Position Paper (complete version)
THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT
Published January 2009
Introduction
The importance of managing risk to strong corporate governance has been increasingly acknowledged. Organizations are under pressure to identify all the business risks they face: social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management.
Internal auditing, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways.
What is Enterprise-wide Risk Management?
People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole. The principles presented in this paper can be used to guide the involvement of internal auditing in all forms of risk management, but we are particularly interested in enterprise-wide risk management because this is likely to improve an organization's governance processes.
Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Responsibility for ERM
The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge.
Everyone in the organization plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.
Benefits of ERM
ERM can make a major contribution towards helping an organization manage the risks to achieving its objectives. The benefits include:
Greater likelihood of achieving those objectives;
Consolidated reporting of disparate risks at board level;
Improved understanding of the key risks and their wider implications;
Identification and sharing of cross-business risks;
Greater management focus on the issues that really matter;
Fewer surprises or crises;
More focus internally on doing the right things in the right way;
Increased likelihood of change initiatives being achieved;
Capability to take on greater risk for greater reward; and
More informed risk-taking and decision-making.
The activities included in ERM
Articulating and communicating the objectives of the organization;
Determining the risk appetite of the organization;
Establishing an appropriate internal environment, including a risk management framework;
Identifying potential threats to the achievement of the objectives;
Assessing the risk (i.e. the impact and likelihood of the threat occurring);
Selecting and implementing responses to the risks;
Undertaking control and other response activities;
Communicating information on risks in a consistent manner at all levels in the organization;
Centrally monitoring and coordinating the risk management processes and the outcomes; and
Providing assurance on the effectiveness with which risks are managed.
Providing assurance on ERM
One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level.
It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which the internal audit activity is a key source. Other sources include external auditors and independent specialist reviews. Internal auditors will normally provide assurance on three areas:
Risk management processes, both their design and how well they are working;
Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them; and
Reliable and appropriate assessment of risks and reporting of risk and control status.
The role of internal auditing in ERM
Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal auditing provides value to the organization are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively.1
1 The Value Agenda, Institute of Internal Auditors UK and Ireland and Deloitte & Touche, 2003
Figure 1 presents a range of ERM activities and indicates which roles an effective professional internal audit activity should and, equally importantly, should not undertake. The key factors to take into account when determining internal auditing's role are whether the activity raises any threats to the internal audit activity's independence and objectivity and whether it is likely to improve the organization's risk management, control and governance processes.
Figure 1 - Internal auditing's role in ERM
[Figure 1 not reproduced: a fan diagram dividing ERM activities into core internal auditing roles in regard to ERM (left), legitimate internal auditing roles with safeguards (center), and roles internal auditing should not undertake (right).]
The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.
Internal auditing may provide consulting services that improve an organization's governance, risk management, and control processes. The extent of internal auditing's consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity2 of the organization, and it is likely to vary over time.
Internal auditors' expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that the internal audit activity is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organization's risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing's role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role than by undertaking consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the center.
Consulting roles
The center of Figure 1 shows the consulting roles that internal auditing may undertake in relation to ERM. In general, the further to the right of the dial that internal auditing ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained. Some of the consulting roles that the internal audit activity may undertake are:
Making available to management tools and techniques used by internal auditing to analyze risks and controls;
Being a champion for introducing ERM into the organization, leveraging its expertise in risk management and control and its overall knowledge of the organization;
Providing advice, facilitating workshops, coaching the organization on risk and control and promoting the development of a common language, framework and understanding;
Acting as the central point for coordinating, monitoring and reporting on risks; and
Supporting managers as they work to identify the best way to mitigate a risk.
The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal auditing can provide consulting services so long as it has no role in actually managing risks - that is management's responsibility - and so long as senior management actively endorses and supports ERM. We recommend that, whenever the internal audit activity acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services to members of the management team.
2 The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing, 2003
Safeguards
Internal auditing may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:
It should be clear that management remains responsible for risk management.
The nature of internal auditing's responsibilities should be documented in the internal audit charter and approved by the audit committee.
Internal auditing should not manage any of the risks on behalf of management.
Internal auditing should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions itself.
Internal auditing cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.
Skills and body of knowledge
Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements; have project management, analytical and facilitation skills; and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviors. However, risk managers as such serve only the management of the organization and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers' specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques), which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.
Conclusion
Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal auditing's core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.
Definition of terms
Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.
Champion: Someone who supports and defends a person or cause. Therefore, a champion of risk management will promote its benefits, educate an organization's management and staff in the actions they need to take to implement it, and will encourage them and support them in taking those actions.
Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Enterprise: Any organization established to achieve a set of objectives.
Enterprise-wide risk management (ERM): A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Facilitating: Working with a group (or individual) to make it easier for that group (or individual) to achieve the objectives that the group has agreed for the meeting or activity. This involves listening, challenging, observing, questioning and supporting the group and its members. It does not involve doing the work or taking decisions.
Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite: The level of risk that an organization is willing to accept.
Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an organization has chosen to use to implement its risk management processes.
Risk Management Processes: Processes to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives.
Risk Maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organization to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organization's objectives.
Risk Responses: The means by which an organization elects to manage individual risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organization; or to terminate the activity creating it. Internal controls are one way of treating a risk.
***
Copyright
The copyright of this paper is jointly held. For permission to reproduce in the UK or Ireland, please contact IIA-UK and Ireland at technical@iia.org.uk. For permission to reproduce elsewhere, please contact The Institute of Internal Auditors at guidance@theiia.org.
THE ROLE OF INTERNAL AUDITING IN RESOURCING THE INTERNAL AUDIT ACTIVITY
Introduction
When considering the resourcing of the internal audit activity, a question that often arises is, "Who or what resources can be utilized to provide internal auditing?" In practice, organizations utilize a number of different alternatives ranging from a fully resourced activity housed within the organization to external resources obtained from outside the organization, or any combination thereof. This diversity of practice raises a question in some organizations concerning the optimum balance of internally and externally supplied resources. The purpose of this paper is to provide guidance and clarify the roles of the board, management, and the chief audit executive on resourcing the internal audit activity and the various issues involved. Anecdotal evidence indicates most practitioners agree that utilization of some amount of external resources, or partial outsourcing, is appropriate. However, there is little consensus on what might be an appropriate amount of external resources, not to mention how to measure it. This is because it is not possible to answer such a question without understanding the size, nature, and complexity of the organization for which the internal audit activity is providing services.
The practice of total outsourcing, or obtaining 100 percent of internal audit resources from outside the organization, generates additional questions about how to manage this arrangement. There are many considerations that should be evaluated in determining the optimal structure and source for internal audit resources. Those responsible for making such determinations should evaluate the additional guidance and considerations outlined in this Position Paper when considering outsourcing as an alternative. The optimal solution can be different for every organization and also may change over time as the variables that influence the evaluation change periodically.
The Institute of Internal Auditors (IIA) Perspective
Internal auditing is defined as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." The IIA's principal interest is to promote internal audit activities that provide the maximum overall effectiveness in helping achieve the organization's strategic objectives. The IIA believes internal auditing best addresses management's strategic objectives when internal audits are performed by competent professionals in conformance with the International Standards for the Professional Practice of Internal Auditing (Standards) as promulgated by The IIA. From The IIA's perspective, internal auditing, regardless of who provides the service, should be performed in conformance with the Standards. The IIA believes that a fully resourced and professionally competent staff that is a key part of the organization, whether in-house or outsourced, best provides internal audit services. The IIA recognizes that many "partnering" arrangements with outside providers have been effecti