会计学外文翻译外文文献英文文献审计风险管理

《会计学外文翻译外文文献英文文献审计风险管理》由会员分享，可在线阅读，更多相关《会计学外文翻译外文文献英文文献审计风险管理（13页珍藏版）》请在装配图网上搜索。

1、文献、资料题目：Auditing Risk Management: Fine in Theory but who can doit In Practice?文献、资料来源：International Journal of Auditing文献、资料发表（出版）日期：2006.6.外文文献：Auditing Risk Management: Fine in Theory but who can do it in Practice?This paper investigates risk management structures in organizations and how these co

2、mply with best practice in corporate governance. We carried out an exploratory study (in 2001) of four large public and private sector organizations in the United Kingdom. Interviews were conducted with risk managers and internal auditors to ascertain the extent to which emerging structures complied

3、 with the Turnbull Guidance to the Combined Code.We found that structures are in place to deliver a sound system of internal control including risk management. Internal auditors and risk managers are both involved but their respective roles are often not sufficiently well to avoid overlaps and gaps.

4、 We also found that several of the organizations studied rely on external auditors to conduct the required annual review of risk management. Key words: business risk assessment, Combined Code, corporate governance, disclosure, internal audit, internal control, risk assessment, risk management.SUMMAR

5、YIn the UK risk management has come to the fore in the wake of the Combined Code of best practice in corporate governance (1998,the Combined Code), as expanded by the Turnbull Guidance of 1999. From accounting periods ending on or after 23rd December 2000, UK listed companies are required to conduct

6、 a review of their procedures to ensure that any threats to the organization have been systematically identified, carefully evaluated and effectively controlled. They must make a statement to that effect in their annual financial statements. The Combined Code has also influenced statements of good p

7、ractice in the public sector. Corporate governance is thus extended to consideration of all business risks operational, financial and compliance which may prevent an organization from achieving its objectives. In other words, internal control must now include risk management. To meet this responsibi

8、lity, organizations require adapt and combine the expertise of existing internal audit with that of risk management functions and relate the resulting effort to the business and operational needs of the organization.This exploratory study examines the policies and structures adopted by organisations

9、 for identifying, controlling and reporting on risks. Four organisations were studied in 2001, covering the private and public sectors. Internal auditors and risk managers were questioned on their organisations risk management policies and the scope of their respective responsibilities. The structur

10、es in place and the backgrounds and responsibilities of the various players are discussed. Overall a range of approaches was found and differences between the public and private sector organisations became apparent.The responses were mapped on to the provisions of the Combined Code and relevant sect

11、ions of the Turnbull guidance. This revealed areas where procedures were incomplete. While structures were in place to enable the delivery of a sound system of internal control including risk management, overlaps and gaps were apparent in all four of the organisations studied. Further, our mapping r

12、eveals that three of the four organisations rely on external auditors to address the issue of independent review. This annual review forms part of the disclosure requirements in annual financial statements in the private and public sectors.On the basis of our findings in the exploratory study recomm

13、endations are made for procedures which enable organisations to comply with all provisions of the Combined Code relating to internal control including risk management.Historically, internal control systems are seen as the province of accountants, and are reviewed by internal and external auditors. R

14、isk management is a newer field. The term was first coined in the 1950s by large American corporations seeking alternatives to costly or inadequate insurance cover. Although risk management began to develop as a distinct field of business management it was initially mainly populated by people from a

15、n insurance background. Protection of physical assets and transfer of risk exposures by insurance or other means remains a core skill for most risk managers (Ward, 2001). Expertise in both financial controls and traditional risk management skills is rare, yet the Combined Code requires a company or

16、group to take an overall view of its risk profile. Organisations are currently in the process of establishing structures and allocating responsibilities to meet these requirements. Are auditors able to take on this new role, or should risk managers be given overall responsibility?This paper reports

17、the results of an exploratory study addressing some of the issues that arise from applying the Combined Code in practice. The next section sets out the background to corporate governance and risk, and also describes the two main groups working in this area within organisations. The subsequent sectio

18、ns discuss the research question and method, and present the findings of the empirical results. After a discussion of the findings the final section presents tentative conclusions and highlights the studys implications and limitations.RiskInternal control in the private and public sectors is therefo

19、re now extended to consideration of all business risks, operational, financial, which may prevent an organization from meeting its objectives. Risks inherent in the activities of most organisations, regardless of the purpose or the scale of operations. Risks arise from current activity, from changin

20、g external environments, and from the related decisions and actions of the board and management. For private sector businesses, the worst possible outcome of risk may be financial ruin. Although public sector organisations such as central government, the National Health Service (NHS) and local autho

21、rities are cushioned to the extent that resources have always been found to pay for essential services, the adverse consequences of reputational risk for organisations and for individuals may be dire. There is, however, a need always to acknowledge the positive side of risk from the financial gain o

22、f risky entrapper- neural behavior to the life-saving, yet experimental, techniques at the frontiers of medicine.While a checklist approach to identifying risks is not recommended, it may be helpful to indicate the types of risks that may require to be addressed at different levels in an organisatio

23、n.In many organisations two different functions are often involved in aspects of risk management and internal control: Risk Management and Internal Audit.（）Risk Management (RM)Risk management covers the identification and mitigation of risks which may prevent an organisation from achieving its objec

24、tives. Risks can be managed to acceptable levels by:transferring them to other parties (such as suppliers, insurers, dealers in futures); controlling them by applying appropriate internal control policies and procedures; risks can be knowingly and objectively accepted, providing they clearly satisfy

25、 the companys policy and criteria on risk tolerance, and are monitored.RM originated in property and liability areas where a focus on physical hazards led to the dominance of engineering and statistical approaches to risk management. Later ideas emphasized the significance of social structures and o

26、f risk perception. As ideas on the nature of risk have developed, so have obligations to manage these new risks. For example, in the finance sector risk has been extended to cope with the speculative risks associated with investment. Intangible assets such as brand and reputation create new problems

27、 as does new technology e.g. the opportunities for fraud created by the growth of e-commerce. In government and the public sector, RM is being developed to manage political risks associated with decisions and actions. A range of risk specialists has grown from the diversity of ways of thinking about

28、 risk and of practical management of such risk. In the UK now as elsewhere, there exists a coherent group who regard themselves as professional managers of risk. The Institute of Risk Management provides qualifications through examination and the Association of Insurance & Risk Managers (AIRMIC) act

29、s as a trade association. Risk management should be integral to policy planning and operational management in local government. It cannot be seen as a bolt-on. (Accounts Commission for Scotland, 1999).Despite the opportunity recognized by AIRMIC (quoted above), a recent study by Ward (2001) found fe

30、w risk managers in the senior, strategic roles required by an integrated risk management model. Ward found risk managers in a wide variety of roles at that time i.e. there was no generally accepted dentition of the risk management role in the organizations he surveyed. Identification of risksThree o

31、f the organizations in our exploratory study are at the early stages of applying RM models i.e. identifying risks at the operational level. One is using a big bang method of brainstorming workshops in each large operational unit, facilitated by external consultants. The consultants were chosen from

32、firms familiar with the organisation i.e. their insurance brokers, and their external auditors. The auditing firm was rejected because a previous exercise by them was too limited. Financial risk is not seen as the most important type of risk to identify as it is usually well controlled. The most sig

33、nificant risks are strategic and operational. In contrast to that approach, company 2 is operating a system of ongoing identification by educating managers in risk matters and disseminating information between units: all our top management development programmers and induction courses will have some

34、thing on risk. The NHS trust initiates risk assessment projects throughout the organization using specialists, with responsibility for ordinary risks left to a low operational level.Risk reportingThe organisations which carry out continuous identification of risks at operational level use risk regis

35、ters as a record of risks and their management. Two of the organisations report risks to the Board on a regular cycle, the other two make ad-hoc reports as required. One organisation includes the risk report as part of the financial report the finance departments being the most geared up for produci

36、ng regular reports. One, with a separate RM function, reports risk matters as part of IA reports where IA had identified them; items identified by RM may also be included because if you put it up as an audit report they take a different perspective on it. （）Internal audit (IA)The developments in cor

37、porate governance have led to a greatly increased emphasis on the internal audit function, to the extent that the Combined Code itself requires companies which do not have one to reconsider from time to time. Internal auditing has its roots in the need for managers of large organisations to be assur

38、ed that recorded information is complete and accurate. This role has steadily expanded since the 1970s to include operational auditing, encompassing the consideration of economy, efficiency and effectiveness over the whole organisation. However, the internal auditing profession sees the Combined Cod

39、e requirements as a natural extension of their remit.An internal audit function should have a key role in helping organisations respond to the challenges of the Turnbull report. It can contribute to the achievement of business objectives. Internal auditors also add value by the identification of opp

40、ortunities to improve the cost-effective management of risk, thereby benefiting shareholder return. (ICAEW, 2000).Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and

41、 governance processes. (Institute of Internal Auditors (IIA).For many organizations looking at implementing a more formal risk management structure, internal audit can play a valuable part. Each of the organizations has structures and procedures in place which enable risks to be identified at operat

42、ional level, reported and managed. However an independent review of the process is essential for two main reasons (i) to provide independent monitoring and (ii) to avoid overlaps and gaps. (i) Independent monitoringIn the process of identifying risks, recording in a register, reporting to first leve

43、l management and eventually to the Board, filtering is necessary to avoid information overload. Filtering also allows the opportunity to lose sight of risks which may cause awkward questions to be raised. The RM process should therefore be subject to review as other controls are. (ii)Overlaps and ga

44、psThe two functions of IA and RM have many interests in common and can easily have overlapping roles. Consequently, gaps in RM processes can easily arise where areas which could be covered by either are in fact covered by neither. In the organisations studied which had separate IA and RM functions,

45、a reluctance to tread on each others turf was apparent. In this situation, gaps in the management of risks are almost inevitable.Recognition of the overlapping roles has led to merging the functions of IA and RM in one organisation studied, and a proposal to do so in another. This proposal however w

46、as not favored by the risk manager concerned, as he believed that if he was part of an audit function he would not obtain the same co-operation from operational management in discussing the risks they faced. More importantly, merging the two may make it difficult to prove that an independent review

47、of the effectiveness of all internal controls and risk management is taking place, without requiring regular input from external consultants.Risk assessmentAudit risk assessment was developed by external auditing firms and has also influenced internal auditing. It provides a means of selecting the m

48、ost sensitive areas to examine in order to make best use of their scarce resources of time and expertise. This type of risk assessment is now well established and is codified in Statements of Auditing Standards. A risk model incorporating assessments of the inherent risk, control risk, and detection

49、 risk in all areas of operations is used to calculate the overall risk of material misstatements occurring in the annual financial statements.Use of a standard model provides a verifiable process for ranking areas of the audit as high, medium or low risk, and carrying out differing amounts of substa

50、ntive testing as a result. The risk assessment is, in a sense, done for selfish motives in that the auditors are concerned with the risk that they themselves will be called to account if they fail to take reasonable measures to identify the areas most likely to hide irregularities in the financial s

51、tatements.When used in internal audit risk assessment may perform a useful function in widening the scope of the audit, but it can also be used to legitimize ignoring whole areas of detailed work. A further development in recent years is business risk assessment, which is designed to give a top-down

52、, business risk orientation to audit work (Bell et al., 1997). The approach widens the audit focus (initially) to include any risks that may prevent the organisation from meeting its objectives; The new approach is intended to provide valuable insights and information to management. Two points shoul

53、d be noted however in relation to business risk assessment. Firstly, despite the initial focus being wider than a traditional audit, there is in fact no change in the final audit objective of giving an opinion on the annual financial statements (Lemon et al., 2000). Secondly, the assessment tends to

54、 see the business through the same eyes (the same high-level controls) as management (Heathery, 1998). Viewing risk at entity level in this way does not perform the same function as risk assessment at operational level. While this may meet the requirements of external audit it does not perform the s

55、ame function as the Integrated Risk Management models developed in RM literature.It is therefore apparent that application of a seemingly objective technique with the name Audit Risk Assessment or Business Risk Assessment may obscure the fact that the risks thus assessed are mainly financial, and ma

56、y not address the most important risks facing the organisation.This research was carried out under the auspices of the Institute of Chartered Accountants of Scotland research strategy and was funded by the Scottish Accountancy Research Trust.中文译文：审计风险管理:理论上不错,但实际操作呢？本文探讨在组织中的风险管理结构和在公司治理中如何寻找最佳做法。我们

57、2001年在英国的四个大型公共和私营部门组织进行了一项探索性研究。围绕着风险管理以及由内部审计人员来查明特恩布尔准则与新兴的联合准则相符合的程度。我们发现机构会在适当的时候来传递内部控制制度的声音,包括风险管理。内部审计人员和风险管理者都参与,但他们各自的角色对于避免重叠和缝隙经常是不足够好。我们也有几个机构依靠外部审计人员来引导实施关于风险管理的所必须的年度复查。关键词：商业风险评估；联合准则；公司治理；信息披露制度；内部审计；内部控制风险评估；风险管理摘要在英国，风险管理已脱颖而出，紧接而来的是联合准则的最佳实践,因而扩充了1999年的特恩布尔指导。从会计期间结束后,英国在2000年12月

58、23日必须实施对上市公司必进行审查程序,以确保已经确认任何风险,仔细地评估和有效的控制。他们必须在年度财务报表中做出声明。联合准则公共部门中也受到良好的实践。公司治理也因此扩展到所有的商业风险，包括运营、财务和依从性,可防止组织实现其目标。换句话说,内部控制现在必须包括风险管理。为了满足这一职责,组织需要去适应和融合现有的内部审计技术。这个探索性研究调查了组织采用的政策和结构进行识别、控制和汇报的风险。四个组织在2001年进行研究,头覆盖了私人和公共领域。内部审计人员和风险管理是在他们风险管理政策下,在各自的职责范围的责任内的组织的。这个结构的背景和责任与各种各样的参与者进行了讨论。总的来说一

59、系列方法已经被发现，而公共和私营机构之间的差异就变得很明显了。这个反应是建立在联合准则和特恩布尔基础上建立起来的。这个程序虽然有的地方显示不完整。然而这个程序使其在适当的地方传递内部控制的声音包括风险管理。更进一步,我们通过调查得出的绘图显示3 / 4的机构依靠外部审计人员解决独立审核这一问题。本年度的财务报表要求披露私人和公共领域的信息。根据我们的研究性学习，我们试图建立一种程序，使组织来符合所有规定的有关内部控制的联合准则,包括风险管理。介绍从历史上看,内部控制制度被看作是该省的财会人员,由内部及外部审计人员进行评估。风险管理是一个新的领域。这个术语最初是在二十世纪六十年代由美国大公司在寻

60、求替代昂贵的或不完全的保险项目时杜撰的。虽然风险管理开始发展是作为一门独立的商业管理领域，它最初主要是由具有保险背景的人组成饿。通过保险或其他方式保护有形资产和转移暴露的风险对大多数的风险管理者来说，是一种核心的技术（沃德，2001）。在财务控制与传统的风险管理技术是一种罕见的专门技术,但联合准则需要一个公司或团体采取全面的风险预测。机构当前正在致力于建立结构分配责任来满足这些要求。审计能够承担这个新角色吗？或者风险管理者应该承担全部的责任吗？本文结合实际应用的联合准则在实际应用联合准则时产生的一些问题，并报告了这些探索性研究的结果。下一部分陈述了对公司治理背景和风险,也阐述了这一领域内在组织

61、工作的两种主要的团体组织。后续段落讨论研究的问题和方法,并给出了实证结果。最后部分的摘要分析了初步研究得出的结论以及该结论的局限性。在私人和公共领域的内部控制现在延伸到考虑所有的经营风险，包括在操作上和金融上，它可防止组织满足它的目标。在组织中的大多数活动中，风险是固有的，除非意志或经营规模。风险产生于当前的活动，不断变化的外部环境，相关的决策和董事会及其管理层的行动。对私营企业而言,风险最坏的可能结果就是是财政破产。尽管公营机构如中央政府、国家卫生服务系统和地方当局正在努力降低风险,但都要付出必要的服务,这种信誉风险的不良后果对于组织和个人来说可能是致命的。但是,有一个总是需要认识到风险值得

62、肯定的地方会引导有关部门来找到新的方法从而规避风险。同时通过备忘录去接近识别风险是不可取的,它可以帮助识别风险的类型，但它需要在组织中不同的层次进行处理。在很多机构里两种不同的作用常常涉及到风险管理和内部控制两个方面，即风险管理、内部审计。1、风险管理风险管理覆盖识别和降低减风险,这种风险可防止组织达到它的目标。风险管理水平可以通过以下措施做到被接受的水平。将其转移到其它当事人(如供应商、保险公司、做期货的经销商)。运用适当的内部控制政策和程序来控制它们。风险可以故意和客观地接受,给他们提供可以满足其公司的政策和标准,并对风险可接受水平进行检测。RM起源于统计财产和责任领域关注的危害的一种分析

63、方法，最初是对工程项目的风险进行管理。后来风险观念又强调了社会结构、风险认知的重要性。因为风险观念不断发展,所以就有了管理这种新的风险的义务。比如,在金融行业的风险已经扩展到应对投机的风险投资。无形资产如品牌和声誉创造新的技术问题，并随着电子商务的发展而产生。在政府和公共部门,风险管理随着与决策和行为有关系的政策风险而发展。一系列的风险管理专家已经随着风险的多样化成长起来。在英国和其他地方一样,现在存在一个专业的人群，他们把自己看成职业的风险管理人。风险管理协会提供了任职要求,风险管理人要通过相应的考试。风险管理的政策规划和运作管理在当地政府中应该是一体的。不能视一个为另一个的“附件” (苏格

64、兰帐目委员会,1999)。尽管机会被风险管理者协会意识到,沃德在2001年的一系列研究发现，在年长者中，几乎没有风险管理者具备综合风险管理模型所要求的素质。沃德发现，那个时候很多的风险管理者难以胜任风险管理角色。可识别的风险在我们的研究中有三个组织早期是运用风险管理模型来识别操作层面的风险。一个是使用集思广益“大爆炸”的方法,得益于外部咨询人员。外部咨询人员是从熟悉本单位的保险经纪人和外部审计人员中选出来的。审计事务所被拒绝对单位进行审计是因为审计师的经营太有限了。金融风险并不视为最重要的可识别的风险类型因为它是可以做到较好的控制的。它通常是最重要的风险是公司战略和运作上的。二是正在操作的进行的识别教育管理者的风险和传播信息:“我们对单位之间的高层管理人员开设关于风险发展规划的课程。NHS信托者通过专家启动风险管理方案,并担