Foreign literature translation, original text:

Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

Internal audit departments have played a variety of roles in their organizations' enterprise risk management (ERM) activities since The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, The Role of Internal Auditing in Enterprise-wide Risk Management, indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes,
giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO. More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, but they say they should have a substantial level of responsibility. These views agree with the IIA guidance. Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility for at least one core activity, and more than two-thirds say they should
have full or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they deem appropriate:

We have just recently begun implementing ERM activities in our company. We do not yet have complete understanding of the process and buy-in from management.

The audit committee and management are not aware of what ERM is. The internal audit function has just initiated an awareness campaign among the audit committee members.

These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.

LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal committee audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as consulting activities. Although respondents' current responsibility for
each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance.

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk detection and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, which is an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate
consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would include documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for
risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends. However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

INDUSTRY Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $500 million and US $5
billion. Nearly 25 percent of respondents work in organizations that had revenues under US $500 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year. Researchers compared responses from organizations with revenues of less
than US $1 billion with organizations with revenues greater than US $1 billion. On average, auditors from both types of organizations have relatively equal levels of responsibility for current core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for
core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondents' organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The primary
difference related to core activities, where compliers report a higher level of current responsibility than non-compliers.

Although the IIA guidance is equally applicable to all organizations, the research indicates that smaller internal audit departments and those from smaller organizations tend to
take on ERM responsibilities that would be more appropriate for management. In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current levels of responsibility audit departments have may differ somewhat from the levels recommended by The IIA's position paper, the respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance:

There needs to be a shift in the doing of the ERM to being an internal audit function that relies on and evaluates the ERM process. ERM should be in sync with the audit universe and plan.

In the past 18 months, the corporation has appointed a CRO to provide oversight and guidance to evolving ERM processes. During this period, much of internal auditing's previous ERM roles have migrated to this officer.

More importantly, respondents identified significant barriers in their organizations to following the guidance:

These ERM responsibilities and processes are not well defined in many organizations and should be more clearly articulated by senior management. There is not enough emphasis from the top that risk management is important and must be done effectively. Management is still trying to hide things from internal auditing. It's not them against us, we're all in it together. Most auditors and enterprise managers lack clarity on the distinction between responsibility for risk assurance implementation versus responsibility for risk assurance compliance and monitoring.

These comments stress that a key element to establishing a successful ERM program is education on the importance of ERM and the appropriate
roles management and internal auditing have in the process. Internal auditors can play a key role in providing this education. The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but the formal decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their
organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities
to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach