文献、资料题目：Auditing Risk Man ageme nt:Fine in Theory but who can doit In Practice?文献、资料来源：Intern atio nal Jour nal of Audit ing文献、资料发表(出版)日期：20066外文文献：Auditing Risk Management: Fine in Theory but who can do it in Practice?This paper investigates risk management structures in organizations andhow these comply with best practice in corporate governance. We carried out an exploratory study (in 2001) of four large public and private sector organizations in the Un ited Kin gdom .In terviews were con ducted with risk man agers and internal auditors to ascerta in the exte nt to which emerg ing structures complied with the Turn bull Guida nee to the Comb ined Code.We found that structures are in place to deliver a sound system of internal control including risk management. Internal auditors and risk managers are both invoIved but their respective roles are often not sufficiently well to avoid overlaps and gaps. We also found that several of the orga ni zatio ns studied rely on exter nal auditors to con duct the required annual review of risk man ageme nt.Key words: bus in ess risk assessme nt,Comb ined Code, corporate gover nan ce, disclosure, internal audit, internal con trol, risk assessme nt, risk man ageme nt.SUMMARYIn the UK risk management has come to the fore in the wake of the Combined Code of best practice in corporate governance (1998,the Combined Code), as expa nded by the Turn bull Guida nee of 1999. From acco un ti ng periods ending on or after 23rd December 2000, UK listed compa nies are required to con duct a review oftheir procedures to ensure that any threats to the organization have been systematically identified, carefully evaluated and effectively controlled. They must make a statement to that effect in their annual financial statements. The Combined Code has also influenced statements of good practice in the public sector. Corporate gover nance is thus exte nded to con siderati on of all bus in ess risk—operati on al, finan cial and complianee -which may prevent an organization from achieving its objectives. In other words, internal control must now include risk management. To meet this responsibility, organizations require adapt and combine the expertise of existing internal audit with that of risk management functions and relate the resulting effort to the business and operational needs of the organization.This exploratory study examines the policies and structures adopted by organisations for identifying, controlling and reporting on risks. Four organisations were studied in 2001, covering the private and public sectors. Internal auditors and risk managers were questioned on their organisations r'isk management policies and the scope of their respective responsibilities. The structures in place and the backgrounds and responsibilities of the various players are discussed. Overall a range of approaches was found and differences between the public and private sector organisations became apparent.The responses were mapped on to the provisions of the Combined Code and relevant sections of the Turnbull guidance. This revealed areas where procedures were incomplete. While structures were in place to enable the delivery of a sound system of internal control including risk management, overlaps and gaps were apparent in all four of the organisations studied. Further, our mapping reveals that three of the four organisations rely on external auditors to address the issue of independent review. This annual review forms part of the disclosure requirements in annual financial statements in the private and public sectors.On the basis of our findings in the exploratory study recommendations are made for procedures which enable organisations to comply with all provisions of the Combined Code relating to internal control including risk management.Historically, internal control systems are seen as the province of accountants, and are reviewed by internal and external auditors. Risk management is a newer field. The term was first coined in the 1950s by large American corporations seeking alternatives to costly or inadequate insurance cover. Although risk management began to develop as a distinct field ofbusiness managementit was initially mainly populated by people from an insurance background. Protection of physical assets and transfer of risk exposures by insurance or other means remains a core skill for most risk managers (Ward, 2001). Expertise in both financial controls and traditional risk management skills is rare, yet the Combined Code requires a company or group to take an overall view of its risk profile. Organisations are currently in the process of establishing structures and allocating responsibilities to meet these requirements. Are auditors able to take on this new role, or should risk managers be given overall responsibility?This paper reports the results of an exploratory study addressing some of the issues that arise from applying the Combined Code in practice. The next section sets out the background to corporate governance and risk, and also describes the two main groups working in this area within organisations. The subsequentsections discuss the research question and method, and present the findings of the empirical results. After a discussion of the findings the final section presents tentative conclusions and highlights the study 'im s plications and limitations.RiskInternal control in the private and public sectors is therefore now extended to consideration of all business risks, operational, financial, which may prevent an organization from meeting its objectives.Risks inherent in the activities of most organisations, regardless of the purpose or the scale of operations. Risks arise from current activity, from changing external environments, and from the related decisions and actions of the board and management. For private sector businesses, the worst possible outcome of risk may be financial ruin. Although public sector organisations such as central government, the National Health Service (NHS) and local authorities are cushioned to the extent that resources have always been found to pay for essential services, the adverse consequences of reputational risk for organisations and for individuals may be dire. There is, however, a n eed always to ack no wledge the positive side of risk-from the finan cial gai n of risky entrapper- neural behavior to the life-saving, yet experimental, techniques at the frontiers of medicine.While a checklist approach to identifying risks is not recommended, it may be helpful to indicate the types of risks that may require to be addressed at different levels in anorganisation.In many organisations two different functions are often involved in aspects of risk management and internal control: Risk Management and Internal Audit.(i) Risk Management (RM)Risk management covers the identification and mitigation of risks which may prevent an organisation from achieving its objectives. Risks can be managed to acceptable levels by: •transferring them to other parties (such as suppliers, insurers, dealers in futures);-con troll ing them by appl ying appropriate in ternal con trol policies and procedures;-risks can be knowingly and objectively accepted, providing they clearly satisfy the company's policy and criteria on risk tolerance, and are monitored.RM originated in property and liability areas where a focus on physical hazards led to the dominance of engineering and statistical approachesto risk management. Later ideas emphasized the significance of social structures and of risk perception. As ideas on the nature of risk have developed, so have obligations to managethese ‘new' riskFso.r example, in the finance sector risk has been extended to cope with the speculative risks associatedwith investment. Intangible assetssuch as brand and reputation create new problems as does new technology e.g. the opportunities for fraud created by the growth of e-commerce. In government and the public sector, RM is being developed to manage political risks associated with decisions and actions. A range of risk specialists has grown from the diversity of ways of thinking about risk and of practical management of such risk. In the UK now as elsewhere, there exists a coherent group who regard themselves as professional managers of risk. The Institute of Risk Management provides qualifications through examination and the Association of Insurance & Risk Managers (AIRMIC) actsas a trade association.‘Risk management should be integral to policy planning and operational management in local government. It cannot be seen as a ‘ bo-lot n'. '(Accounts Commission for Scotland, 1999).Despite the opportunity recognized by AIRMIC (quoted above), a recent study by Ward (2001) found few risk managers in the senior, strategic roles required by an integrated riskmanagement model. Ward found risk managers in a wide variety of roles at that time i.e. there was no generally accepted dentition of the risk management role in the organizations he surveyed.Identification of risksThree of the organizations in our exploratory study are at the early stages of applying RM models i.e. identifying risks at the operational level. One is using a ‘big bang' method of brainstorming workshops in each large operational unit, facilitated by external consultants. The consultants were chosen from firms familiar with the organisation i.e. their insurance brokers, and their external auditors. The auditing firm was rejected because ‘a previous exercise by them was too limited. Financial risk is not seen as the most important type of risk to iden tify as it is usually well con trolled.…The most sig nifica nt risks are strategic and operational I'n . contrast to that approach, company 2 is operating a system of ongoing identification by educating managers in risk matters and disseminating information between units: ‘all our top management development programmers and induction courses will have something on risk '. The NHS trust initiates risk assessmentprojects throughout the organization using specialists, with responsibility for ‘ordinary ' risks left to a low operational level.Risk reportingThe organisations which carry out continuous identification of risks at operational level use risk registers as a record of risks and their management. Two of the organisations report risks to the Board on a regular cycle, the other two make ad-hoc reports as required. One organisation includes the risk report as part of the financial report ‘tfhineance departments being the most geared up for producing regular reports 'O. ne, with a separate RM function, reports risk matters as part of IA reports where IA had identified them; items identified by RM may also be included because ‘ ifyou put it up as an audit report they take a different perspectiveon it '.(n) Internal audit (IA)The developments in corporate governance have led to a greatly increased emphasis on the internal audit function, to the extent that the Combined Code itself requires companies which do not have one to reconsider ‘from time to time 'I.nternal auditing has its roots in theneed for managers of large organisations to be assured that recorded information is complete and accurate. This role has steadily expanded since the 1970s to include operational auditing, encompassing the consideration of economy, efficiency and effectiveness over the whole organisation.However, the internal auditing profession sees the Combined Code requirements as a natural extension of their remit.‘An internal audit function should have a key role in helping organisations respond to the challenges of the Turnbull report. It can contribute to the achievement of business objectives.Internal auditors also add value by the identification of opportunities to improve the cost-effective management of risk, thereby benefiting shareholder return. ' (ICAEW, 2000).‘ Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governanceprocesses. '(Institute of Internal Auditors (IIA)).For many organizations looking at implementing a more formal risk management structure, internal audit can play a valuable part.Each of the organizations has structures and procedures in place which enable risks to be identified at operational level, reported and managed. However an independent review of the process is essential for two main reasons (i) to provide independent monitoring and (ii) to avoid overlaps and gaps.(i) Independent monitoringIn the process of identifying risks, recording in a register, reporting to first level management and eventually to the Board, filtering is necessary to avoid information overload. Filtering also allows the opportunity to lose sight of risks which may cause awkward questions to be raised. The RM process should therefore be subject to review as other controls are.(ii)Overlaps and gapsThe two functions of IA and RM have many interests in common and can easily have overlapping roles. Consequently, gaps in RM processes can easily arise where areas which could be covered by either are in fact covered by neither. In the organisations studied whichhad separate IA and RM functions, a reluctance to tread on each other tur'f wsas apparent. In this situation, gaps in the management of risks are almost inevitable.Recognition of the overlapping roles has led to merging the functions of IA and RM in one organisation studied, and a proposal to do so in another. This proposal however was not favored by the risk manager concerned, as he believed that if he was part of an audit function he would not obtain the same co-operation from operational management in discussing the risks they faced. More importantly, merging the two may make it difficult to prove that an independent review of the effectiveness of all internal controls and risk management is taking place, without requiring regular input from external consultants.Risk assessmentAudit risk assessmentwas developed by external auditing firms and has also influenced internal auditing. It provides a means of selecting the most sensitive areas to examine in order to make best use of their scarce resources of time and expertise. This type of risk assessment is now well established and is codified in Statements of Auditing Standards. A risk model incorporating assessments of the inherent risk, control risk, and detection risk in all areas of operations is used to calculate the overall risk of material misstatements occurring in the annual financial statements.Use of a standard model provides a verifiable process for ranking areas of the audit as high, medium or low risk, and carrying out differing amounts of substantive testing as a result. The risk assessment is, in a sense, done for selfish motives in that the auditors are concerned with the risk that they themselves will be called to account if they fail to take reasonablemeasuresto identify the areas most likely to hide irregularities in the financial statements.When used in internal audit risk assessmentmay perform a useful function in widening the scope of the audit, but it can also be used to legitimize ignoring whole areas of detailed work.A further development in recent years is business risk assessment,which is designed to give a top-down, business risk orientation to audit work (Bell et al., 1997). The approach widens the audit focus (initially) to include any risks that may prevent the organisation from meeting its objectives; The new approach is intended to provide valuable insights andinformation to management. Two points should be noted however in relation to business risk assessment. Firstly, despite the initial focus being wider than a traditional audit, there is in fact no change in the final audit objective of giving an opinion on the annual financial statements (Lemon et al., 2000). Secondly, the assessment tends to see the business through the same eyes (the same high-level controls) as management (Heathery, 1998)V. iewing risk at entity level in this way does not perform the same function as risk assessmentat operational level. While this may meet the requirements of external audit it does not perform the same function as the Integrated Risk Management models developed in RM literature.It is therefore apparent that application of a seemingly objective technique with the name Audit Risk Assessment or Business Risk Assessment may obscure the fact that the risks thus assessed are mainly financial, and may not addressthe most important risks facing the organisation.This research was carried out under the auspices of the Institute of Chartered Accountants of Scotland research strategy and was funded by the Scottish Accountancy Research Trust.中文译文：审计风险管理: 理论上不错, 但实际操作呢？本文探讨在组织中的风险管理结构和在公司治理中如何寻找最佳做法。