Position Statement (立场公告.doc)

Uploader: a199****6536 | Document ID: 2152786 | Uploaded: 2024-05-21 | Format: DOC | Pages: 13 | Size: 242.80KB
THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT

Published January 2009

Introduction

The importance to strong corporate governance of managing risk has been increasingly acknowledged. Organizations are under pressure to identify all the business risks they face; social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organizations recognize their advantages over less coordinated approaches to risk management. Internal auditing, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways.

What is Enterprise-wide Risk Management?

People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole. The principles presented in this paper can be used to guide the involvement of internal auditing in all forms of risk management, but we are particularly interested in enterprise-wide risk management because this is likely to improve an organization's governance processes.

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM

The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge.

Everyone in the organization plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.

Benefits of ERM

ERM can make a major contribution towards helping an organization manage the risks to achieving its objectives. The benefits include:

- Greater likelihood of achieving those objectives;
- Consolidated reporting of disparate risks at board level;
- Improved understanding of the key risks and their wider implications;
- Identification and sharing of cross business risks;
- Greater management focus on the issues that really matter;
- Fewer surprises or crises;
- More focus internally on doing the right things in the right way;
- Increased likelihood of change initiatives being achieved;
- Capability to take on greater risk for greater reward; and
- More informed risk-taking and decision-making.

The activities included in ERM

- Articulating and communicating the objectives of the organization;
- Determining the risk appetite of the organization;
- Establishing an appropriate internal environment, including a risk management framework;
- Identifying potential threats to the achievement of the objectives;
- Assessing the risk (i.e. the impact and likelihood of the threat occurring);
- Selecting and implementing responses to the risks;
- Undertaking control and other response activities;
- Communicating information on risks in a consistent manner at all levels in the organization;
- Centrally monitoring and coordinating the risk management processes and the outcomes; and
- Providing assurance on the effectiveness with which risks are managed.

Providing assurance on ERM

One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level.

It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which the internal audit activity is a key source. Other sources include external auditors and independent specialist reviews. Internal auditors will normally provide assurances on three areas:

- Risk management processes, both their design and how well they are working;
- Management of those risks classified as key, including the effectiveness of the controls and other responses to them; and
- Reliable and appropriate assessment of risks and reporting of risk and control status.

The role of internal auditing in ERM

Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management. Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal auditing provides value to the organization are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively [1].

[1] The Value Agenda, Institute of Internal Auditors UK and Ireland and Deloitte & Touche 2003

Figure 1 presents a range of ERM activities and indicates which roles an effective professional internal audit activity should and, equally importantly, should not undertake. The key factors to take into account when determining internal auditing's role are whether the activity raises any threats to the internal audit activity's independence and objectivity and whether it is likely to improve the organization's risk management, control and governance processes.

[Figure 1: Internal auditing's role in ERM]

The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit activity complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.

Internal auditing may provide consulting services that improve an organization's governance, risk management, and control processes. The extent of internal auditors' consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity [2] of the organization, and it is likely to vary over time. Internal auditors' expertise in considering risks, in understanding the connections between risks and governance and in facilitation mean that the internal audit activity is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organization's risk maturity increases and risk management becomes more embedded in the operations of the business, internal auditing's role in championing ERM may reduce. Similarly, if an organization employs the services of a risk management specialist or function, internal auditing is more likely to give value by concentrating on its assurance role than by undertaking the more consulting activities. However, if internal auditing has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the center.

[2] The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing 2003

Consulting roles

The center of Figure 1 shows the consulting roles that internal auditing may undertake in relation to ERM. In general, the further to the right of the dial that internal auditing ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained. Some of the consulting roles that the internal audit activity may undertake are:

- Making available to management tools and techniques used by internal auditing to analyze risks and controls;
- Being a champion for introducing ERM into the organization, leveraging its expertise in risk management and control and its overall knowledge of the organization;
- Providing advice, facilitating workshops, coaching the organization on risk and control and promoting the development of a common language, framework and understanding;
- Acting as the central point for coordinating, monitoring and reporting on risks; and
- Supporting managers as they work to identify the best way to mitigate a risk.

The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal auditing can provide consulting services so long as it has no role in actually managing risks (that is management's responsibility) and so long as senior management actively endorses and supports ERM. We recommend that, whenever the internal audit activity acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services to members of the management team.

Safeguards

Internal auditing may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:

- It should be clear that management remains responsible for risk management.
- The nature of internal auditors' responsibilities should be documented in the internal audit charter and approved by the audit committee.
- Internal auditing should not manage any of the risks on behalf of management.
- Internal auditing should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions themselves.
- Internal auditing cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
- Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.

Skills and body of knowledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements; have project management, analytical and facilitation skills; and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviors. However, risk managers as such serve only the management of the organization and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers' specialist areas of knowledge (such as risk transfer and risk quantification and modeling techniques), which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.

Conclusion

Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal auditors' core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.

Definition of terms

Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board: A board is an organization's governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.

Champion: Someone who supports and defends a person or cause. Therefore, a champion of risk management will promote its benefits, educate an organization's management and staff in the actions they need to take to implement it, and will encourage them and support them in taking those actions.

Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Enterprise: Any organization established to achieve a set of objectives.

Enterprise-wide risk management (ERM): A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Facilitating: Working with a group (or individual) to make it easier for that group (or individual) to achieve the objectives that the group has agreed for the meeting or activity. This involves listening, challenging, observing, questioning and supporting the group and its members. It does not involve doing the work or taking decisions.

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite: The level of risk that an organization is willing to accept.

Risk Management Fram
