iBusiness, 2012, 4, 287-292
http://dx.doi.org/10.4236/ib.2012.43036 Published Online September 2012 (http://www.SciRP.org/journal/ib)
The Enterprise Risk Management and the Risk Oriented
Internal Audit
Jie Liu
School of Accounting, Shandong Institute of Trade Unions’ Administration Cadres, Jinan, China.
Email: Old-bu@163.com
Received May 18th, 2012; revised June 18th, 2012; accepted July 18th, 2012
ABSTRACT
With the development of economic globalization, the risks that enterprises face are increasing. In order to cope with these risks, enterprise risk management requires internal audit. As an important part of internal control, the risk oriented internal audit has emerged to monitor the process of enterprise risk management, so that enterprises can control and evaluate risks more and more suitably. This research focuses on the importance of the risk oriented internal audit and studies the status of our risk oriented audit; it then proposes some strategies and suggestions to promote the application of the risk oriented internal audit so as to ensure the effectiveness of enterprise risk management.
Keywords: Risk Management; Internal Audit; Risk Oriented
1. Introduction
The 21st century is a century that brings both challenges and chances to enterprises. Economic globalization, the information technology revolution and brand-new forms of enterprise have made the risks that enterprises face more complex and intense day by day. Risk has become the most important factor influencing whether an enterprise can realize its goals. Therefore, how to manage and avoid risks is now the most important matter for the management of enterprises, which has to analyze and avoid risks from the angle of the entire enterprise. Modern risk management is a process in which everyone in the enterprise participates; it is applied in the enterprise’s strategic planning and in every internal department, and it identifies potential risks and manages them within the tolerable risk scope, so as to assure that the goals of the business are realized. Through enterprise risk management, the managerial staff control risks, reduce losses, and enhance the profit and social effect of the enterprise. The development of the enterprise needs risk management, yet the development of risk management needs the support of internal audit. Gerrit Sarens, et al. [1] and George Bartsiotas [2] pointed out that internal auditors should put forward suggestions and help the managerial staff fulfill its responsibility by monitoring the adequacy and effectiveness of risk management.
Therefore, the risk oriented internal audit is not only the result of changes in the environment and the development of enterprises, but also of the development of internal audit and of external audit. Liu Jie [3] pointed out that the risk oriented internal audit is an independent, objective guarantee and consulting activity oriented by risk. It sets the priority of audit projects according to the level of quantitative analysis; sets the audit scope and the key points of the audit on the basis of risk determination; and appraises the process of risk management, internal control and corporate governance so as to propose constructive suggestions to realize the value increment of the enterprise. Its objects, aims, audit ranges, audit technologies, audit routes and functions have all changed enormously. By examining risk management, internal auditors can find risks, evaluate risk management and give advice to improve it, and help to add value to the enterprise. The functions of the risk oriented internal audit in enterprise risk management include evaluating the sufficiency of risk recognition, evaluating the appropriateness of the risk assessment, evaluating the properness of the risk-avoidance measures, understanding the risk level acceptable to management, and regularly reporting the risk management appraisal situation to the management. In a word, the duties of the risk oriented internal audit in risk management include: 1) assisting the management of the enterprises in establishing the risk management system; 2) appraising the sufficiency and effectiveness of the risk management; 3) assisting the management of the enterprises in determining, appraising and implementing the risk management methods and the control measures.
Copyright © 2012 SciRes. IB
Internal audit abroad has entered the risk guidance stage, and its fundamental research is mature. The English Internal Audit Association promulgated “Position Statement: The Role of Internal Audit in Enterprise-Wide Risk Management”, the International Internal Auditor Association promulgated “Internal Audit Practice Standard”, and McNamee D. and G. Selim put forward the risk oriented internal audit model, which provided theoretical guidance for the risk oriented internal audit. Internal audit abroad has plentiful audit types, advanced audit methods, and harmonious relationships with others. However, the risk oriented internal audit in our country is still at the primary stage. Through investigation, we discovered that internal audit in our country has such problems as an imperfect risk management system in the enterprise, under-developed risk management methods, internal audit that cannot play its role perfectly, and a single internal audit personnel structure. In view of these questions, this article proposes some strategies and suggestions to promote the development of our risk oriented internal audit.
2. The Relationship of the Risk Oriented
Internal Audit
2.1. Risk Management Requires the Internal
Audit
Yang Rui and Diao Min [4] pointed out that, because the risk oriented internal audit can help other departments of the enterprise control risks through effective consulting and evaluating activities, enterprise risk management requires internal audit to monitor, control, inspect, evaluate and report on the progress of enterprise risk management. As the risks that enterprises may face are comprehensive, a risk caused by one department may be transferred to other departments, and may even lead the whole enterprise into trouble, so understanding, preventing and controlling risks must be done under overall consideration. Because each department has its own limitations in recognizing risks from the standpoint of the entire situation, internal audit is important in resolving these problems; for example, internal auditors can distinguish different sorts of risks in the economic activities and give applicable suggestions in time.
Many organizers of enterprises have realized that the effectiveness of enterprise risk management and the appropriateness of the risk management strategy are closely related to the goals of the enterprise. The risk oriented internal audit takes enterprise risk management as the main point of the audit: it inspects and evaluates all sorts of risks the enterprise may face in its continuing operation, and appraises whether the enterprise risk management is effective and efficient and whether its strategy is appropriate to the development of the enterprise. The risk oriented internal audit can meet the needs of enterprise risk management, and at the same time can help the enterprise risk management system become more and more suitable.
2.2. Internal Audit Requires the Risk
Management
The risk oriented internal audit is internal control extended to enterprise risk management, and it has an important influence on traditional internal audit. Traditional internal audit puts emphasis on direct testing of internal control, appraising and considering whether the internal control is sound and effective. It tries to find the weak links of internal control in order to prevent mistakes and fraud. Because it suggests adding control points at weak links, more and more control points make the business process slow and inefficient. Therefore, the contribution of traditional internal audit to increasing business value has gradually diminished.
The risk oriented internal audit, by contrast, pays attention to the possibility of all sorts of risks that may be faced in the process of corporate governance, and it moves the focus of the audit forward to present and future programs. It selects audit projects by using risk criteria, and each audit objective is closely related to the goals of the enterprise. The risk oriented internal audit begins with risks and ends with risks, and risk is closely connected with the audit process from beginning to end. It provides the management with more relevant information needed to achieve its goals.
2.3. The Risk Oriented Internal Audit Integrated
the Corporate Governance, the Enterprise
Risk Management and the Internal Control
Traditional internal audit is limited to internal control and has not paid much attention to corporate governance and enterprise risk management. However, corporate governance requires internal control to provide protection, and enterprise risk management also requires internal control to realize effective risk management through a variety of methods. Therefore, internal audit should integrate corporate governance, enterprise risk management and internal control, so as to strengthen management, improve efficiency and establish a good operating order.
3. The Status of Our Risk Oriented Audit
The risk oriented internal audit not only pays attention to enterprise risk management, but has also become one of its important parts. Because of the significant status of the risk oriented internal audit, many states have issued various policies to extend it. For example, in September 2004, COSO formally issued the “Enterprise Risk Management Framework”, whose outstanding theoretical value and practical significance aroused widespread concern.
However, the application situation of our risk oriented
internal audit is not optimistic.
To understand the application status of our risk oriented internal audit, this article adopted questionnaire and interview methods, releasing 200 questionnaires from June 2010 to January 2011. The questionnaire was formed on the basis of interviews and literature analysis. The initial questionnaire was based on interviews with 14 enterprises that had carried out the risk oriented internal audit; through in-depth interviews and investigation, we found the common problems and difficulties in the development of our risk oriented internal audit, and revised the questionnaire according to the findings. We selected 200 enterprises that want to carry out the risk oriented internal audit for the investigation and retrieved 178 samples, of which 137 were effective. Through the questionnaire survey, we discovered some ubiquitous questions and provided corresponding suggestions. The questionnaire and the survey results are shown in Table 1.
Table 1. The status of our risk oriented audit questionnaire.
Questions  Results (number, percentage)
1) The position of our internal audit organization
  a) An independent organization  43  62.32%
  b) Combined with other departments  23  32.59%
  c) Have not established a special internal audit organization  3  4.35%
2) The education situation of our internal audit organization
  a) Master  2  0.37%
  b) Bachelor  499  91.90%
  c) College degree  39  7.18%
  d) Below college degree  3  0.55%
3) The professional situation of our internal audit organization
  a) Audit  152  27.99%
  b) Accounting  265  48.43%
  c) Management  55  10.13%
  d) Computer  4  0.74%
  e) Engineering  54  9.94%
  f) Others  13  2.39%
4) What kinds of audit projects does the internal audit carry out?
  a) Financial revenues audit  48  69.57%
  b) Economic benefits audit  46  66.67%
  c) Economic responsibilities audit  50  72.46%
  d) Capital construction audit  35  50.72%
  e) Law and order special audit  16  17.42%
  f) Assessment of internal control  33  47.83%
  g) Audit investigation  30  43.48%
  h) Risk oriented internal audit  14  17.39%
5) Who is responsible for the risk management?
  a) The board of the enterprise  12  19.67%
  b) The board of supervisors  0  0
  c) The Audit Committee  4  6.56%
  d) The president  32  39.02%
  e) The vice president  6  9.84%
  f) The internal audit  15  24.59%
  g) Others  13  21.31%
6) How did the enterprise control and evaluate the risks faced by the enterprise?
  a) The requirements of laws and regulations  37  60.66%
  b) There is a specialized group to identify the risks  7  11.48%
  c) Identify the risks by qualitative methods  13  21.31%
  d) Identify the risks by quantitative methods  4  6.55%
7) What role does the internal audit play in the enterprise risk management?
  a) Participated in the process of the enterprise risk management  53  64.39%
  b) Set up the risk preferences and risk tolerance  7  8.54%
  c) Monitor the process of the enterprise risk management  7  8.54%
  d) Training the enterprise risk management personnel  17  20.73%
  e) Did not participate  15  18.29%
  f) Others  5  6.10%
3.1. Our Risk Oriented Internal Audit Is Still in
the Initial Stage
Our circles of theory and practice have realized the importance of the risk oriented internal audit and have already begun to study it, but our internal auditors still mainly concern themselves with financial revenues, economic benefits and economic responsibilities. Some internal audits do not play any role in enterprise risk management, some of them can remind the management to pay attention to risk, and a few of them provide personnel training for enterprise risk management. How to apply internal audit to enterprise risk management still needs to be researched.
3.2. Our Enterprise Risk Management Is Not
Perfect
According to the survey, 80.49% of the enterprises have not set up a special risk management organization, 39.02% of the enterprises carry out risk management activities through the president, 21.31% of the enterprises do not have formal risk management activities, and 60.66% of the enterprises purchase mandatory insurance according to the law, rarely according to their own consideration. The survey shows that we have not yet established a perfect risk management system; enterprise risk management activities are carried out passively in accordance with laws and requirements, not in accordance with the enterprises’ own requirements. Therefore, this kind of behavior is instantaneous and intermittent, and is usually carried out after the events, which obviously cannot meet the needs of the enterprise in dealing with fierce market competition or the requirements of development in a multiple-risk environment.
3.3. Our Enterprise Risk Management Measures
Are Under-Developed
Li Xiaochun, et al. [5] pointed out that just a few enterprises use quantitative analysis methods to carry out enterprise risk management. Most enterprises still adopt qualitative analysis methods; compared with the mathematical statistical models, financial engineering and other advanced measures widely used by advanced international enterprises, our enterprise risk management measures are relatively under-developed. The backwardness of our enterprise risk management measures is due to the lack of guidance from mature theory, and it directly causes enterprises to be unable to appropriately predict, identify, assess and respond to risks, which affects the enterprises’ realization of their goals.
3.4. The Internal Audit Personnel Structure Is
Single
The investigation shows that most of our internal auditors have higher education: 99.45% of the internal auditors have an education at college level or above. However, the internal audit personnel structure is too single: nearly half of the internal auditors graduated with an accounting major, nearly 1/4 with an audit major, and less than 1/4 with management, computer, engineering or other related majors. The single structure of the internal auditors affects the internal audit and leads to a narrow audit scope and low efficiency, and makes it difficult to give a comprehensive evaluation of enterprise risk management and corporate governance.
3.5. Our Internal Audit Organization Lacks
Independence
Our internal audit organization was established through the government’s intervention and promotion, and it lacks relative independence and suitable standards. As operating expenses and personnel salaries all depend on the enterprise management, when the management does something illegal or unreasonable, the internal auditors are full of worries about performing the functions of supervision and evaluation.
In addition, the different risks faced by the enterprise require internal audit to blend with enterprise risk management and participate positively in strategic planning, yet our internal audit organization always passively accepts instructions from the management, so when the internal auditors make the audit plan, carry out audit procedures and issue the audit report, there are all kinds of obstacles to carrying out independent audit activities.
4. Strategies and Suggestions
4.1. Mobilize the Enthusiasm of the Internal
Audit Blend with the Enterprise Risk
Management
We should change our internal auditors’ ideas as soon as possible; modern internal audit will fall behind if it does not pay attention to enterprise risk management. Western enterprises have modified the internal audit charter and require internal audit to participate in enterprise risk management and to provide independent evaluation and recommendations. Our internal audit also needs to update its concepts, switch its roles, strengthen communication with every department of the enterprise, and mobilize the enthusiasm of internal audit to blend with enterprise risk management.
4.2. Accelerate the Construction of Laws and
Regulations
A suitable legal system will promote the development of a new method. If the relevant departments can accelerate the issuing of laws and regulations and emphasize the importance of carrying out the risk oriented internal audit, the effect will be more obvious.
4.3. Make Full Use of the Audit Conclusion
Internal auditors should verify the targets of the enterprise together with the audited departments, and should inform them of all the discoveries made in the audit process. The departments should assist the audit work more efficiently by using their professional skills and insights, and difficulties in the audit process should be resolved by consultation. The audited departments should participate fully in the discussion of the audit reports with the internal auditors, so as to ensure that the problems found by the internal auditors are discussed thoroughly and that the audit conclusions are used thoroughly.
4.4. Establish a Learning Organization of the
Internal Audit, and Improve the Internal
Auditors’ Quality
Yang Huixian and Fu Rong [6] pointed out that the quality of internal auditors determines whether the risk oriented internal audit can be carried out effectively and whether the efficiency of the internal audit can be improved effectively. The risk oriented internal audit therefore has higher requirements than traditional internal audit. Risk oriented internal auditors should not only master audit knowledge, but also have knowledge of economic management, finance, statistics, engineering and law, as well as information and computer expertise, and should be well versed in enterprise risk management, so that they can be more proficient in using scientific methods to measure, assess and control risks. They can help enterprises to establish a perfect risk management system, which includes the enterprise management strategies and methods. Establishing a learning organization of internal audit and improving the internal auditors’ quality is based not only on the objective requirements of the risk oriented internal audit, but also on the objective needs of internal audit’s survival and development.
Therefore, we should establish strict selection, recruitment, training and performance evaluation systems for internal auditors, in order to ensure the quality of the internal auditors and the diversification of the internal audit personnel structure. For example, we can select staff who are familiar with the enterprise’s production and operation activities to enrich the internal audit organization, or recruit experienced professionals from colleges and universities, from accounting firms or from other industries. We should pay attention to the continuing education and the professional ethics of the internal auditors, strengthen the personnel’s sense of responsibility, and promote the principles of strictness and diligence and the enterprising spirit of the occupation.
4.5. Improving Communication Skills,
Modifying the Interpersonal
Relationship
Most of our internal audit organizations were established by external forces, to meet the needs of the government or relevant regulations, so the audited departments often have strong feelings against the internal auditors, which is obviously not conducive to the audit work.
However, in an environment where most internal auditors have the same intelligence quotient level, whether the work can proceed smoothly depends mostly on the emotional quotient level, which in turn depends mostly on interpersonal skills and communication ability. The particular duty of internal auditors means that they must improve their communication skills, self-control, innovation ability, comprehension and cooperation ability. All of these help to improve their emotional intelligence and their interpersonal relationships, which will help them change the attitude of other departments toward the internal auditors, help those departments understand the role, responsibilities and work procedures of internal audit, and turn passive resistance into active cooperation with the internal audit.
5. Conclusion
In a word, the risk-oriented internal audit is not only the result of changes in the environment and the development of the enterprise, but also of the development of internal audit and of enterprise risk management. We should follow the suggestions put forward above to promote the development of the risk-oriented internal audit, so that risk management can play a better role.
REFERENCES
[1] G. Sarens, I. De Beelde and P. Everaert, “Internal Audit: A Comfort Provider to the Audit Committee,” The British Accounting Review, Vol. 41, No. 2, 2009, pp. 90-106. doi:10.1016/j.bar.2009.02.002
[2] G. Bartsiotas, “An Expanding Role,” Internal Auditor, Vol. 2, No. 4, 2008, pp. 86-91.
[3] J. Liu, “The New Pattern of Internal Audit—Risk Oriented Internal Audit,” Finance and Accounting Monthly, Vol. 3, No. 8, 2006, pp. 77-79.
[4] R. Yang and M. Diao, “The Enterprise Risk Management and the Risk Oriented Internal Audit,” Finance and Accounting Monthly, Vol. 12, No. 36, 2008, pp. 52-54.
[5] X. C. Li, W. H. Gao and Y. P. Li, “The Research on the Application of the Risk Oriented Internal Audit in Our Country,” Accounting Communications, Vol. 4, No. 12, 2011, pp. 98-100.
[6] H. X. Yang and R. Fu, “The Research on the Risk Oriented Internal Audit Literature Review,” Accounting Communications, Vol. 7, No. 21, 2009, pp. 73-89.