文献、资料题目: Auditing Risk Man ageme nt: Fine in Theory but who can do it In Practice?
文献、资料来源: Intern atio nal Jour nal of Audit ing 文献、资料发表(出版)日期:20066 外文文献:
Auditing Risk Management: Fine in Theory but who can do it in Practice?
This paper investigates risk
management structures in organizations and
how these comply with best practice in corporate governance. We carried out an exploratory study (in 2001) of four large public and private sector organizations in the Un ited Kin gdom .In terviews were con ducted with risk man agers and internal auditors to ascerta in the exte nt to which emerg ing structures complied with the Turn bull Guida nee to the Comb ined Code.
We found that structures are in place to deliver a sound system of internal control including risk management. Internal auditors and risk managers are both invoIved but their respective roles are often not sufficiently well to avoid overlaps and gaps. We also found that several of the orga ni zatio ns studied rely on exter nal auditors to con duct the required annual review of risk man ageme nt.
Key words: bus in ess risk assessme nt,Comb ined Code, corporate gover nan ce, disclosure, internal audit, internal con trol, risk assessme nt, risk man ageme nt.
SUMMARY
In the UK risk management has come to the fore in the wake of the Combined Code of best practice in corporate governance (1998,the Combined Code), as expa nded by the Turn bull Guida nee of 1999. From acco un ti ng periods ending on or after 23rd December 2000, UK listed compa nies are required to con duct a review of
their procedures to ensure that any threats to the organization have been systematically identified, carefully evaluated and effectively controlled. They must make a statement to that effect in their annual financial statements. The Combined Code has also influenced statements of good practice in the public sector. Corporate gover nance is thus exte nded to con siderati on of all bus in ess risk—operati on al, finan cial and complianee -which may prevent an organization from achieving its objectives. In other words, internal control must now include risk management. To meet this responsibility, organizations require adapt and combine the expertise of existing internal audit with that of risk management functions and relate the resulting effort to the business and operational needs of the organization.
This exploratory study examines the policies and structures adopted by organisations for identifying, controlling and reporting on risks. Four organisations were studied in 2001, covering the private and public sectors. Internal auditors and risk managers were questioned on their organisations r'isk management policies and the scope of their respective responsibilities. The structures in place and the backgrounds and responsibilities of the various players are discussed. Overall a range of approaches was found and differences between the public and private sector organisations became apparent.
The responses were mapped on to the provisions of the Combined Code and relevant sections of the Turnbull guidance. This revealed areas where procedures were incomplete. While structures were in place to enable the delivery of a sound system of internal control including risk management, overlaps and gaps were apparent in all four of the organisations studied. Further, our mapping reveals that three of the four organisations rely on external auditors to address the issue of independent review. This annual review forms part of the disclosure requirements in annual financial statements in the private and public sectors.
On the basis of our findings in the exploratory study recommendations are made for procedures which enable organisations to comply with all provisions of the Combined Code relating to internal control including risk management.
Historically, internal control systems are seen as the province of accountants, and are reviewed by internal and external auditors. Risk management is a newer field. The term was first coined in the 1950s by large American corporations seeking alternatives to costly or inadequate insurance cover. Although risk management began to develop as a distinct field of
- 1 -
business managementit was initially mainly populated by people from an insurance
background. Protection of physical assets and transfer of risk exposures by insurance or other means remains a core skill for most risk managers (Ward, 2001). Expertise in both financial controls and traditional risk management skills is rare, yet the Combined Code requires a company or group to take an overall view of its risk profile. Organisations are currently in the process of establishing structures and allocating responsibilities to meet these requirements. Are auditors able to take on this new role, or should risk managers be given overall responsibility?
This paper reports the results of an exploratory study addressing some of the issues that arise from applying the Combined Code in practice. The next section sets out the background to corporate governance and risk, and also describes the two main groups working in this area within organisations. The subsequentsections discuss the research question and method, and present the findings of the empirical results. After a discussion of the findings the final section presents tentative conclusions and highlights the study 'imsplications and limitations.
Risk
Internal control in the private and public sectors is therefore now extended to
consideration of all business risks, operational, financial, which may prevent an organization from meeting its objectives.
Risks inherent in the activities of most organisations, regardless of the purpose or the scale of operations. Risks arise from current activity, from changing external environments, and from the related decisions and actions of the board and management. For private sector businesses, the worst possible outcome of risk may be financial ruin. Although public sector organisations such as central government, the National Health Service (NHS) and local authorities are cushioned to the extent that resources have always been found to pay for essential services, the adverse consequences of reputational risk for organisations and for individuals may be dire. There is, however, a n eed always to ack no wledge the positive side of risk-from the finan cial gai n of risky entrapper- neural behavior to the life-saving, yet experimental, techniques at the frontiers of medicine.
While a checklist approach to identifying risks is not recommended, it may be helpful to indicate the types of risks that may require to be addressed at different levels in an
- 2 -
会计学外文翻译外文文献英文文献审计风险管理
