(完整版)立场公告x

THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK

MANAGEMENT

2009年1月发布

In troduct ion

The importa nee to stro ng corporate gover nance of man agi ng risk has bee n

in creas in gly

ack no wledged. Orga ni zati ons are un der pressure to ide ntify all the bus in ess risks

they

face; social, ethical and en viro nmen tal as well as finan cial and operati on al, and

to

expla in how they man age them to an acceptable level. Mean while, the use of en terprise-wide risk man ageme nt frameworks has expa nded, as orga ni zati ons recog nize their adva ntages over less coord in ated approaches to risk man ageme nt.

Internal audit in g, in both its assura nce and its con sult ing roles, con tributes to

the

management of risk in a variety of ways.

What is En terprise-wide Risk Man ageme nt?

People un dertake risk man ageme nt activities to ide ntify, assess, man age, and control

all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the

organization as a whole. The principles presented in this paper can be used to guide

the

in volveme nt of internal audit ing in all forms of risk man ageme nt but we are

particularly

interested in enterprise-wide risk management because this is likely to improve an

organization ' s governance processes.

Enterprise-wide risk management (ERM) is a structured, consistent and continuous

process across the whole orga ni zati on for ide ntify ing, assess ing, decidi ng on responses

to and reporting on opportunities and threats that affect the achievement of its

objectives.

Respo nsibility for ERM

The board has overall resp on sibility for en suri ng that risks are man aged. In practice,

the board will delegate the operati on of the risk man ageme nt framework to the management team, who will be responsible for completing the activities below. There

may be a separate function that co-ord in ates and project-ma nages these activities and

brings to bear specialist skills and kno wledge.

Everyone in the orga ni zati on plays a role in en suri ng successful en terprise-wide

risk

management but the primary responsibility for identifying risks and managing them

lies

with man ageme nt.

Ben efits of ERM

ERMca n make a major con tributi on towards help ing an orga ni zati on man age the risks

to achievi ng its objectives. The ben efits in clude:

Greater likelihood of achievi ng those objectives;

Con solidated report ing of disparate risks at board level;

Improved understanding of the key risks and their wider implications;

Iden tificati on and shari ng of cross bus in ess risks;

Greater man ageme nt focus on the issues that really matter;

Fewer surprises or crises;

More focus intern ally on doing the right things in the right way;

In creased likelihood of cha nge in itiatives being achieved;

Capability to take on greater risk for greater reward and

More in formed risk-tak ing and decisi on-mak ing.

The activities in cluded in ERM

Articulati ng and com muni cati ng the objectives of the orga ni zati on;

Determining the risk appetite of the organization;

Establishing an appropriate internal environment, including a risk management framework;

Iden tify ing pote ntial threats to the achieveme nt of the objectives;

Assessing the risk (i.e. the impact and likelihood of the threat occurring);

Selecting and implementing responses to the risks;

Un dertak ing con trol and other resp onse activities;

Communicating information on risks in a consistent manner at all levels in the

orga ni zati on;

Centrally monitoring and coord inating the risk management processes and the

outcomes, and

Providi ng assura nee on the effective ness with which risks are man aged.

Providi ng assura nee on ERM

One of the key requireme nts of the board or its equivale nt is to gain assura nee that risk

man ageme nt processes are worki ng effectively and that key risks are being man aged

to

an acceptable level.

It is likely that assura nee will come from differe nt sources. Of these, assura nee

from

man ageme nt is fun dame ntal. This should be compleme nted by the provisi on of objective assura nee, for which the in ternal audit activity is a key source. Other sources

in elude exter nal auditors and in depe ndent specialist reviews. Internal auditors

will

no rmally provide assura nces on three areas:

Risk man ageme nt processes, both their desig n and how well they are work ing;

Managementof those risks classified as ‘ key' , including the effectiveness of the

con trols and other resp on ses to them; and

Reliable and appropriate assessment of risks and reporting of risk and control status.

The role of internal audit ing in ERM

Internal audit ing is an in depe ndent, objective assura nee and con sult ing activity.

Its core

role with regard to ERM is to provide objective assura nee to the board on the

effectiveness of risk management. Indeed, research has shown that board directors

and internal auditors agree that the two most important ways that internal auditing

provides value to the orga ni zati on are in providi ng objective assura nee that the major

bus in ess risks are being man aged appropriately and providi ng assura nee that the

risk

man ageme nt and internal con trol framework is operat ing effectivelyl.

UK and Ireland and Deloitte1 The Value Age nda, In stitute of Internal Auditors

UK and Ireland and Deloitte

& Touche 2003

Figure 1 presents a range of ERMactivities and indicates which roles an effective

professi onal internal audit activity should and, equally importa ntly, should not un dertake.

The key factors to take in to acco unt whe ndeterm ining in ternal audit ing ' s role are

whether the activity raises any threats to the internal audit activity ' s

independence and

objectivity and whether it is likely to improve the organization ' s risk

man ageme nt,

con trol and gover nance processes.

Figure 1 - Internal auditing '

Figure 1 - Internal auditing ' s role in

ERM

linYTeftiail Audit

Wllh ta，啣 触

RolM rtfiriTiil ftutl rt ■heuld Mt lx科

C<n- EnltsmaJ andH n^ln 血 to ERH

The activities on the left of Figure 1 are all assuranee activities. They form part of the

wider objective of giving assuranee on risk management. An internal audit activity complyi ng with the Intern ati onal Stan dards for the Professi onal Practice of

In ternal

Audit ing can and should perform at least some of these activities.

Internal audit ing may provide con sult ing services that improve an orga ni zati on

s

governance, risk management, and control processes. The extent of internal auditor ' con suit ing in ERM will depe nd on the other resources, internal and exter nal,

available to

the board and on the risk maturity2 of the organization and it is likely to vary over time.

Internal auditor ' s expertise in considering risks, in understanding the

conn ecti ons

between risks and governance and in facilitation mean that the internal audit

activity is

well qualified to act as champion and even project manager for ERM, especially in

the

early stages of its in troduct ion. As the orga ni zati on ' s risk maturity in creases

and risk

man ageme nt becomes more embedded in the operati ons of the bus in ess, internal

auditing ' s role in championing ERM may reduce. Similarly, if an organization employs

the services of a risk management specialist or function, internal auditing is more

likely

to give value by concentrating on its assuranee role, than by undertaking the more

consulting activities. However, if internal auditing has not yet adopted the

risk-based

approach represented by the assurance activities on the left of Figure 1, it is

unlikely to

be equipped to un dertake the con sult ing activities in the cen ter.

Con sult ing roles

The cen ter of Figure 1 shows the con sult ing roles that internal audit ing may

un dertake

in relation to ERM. In general the further to the right of the dial that internal

audit ing

ven tures, the greater are the safeguards that are required to en sure that its

independence and objectivity are maintained. Someof the consulting roles that the

in ternal audit activity may un dertake are:

Making available to management tools and techniques used by internal auditing to

an alyze risks and con trols;

Being a champion for introducing ERM into the organization, leveraging its expertise

in risk management and control and its overall knowledge of the organization;

Providing advice, facilitating workshops, coaching the organization on risk and

con trol and promoti ng the developme nt of a com mon Ian guage, framework and

un dersta nding;

Acting as the cen tral point for coord in ati ng, mon itori ng and report ing on risks;

and

Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in decidi ng whether con sult ing services are compatible with the assurance role is to determine whether the internal auditor is assuming any man ageme nt resp on sibility .In the case of ERM, internal audit ing can provide con sult ing services so long as it has no role in actually managing risks - that is management'

s

responsibility - and so long as senior managementactively endorses and supports ERM. We recommend that, whenever the internal audit activity acts to help the

management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these

services to members of the man ageme nt team.

2 The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing 2003

Safeguards

Internal auditing may extend its involvement in ERM, as shown in Figure 1, provided

certa in con diti ons apply. The con diti ons are:

It should be clear that man ageme nt rema ins resp on sible for risk man ageme nt.

The nature of internal auditor ' s responsibilities should be documented in the

in ternal audit charter and approved by the audit committee.

Internal audit ing should not man age any of the risks on behalf of man ageme nt.

Internal auditing should provide advice, challenge and support to management ' s

decisi on making, as opposed to tak ing risk man ageme nt decisi ons themselves.

In ternal audit ing cannot also give objective assura nce on any part of the ERM

framework for which it is responsible. Such assurance should be provided by other

suitably qualified parties.

Any work bey ond the assura nce activities should be recog ni zed as a con sult ing

en gageme nt and the impleme ntati on sta ndards related to such en gageme nts should be followed.

Skills and body of kno wledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for

example, understand corporate governance requirements; have project management,

analytical and facilitation skills and value having a healthy balanee of risk rather

tha n

extreme risk-tak ing or avoida nee behaviors. However, risk man agers as such serve

on ly

the man ageme nt of the orga ni zati on and do not have to provide in depe ndent and objective assura nee to the audit committee. Nor should in ternal auditors who seek to

exte nd their role in ERM un derestimate the risk man agers ' specialist areas of

knowledge (such as risk transfer and risk quantification and modeling techniques) which

are outside the body of knowledge for most internal auditors. Any internal auditor who

cannot dem on strate the appropriate skills and kno wledge should not un dertake work

in

the area of risk man ageme nt. Furthermore, the head of internal audit should not

provide

consulting services in this area if adequate skills and knowledge are not available

within

the internal audit activity and cannot be obtained from elsewhere.

Con clusi on

Risk man ageme nt is a fun dame ntal eleme nt of corporate gover nance. Man ageme nt is

responsible for establishing and operating the risk managementframework on behalf

of

the board. Enterprise-wide risk management brings manybenefits as a result of its structured, con siste nt and coord in ated approach. Internal auditor ' s core role in

relation

to ERM should be to provide assurance to management and to the board on the

effective ness of risk man ageme nt. When internal audit ing exte nds its activities

beyond

this core role, it should apply certa in safeguards, in clud ing treati ng the

en gageme nts as

con sult ing services and, therefore, appl ying all releva nt Stan dards. In this way,

in ternal

audit ing will protect its in depe ndence and the objectivity of its assura nce services.

Within these con stra in ts, ERM can help raise the profile and in crease the

effective ness

of internal audit ing.

Defi niti on of terms

Assura nee Services : An objective exam in ati on of evide nee for the purpose of providi ng an in depe ndent assessme nt on gover nan ce, risk man ageme nt, and con trol processes for the orga ni zati on. Examples may in clude finan cial, performa nee, complia nee, system security, and due dilige nee en gageme nts.

Board: A board is an organization ' s governing body, such as a board of directors,

supervisory board, head of an age ncy or legislative body, board of gover nors or trustees of a non profit organization, or any other designated body of the organization, in cludi ng the audit committee to whom the chief audit executive may fun eti on ally report.

Champi on: Some one who supports and defe nds a pers on or cause. Therefore, a champi on of risk man ageme nt will promote its ben efits, educate an orga ni zati on '

s management and staff in the actions they need to take to implement it and will en courage them and support them in tak ing those actions.

Con sult ing Services : Advisory and related clie nt service activities, the n ature

and

scope of which are agreed with the clie nt, are inten ded to add value and improve

an

organization ' s governance, risk management, and control processes without the

in ternal

auditor assu ming man ageme nt resp on sibility. Examples in clude coun sel, advice, facilitati on, and training.

Con trol : Any acti on take n by man ageme nt, the board, and other parties to man age

risk

and in crease the likelihood that established objectives and goals will be achieved.

Management plans, organizes, and directs the performanee of sufficient actions to

provide reas on able assura nee that objectives and goals will be achieved.

En terprise : Any orga ni zati on established to achieve a set of objectives.

En terprise-wide risk man ageme nt (ERM): A structured, con siste nt and continu ous

process across the whole orga ni zati on for ide ntify ing, assess ing, decidi ng on responses to and reporting on opportunities and threats that affect the achievement of its

objectives.

Facilitat ing: Work ing with a group (or in dividual) to make it easier for that group

(or

in dividual) to achieve the objectives that the group has agreed for the meeti ng or activity. This in volves liste ning, challe nging, observ ing, questi oning and support ing the

group and its members. It does not in volve doing the work or tak ing decisi ons.

Risk: The possibility of an eve nt occurri ng that will have an impact on the

achieveme nt

of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite : The level of risk that an organization is willing to accept.

Risk Management Framework : The totality of the structures, methodology, procedures

and definitions that an organization has chosen to use to implement its risk

man ageme nt processes.

Risk Man ageme nt Processes : Processes to ide ntify, assess, man age, and con trol

pote ntial eve nts or situati ons, to provide reas on able assura nee regard ing the achievement of the organization ' s objectives.

Risk Maturity: The exte nt to which a robust risk man ageme nt approach has bee n

adopted and applied, as pla nn ed, by man ageme nt across the orga ni zati on to iden tify, assess, decide on responses to and report on opportunities and threats that affect

the achievement of the organization ' s objectives.

Risk Resp on ses: The means by which an orga ni zati on elects to man age in dividual

risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organization or to terminate the activity creat ing it.

Internal controls are one way of treating a risk.

***

Copyright

The copyright of this paper is jointly held. For permission to reproduce in the UK

or

Irela nd, please con tact IIA-UK and Irela nd at tech ni cal@iia.org.uk. For permissi on

to

reproduce elsewhere, please con tact The In stitute of Internal Auditors at guida nce@theiia.org.

THE ROLE OF INTERNAL AUDITING IN RESOURCING THE INTERNAL

AUDIT ACTIVITY

In troduct ion

When con sideri ng the resourci ng of the internal audit activity a questi on that ofte n arises is, “ Who or what resources can be utilized to provide

internal audit ing? ” In practice, orga ni zati ons utilize a nu mber of differe nt

alternatives ranging from a fully resourced activity housed within the organization to external resources obtained from outside the organization, or any

comb in ati on thereof. This diversity of practice raises a questi on in some

orga ni zati ons concerning the optimum bala nee of in ternally and externally

supplied resources. The purpose of this paper is to provide guidanee and clarify the roles of the board, man ageme nt, and the chief audit executive on resourci ng

the internal audit activity and the various issues in volved. An ecdotal

evide nee in dicates most practiti oners agree that utilizati on of some amount of

exter nal resources, or partial outsourci ng, is appropriate. However, there is

little consen sus on what might be an appropriate amount of exter nal resources,

not to men tio n how to measure it. This is because it is not possible to an swer

such a questi on without un dersta nding the size, n ature, and complexity of the

orga ni zati on for which the internal audit activity is providi ng services.

The practice of total outsourci ng or obta ining 100 perce nt of internal audit resources from outside the orga ni zati on gen erates additi onal questi ons about how

to man age this arran geme nt. There are many con sideratio ns that should be

evaluated in determ ining the optimal structure and source for internal audit

resources. Those resp on sible for making such determ in atio ns should evaluate the

additi onal guida nee and con siderati ons outl ined in this Positi on Paper whe n

con sideri ng outsourci ng as an alter native. The optimal soluti on can be differe nt

for every orga ni zati on and also may cha nge over time as the variables that

in flue nee the evaluati on cha nge periodically.

(IIA) PerspectiveThe In stitute of Internal Auditors

(IIA) Perspective

Internal audit ing is defi ned as “ an in depe ndent, objective assura nee

and con sult ing activity desig ned to add value and improve an

organization's operations. It helps an organization accomplish its objectives by

bringing a systematic, discipli ned approach to evaluate and improve the

effective ness of risk man ageme nt, con trol, and gover nance processes. ” The

IIA ' s principal interest is to promote internal audit activities that provide

the maximum overall effectiveness in helping achieve the organization ' s

strategic objectives. The IIA believes internal audit ing best addresses managemenf s strategic objectives when internal audits are performed by

compete nt professi on als in con forma nee with the Intern ati onal Stan dards for

the Professional Practice of Internal Auditing (Standards) as promulgated by The

IIA. From The IIA ' s perspective, internal auditing, regardless of who

provides the service, should be performed in con forma nee with the Stan dards. The IIA believes that a fully resourced and professi on ally compete nt staff that is a key part of the orga ni zati on, whether in-house or outsourced, best provides internal audit services. The IIA recognizes that many “ partnering ” arrangements with outside providers have bee n effecti

推荐访问:公告书 完整版 立场 公告 (完整版)立场公告x