprise-wide process designed to identify and assess risks and evaluate risk mitigation activities that may impact the University’s ability to achieve its mission and strategic goals. It involves leadership at all levels and is integrated into planning and decision-making processes.


Focus and Methodology: ERM is forward-looking and strategic in nature. It uses a centralized framework to identify, evaluate, and monitor risks across academic, administrative, research, financial, and operational areas. The ERM function works closely with stakeholders across the institution to assess risk likelihood and impact, evaluate mitigation strategies, and provide relevant information for consideration in strategic planning and decision making.


Role: IA operates as an independent and objective assurance and consulting function, reporting functionally to the board (or audit committee) and administratively to senior leadership. Its independence enables it to provide unbiased evaluations of the University’s control environment and governance processes.


Focus and Methodology: IA delivers point-in-time assessments of how well key controls and processes are functioning. It evaluates operations, systems, and activities to ensure they are efficient, effective, and aligned with the University’s objectives. Through risk-based audit planning, data-driven analysis, and collaborative engagement with departments, Internal Audit not only detects issues but also recommends actionable improvements that strengthen the University’s overall control environment.


ERM is strategic and provides a university-wide perspective of significant risks. ORM is more tactical and is primarily concerned with insurance risk management. ERM and ORM work closely together to align risk management processes and expectations.


There is no single “standard” ERM program that all organizations follow. Purdue’s ERM program is continually evaluated against industry standards, peers, and best practices to identify strengths, gaps, and opportunities for improvement.
