
Foreign-literature translation

Original text:

Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

Internal audit departments have played a variety of roles in their organizations' enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, The Role of Internal Auditing in Enterprise-wide Risk Management, indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO.
More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, but they say they should have a substantial level of responsibility. These views agree with the IIA guidance.
Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility for at least one core activity, and more than two-thirds say they should have full or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they deem appropriate:

"We have just recently begun implementing ERM activities in our company. We do not yet have complete understanding of the process and buy-in from management."

"The audit committee and management are not aware of what ERM is. The internal audit function has just initiated an awareness campaign among the audit committee members."

These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.

LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal committee audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as consulting activities.
Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance.

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk detection and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, which is an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would include documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends.
However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

INDUSTRY Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $500 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenues under US $500 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year.
Researchers compared responses from organizations with revenues of less than US $1 billion with organizations with revenues greater than US $1 billion. On average, auditors from both types of organizations have relatively equal levels of responsibility for current core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondents' organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The primary difference related to core activities, where compliers report a higher level of current responsibility than non-compliers.

Although the IIA guidance is equally applicable to all organizations, the research indicates that smaller internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management.
In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current levels of responsibility audit departments have may differ somewhat from the levels recommended by The IIA's position paper, the respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance:

There needs to be a shift in the doing of the ERM to being an internal audit function that relies on and evaluates the ERM process. ERM should be in sync with the audit universe and plan.

In the past 18 months, the corporation has appointed a CRO to provide oversight and guidance to evolving ERM processes. During this period, much of internal auditing's previous ERM roles have migrated to this officer.

More importantly, respondents identified significant barriers in their organizations to following the guidance:

These ERM responsibilities and processes are not well defined in many organizations and should be more clearly articulated by senior management. There is not enough emphasis from the top that risk management is important and must be done effectively. Management is still trying to hide things from internal auditing. It's not them against us, we're all in it together. Most auditors and enterprise managers lack clarity on the distinction between responsibility for risk assurance implementation versus responsibility for risk assurance compliance and monitoring.

These comments stress that a key element to establishing a successful ERM program is education on the importance of ERM and the appropriate roles management and internal auditing have in the process. Internal auditors can play a key role in providing this education.
The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but the formal decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for ERM-related activities for which they should be accountable.
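However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities might not occur quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ready to work together to achieve the many benefits of ERM. Ideally, this coordination will result in performing ERM-related activities at appropriate places within the organization, management accepting its responsibility for ERM, and the audit function playing a role that is consistent with appropriate professional guidance.

Source: Audrey A. Gramling. Internal auditing's role in ERM. 2004: 2-4.

Translation:

The Role of Internal Auditing in Enterprise Risk Management

New research finds that, as enterprises take organizational risk as their groundwork, many auditors are taking on oversight duties that belong to management.

Since COSO released its integrated framework for enterprise risk management in September 2004, internal audit departments have played a management role in their organizations' enterprise risk management. After COSO released its enterprise risk management document, the IIA issued The Role of Internal Auditing in Enterprise Risk Management. It indicates the roles the internal audit function should play throughout the management process, ranging from no involvement to full involvement. According to the paper, internal auditors should have a core role in five assurance activities related to risk management: giving assurance on risk management processes; giving assurance that risks are evaluated correctly; evaluating risk management processes; evaluating the reporting of key risks; and reviewing the management of key risks.

A recent study by the IIA Research Foundation examined how far internal audit functions adhere to the enterprise risk management roles defined in the IIA paper. During October 2005, researchers conducted an online survey of 7,200 IIA members through the Institute's Global Auditing Information Network. Responses came from 361 large, mid-sized, and some small for-profit organizations (including businesses and government agencies). Nearly 60% of respondents were chief audit executives or audit directors, 23% were audit managers, and 7.8% were staff or senior auditors. About 90% were from the United States and Canada.

Respondents' organizations are at different stages of implementing enterprise risk management, as described by COSO. More than 11% say their organization's ERM infrastructure is mature or relatively mature, and about 37% say their organization has recently adopted ERM and is implementing it. Among all organizations surveyed, 36% of respondents report that the internal audit function is primarily responsible for the organization's risk management, while 27% say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function; nearly one-third say another executive or function oversees enterprise risk management.

Most respondents report that the time and money the internal audit function spends on risk management activities is minimal. Nearly half say that in 2004 their audit department spent 10 percent or less of its hourly and financial budgets on enterprise risk management. One-third report that the audit department spent 20% to 50% of its time on ERM and 28% to 50% of its financial budget; fewer than 10% of departments spent more than 50% of their time and money.

The IIA position paper classifies 18 ERM-related activities by the appropriate level of responsibility for the internal audit function.

Core activities: The differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM activities is moderate, but they also say they should have a substantial level of responsibility. These views agree with the IIA guidance. In addition, roughly half of the internal audit functions surveyed currently have full or substantial responsibility for at least one core activity, and more than two-thirds say they should have full or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing risk management and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the appropriate level:

"We have only recently begun implementing enterprise risk management activities in our company. We do not yet fully understand and have command of the management of the risk process."

"The audit committee and management do not know what enterprise risk management is. The internal audit function has only just begun an awareness campaign among the audit committee members."

These comments suggest that educating management and the audit committee on enterprise risk management issues can ensure that the audit function operates at an appropriate level in enterprise risk management.

Legitimate activities: The IIA paper sets out seven legitimate ERM-related activities for which the internal audit function may be responsible, provided safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing the establishment of ERM, and developing a risk management strategy for board approval. These activities are described as "consulting" activities. Although respondents' current responsibility for these legitimate activities is limited, they say their ideal level should be moderate, which is in line with the guidance in the IIA paper.

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among the legitimate activities, suggesting that auditors regard it as a core responsibility. This result is not surprising, because risk monitoring and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on responsibility for actually managing risks. One possible preventive measure would be to document the auditors' enterprise risk management responsibilities in an audit charter approved by the audit committee. Further, if auditors take on any risk management activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant Institute standards to ensure their independence and objectivity.

Inappropriate activities: According to the Institute of Internal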
