1、文献、资料题目:Auditing Risk Management: Fine in Theory but who can doit In Practice?文献、资料来源:International Journal of Auditing文献、资料发表(出版)日期:2006.6.外文文献:Auditing Risk Management: Fine in Theory but who can do it in Practice?This paper investigates risk management structures in organizations and how these co
2、mply with best practice in corporate governance. We carried out an exploratory study (in 2001) of four large public and private sector organizations in the United Kingdom. Interviews were conducted with risk managers and internal auditors to ascertain the extent to which emerging structures complied
3、 with the Turnbull Guidance to the Combined Code.We found that structures are in place to deliver a sound system of internal control including risk management. Internal auditors and risk managers are both involved but their respective roles are often not sufficiently well to avoid overlaps and gaps.
4、 We also found that several of the organizations studied rely on external auditors to conduct the required annual review of risk management. Key words: business risk assessment, Combined Code, corporate governance, disclosure, internal audit, internal control, risk assessment, risk management.SUMMAR
5、YIn the UK risk management has come to the fore in the wake of the Combined Code of best practice in corporate governance (1998,the Combined Code), as expanded by the Turnbull Guidance of 1999. From accounting periods ending on or after 23rd December 2000, UK listed companies are required to conduct
6、 a review of their procedures to ensure that any threats to the organization have been systematically identified, carefully evaluated and effectively controlled. They must make a statement to that effect in their annual financial statements. The Combined Code has also influenced statements of good p
7、ractice in the public sector. Corporate governance is thus extended to consideration of all business risks operational, financial and compliance which may prevent an organization from achieving its objectives. In other words, internal control must now include risk management. To meet this responsibi
8、lity, organizations require adapt and combine the expertise of existing internal audit with that of risk management functions and relate the resulting effort to the business and operational needs of the organization.This exploratory study examines the policies and structures adopted by organisations
9、 for identifying, controlling and reporting on risks. Four organisations were studied in 2001, covering the private and public sectors. Internal auditors and risk managers were questioned on their organisations risk management policies and the scope of their respective responsibilities. The structur
10、es in place and the backgrounds and responsibilities of the various players are discussed. Overall a range of approaches was found and differences between the public and private sector organisations became apparent.The responses were mapped on to the provisions of the Combined Code and relevant sect
11、ions of the Turnbull guidance. This revealed areas where procedures were incomplete. While structures were in place to enable the delivery of a sound system of internal control including risk management, overlaps and gaps were apparent in all four of the organisations studied. Further, our mapping r
12、eveals that three of the four organisations rely on external auditors to address the issue of independent review. This annual review forms part of the disclosure requirements in annual financial statements in the private and public sectors.On the basis of our findings in the exploratory study recomm
13、endations are made for procedures which enable organisations to comply with all provisions of the Combined Code relating to internal control including risk management.Historically, internal control systems are seen as the province of accountants, and are reviewed by internal and external auditors. R
14、isk management is a newer field. The term was first coined in the 1950s by large American corporations seeking alternatives to costly or inadequate insurance cover. Although risk management began to develop as a distinct field of business management it was initially mainly populated by people from a
15、n insurance background. Protection of physical assets and transfer of risk exposures by insurance or other means remains a core skill for most risk managers (Ward, 2001). Expertise in both financial controls and traditional risk management skills is rare, yet the Combined Code requires a company or
16、group to take an overall view of its risk profile. Organisations are currently in the process of establishing structures and allocating responsibilities to meet these requirements. Are auditors able to take on this new role, or should risk managers be given overall responsibility?This paper reports
17、the results of an exploratory study addressing some of the issues that arise from applying the Combined Code in practice. The next section sets out the background to corporate governance and risk, and also describes the two main groups working in this area within organisations. The subsequent sectio
18、ns discuss the research question and method, and present the findings of the empirical results. After a discussion of the findings the final section presents tentative conclusions and highlights the studys implications and limitations.RiskInternal control in the private and public sectors is therefo
19、re now extended to consideration of all business risks, operational, financial, which may prevent an organization from meeting its objectives. Risks inherent in the activities of most organisations, regardless of the purpose or the scale of operations. Risks arise from current activity, from changin
20、g external environments, and from the related decisions and actions of the board and management. For private sector businesses, the worst possible outcome of risk may be financial ruin. Although public sector organisations such as central government, the National Health Service (NHS) and local autho
21、rities are cushioned to the extent that resources have always been found to pay for essential services, the adverse consequences of reputational risk for organisations and for individuals may be dire. There is, however, a need always to acknowledge the positive side of risk from the financial gain o
22、f risky entrapper- neural behavior to the life-saving, yet experimental, techniques at the frontiers of medicine.While a checklist approach to identifying risks is not recommended, it may be helpful to indicate the types of risks that may require to be addressed at different levels in an organisatio
23、n.In many organisations two different functions are often involved in aspects of risk management and internal control: Risk Management and Internal Audit.()Risk Management (RM)Risk management covers the identification and mitigation of risks which may prevent an organisation from achieving its objec
24、tives. Risks can be managed to acceptable levels by:transferring them to other parties (such as suppliers, insurers, dealers in futures); controlling them by applying appropriate internal control policies and procedures; risks can be knowingly and objectively accepted, providing they clearly satisfy
25、 the companys policy and criteria on risk tolerance, and are monitored.RM originated in property and liability areas where a focus on physical hazards led to the dominance of engineering and statistical approaches to risk management. Later ideas emphasized the significance of social structures and o
26、f risk perception. As ideas on the nature of risk have developed, so have obligations to manage these new risks. For example, in the finance sector risk has been extended to cope with the speculative risks associated with investment. Intangible assets such as brand and reputation create new problems
27、 as does new technology e.g. the opportunities for fraud created by the growth of e-commerce. In government and the public sector, RM is being developed to manage political risks associated with decisions and actions. A range of risk specialists has grown from the diversity of ways of thinking about
28、 risk and of practical management of such risk. In the UK now as elsewhere, there exists a coherent group who regard themselves as professional managers of risk. The Institute of Risk Management provides qualifications through examination and the Association of Insurance & Risk Managers (AIRMIC) act
29、s as a trade association. Risk management should be integral to policy planning and operational management in local government. It cannot be seen as a bolt-on. (Accounts Commission for Scotland, 1999).Despite the opportunity recognized by AIRMIC (quoted above), a recent study by Ward (2001) found fe
30、w risk managers in the senior, strategic roles required by an integrated risk management model. Ward found risk managers in a wide variety of roles at that time i.e. there was no generally accepted dentition of the risk management role in the organizations he surveyed. Identification of risksThree o
31、f the organizations in our exploratory study are at the early stages of applying RM models i.e. identifying risks at the operational level. One is using a big bang method of brainstorming workshops in each large operational unit, facilitated by external consultants. The consultants were chosen from
32、firms familiar with the organisation i.e. their insurance brokers, and their external auditors. The auditing firm was rejected because a previous exercise by them was too limited. Financial risk is not seen as the most important type of risk to identify as it is usually well controlled. The most sig
33、nificant risks are strategic and operational. In contrast to that approach, company 2 is operating a system of ongoing identification by educating managers in risk matters and disseminating information between units: all our top management development programmers and induction courses will have some
34、thing on risk. The NHS trust initiates risk assessment projects throughout the organization using specialists, with responsibility for ordinary risks left to a low operational level.Risk reportingThe organisations which carry out continuous identification of risks at operational level use risk regis
35、ters as a record of risks and their management. Two of the organisations report risks to the Board on a regular cycle, the other two make ad-hoc reports as required. One organisation includes the risk report as part of the financial report the finance departments being the most geared up for produci
36、ng regular reports. One, with a separate RM function, reports risk matters as part of IA reports where IA had identified them; items identified by RM may also be included because if you put it up as an audit report they take a different perspective on it. ()Internal audit (IA)The developments in cor
37、porate governance have led to a greatly increased emphasis on the internal audit function, to the extent that the Combined Code itself requires companies which do not have one to reconsider from time to time. Internal auditing has its roots in the need for managers of large organisations to be assur
38、ed that recorded information is complete and accurate. This role has steadily expanded since the 1970s to include operational auditing, encompassing the consideration of economy, efficiency and effectiveness over the whole organisation. However, the internal auditing profession sees the Combined Cod
39、e requirements as a natural extension of their remit.An internal audit function should have a key role in helping organisations respond to the challenges of the Turnbull report. It can contribute to the achievement of business objectives. Internal auditors also add value by the identification of opp
40、ortunities to improve the cost-effective management of risk, thereby benefiting shareholder return. (ICAEW, 2000).Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and
41、 governance processes. (Institute of Internal Auditors (IIA).For many organizations looking at implementing a more formal risk management structure, internal audit can play a valuable part. Each of the organizations has structures and procedures in place which enable risks to be identified at operat
42、ional level, reported and managed. However an independent review of the process is essential for two main reasons (i) to provide independent monitoring and (ii) to avoid overlaps and gaps. (i) Independent monitoringIn the process of identifying risks, recording in a register, reporting to first leve
43、l management and eventually to the Board, filtering is necessary to avoid information overload. Filtering also allows the opportunity to lose sight of risks which may cause awkward questions to be raised. The RM process should therefore be subject to review as other controls are. (ii)Overlaps and ga
44、psThe two functions of IA and RM have many interests in common and can easily have overlapping roles. Consequently, gaps in RM processes can easily arise where areas which could be covered by either are in fact covered by neither. In the organisations studied which had separate IA and RM functions,
45、a reluctance to tread on each others turf was apparent. In this situation, gaps in the management of risks are almost inevitable.Recognition of the overlapping roles has led to merging the functions of IA and RM in one organisation studied, and a proposal to do so in another. This proposal however w
46、as not favored by the risk manager concerned, as he believed that if he was part of an audit function he would not obtain the same co-operation from operational management in discussing the risks they faced. More importantly, merging the two may make it difficult to prove that an independent review
47、of the effectiveness of all internal controls and risk management is taking place, without requiring regular input from external consultants.Risk assessmentAudit risk assessment was developed by external auditing firms and has also influenced internal auditing. It provides a means of selecting the m
48、ost sensitive areas to examine in order to make best use of their scarce resources of time and expertise. This type of risk assessment is now well established and is codified in Statements of Auditing Standards. A risk model incorporating assessments of the inherent risk, control risk, and detection risk in all areas of operations is used
浙ICP备2021020529号-1 | 浙B2-20240490 
