
Internal Auditing: Foreign Literature Translation with Chinese-English Parallel Text

Foreign literature translation with Chinese-English parallel text (the document contains the English original and the Chinese translation)

Original text:

Internal auditing's role in ERM

As organizations lay their enterprise risk groundwork, many auditors are taking on management's oversight responsibilities, new research finds.

Internal audit departments have played a variety of roles in their organization's enterprise risk management (ERM) activities since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Enterprise Risk Management-Integrated Framework in September 2004. An IIA position paper issued in the wake of COSO ERM, "The Role of Internal Auditing in Enterprise-wide Risk Management," indicates the roles that the internal audit function should and should not play throughout the ERM process, ranging from full involvement to no involvement. According to the paper, internal auditors should have a core role in five ERM-related assurance activities: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.

A recent IIA Research Foundation study examined the extent to which internal audit functions adhere to the ERM roles recommended in the IIA paper. During October 2005, researchers disseminated an online survey to 7,200 IIA members through The Institute's Global Auditing Information Network. The survey generated 361 responses from a mix of large, mid-sized, and small organizations in a variety of industries, including businesses, government agencies, and not-for-profit organizations. Nearly 60 percent of respondents identified themselves as a chief audit executive or audit director, 23 percent were audit managers, and 7.8 percent were staff or senior auditors. Approximately 90 percent were from the United States and Canada.

Respondents' organizations are at different stages of implementing ERM, as defined by COSO.
More than 11 percent say their organization's ERM infrastructure is mature or relatively mature, and 37 percent have recently adopted or are in the process of implementing ERM. Among all organizations surveyed, the internal audit function is primarily responsible for ERM-related activities in 36 percent of respondents' organizations, while 27 percent say the primary responsibility belongs to a chief risk officer (CRO) who is not part of the audit function. Nearly one-third of respondents say another executive or function oversees ERM.

The hours and dollars internal audit functions spend on ERM-related activities are minimal for many respondents. Nearly half say their audit department spent 10 percent or less of its hourly and financial budgets on ERM-related activities during fiscal year 2004. More than one-third of audit departments spent 11 percent to 50 percent of their time on ERM, and 28 percent spent 11 percent to 50 percent of their financial budgets, while less than 10 percent of departments spent more than 50 percent of their time and money.

The IIA position paper categorizes 18 ERM-related activities according to the appropriate level of responsibility for the internal audit function. Survey respondents reported their current and ideal level of responsibility for these activities: no responsibility, limited responsibility, moderate responsibility, substantial responsibility, and total responsibility.

CORE ACTIVITIES

Differences between respondents' current and ideal responsibilities are greatest for the five core ERM assurance activities identified in the IIA paper. Respondents indicated that their current responsibility for each of the core ERM-related activities is moderate, but they say they should have a substantial level of responsibility. These views agree with the IIA guidance.
Additionally, roughly half of internal audit functions surveyed currently have substantial or full responsibility for at least one core activity, and more than two-thirds say they should have full or substantial responsibility for at least one core activity.

Within the core category, the audit function's two highest levels of current responsibility involve reviewing management of key risks and evaluating the risk management process. Evaluating the risk management process and giving assurance on risk management processes are the highest-rated ideal responsibilities. Conversely, giving assurance that risks are evaluated correctly is the lowest-rated current and ideal responsibility.

The following respondent comments offer some insight into why audit departments are not currently involved in core ERM-related activities at the level they deem appropriate:

"We have just recently begun implementing ERM activities in our company. We do not yet have complete understanding of the process and buy-in from management."

"The audit committee and management are not aware of what ERM is."

"The internal audit function has just initiated an awareness campaign among the audit committee members."

These comments suggest that educating management and the audit committee on ERM issues can be critical to ensuring that the audit function takes on an appropriate level of responsibility for ERM.

LEGITIMATE ACTIVITIES

The IIA paper prescribes seven legitimate ERM-related activities for which internal audit functions may be responsible as long as safeguards are in place: facilitating the identification and evaluation of risks, coaching management in responding to risks, coordinating ERM-related activities, consolidating the reporting on risks, maintaining and developing the ERM framework, championing establishment of ERM, and developing risk management strategy for board approval. These activities are described as "consulting" activities.
Although respondents' current responsibility for each of these legitimate activities ranges from limited to moderate, they say their ideal level should be moderate, which is consistent with the guidance.

Within the legitimate category, the highest level of current internal audit responsibility involves facilitating the identification and evaluation of risks, the top-rated ERM-related activity, including core activities. This activity is also the highest-rated ideal activity among legitimate activities, suggesting that auditors consider it a core responsibility. This finding is not surprising, because risk detection and evaluation are traditional considerations in developing annual audit plans. The lowest-rated current and ideal activity is developing a risk management strategy for board approval, which is an activity that might best be handled by management.

The IIA guidance cautions that when internal auditors undertake these legitimate consulting activities, safeguards should be in place to ensure that they do not take on management responsibility for actually managing risks. One possible preventive measure would include documenting the auditors' ERM responsibilities in an audit committee-approved audit charter. Further, if auditors take on any ERM-related activities that fall within this consulting role, they should treat these engagements as consulting engagements and apply the relevant IIA standards to help ensure their independence and objectivity.

INAPPROPRIATE ACTIVITIES

According to the IIA position paper, it is inappropriate for internal auditors to be responsible for six ERM-related activities: setting the risk appetite, imposing risk management processes, providing management assurance on risks, making decisions on risk responses, implementing risk responses on management's behalf, and having accountability for risk management. Overall, audit functions in the survey have greater responsibility for these activities than the IIA paper recommends.
However, auditors say they should have some limited responsibility for the inappropriate activities.

Within the inappropriate category, internal auditors' highest level of current and ideal responsibility is providing management assurance on risks, while their lowest level of responsibility is for setting the risk appetite. Respondents' comments suggest that auditors currently have greater responsibilities in these areas because the audit function is playing a leading role during the early stages of ERM development.

ORGANIZATIONAL CHARACTERISTICS

The perceived current and ideal ERM roles for the internal audit function may vary across organizations, depending on the organization's industry, size, and audit department size, as well as the firm's need to comply with the U.S. Sarbanes-Oxley Act of 2002.

INDUSTRY Respondents work in a variety of sectors, including financial services, manufacturing, transportation, communications, utilities, health care, retail and wholesale, government, and education. Researchers compared responses from the two largest industry groups: financial services and manufacturing. On average, financial service industry audit departments have greater current responsibility for core activities than those from manufacturing. With respect to inappropriate activities, manufacturing audit departments tend to say their ideal involvement should be higher than their current responsibility, while financial service industry audit departments rate their current and ideal responsibilities at the same level.

ORGANIZATION SIZE Approximately half of respondents work in organizations that had 2004 revenues between US $500 million and US $5 billion. Nearly 25 percent of respondents work in organizations that had revenues under US $500 million in 2004, while a similar number of respondents work in organizations that had more than US $5 billion in revenue that year.
Researchers compared responses from organizations with revenues of less than US $1 billion with organizations with revenues greater than US $1 billion. On average, auditors from both types of organizations have relatively equal levels of responsibility for current core activities. However, smaller organizations rated their ideal involvement for these core activities higher than large organizations. Smaller organizations have a slightly higher current level of responsibility for inappropriate activities than larger organizations and say their ideal involvement in these areas should be higher.

AUDIT STAFF SIZE More than half of respondents work in audit departments with 10 or fewer auditors, slightly more than one-quarter work in departments with between 11 and 50 auditors, and approximately one-tenth of respondents work in departments with more than 50 auditors. Internal audit functions with more than 10 auditors currently have somewhat more responsibility for core activities than audit departments with 10 or fewer auditors. Both large and small audit functions have roughly equal levels of responsibility for all other ERM-related activities. However, unlike large audit organizations, respondents from small audit departments want to have more responsibility for activities in the inappropriate category.

SARBANES-OXLEY Most respondents' organizations are required to comply with Sarbanes-Oxley Section 404. Researchers found few differences between those organizations and respondents from organizations that do not have to comply with the act. The primary difference related to core activities, where compliers report a higher level of current responsibility than non-compliers.

Although the IIA guidance is equally applicable to all organizations, the research indicates that smaller internal audit departments and those from smaller organizations tend to take on ERM responsibilities that would be more appropriate for management.
In these cases, internal auditing should work to develop an ERM implementation and maintenance plan that includes a strategy and timeline for migrating responsibilities for these activities to management.

THE AUDITOR'S ROLE

Although the survey results suggest that the current levels of responsibility audit departments have may differ somewhat from the levels recommended by The IIA's position paper, the respondents' comments offer some evidence that auditors understand the underlying concepts of the guidance:

"There needs to be a shift in the 'doing' of the ERM to being an internal audit function that relies on and evaluates the ERM process. ERM should be in sync with the audit universe and plan."

"In the past 18 months, the corporation has appointed a CRO to provide oversight and guidance to evolving ERM processes. During this period, much of internal auditing's previous ERM roles have migrated to this officer."

More importantly, respondents identified significant barriers in their organizations to following the guidance:

"These ERM responsibilities and processes are not well defined in many organizations and should be more clearly articulated by senior management."

"There is not enough emphasis from the top that risk management is important and must be done effectively. Management is still trying to hide things from internal auditing. It's not them against us, we're all in it together."

"Most auditors and enterprise managers lack clarity on the distinction between responsibility for risk assurance implementation versus responsibility for risk assurance compliance and monitoring."

These comments stress that a key element to establishing a successful ERM program is education on the importance of ERM and the appropriate roles management and internal auditing have in the process. Internal auditors can play a key role in providing this education.
The audit department, management, board of directors, and audit committee need to be clear about which ERM-related activities internal auditors should perform and which activities should always be performed by management. Relevant training should highlight that internal auditing could serve in a monitoring or consulting role throughout much of the ERM process, but the formal decision-making authority must reside with management if the audit department is to maintain its independence and objectivity.

Auditors should take steps to ensure that the board and audit committee are aware of the COSO ERM framework and are actively engaged in overseeing the ERM process. Additionally, auditors should consider training senior management, the board, and others throughout their organization on COSO ERM and related guidance.

Responses to the survey provide useful insights into additional steps that the internal audit profession should take. Auditors whose organizations are in the early stages of adopting ERM or will be implementing ERM in the future have many opportunities to ensure that the process is effective and efficient. For example, audit departments that currently perform ERM-related activities that should be management's responsibility can take proactive steps to open up the lines of communication between internal auditing and management, the board and audit committee, and external auditors about the risks of this situation. Such communication should encourage management to take on appropriate ERM responsibilities. One approach audit departments could take is to develop a business plan describing how management can assume responsibility for ERM-related activities for which they should be accountable.
However, internal auditors should recognize that completing this plan and convincing management to accept these ERM responsibilities might not occur quickly.

With appropriate planning, communication, and education, internal auditors, management, the board, and external auditors should be ready to work together to achieve the many benefits of ERM. Ideally, this coordination will result in performing ERM-related activities at appropriate places within the organization, management accepting its responsibility for ERM, and the audit function playing a role that is consistent with appropriate professional guidance.

Translation:

The role of internal auditing in enterprise risk management

New research finds that, as enterprises build on organizational risk, many auditors are taking on oversight responsibilities for management.
