Internal Auditing's Role in Enterprise Risk Management (Foreign-Language Article Translation)


Published 15 December 2023 (author: 音标发音视频)

Foreign-language literature translation

Original text:

Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

Internal audit departments have played a variety of roles in their organization's enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO. More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, but they say they should have a substantial level of responsibility. These views agree with the IIA guidance. Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility for at least one core activity, and more than two-thirds say they should have full or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they deem appropriate:

"We have just recently begun implementing ERM activities in our company. We do not yet have complete understanding of the process and buy-in from management."

"The audit committee and management are not aware of what ERM is."

"The internal audit function has just initiated an awareness campaign among the audit committee members."

These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.

LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as "consulting" activities. Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance.

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity of all, core activities included. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk detection and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, which is an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would include documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends. However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

INDUSTRY Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $500 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenues under US $500 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year. Researchers compared responses from organizations with revenues of less than US $1 billion with organizations with revenues greater than US $1 billion. On average, auditors from both types of organizations have relatively equal levels of responsibility for current core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondents' organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The primary difference related to core activities, where compliers report a higher level of current responsibility than non-compliers.

Although the IIA guidance is equally applicable to all organizations, the research indicates that smaller internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current levels of responsibility audit departments have may differ somewhat from the levels recommended by The IIA's position paper, the respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance:

"There needs to be a shift in the 'doing' of the ERM to being an internal audit function that relies on and evaluates the ERM process. ERM should be in sync with the audit universe and plan."

"In the past 18 months, the corporation has appointed a CRO to provide oversight and guidance to evolving ERM processes. During this period, much of internal auditing's previous ERM roles have migrated to this officer."

More importantly, respondents identified significant barriers in their organizations to following the guidance:

"These ERM responsibilities and processes are not well defined in many organizations and should be more clearly articulated by senior management."

"There is not enough emphasis from the top that risk management is important and must be done effectively. Management is still trying to hide things from internal auditing. It's not them against us, we're all in it together."

"Most auditors and enterprise managers lack clarity on the distinction between responsibility for risk assurance implementation versus responsibility for risk assurance compliance and monitoring."

These comments stress that a key element to establishing a successful ERM program is education on the importance of ERM and the appropriate roles management and internal auditing have in the process. Internal auditors can play a key role in providing this education. The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but the formal decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for ERM-related activities for which they should be accountable. However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities might not occur quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ready to work together to achieve the many benefits of ERM. Ideally, this coordination will result in performing ERM-related activities at appropriate places within the organization, management accepting its responsibility for ERM, and the audit function playing a role that is consistent with appropriate professional guidance.

Source: Audrey Gramling. Internal auditing's role in ERM. 2004: 2-4.

Translation:

Internal auditing's role in enterprise risk management

New research finds that as organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities.

Since COSO released the Enterprise Risk Management-Integrated Framework in September 2004, internal audit departments have played a variety of roles in their organizations' enterprise risk management. Following the COSO ERM release, the IIA issued the position paper "The Role of Internal Auditing in Enterprise-wide Risk Management," which indicates the roles the internal audit function should and should not play throughout the ERM process, ranging from no involvement to full involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes; giving assurance that risks are evaluated correctly; evaluating risk management processes; evaluating the reporting of key risks; and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles defined in the IIA paper. During October 2005, researchers conducted an online survey of 7,200 IIA members through The Institute's Global Auditing Information Network. The survey drew 361 responses from a mix of large, mid-sized, and small organizations across a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents were chief audit executives or audit directors, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. About 90 percent came from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM as described by COSO. More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and about 37 percent say their organization has recently adopted ERM or is in the process of implementing it. Among all organizations surveyed, the internal audit function has primary responsibility for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function; nearly one-third say another executive or function oversees ERM.

For many respondents, the time and money the internal audit function spends on ERM-related activities is minimal. Nearly half say that in fiscal year 2004 their audit department spent 10 percent or less of its hours and financial budget on ERM-related activities. More than one-third of audit departments spent 11 to 50 percent of their time on ERM, and 28 percent spent 11 to 50 percent of their financial budget; fewer than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: none, limited, moderate, substantial, or total.

Core activities:

The differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each core ERM-related activity is moderate, but they say they should have substantial responsibility. These views are consistent with the IIA guidance. In addition, roughly half of the internal audit functions surveyed currently have substantial or total responsibility for at least one core activity, and more than two-thirds say they should have total or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility are reviewing the management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they consider appropriate:

"We have just recently begun implementing ERM activities in our company. We do not yet have a complete understanding of the process or buy-in from management."

"The audit committee and management are not aware of what ERM is."

"The internal audit function has just initiated an awareness campaign among audit committee members."

These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.

Legitimate activities:

The IIA paper prescribes seven legitimate ERM-related activities for which the internal audit function may be responsible provided safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing the establishment of ERM, and developing a risk management strategy for board approval.

These activities are described as "consulting" activities. Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the IIA guidance. Within the legitimate category, the highest level of current internal audit responsibility is facilitating the identification and evaluation of risks, the top-rated ERM-related activity of all, core activities included. It is also the highest-rated ideal activity among the legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk identification and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure they do not take on management's responsibility for actually managing risks. One possible preventive measure is to document the auditors' ERM responsibilities in an audit charter approved by the audit committee. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.

Inappropriate activities:

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, the audit functions surveyed have greater responsibility for these activities than the IIA paper recommends. However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibility in these areas because the audit function is playing a leading role during the early stages of ERM development.

Organizational characteristics:

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as whether the company must comply with the U.S. Sarbanes-Oxley Act of 2002.

Industry: Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups, financial services and manufacturing. On average, financial services audit departments currently have greater responsibility for core activities than those in manufacturing. For inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial services audit departments rate their current and ideal responsibilities at the same level.

Organization size: About half of respondents work in organizations with 2004 revenues between US $500 million and US $5 billion. Nearly 25 percent work in organizations with 2004 revenues under US $500 million, and a similar proportion work in organizations with revenues above US $5 billion that year. Researchers compared responses from organizations with revenues below US $1 billion with those from organizations with revenues above US $1 billion. On average, auditors from both types of organizations have roughly equal levels of current responsibility for core activities. However, smaller organizations rated their ideal involvement in these core activities higher than larger organizations did. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

Audit staff size: More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with 11 to 50 auditors, and about one-tenth work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than departments with 10 or fewer. Large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit departments, respondents from small audit departments want more responsibility for activities in the inappropriate category.

Sarbanes-Oxley: Most respondents' organizations must comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and organizations that do not have to comply with the act. The main difference relates to core activities, where compliers report a higher level of current responsibility than non-compliers.

Although the IIA guidance applies equally to all organizations, the research indicates that smaller internal audit departments and those in smaller organizations tend to take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibility for these activities to management.

The auditor's role:

Although the survey results suggest that audit departments' current levels of responsibility may differ somewhat from the levels recommended by the IIA position paper, respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance:

"There needs to be a shift from 'doing' ERM to an internal audit function that relies on and evaluates the ERM process. ERM should be in sync with the audit universe and plan."

"In the past 18 months, the corporation has appointed a CRO to provide oversight and guidance to evolving ERM processes. During this period, much of internal auditing's previous ERM role has migrated to this officer."

More importantly, respondents identified significant barriers in their organizations to following the guidance:

"These ERM responsibilities and processes are not well defined in many organizations and should be more clearly articulated by senior management."

"There is not enough emphasis from the top that risk management is important and must be done effectively. Management is still trying to hide things from internal auditing. It's not them against us; we're all in it together."

"Most auditors and enterprise managers lack clarity on the distinction between responsibility for risk assurance implementation and responsibility for risk assurance compliance and monitoring."

These comments stress that a key element of establishing a successful ERM program is education on the importance of ERM and on the appropriate roles of management and internal auditing in the process. Internal auditors can play a key role in providing this education. The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which should always be performed by management. Relevant training should highlight that internal auditing can serve in a monitoring or consulting role throughout much of the ERM process, but formal decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. In addition, auditors should consider training senior management, the board, and others throughout the organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps the internal audit profession should take.

Auditors whose organizations are in the early stages of adopting ERM, or will implement ERM in the future, have many opportunities to ensure the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open lines of communication with management, the board and audit committee, and the external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for the ERM-related activities for which it should be accountable. However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities may not happen quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ready to work together to achieve the many benefits of ERM. Ideally, this coordination will result in ERM-related activities being performed at the appropriate places in the organization, management accepting its responsibility for ERM, and the audit function playing a role consistent with appropriate professional guidance.

Audrey Gramling. Internal auditing's role in ERM. 2004: 2-4.


Published: 2024-09-23 12:26:34

Link: https://www.17tex.com/fanyi/3610.html
