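Chinese-English Bilingual Translated Foreign Literature (document contains the English original and the Chinese translation)
Original text: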
Internal auditing's role in ERM
As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.
Internal audit departments have played a variety of roles in their organization's enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, Management, the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.
A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.
Respondents' organizations are at different stages of implementing ERM, as defined by COSO. More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.
The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.
The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.
CORE ACTIVITIES
Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, but they say they should have a substantial level of responsibility. These views agree with the IIA guidance. Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility for at least one core activity, and more than two-thirds say they should have full or substantial responsibility for at least one core activity.
Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.
The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they deem appropriate; do not yet have complete understanding of the process and buy-in from management. audit committee members. These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.
LEGITIMATE ACTIVITIES
The IIA paper prescribes seven legitimate ERM-related activities for which internal audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance.
Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks — the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk detection and evaluation are traditional considerations in developing annual audit plans.
The lowest-rated current and ideal activity is developing a risk management strategy for board approval, which is an activity that might best be handled by management.
The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would include documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.
INAPPROPRIATE ACTIVITIES
According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends. However, auditors say they should have some limited responsibility for the inappropriate activities.
Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.
ORGANIZATIONAL CHARACTERISTICS
The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.
INDUSTRY
Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.
ORGANIZATION SIZE
Approximately half of respondents work in organizations that had 2004 revenues between US $500 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenues under US $500 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year. Researchers compared responses from organizations with revenues of less than US $1 billion with organizations with revenues greater than US $1 billion. On average, auditors from both types of organizations have relatively equal levels of responsibility for current core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.
AUDIT STAFF SIZE
More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.
SARBANES-OXLEY
Most respondents' organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The primary difference related to core activities, where compliers report a higher level of current responsibility than non-compliers.
Although the IIA guidance is equally applicable to all organizations, the research indicates that smaller internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.
THE AUDITOR'S ROLE
Although the survey results suggest that the current levels of responsibility audit departments have may differ somewhat from the levels recommended by The IIA's position paper, the respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance: function that relies on and evaluates the ERM process. ERM should be in sync with