ERS is divided into two parts: business risk and IT risk.
Business risk mainly audits internal process controls, often as a one-time project that helps an enterprise evaluate its internal control system. For example, an enterprise that wants an IPO is required to make such an assessment.
IT risk mainly handles IT audits and consulting projects on enterprise information systems, covering areas such as information security, privacy protection, data analysis and compliance. The service lines of local companies may differ, because not all of them can provide such a wide range of services.
IT audit supports the financial audit. Almost all of an enterprise's financial data now passes through information systems, so if those systems are insecure and the information is easily tampered with, the data the financial audit obtains is unreliable and auditing it is meaningless. ERS is therefore usually required to do an IT audit at the customer at the same time, to see how serious the problems are. The audit has two basic parts. The first is GC (general control), which covers issues common to information systems, such as data security, data center protection and the permissions of relevant personnel. The second is AC (automated control), which refers to the security controls of information systems in the enterprise's daily operation. For example, an incorrect password triggers a corresponding warning, or changing information requires a higher level of permission. Sometimes I also look at other things, such as a separation of duties (SOD) test, or do some simple data analysis with ACL (called CAATs).
In addition to the above two, there are also some compliance projects, such as SOX, IT and business.
The work is often shorter and less stressful than financial auditing, but it is more independent: you need to take the initiative to learn and to do projects. Because it involves both auditing and consulting, it is also more complicated. The disadvantage is that it is not specialized, so you may be unsure what job you can move to afterwards; the advantage is that you have the opportunity to learn more skills. If you are willing to learn, it is still a good choice.
As for career prospects: if you work in business risk, you can later move into internal control at an enterprise; if you work in IT, you can turn to IT consulting or become an internal control compliance officer at an enterprise. Another popular direction is business analyst at an investment bank. This is a coordinating role that translates the front office's business requirements into information the IT department can understand, so you have to know something about both IT and business. Of course, it varies from person to person. The Big Four is a starting point to begin with, and most people don't stay forever. It is quite possible to leave for investment banking, consulting or a big company. Deloitte is also a big international enterprise with abundant resources, which you can put to good use.