For a long time, China's internal audit has been influenced by many factors such as management system, functional orientation, personnel quality, laws and regulations. , lack of necessary independence and authority, it is difficult to play its due supervisory role. From the analysis of the internal audit profession itself, there is a widespread problem of weak audit risk awareness. Many people mistakenly believe that internal audit has no specific requirements for work objectives, the internal audit report submitted has no legal effect, and internal audit has no "risk"; Or think that under the leadership of the person in charge of the unit, the internal audit work is just "following orders", and even if there are mistakes or omissions in the work, there is no need to bear "risks". Under the guidance of this idea, internal audit is bound to fall into the dilemma of passivity and inaction, and the quality of internal audit work is difficult to be guaranteed.
I. Internal Audit Risks and Their Characteristics
The characteristic of modern audit is "risk-oriented audit". Audit risk is not only a key factor to determine audit quality, but also a prerequisite for allocating audit resources. Generally speaking, the generalized internal audit risk includes audit professional risk and audit work risk. The former refers to the sum of factors and environment that are not conducive to the professional development of internal audit; The latter is the possibility that the internal auditor makes improper audit judgment or fails to reveal the existing mistakes and disadvantages when auditing the business management activities of the enterprise due to uncertain factors or limited auditor's ability, thus causing the enterprise to suffer losses.
The striking feature of modern enterprise system is clear rights and responsibilities. This is not only reflected in the owners and managers of enterprises, but also in the multi-level and multi-link of various functional departments and employees within enterprises, thus forming a decentralized management system and entrusted economic responsibility relationship. As a relatively independent third party, internal audit plays a role in monitoring and evaluating the performance of entrusted economic responsibilities. In this way, the appointment of managers by enterprise owners and the supervision and performance evaluation of managers on the business behavior of their respective functional management departments are completed by internal audit institutions at all levels. If internal auditors adopt improper audit procedures and methods for accepted audit projects, fail to find major mistakes or defects or issue incorrect audit conclusions, resulting in adverse consequences, this is the internal audit risk. Therefore, the existence of entrusted economic responsibility within the enterprise makes the internal audit risk inevitable.
Compared with external audit, internal audit risk has its own characteristics.
First of all, the purpose of internal audit is to improve the operating efficiency of enterprises, which is consistent with the objectives of enterprises. As one of the components of enterprise organization, the interests of internal audit are closely related to the overall interests of the enterprise, which can be described as * * * in the same boat, honor and disgrace and * * *. Therefore, the risk of internal audit is consistent with the risk faced by enterprises to achieve business objectives.
Secondly, the scope of internal audit risk has expanded. When entrusting social audit, its risks are limited to the agreed audit matters, while internal audit, as a functional department of an enterprise, is not limited to financial problems according to the needs of management. All business activities of an enterprise can be audited. Therefore, from violation of financial regulations to mistakes in business activities, if the internal audit department fails to reveal or make improper judgments, audit risks will arise. However, if the internal auditors have fully and objectively revealed the existing problems in the submitted audit report or management proposal, and the enterprise management authorities have failed to pay enough attention to it and take corresponding solutions, the losses caused by it are not the responsibility of the internal auditors.
Thirdly, the limitation of internal audit environment increases the audit risk coefficient. In essence, internal audit belongs to the management control behavior of enterprise self-restraint. When audit matters involve foreign units, it is often difficult to investigate and collect evidence, and internal auditors have long-term ambiguous relationships with their employees, and they have certain interests and emotional ties with each other. When the audit involves specific people and things, the audit avoidance system is difficult to follow, which affects the objectivity and impartiality of the audit and ultimately makes the internal auditors bear greater audit risks.
Fourth, internal audit has no selectivity to audit matters. Before accepting the audit commission, social audit can evaluate the audit risk by understanding the basic situation of the audited entity, implementing compliance testing procedures. When the expected audit risk level is higher than the acceptable risk level, you can refuse to accept the audit commission. However, as a function of enterprise management control, internal audit must focus on realizing the overall goal of the enterprise and carry out daily work under the overall arrangement of the audit Committee. We can't choose audit projects with different risk levels, and we can only try to reduce audit risks by continuously improving audit quality.
Second, the internal audit risk management and prevention mechanism
The emergence and development of internal audit has its internal motivation and its own laws. To prevent internal audit risks, we should pay attention to the analysis of the characteristics and laws of internal audit, not only implement risk management for specific audit projects, but also comprehensively manage various environmental factors of internal audit, form an internal audit risk prevention mechanism, and strive to reduce audit risks to the lowest level in order to achieve business objectives.
1. Organizational guarantee mechanism. The audit committee established under the leadership of the board of directors is a reasonable choice to improve the corporate governance structure and avoid internal audit risks. According to "Guiding Opinions on Establishing Independent Directors in Listed Companies" issued by China Securities Regulatory Commission, an independent director with accounting expertise is the chairman of the audit committee. The Audit Committee formulates internal audit policies, decides internal audit matters, examines and approves internal audit reports, coordinates the relationship between various departments of the enterprise, is responsible for and reports to the board of directors, and has the right to express opinions (including reserved opinions, no opinions and objections) on the board of directors, thus ensuring the independence and authority of internal audit to a certain extent. We believe that not only listed companies, but all enterprises under the modern enterprise system should gradually establish audit committees, so that there is a reliable organizational guarantee mechanism to prevent internal audit risks. 2. Industry self-discipline mechanism. Since 1998 institutional reform in the State Council, the Institute of Internal Audit has been responsible for the coordination and guidance of internal audits in various industries. The internal audit association is an industry self-regulatory organization of internal audit institutions of enterprises. In the modern economic society, if enterprises want to survive and develop in the market competition, they must attach importance to shaping their social image, maintaining their reputation and improving their social status. Therefore, enterprises have the inherent need to make an objective and fair evaluation of their own laws and regulations, pay taxes according to regulations, and protect the interests of investors and social environment, which is the basis for the internal audit association to guide and evaluate the internal audit work of enterprises. On the one hand, the Institute of Internal Audit should disseminate internal audit information and knowledge for its members, devote itself to improving the professional ethics and professional quality of internal auditors, study the working mode of internal audit, and constantly create a new situation in internal audit work; On the other hand, enterprise internal audit institutions should actively participate in the activities of the internal audit association, support the development of internal audit, and create a good professional environment for preventing internal audit risks.
3. Communication mechanism. As the functional management department of an enterprise, internal audit should, on the one hand, accept the professional guidance of the national audit and serve the national economic interests; On the other hand, we should work under the leadership of enterprise management authorities to serve the economic interests of enterprises. Under this two-way responsibility orientation, there is not a single relationship between internal audit and the audited object. Internal audit should be put in a correct position, change ideas, establish a professional image of serving enterprise management and improving enterprise economic benefits, and improve the understanding of internal audit by enterprise leaders and functional management departments. Through exchanges and communication, actively publicize the consistency of the fundamental interests of enterprises and the state to business leaders. When there is a conflict between national interests and enterprise interests, only under the premise of abiding by laws and safeguarding national interests can we enhance the social reputation of enterprises and better safeguard their interests. Through exchanges and communication, enterprise leaders truly realize that internal audit is their own staff and assistant, and plays an irreplaceable role in safeguarding the legitimate rights and interests of enterprises and improving economic benefits, thus gaining the understanding and trust of enterprise leaders and the support and cooperation of various functional management departments.
4. Risk assessment mechanism. In addition to the professional quality and professional ethics of auditors, internal audit risks mainly come from the business risks and financial risks of enterprises. Therefore, it is an effective way to reduce the internal audit risk for auditors to assist enterprise managers in risk control and management and establish a risk assessment mechanism. Risk assessment is to evaluate the risk of the implementation plan in the expected possible state in combination with the major business decisions of the enterprise. The focus of risk assessment is to remind managers of the nature and intensity of risks faced by enterprises, so that managers can take corresponding countermeasures to avoid or reduce risks, rather than control risks.
To establish a risk assessment mechanism, internal auditors should first fully communicate with managers on the changes in the business environment, decision-making objectives, strategic rules and future business conditions of enterprises, understand the nature and size of risks, and determine the audit scope, key audit objects and audit methods. Secondly, it is necessary to collect audit data related to operational risk and financial risk, make clear the risk profile of each audit project, formulate an annual audit work plan and submit it to the audit Committee for approval. Finally, in the specific implementation stage of the audit project, we should evaluate the actual risk and the effect of risk control, and put forward some suggestions on risk control.
5. Interactive audit mechanism. In large enterprise groups, there are many holding subsidiaries and branches. In order to adapt to the internal business relationship, financial relationship and audit supervision relationship in this enterprise organizational structure, it is necessary to establish a multi-level internal audit system and form an interactive audit mechanism. Under this mechanism, enterprise organizations at all levels set up internal audit institutions to carry out audit business under the guidance of higher-level organizations. Under the unified leadership of higher-level organizations, enterprise organizations at the same level conduct interactive audits on the quality of internal audit business every year (or half a year), exchange audit resources, sum up audit experience, expose existing problems in audit work, conduct audit work evaluation, and promote the improvement of audit work level. The formation of an interactive audit mechanism of self-examination, mutual inspection and spot check in the whole enterprise group is conducive to mobilizing the enthusiasm of internal auditors, enhancing the awareness of self-discipline and self-supervision of enterprises at all levels and reducing the risk of internal audit.
6. Incentive and restraint mechanism. In order to assess the professional level of internal auditors and stimulate their enthusiasm, enterprises should formulate a set of audit quality assessment standards according to their own characteristics, including audit efficiency, audit procedure norms, audit risk management, audit effect, audit professional ethics and so on. Under the unified organization of the audit committee, the internal auditors and their audit service quality are evaluated regularly. According to the evaluation results, the internal audit institutions with remarkable audit results, specific audit projects with excellent audit quality and outstanding internal auditors are given spiritual and material rewards, which are linked to the promotion of internal auditors. The internal audit institutions and relevant internal auditors who neglect their duties and have low quality of internal audit services, causing losses to enterprises or affecting their social reputation, shall be given administrative and handling penalties. Internal auditors who have caused gross negligence should file the punishment results and decide whether to stay or not according to the nature and degree of negligence; For those who have obtained the qualification of registered internal auditors, their performance evaluation (reward or punishment) should be reported to the local internal audit association for the record, so as to encourage and restrain the improvement of internal audit quality from the perspective of the whole industry. Posted in China Paper Download Center.