Research on the Relevant Issues of Risk-oriented Internal Audit

Research on the Relevant Issues of Risk-oriented Internal Audit
YANG Guoli1,2, SUN Kexin1,2,DI Mengyan2
1. Management School, Wuhan University of Technology, P.R.China, 430070
2. Accounting Institute, Hebei University of Economics and Business, P.R.China, 050091
lee7301 @126.com
Abstract: This paper focuses on theoretical research and the implementation of conditions, analyzes the
problems in light of risk-based internal audit in our country's specific situation, proposes solution
suggestions. Overall, based on the necessary conditions that the implementation of risk-oriented internal
audit should have, the paper combined with the latest developments of risk-oriented internal audit theory,
considers the current specific situation of internal audit in China. Through theoretical research, the
author hopes to help enterprises establish a risk-oriented internal audit mode and strengthen operation
management, increase economic efficiency, realize the goal of value increasing of target enterprise better,
protect the interests of investors.
Keywords: internal audit, risk-oriented internal audit, risk management
1 Introduction
In “Organizational Governance – Internal Audit Guide” IIA points out clearly that: “Internal audit
confirms organizational risk management, control and governance procedures, thus becoming one of the
important cornerstones of effective governance.” We can say that IIA’s professional standards lead
internal audit work to be on the road of risk-oriented audit completely, make the risk- oriented audit run
through the whole process of internal audit.
Most of the domestic research draws on theories of foreign audit results. According to the representative
of Chinese scholars, Chunyuan Hu, the most significant feature of “risk-oriented internal audit” is that it
will put customers into a big economic environment, use three-dimensional observation theory to
determine the factors that affect the business continuous operation. Both internal and external sides of
all those factors, from the business environment, conditions of the enterprise to the mode of operation
and management mechanism, are used to analyze and evaluate audit’s risk level. And customers
operational risk is implanted into the assessment of its own internal audit. On January 1, 2002 China
began to implement it. “Internal Audit Practice Standards” changed in 2004 and 2005 push the
enterprises’ internal audit work to the track of risk-oriented audit. The basic norms and concrete
standards of internal auditing also take full account of this new trend. China’s internal audit will follow
the risk-oriented thinking identified by these guidelines, and use enterprise risk management methods to
carry out internal audit work.
2 Problems of the Application of the Risk-oriented Internal Auditing in China
The risk-oriented internal auditing is of advanced and scientific nature. But as a new auditing model,
China should carry on a dialectical understanding to it. Before applying the risk-oriented internal
auditing, China should analyze the restrictive factors of carrying out this auditing model in the light of
its own economic development level and internal auditing industry development condition in order to
guarantee its implementation effect better.
2.1 The Internal Audit Doesn’t Play a Significant Role in the Risk Management
Internal auditing function display in risk management depends on the mind extent and the specific
implementation methods made by the enterprise management and internal auditing staff.For a long time,
the lack of knowledge on how to involve internal auditing into enterprise risk management results in
136
inadequate control of internal audit risk, which mainly shows in the following aspects:
2.1.1 Enterprises risk management method is backward
In practical internal auditing in china, enterprises mainly use qualitative analytical methods, less
methods of risk based assessment skills, internal control self-assessment, analytical test, etc; and do not
properly use risk assessment models to determine its work focus so as to give auditing priority to
high-risk activities.Therefore, enterprises can’t decide its auditing focus and find auditing weaknesses
loopholes in the light of the internal control system. Risk management of china is relatively backward
compared with the international advanced enterprises in making extensive use of mathematical
statistical models, financial engineering and other advanced methods.The lag of risk management stems
from a lack of mature theoretical guidance, while the backward risk management methods directly. As a
result, enterprise cannot properly predict, identify, assess and hedge the risks, thus affecting the smooth
realization of business objectives.
2.1.2 The weakness of enterprise risk management consciousness
In china, a lot of units are lack of strong risk management consciousness. Some internal auditors don’t
think internal auditing play a role in risk management. This shows that the internal audit staff have no
enough knowledge of risk management, lack risk management awareness and hasn’t realized the
importance of risk management. That’s an important reason why internal auditing is unable to play a
role in risk management.
2.2 Weak Consciousness of Internal Auditing Benefit and Cost Control
Internal auditing benefit is divided into measurable auditing benefit and immeasurable auditing benefit.
Measurable auditing benefit directly indicates audit effect in currency, including: the value saved or
reduced by means of correcting accounting errors and the value saved by correcting the wrong actions.
Immeasurable auditing benefit indicates auditing effect in non-currency, mainly including: strengthening
risk management, enhancing internal control mechanism, providing reference for leader’s decision,
promoting work efficiency, etc; internal auditing cost is to cost less than the loss of auditing case.
However, internal auditing belongs to enterprises management function, which brings invisible benefit
and inestimable cost and benefit directly. In china, internal auditor’s weak cost consciousness (especially
in project cost management), mainly shows in the following aspects: first,time cost; second,leaving the
cost benefit principle out of consideration when project approved; third,labor cost. At present, few
enterprises have strict real time cost control and sense of cost control measures.
2.3 Inadequate Corporate Governance Structure
2.3.1 An imbalance between the setting of enterprise governance structure and internal audit
organizations
Independence and authority of internal auditing to achieve its value-added features are the most basic
and important prerequisite. In order to ensure the independence and authority of enterprise in internal
audit institutions to make it a better role, internal audit institution is an important part of the corporate
governance control mechanism all the time.
Internal audit organization model in China is mainly divided into the following types: First, internal
audit institution is the subordination of the team of General Manager. Company’s financial department is
in charge of managing. Because of the lowest independence and authority, and the worst effect, it has
been basically eliminated; Second, internal audit institution is the subordination of the team of General
Manager which is directly in charge of internal audit institution. Despite a little higher independence and
authority, internal audit institution cannot control operation of senior management; Third, internal audit
institution which is the subordination of board of directors or governance committees has much higher
independence and authority and can go deeply into all levels of management to assist the board of
directors of the company’s business process monitoring. But if the Audit Committee’s role is weakened,
its independence and authority will be unable to be enhanced. Fourth, internal audit institution is the
subordination of supervisory board. Company’s Chief Supervisor is in charge of managing it. It has the
137
highest independence and is capable of monitoring the actions of directors, senior management. If the
board of supervisors has no right, but only a post, then the result is not satisfactory; Fifth, under the dual
leadership of general manager and board of directors, internal audit institution has maximum
independence of internal audit and the highest authority.
From the perspective of organizational model of internal audit, the fifth model is most reasonable. But
the internal audit organizational model of most enterprises in China fails to achieve this level. According
to incomplete statistics, more than 60% China’s joint-stock company’s chairman holds a concurrent post
with general manager. At present, a considerable portion of china’s joint-stock company’s management
structure has been seriously distorted: Some chairmen ask for holding a concurrent post with general
manager: some managers disagree with the rules of procedure and decision-making procedures, so that
the board of directors and the board of supervisors exist in name only; Decision-making organization
and executing organization blurred responsibilities and duty, so that the board of directors strategic
decision-making functions are not full played. In addition, checking and balancing mechanisms within a
certain range are not good enough, as well.
2.3.2. The senior management personnel ignore internal audit work
At present , China’s current supervision of internal controls mostly caters to the Commission’s rules and
regulations and is intervened by the government’s administration. That’s why the internal audit in
Chinese enterprises lack internal motivation compared with the work in Western countries where the
enterprises carry out internal audit work required by make decisions on their own. It results in senior
management of companies not paying sufficient attention to the internal audit work.Furthermore, some
senior leaders one-sided think that internal audit is to check their internal economic problems that will
affect the unity and stability of enterprise workers, and decentralize management of energy, while others
think that the internal audit limits their operational autonomy, and weakens their own authority. For this
reason, many enterprises have ineffective internal audit bodies; internal audit personnel have no power
but a post; and even many internal audit institutions are put aside in the actual work and ignored; the
internal audit’s role of strengthening the internal management is not fully understood or not understood
correctly. The internal auditor institution has not been seen as a whole or a relatively independent part of
the enterprise but is treated as alien or assimilated power. Some enterprises management staff
psychologically exclude the internal audit or see it as its subordinate. The hostile attitude of the senior
management make the internal audit work more difficult to be carry out so that internal auditors will
lack sense of achievement and lose enthusiasm for internal audit work. There will be no active
co-ordination power for other departments’ employees so that corporate internal control system will be
in name only. As a result, the right of Business interests’ level is not actually protected and it is difficult
to achieve the goal of maximizing enterprise value.
2.4 Strengthen Internal Audit Quality Control
2.4.1 Internal audit of quality control being not strict
Follow-up audit is an important audit step in the internal audit work process. In 2003, International
Institute of Internal Auditors amended and published “Practical Internal Auditing Standard” which
points out that the internal auditors carried out the follow-up audit to ensure whether the management
react fully, efficiently and timely in accordance with the findings and advice of the report of the audit
findings and recommendations to take actions by the full, effective and timely processor the
management of (including the audit findings and recommendations of the external auditors and other
staff). Follow-up audit begins the audited units made in a written reply to the audit report of audit
findings and recommendations. In the follow-up audit process, if the audited unit has taken the
corrective measures and are reaching the desired results, the follow-up audit procedures can be ended. If
the audited unit fails to take corrective actions or declare a state of not intending to take any corrective
measures, the follow-up auditors should confirm that senior management or board of directors has
undertaken the risk of the report of taking the audit findings without corrective measures. At present, a
few enterprises carry out normal follow-up audit, many enterprises’ internal audit of follow-up audit
138
work is imperfect mainly because unit’s main leaders lack the recognition about the importance and the
nature of the internal audit. Some senior management staffs think that the audit is to check accounts. The
audit work is over as long as the accounts check finished. Therefore, the problems found out in the audit
work are not investigated and the audit suggestions for improvements are not implemented. Receiving
the audit report, some leaders read it through because of busy work, and pay little attention to the
problems, not mention implementing them.
2.4.2 Internal audit procedures are standard
Compared with external audits, internal audit has no much fixed procedures and workflow, nor strict
audit time limits, which makes internal audit staff have greater flexibility in many ways. Due to this
flexibility, the internal audit work have greater randomness, making the quality of internal audit difficult
to be guaranteed easily. Generally speaking, risk-oriented internal audit work should follow three phases
from beginning to end: preparation phase, implementation phase, the termination phase. Each phase
includes different content and process. However, in actual audit work, many internal audit staff members
rarely strictly carry out operations in accordance with standardized audit procedures, specifically
showing in the following areas: First, the audit plan developed for the audit project is too simple or even
no audit plan is developed. There is no information about the audit content, audit scope, the specific
audit procedures or division of the audit work; Second, the preparation of the audit working manuscript
is incomplete, non-standard, and lack of objectivity. It cannot accurately record the audit procedures
implemented and all the problems found out; Third, internal audit reports lack check and signature of
leaders. Generally, the internal audit reports are prepared by the project leader, amended by the
department manager and finalized without any sign or issue by senior leadership.
3 Strategies of Promoting the Application of the Risk-oriented Internal Audit
Work in China
Risk-oriented internal audit is currently the most popular and most advanced internal auditing method in
western countries, and also aims the development direction of China’s internal audit. However,
risk-oriented internal audit’s expansion and extending in China face various difficulties because of the
condition of our country as well as the internal audit situation of domestic enterprises at present.
3.1 Strengthen the Overall Risk Management Philosophy, Optimize Risk Management Business
Process
The core concept of risk-based internal audit is risk management, and its operating environment and
auditing objects can not be separated from enterprise risk management, but the two are complementary
to each other. First of all, the overall risk management concept should be strengthened if we want to
apply the risk management technique to the internal audit and implement risk-based internal audit.
Comprehensive risk management is the overall management of the entire enterprise at all levels, in all
management aspects and for each risk category. Strengthening the comprehensive risk management
concept is to popularize and execute comprehensive risk management fully in all the parts of the
enterprise. Secondly, we should realize comprehensiveness of risk management process, make risk
management throughout every aspect of business development which is from supplying raw materials,
production, pricing, marketing, accounts collecting to the risk early-warning monitoring, risk
compensation, the follow-up monitoring and disposal. Optimize the risk management business processes
and effectively evaluate and response to all sectors of risk. At the same time, we should intensify the risk
management information construction, use client resources and historical data to build risk management
information systems to provide technical support for the enhancement of the internal audit risk
management level.
3.2 Strengthening the Audit Efficiency and Cost Management, and Realize Value Added
It is very important to measure the benefits and the cost of inputs of internal audit in order to find out
139
how to play the role of internal audit under the cost-saving prerequisite. The effective role of internal
audit cannot be measured by using specific standards. The monitoring defense which it constitutes is
invisible. Enterprises should make the management of audit cost and benefits going throughout the
whole audit process: As for the cost management of the audit preparation phase, we need to optimize
audit organizations, integrate audit resources, strengthen budgetary control and reduce expenses; As for
the cost management of the auditing implementation phase, we should strictly control audit procedures
to minimize the intermediate links; The cost management of auditing reporting phase is primarily
conducted by deep screening and refining the audit results comprehensively, using obtained information
from the auditing project implementation phase. Finally, establishing a scientific and effective audit
cost-effective management model is integrating cost management and personnel management with
internal audit of benefits as a whole internal audit management model.
3.3 Improving the Corporate Governance Structure
In the process of carrying out sustained and comprehensive risk-based internal audit in the framework of
corporate governance for realizing business value added strategic goal, the Audit Committee play the
role of supervision and guidance in risk management and internal audit; Strategic Committee needs to
communicate with risk management committee on risk management problems found out in the
internal audit work, and keep concerned about significant strategic risks the enterprises face; Risk
Management Committee mainly organizes and coordinate risk management conducting; CEO is
responsible for operation matters and ensures the effective implementation of risk-based internal audit.
Risk management departments are responsible for taking the implementation of enterprise risk
management. Internal audit department conducts risk assessments, develops audit plans and give advices.
Other functional departments cooperate with the internal audit department to conduct risk-based internal
audit, corporate risk management, other employees in company should keep up with the project
development plan under the guidance of risk management concept.
3.4Improving Internal Audit Quality Control System
3.4.1. Regulating the internal audit procedures
3.4.1.1 working out the internal audit plan
While compiling the audit plan, we should give full consideration to the workload and manpower,
time and costs. Scientific internal audit plan should be worked out in accordance with the following
order: The internal auditing items that can be audited are to be listed as audit objects; Then, internal
control and risk management effectiveness should be assessed in accordance with each specific matter to
determine high-risk able-audit matters; the last, audit resources and investor requirements, and audited
matters special circumstances are to be considered comprehensively to determine the audit projects and
sequencing. Internal audit departments in the development of the project plan should widely listen to
opinions in all directions including: the Board and various management personnel advice; the opinions
of external auditors; laws and regulations requirements; Materials as well as industry or economic
development trends before the financial and operational situation analysis audit. On this basis, the
internal audit program is to be adjusted appropriately.
3.4.1.2the implementation management of the internal audit plan
Audit plan implementation management refers to the implementation of organizing and controlling audit
plan as well as the process of modifying and supplying the original plan. As the auditing plan
implementation is actually that internal audit takes various organizations and controlling measures to
manage it according to plans requirement for their business activities, auditing plans should be checked
and examined when it finished aiming to further strengthen auditing plan management.
3.4.2 Strengthening the internal audit project management
The operating mechanism of audit project team should be established gradually in the audit project
management. We should implement audit project team responsibility, support self-management and
self-design project team, give full play to the whole effectiveness of the audit project team. At the same
；
140
time, corresponding appraisal system need to be developed to evaluate the results of the audit project
team, and establish a scientific and well defined rights and responsibility mechanism of upper and lower
linkage and a team leader responsibility regulation system. We should make the audit quality the main
assessment objective, well defined rights, profits and responsibilities as assessment content, and
combine evaluation system with avoiding internal audit risk, observing professional ethics, and
executing every management systems.
4 Conclusion
After the actual study of the real situation of risk-oriented internal audit, this paper identify gaps and
propose relevant measures: strengthen the overall risk management philosophy; optimize risk
management business process; enhance audit effectiveness and cost management; realize value-added
business value; improve internal audit quality control system. As the internal audit risk-oriented
enterprise in China’s promote gradually, enterprises should establish risk-oriented internal audit
mechanism to ensure the effective operation mode: responsibility ascertain mechanisms, ownership
alternative management mechanism, staff incentives mechanism and risk concept management
mechanism.
Acknowledgment:
This paper is supported by a grant No.HB10XGL021 from the Social Science Foundation of Hebei
Province.
References
[1]. Christina Brune. Embracing internal controls. The Internal Auditor[J]. 2004(6).
[2]. Nixon,Alice. Analysis:Corporate governance-Internal audit:the new rock and
Accountancy[J].2005(1).
[3]. Dana R. Hermanson. The value of internal control audits. Internal Auditing[J].2005(1).
141
roll.