School of Management, University of Glamorgan

Research on Internal Audit Participate in Risk Management-Based on the ERM Framework of COSO

By: Weichen Zhu Candidate no: September 2012 Supervised by:

The dissertation is submitted as part of the requirement for the award of Masters of Science:

Declaration This Dissertation has been prepared on the basis of my own work and that where other published and unpublished source materials have been used, these have been acknowledged. Word Count: Student Name: __________________ Signature: ______________________ Date of Submission:______________

Acknowledgement

This is my first time to go aboard for studying. During different campus life in the UK, it is wonderful with deep impression. I learned how to use my internal power to make things happen and how to live my own life. All efforts contribute to my growth, but I cannot forget people who encourage and help me. Probably, I am not happy to study in my whole postgraduate time without support.

Firstly, I would like to thank my supervisor. He helps me develop the ideas and complete this dissertation. Especially, when I make a survey in China, I communicate with him through email. Sometimes, I am afraid that my timetable could have bad effects on him. However, he usually gives me feedback as soon as possible.

Therefore, I only use 20 days to finish my survey. This kind of strong professional ethic is worth to learn for me in the future.

Secondly, I am truly grateful for all teacher lectures who taught me. With your support, I had a great time in University of Glamorgan.

Thirdly, I thank my parents sincerely for giving me huge money to further my study. I will forever remember their kindness.

Table of Contents
Executive Summary .......................................................................................................................... 6 CHAPTER 1: INTRODUCTION ..................................................................................................... 8 1.1 Research Background ................................................................................................................. 9 1.2 Research Objects ....................................................................................................................... 10 1.3 Research Method and Structure ................................................................................................ 11 1.3.1 Research Method............................................................................................................ 11 1.3.2 Research Structure ......................................................................................................... 12 CHAPTER 2: LITERATURE REVIEW ......................................................................................... 15 2.1 Introductions of Internal Audit and Risk Management ............................................................. 16 2.2 Background and Components of ERM Framework .................................................................. 17 2.2.1 Background of ERM Framework ................................................................................... 17 2.2.2 Components of ERM Framework .................................................................................. 18 2.3 Internal Audit's Role in ERM Framework ................................................................................ 22 2.3.1 Factors Affecting Internal Audit's Role in ERM Framework ......................................... 22 2.3.2 Internal Audit's Role in ERM Framework...................................................................... 23 2.4 Internal Audit's Effect on Risk Management under ERM Framework ..................................... 25 2.5 Summary on Current Situation of Study around the World ...................................................... 28 2.5.1 Summary on Current Situation of Study by American and European Countries ........... 28 2.5.2 Summary on Current Situation of Study by China......................................................... 29 CHAPTER3: IMPLICATIONS OF THEORIES AND MODELS .................................................. 32 3.1 Introduction of Internal Audit's Participation in Risk Management under ERM Framework... 33 3.2 Association with Corporate Objective, Strategy and Risk ........................................................ 34 3.3 Monitoring Environment........................................................................................................... 39 3.4 Assessment on Internal Environment of Enterprise .................................................................. 41 3.4 Guaranteeing Integrity of Risk Event Identification ................................................................. 44 3.5 Confirmation of risk assessment ............................................................................................... 51 3.6 Inspection on Risk Reaction of Enterprise ................................................................................ 54 3.7 Evaluation on Enterprise Control Activity ................................................................................ 55 3.8 Evaluation on Information and Communication of Enterprise ................................................. 57 3.9 Monitoring on Enterprise Risk Management ............................................................................ 59 CHAPTER 4: METHDOLOGY ..................................................................................................... 60 4.1 Qualitative Analysis .................................................................................................................. 61 4.2 Quantitative Analysis ................................................................................................................ 61 4.2.1 Data Collection .............................................................................................................. 62 4.2.2 Sample............................................................................................................................ 63 4.2.3 Inclusion Criteria............................................................................................................ 63 4.2.4 Exclusion Criteria .......................................................................................................... 64 4.2.5 Data Duration ................................................................................................................. 64 4.3 Limitations and Assumptions .................................................................................................... 64 4.4 Ethical Issues ............................................................................................................................ 64 Chapter 5: FINDINGS AND ANALYSIS ....................................................................................... 66 5.1. Results ...................................................................................................................................... 67 5.2 Analysis on Causes of Internal Audits Participation in Risk Management under ERM
4

Framework ...................................................................................................................................... 69 5.2.1 Change of External Environment Needs Internal Audits Participation in Risk Management ............................................................................................................................ 69 5.2.2 Development of Internal Audit Itself Needs Internal Audits Participation in Risk Management ............................................................................................................................ 70 5.3 Specific Cases of Internal Audit's Participation in Risk Management under ERM Framework ........................................................................................................................................................ 70 5.3.1 Case of China Aviation Oil (Singapore) Corporation Ltd .............................................. 71 5.3.2 Case of ABC Beijing Branch ......................................................................................... 73 5.4 Enlightenment ........................................................................................................................... 75 CHAPTER 6: DISCUSSIONS........................................................................................................ 78 6.1 Build and Perfect Laws and Regulations, Continuously Perfect Criterion System................... 79 6.2 Define Internal Audit Objective, Cultivate Risk Management Concept ................................... 80 6.3 Extend Internal Audit Function, Integrate Risk Management Comprehensively...................... 81 6.4 Strengthen Audit Team Construction, Improve Quality of Auditors ......................................... 81 CHAPTER 7: CONCLUSIONS ..................................................................................................... 83 Reference ........................................................................................................................................ 87 Appendix ......................................................................................................................................... 96

Executive Summary

Entering the 21st century, with the development of the information technology and the change of competitive environment, the risks of enterprises has become increasingly complex and changeable. Risk management has become a very important task of enterprise operation. In the process of the development of risk management, it needs a guide to lead enterprises grow up sustainably. Therefore, establishing risk management frame work becomes an inevitable trend. In 2004, COSO issued the enterprise risk management integrated framework on the base of internal controlintegrated framework. This framework make the enterprise risk management get on a new level.

As an independent objective assurance and consulting activity, internal auditing helps an organization accomplish its objectives by bringing a systematic and displined approach to valuate and improve the effectiveness of risk management so that it could control and governance processes. Its aim is to add value and improve an organizations operation condition. From this definition, it can be seen the internal audits scope has been expanded to the risk management. Accordingly, internal audit participating in risk management become the need of enterprise development. This paper mainly focuses on the internal audit participating in risk management under ERM framework.

Firstly, this paper is introducing background of the topic, study objectives, study method and content. In the meanwhile, it summarizes the current situation of developed countries about internal audit and risk management. Secondly, it is suggested that elaborating relevant theory on internal audit and risk management under ERM framework. After stating internal audit and risk management as a whole, this part introduces background and components of ERM framework, defines internal audits role in ERM framework, and finally indicates the effect internal audit exerts on
6

risk management under ERM framework. Thirdly, it is studying on procedures and contents of internal audit and risk management under ERM framework. The specific procedures include eight aspects: assess enterprises internal environment, assess enterprises objective setting, distinguish enterprises risk event, confirm enterprises risk assessment, inspect enterprises risk reaction, track enterprises control activity, evaluate enterprises information and communication, and supervise enterprises risk management. Fourthly, through survey, it is comprehensively analyzing current situation and cause of internal audit and risk management under ERM framework. Fifthly, it is conducting a survey on Chinas current situation of internal audit and risk management at present in form of questionnaire and analyzes results. After that, specifically analyzing two causes of internal audit and risk management, that is, increase of enterprise risk and development of internal audit itself require internal audit participate in process of risk management. It is specifically introducing cases

of internal audit and risk management under ERM framework. Sixthly, it is deeply probing the specific countermeasures which perfect internal audits participation in risk management under ERM framework. Four major aspects are included: 1. perfect laws and regulations, complete criterion system; 2. Define objective of internal audit, cultivate idea of risk management; 3. Extend internal audit function, blend in risk management comprehensively; 4. Strengthen construction of audit team, improve quality of auditors. Finally, it is conclusion that comprehensively summarizing innovations and shortcomings of this Thesis.

CHAPTER 1: INTRODUCTION

1.1 Research Background

Since 21st Century, along with increasing development of information technology and continuous change of competition environment, all kinds of risks enterprises are confronted with have increased continuously, especially, various crises which have broken out continuously have caused great losses, and people have come to realize that it will bring some unexpected losses to enterprises if these risks cannot be controlled effectively, just then, the risk management has started. When risk management is developed continuously, it is inevitable to establish risk management framework. Having made great efforts for more than 3 years, America COSO (Committee of Sponsoring Organizations of the Treadway Commission) issued Enterprise Risk Management---Integrated Framework (ERM Framework for short) in Oct.2004, which has made more enterprises realize the importance of risk management, and offered reference for enterprises to prevent and avoid risk . In 2008, America's subprime crisis erupted global financial crisis, whose great losses shocked the whole world, not only exerting a severe influence on financial market of America and Europe, but also having a great impact on the Asian-Pacific region, which made us realize the significance of risk management again. Facing global financial crisis this time, enterprises have profoundly realized that strengthening risk management and control as a whole should be taken as a compulsory course, which should be passed successfully. In new definition, internal audit is extended to fields of risk management and corporate governance, which thinks that internal audit plays an important role in evaluating effectiveness of risk management, internal control and governance process, therefore, internal audit will play the important part of pushing forward and promoting enterprise risk management, besides, risk management has become a part of internal audit, under the very underground, the thesis studies internal audit's participation in risk management based on ERM framework.

1.2 Research Objects

With development of economy, environment of competition has been more and more fierce, issues on internal audit and risk management has been paid attention increasingly, internal audit's participation in risk management is objective need of economic society functioning and also an inevitable selection when internal audit is grown up to a certain stage, with important theoretical value and practical significance, this Thesis studies internal audit's participation in risk management systematically under ERM framework issued by COSO, the research object is reflected in the following aspects:

(1) Internal audit's participation in risk management is objective requirement to complete audit mission satisfactorily. Audit engenders along with generation of accountability, as an independent and objective confirmation and consultation activity, internal audit develops along with development of accountability as well. During unceasing change of economic environment, demand of enterprise development has made internal audit turn to paying close attention to commissioned management responsibility from commissioned financial responsibility, object of internal audit has extended to internal control and now to field of risk management from financial accounts, uncertainty of risk has appealed to participation of internal audit, therefore, internal audit's participation in risk management becomes a trend of enterprise development, and also the objective requirement to complete audit mission satisfactorily.

(2) Internal audit's participation in risk management can offer basis to enterprise management and decision. Complexity and variety of risk requires the enterprises control risk, as a management mechanism, internal audit examines and evaluates all business of enterprises, hence, it can distinguish and assess risks and push forward relevant advice in the large, which supplies basis on which enterprises management
10

layer makes management and decision.

(3) Internal audit's participation in risk management is an effective way to realize rise in enterprise value. Only know relationship between internal audit and risk management well can enterprises realize target better, only define motive of internal audit's participation in risk management and play full and positive role of internal audit in risk management, can enterprises help to distinguish and evaluate important risk factor, thus, promoting enterprises to perfect risk management system so that enterprises avoid, transfer and control risk effectively and improve enterprises' whole benefit and efficient performance, finally adding value to enterprises.

(4) Internal audit's participation in risk management is the important guaranty of enterprise development. At present, the independence and authority of China's internal audit has not been very high, boundedness has existed in scope and effect of internal audit's participation in risk management, so it will still encounter various obstacles in practice. Therefore, enterprise development requires internal audit participate in risk management, internal auditors should strengthen consciousness of risk, master risk assessment methods, improve comprehensive quality and then fully evaluate enterprise risk, thus, offering guaranty to enterprise development.

Consequently, based on ERM framework issued by COSO, this Thesis studies on internal audit's participation in risk management, which has theoretical value and also profound practical significance.

1.3 Research Method and Structure

1.3.1 Research Method

The main study methods this Thesis adopts:

11

(1) Method of literature consultation. Consulting Chinese and developed countries relevant literature on internal audit and risk management, processing, settling and systemizing the literatures so as to obtain the contents which have study value on this Thesis, on basis of processing

(2) Method of comparative analysis. Introducing, comparing and analyzing current situation of Chinese and developed countries study on internal audit and risk management, and comparing and analyzing successful case and failed case, so as to obtain experience and enlightenment we can use for reference.

(3) Method of summary and conclusion. Introducing components of ERM framework, so as to summarize procedures and contents of internal audits participation in risk management comprehensively and systematically, and to put forward relevant countermeasures for development of internal audits participation in risk management in future

(4) Method of chart presentation. Presenting the statistical result of questionnaire in chart, so as to find out the problems existing in Chinas internal audits participation in risk management at present more clearly

1.3.2 Research Structure

The study content of this Thesis is mainly divided into seven parts:

Part I it is introducing background of the topic, study objectives, study method and content. In the meanwhile, it summarizes the current situation of developed countries about internal audit and risk management.

Part II it is suggested that elaborating relevant theory on internal audit and risk
12

management under ERM framework. After stating internal audit and risk management as a whole, this part introduces background and components of ERM framework, defines internal audits role in ERM framework, and finally indicates the effect internal audit exerts on risk management under ERM framework.

Party III it is studying on procedures and contents of internal audit and risk management under ERM framework. The specific procedures include eight aspects: assess enterprises internal environment, assess enterprises objective setting, distinguish enterprises risk event, confirm enterprises risk assessment, inspect enterprises risk reaction, track enterprises control activity, evaluate enterprises information and communication, and supervise enterprises risk management.

Part IV through survey, it is comprehensively analyzing current situation and cause of internal audit and risk management under ERM framework.

Part V it is conducting a survey on Chinas current situation of internal audit and risk management at present in form of questionnaire and analyzes results. After that, specifically analyzing two causes of internal audit and risk management, that is, increase of enterprise risk and development of internal audit itself require internal audit participate in process of risk management. It is specifically introducing cases

of internal audit and risk management under ERM framework

Part VI it is deeply probing the specific countermeasures which perfect internal audits participation in risk management under ERM framework. Four major aspects are included: 1. perfect laws and regulations, complete criterion system; 2. Define objective of internal audit, cultivate idea of risk management; 3. Extend internal audit function, blend in risk management comprehensively; 4. Strengthen construction of audit team, improve quality of auditors.

Part VII it is conclusion that comprehensively summarizing innovations and

13

shortcomings of this Thesis.

14

CHAPTER 2: LITERATURE REVIEW

15

2.1 Introductions of Internal Audit and Risk Management

It has changed continuously since IIA made the first definition in Internal Audit Job Description in 1947, along with deepening study on internal audit and change to adapt internal audit environment, the definition of internal audit has been revised for 7 times successfully (IIA, 2004a). The modification and development of this definition has recorded how internal audit develops in detail.

Having been revised for seven times, internal audit was latest defined as: internal audit is an independent and objective confirmation and consultation activity. It evaluates and improves effect of risk management, control and governance process by using systematic and normative ways, with the purpose of helping improve enterprise state of operation and increase value for enterprise (IIA, 1999). This definition was the first to list risk management and governance process in internal audit definition and put it the first place, on one hand, it reflected that internal audit had been attached importance increasingly along with development of society, and range of internal audit had been expanded as well, on the other hand, it illustrated that internal audit was in a transitional period at present, that is, transition from paying attention to control before to risk management in audit operation flow, making risk management a core and emphasis of internal audit.

In ERM framework, risk management is defined (Gramling et al, 2006) as: "enterprise risk management is the process which is participated jointly by enterprise board of directors, management layer and other personnel, applies to enterprise strategy formulation and various administrative levels and departments of enterprise, is used to distinguish matters which are likely to cause potential influence on enterprise and to control risk within its risk appetite, and offers reasonable guarantee for enterprise to achieve the goal."
16

It can be seen from the definition, risk management is a dynamic process, and a way taken to achieve some result, as a daily management of enterprise, risk management may involve every employee of enterprise, therefore, every employee has responsibility and obligation to participate in risk management.

2.2 Background and Components of ERM Framework

2.2.1 Background of ERM Framework Since entering into 21st Century, because market environment has changed a lot, customer demand has diversified and individualized, enterprises are faced with a rapid and unpredictable buyer's market, whose external environment has much greater risk of uncertainty than usual, these influences exerted by internal and external factors make enterprises begin to value risk, and risk management Fraser et al, 2007). According to investigation made by IIA (2004b) to American board of directors and board of auditors, enterprise risk and risk supervision come out top of focus matters. Since a string of financial scandals at Enron Corporation, shareholders required more transparent risks enterprises are faced with effectiveness of enterprise risk management procedure, reliability of report and target. They appealed to use new laws, regulations and listing standard to strengthen corporate governance and risk management (Donnelly et al, 2003). Meanwhile, worldwide securities exchanges published many rules which strongly suggested board of directors or management layer confirm the risk in public that they had learnt and enterprise had been faced with currently and in future, besides. Enterprises had taken appropriate effective measures to control these risks (Cohen et al, 2004). Among all kinds of business activities of enterprise is there relativity which may result in natural hedging of various risks, and mutual reinforcement. Therefore, all kinds of risks enterprises are faced with should
17

be controlled comprehensively instead of partially, only risk's overall effect on enterprise is considered adequately can benefit of risk management be increased really (DeZoort et al, 2002). At this time, a universal risk management framework is needed to help enterprise establish effective risk management procedure. Having made great efforts for more than 3 years, America COSO issued Enterprise Risk Management---Integrated Framework (ERM Framework for short) in Oct of 2004 on the basis of Internal Control Integrated Framework, which mainly summarized comprehensive risk management practice that global transnational corporations had applied for years.

2.2.2 Components of ERM Framework According to ERM framework issued by COSO (2004), this thesis summarizes the components of ERM framework as three-four-eight, that is, three dimensionalities, four objectives, eight factors.

a. Three dimensionalities

ERM framework includes 3 dimensionalities: risk management objective, risk management factor, hierarchy of enterprise.

(1) Risk management objective (Bailey et al, 2007) is much related to organizational risk requirement, which decides organizational business operations' tolerance to risk, goal must be defined before management distinguishes risk and takes measures to avoid risk.

(2) Comprehensive risk management factor is integrated with enterprise management process (Ahlawat et al, 2004).

18

(3) Hierarchy of enterprise includes senior management, functional departments, service lines and subordinate subsidiaries (Adamec et al, 2005).

b. Four objectives

Risk management includes 4 objectives: strategic objective, operations objective, report objective, follow objective (Gray, 2000).

(1) Strategic objective, the highest level of organization, is the extent enterprise asks to achieve and effect enterprise asks to obtain during implementation of its mission in specific period with the consideration of possibility of internal and external environment condition, in line with enterprises' management idea, future expectation and development direction (Raghunandan, 2001).

(2) Operations objective is the objective enterprise formulates for utilizing resources fully and effectively (Keey, 2003).

(3) Report objective is a standard formulated by enterprise for reliability of assessment report (Bou-Raad, 2000).

(4) Follow objective is a standard formulated by enterprise to see laws and regulations can be followed or not (Cai, 1997).

c. Eight Factors

Risk management includes 8 factors: internal environment, objective setting, matter identification, risk assessment, risk reaction, control activity, information and communication, monitoring (Papas, 1999).

(1) Internal environment. Internal environment is the foundation of other factors of

19

risk management, including much content, such as, idea of risk management, risk culture, risk appetite, organization structure and value of board of directors (Spira et al., 2002).

(2) Objective setting. When formulating overall objective of enterprise, directors should select appropriate strategy and confirm relevant objectives according to the task defined by enterprise, as well as disintegrate the objectives to each level gradually and put them into practice. Only objective which is accurate and accords with enterprise development can offer guidance to direction of enterprise management, therefore, setting of objective is of great importance (Sawyer, 2003).

(3) Matter identification. Management of enterprise should, from perspective of the whole enterprise, combine enterprise objective, strategy and relevant policy to identify all potential matters that are likely to exert an influence on corporation. These potential matters may bring negative effects, and also positive effects, or both. Those matters having negative effects on enterprise are called enterprise risks, and enterprise should assess them and take measures to cope with risks; matters having positive effects may an opportunity of enterprise and also matters counteracting negative effects (Spencer et al., 2005).

(4) Risk assessment. Management should assess risk from two aspects of possibility of risk occurrence and extent to which risk exerts influence on enterprise (Leung et al., 2003). The way of risk assessment can use quantitative method or qualitative method, quantitative method means to apply quantity method to assess and describe possibility of risk occurrence and extent to which risk exerts influence, such as, computer analysis, statistical analysis. Qualitative method uses qualitative term to assess and describe possibility of risk occurrence and extent to which risk exerts influence, such as, questionnaire, SWOT analysis, and flow table. Because risk is difficult to quantify, and it is difficult to obtain data during quantitative assessment, qualitative method should be used generally (Power, 2004).
20

(5) Risk reaction. Management should take measures to cope with risks in accordance with enterprise risk appetite and within acceptable risk tolerance (Knechel et al., 2007). The strategies coping with risks mainly include risk control, risk reduction, joint risk and risk acceptance.

(6) Control activity. Control activity, existing in each level of enterprise, is relevant policy and procedure formulated for guaranteeing that risk solutions are carried out correctly (Eleftheriadis, 2006).

(7) Information and communication. Enterprise should deliver the financial and nonfinancial information to the staff within some time, so that they can work and feed back to higher authorities if any problem (Simkins et al., 2008). In this way, the information transfer between subordinate and superior can generate effective communication.

(8) Monitoring. Monitoring for enterprise risk management refers to a process of assessing and operating risk management factor as well as quality of implementation within a period (Hershey, 2007). Enterprise can supervise risk by two ways, that is, continuous supervision and individual evaluation, both in order to guarantee that enterprise risk management gets implemented continuously in each department (Griffiths, 2006).

As an organic whole, these 8 factors of comprehensive risk management are interacted and mutually restricted. As the foundation of risk management factors, internal environment decides the setting of risk management objective, while the setting of risk management objective is the premise of risk identification, risk assessment and risk reaction, which, as the specific flow, are guaranteed by control activity, information and communication are the media to guarantee implementation of risk management, while monitoring is re-controlling of risk management system (Beumer, 2006). Therefore, these 8 factors are interacted and dynamic process.
21

2.3 Internal Audit's Role in ERM Framework

2.3.1 Factors Affecting Internal Audit's Role in ERM Framework

a. Independence and Objectivity of Internal Audit

Internal audit is an "independent evaluation activity" (Gramling et al, 2006). The independence is unworldliness of audit subject and also fairness in spirit, and has become the soul of internal auditors, internal requirement of internal audit work, and essential condition for internal auditors to survive (PPF, 2004). "Objectivity" means a just and impartial attitude in work, and a mental state (Olson et al., 2007).

The risk enterprises are faced with is increasingly greater today, as the expert of risk management. Internal audit has become the object of management consultation obligatorily. Management applies advice put forward by internal audit to enterprise operating activities, and then evaluates these activities so as to prevent potential risk (Liebenberg et al., 2003). Because of management's relying on internal auditors, important position of internal audit activity, and internal auditors' assessment on their own work results (Ghita, 2004), these require internal auditors be independent and objective, only in this way can they participate in risk management effectively.

b. Nature of Internal Audit Activity

Because separation of ownership of property and power of operation engendered accountability relationship, existence and development of accountability engendered objective requirement on audit, the form of agent economic supervision, internal audit was also engendered along with generation of accountability (McVay et al., 2005 ). Therefore, internal audit is an agent form of economic supervision, besides, along
22

with development of accountability, consultation function of internal audit has formed gradually, which makes internal audit an independent and objective confirmation and consultation activity (Srinivasan, 2004). Confirmation service (Anderso, 2003) is the independent opinion or conclusion issued to procedure, system or other matters after internal auditors assess audit evidence objectively. Consultation service (Goodwin, 2004) is consultative essentially, carried out generally according to specific requirements of customers. Nature and scope of consultation service should be confirmed after negotiation with customers, with the ultimate purpose of improving enterprise operation and increasing enterprise value (Abbott et al., 2000).

c. Change of Audit Demand

As overall merit and monitoring department of enterprise risk, how internal audit prevents risk effectively becomes internal need of enterprise (Willekens et al, 2003). Besides, independent status of internal audits also need that enterprise define what role exactly it should play in enterprise (Peel et al., 2003). Along with implementation of enterprise strategy management, risk becomes the foundation to decide direction of internal audit. Therefore, internal audit's participation in risk management offers opportunity to development of internal audit itself, and as an independent and objective confirmation and consultation activity. Internal audit is able to play a part to create more value for enterprise (Bockus et al., 1998).

2.3.2 Internal Audit's Role in ERM Framework

Based on adequate consideration of independence, objectivity and nature of internal audit can be seen that internal audit and risk management blend in each other and depend on each other (Stewart et al., 2006). When enterprise formulates risk management strategy, as a line of defense of risk management, internal audit can assess and monitor the whole process of risk management, but main responsibilities of
23

internal audit in establishment and prevention of enterprise risk management are to affirm the whole process of risk management (Kishal et al., 2006). And then evaluate its effectiveness, and report to management as well as put forward advice. Therefore, it can be said that internal audit's primary role in enterprise risk management framework is supervisor, and secondary role is consultant, coordinator and proponent (Yardmc, 2008).

Anything is not changeless, internal audit does not play a fixed role in risk management but to change along with continuous change of enterprise environment (Walker, 2002). When enterprise risk management procedure is imperfect, as a proponent, internal auditors can offer a proposal to management; when enterprise has difference in opinion during implementing risk management, as coordinator, internal auditors can play a part in coordination. When enterprise has some experience in risk management, and gradually become matured and stable, internal auditors can gradually turn proponent and coordinator into supervisor and consultant (Sobel, 2005). The following diagram reflects internal audit's role in REM vividly:

Report Relationship Layer

It needs to be stressed that responsibilities of risk management are mainly undertaken by management, internal audit doesn't shoulder main responsibilities on establishment of risk management system, internal audit can give advice and consultation to
24

enterprise risk strategy, but cannot offer guarantee to risk management and set risk tolerance as well.

2.4 Internal Audit's Effect on Risk Management under ERM Framework

Under risk-oriented mode, internal audit participates in risk management comprehensively, finds and evaluates important risk factors, assists organization in improving risk control program, becoming the key link of enterprise risk management system (Scarbrough et al., 1998). It is thus clear that risk management is the main responsibility of internal audit; internal audit is a method and means of risk management (Francis, 2004). With risk management-oriented internal control times coming, modern enterprise internal audit pays more attention to effective risk management mechanism and sound corporate governance structure besides traditional internal control. On concept of risk-oriented internal audit, annual audit plan is combined with the risk strategy of the highest level of corporate, internal auditors analyze the current risk to guarantee the consistency of audit plan and operating plan, and use principles of risk management to change process of examination and verification (Brody et al., 2000). Risk management becomes critical process of organization, the key work urging internal audit is not only test control, but also methods of confirming risk and testing management risk. In risk-oriented internal audit, control is still important, but internal audit focuses on analyzing, affirming and announcing critical operational risk, emphasizing risk aversion, risk deflection and risk control (Adamec et al., 2005).

1. Inspection and evaluation. That is, internal audit department applies audit means to inspect, evaluate and report sufficiency and effectiveness of enterprise risk
25

management system, and proposes opinions on improvement, as well as offers help to management or board of auditors(Bailey , 2007 ), mainly including: (1) evaluating whether enterprise strategic objective is formulated combined with risk appetite of enterprise itself based on analyzing development and trend of organization (Mutchler et al, 2001 ) and industry, strength and weakness of enterprise, external opportunities and threats. (2) Discussing department objective with relevant management, assessing whether the specific objectives distributed to departments are consistent with enterprise overall strategic objective and have enough support (Turley et al, 2004). (3) Evaluating whether management' identification and assessment on risk is appropriate or not Scarbrough et al., 1998). (4) Analyzing whether risk control measures are enough or not to make possibility and influence of risk being out of control within enterprise risk tolerance (Cohen et al, 2004). (5) Assessing whether risk monitoring program is carried out continuously and effectively or not, whether monitoring report and risk management report is sufficient and timely or not (Church et al., 1991).

2. Management and coordination. That is, internal audit uses its superiorities to take an active part in establishment of enterprise risk management system, distinguishes, analyzes, coordinates and controls various risk factors, and offers the effective proposals to control risk (Valentine et al., 2002). (1) In organizational structure of enterprise, internal audit has relative independence, can and is able to distinguish and evaluate risk clearly from objective and open angle, in perspective of the present interest and reality of organization, and offers effective proposals to prevent risk (Nielson et al., 2005). (2) Relying on comprehensive and in-depth understanding on enterprise, and special status which can make influence on decision layer, internal audit takes an active part in establishment of enterprise risk system, organizes, controls and coordinates elements of risk control, promotes that the audited department and even the whole enterprise improve efficiency and effect of risk management continuously.

3. Consultant and consultation. That is, internal auditors assist enterprise in

26

confirming method and control measures of controlling risk, as the consultant, and evaluate its rationality and effectiveness (Kizirian et al, 2004). (1) Internal audit has superiorities which others cannot reach in understanding organization and insight into risk, so internal audit can actively assist enterprise in establishing risk management system or making us possible in forms of suggestion or consultation (Fatemi et al, 2000). (2) In terms of improve effect and efficiency of enterprise risk management process, internal audit can integrate inside and outside resources of enterprise, efficiently assist management or board of auditors in inspection, evaluation and proposal (Hoelter, 1983). (3) Internal audit can use professional knowledge to conduct risk assessment and control training so that consciousness of risk runs through each layer of enterprise, forming the all-around risk management gradually participated by the entire personnel in overall process (Julien et al, 2008). (4) The status of internal audit helps it make an in-depth study on overall risk of enterprise, and use modern technology to develop risk identification, assessment tool and control method suitable for the enterprise (Lindow et al., 2002).

4. Report and prevention. That is, internal audit delivers and supervises and urges to put achievement of risk audit into practice timely so that various risk factors are controlled and prevented effectively. How audit finding is delivered, how audit achievement is used and how fraud risk is prevented will directly concern internal audit's value and effect in risk management supervision system (Viator, 2001). (1) Internal audit communicates with relevant departments on risk management matters in due time, inspects, evaluates and reports sufficiency and effectiveness of risk management process, as well as reports the major audit finding and makes follow-up audit on rectification according to the clear delivery line, so that risk is controlled and prevented effectively. (2) Internal audit can use its superiorities to drive risk management consciousness to be part of enterprise culture while internal audit applies technical means to assess sufficiency and effectiveness of risk control procedure, thus constructing protective screen of risk prevention of enterprise ideologically.
27

2.5 Summary on Current Situation of Study around the World

2.5.1 Summary on Current Situation of Study by American and European Countries

The seventh definition of internal audit made by Institute of Internal Auditors (IIA) in June 1999 was the start at which American and European countries theoretically study on internal audit and risk management. The seventh definition (IIA, 1999) thinks that internal audit is an independent and objective confirmation and consultation activity. It evaluates and improves effect of risk management, control and governance process by using systematic and normative ways, with the purpose of helping improve enterprise state of operation and increase value for enterprise. The new definition extends the range of internal audit to the field of risk management, and begins the prelude of the study on relationship between them (IIA, 2001).

Risk Assessment and Risk Management Audit, written by William RKinney Jr, considered the relationship between internal audit and long-standing business strategy and continuous implementation, he (2000) pointed out, as an early warning tool, risk plays an important role in forecasting strategy and carrying out changes, puts forward integration of administrative decision, risk management and internal audit according to structure of comprehensive risk management.

In 2002, IIA pointed out in its research conclusions named ERM Trends and Emerging practices conclude, enterprise risk management will be the major part of organizational management process in 21st Century, which will not only effect how company is appointed by organization as chief risk officer to report to CEO and president, but also affect the performance of internal audit.

In 2004, COSO pointed out in its Enterprise Risk Management---Comprehensive Risk

28

Management Framework, internal auditors inspect, assess and report sufficiency and effectiveness of risk management process as well as offer a proposal so as to help enterprises board of directors, board of auditors, management layer to fulfill their obligation, therefore, internal auditors have played increasingly important role in risk management.

Robert. R. Moeller (2005) pointed out in Brinks Modern Internal Auditing, risk management is the constituent part of internal audit plan assessment process, internal auditors should use an official process to help understand risk and try best to focus the work on high-risk field.

The representative viewpoints from American and European scholars on internal audit and risk management: in process of enterprise risk management, on one hand, internal auditors assess enterprises internal environment, distinguish enterprises risk events, inspect enterprises risk countermeasures and evaluate key risk report so that enterprises risk gets effectively controlled, thus guaranteeing that enterprise runs effectively (Libby et al, 2004). On the other hand, internal auditors assist enterprise in formulating relevant risk management strategy, direct to formulate relevant risk countermeasures and strengthen enterprises report on risk, so as to offer consultation service better to enterprise risk management. However, to guarantee independence and objectivity of internal audit cannot be harmed, internal auditors cannot set risk appetite, guarantee risk for management layer, make decision on risk reaction, and cannot carry out risk countermeasures and undertake responsibilities on risk management on behalf of management layer.

2.5.2 Summary on Current Situation of Study by China

Chinas theoretical and practical study on internal audit and risk management started later, having quite a gap from advanced level of America and Europe, in general, it
29

can be the introduction and elaboration of research achievement and practical experience of America and Europe only.

Lin et a. (2004) pointed out that the integration of risk management and internal audit was the objective requirement for enterprise to improve efficiency of operation and management and inevitable outcome of enterprise pursuing its development, it was the need to improve corporate governance and to reduce transaction cost, enterprise risk management and internal audit had gradually blended in each other, depended on each other and developed continuously. When formulating enterprise risk management strategy, many enterprises took internal audit as an important defense line of risk management, and the whole flow of risk management was assessed and monitored by internal audit. He also stated that enterprise operation objectives must be taken as start of internal audit to establish enterprise risk management data and risk early warning system so as to improve organizational size and personnel structure of internal audit.

Tan (2006) analyzed superiority of internal audit's participation in risk management, stated internal audit's participation in risk management was beneficial to existence and development of internal audit and further corporate governance as well, meanwhile, the writer raised that internal audit should actively put forward relevant advice on process of establishing risk management to management layer, should participate in process of argumentation on feasibility of risk management scheme, should distinguish and analyze specific risk items as well as carry out tracking management for risk.

Wang (2009) indicated that internal auditors were potential important stakeholders and participants of risk management. Risk management exerted a profound influence on process of internal audit, while internal audit confirmed and evaluated process of risk management, its duty was to re-manage risk management actually.
30

Modern Enterprise Risk Management Audit, written by Chen (2009), was honored as "China's first book on modern enterprise risk management audit", the writer made a more comprehensive discussion on method of modern enterprise risk management, and structured frame of modern enterprise risk management audit.

Lin et al. (2009) raised that with a view to specialization and objectification, internal audit should play an important role in affairs on relevant risk management, and introduce maturity model of ERM. He analyzed internal audit and corresponding dynamic role at each stage of maturity model of ERM.

Liu et al. (2011), from the role of internal audit under ERM framework, analyzed the specific approaches to internal audit's participation in risk management under ERM framework, one was to develop risk management audit, the other was to develop risk-oriented audit.

In conclusion, Chinese and American and European theory circles and practice circles have paid sufficient attention to internal audit's participation in risk management, and have made systematic and extensive study, this Thesis will study on internal audit's participation in risk management, under guidance of ERM framework issued by COSO.

31

CHAPTER3: IMPLICATIONS OF THEORIES AND MODELS

32

3.1

Introduction

of

Internal

Audit's

Participation

in

Risk

Management under ERM Framework

Internal audit's participation in enterprise risk management has been paid greatly attention. ERM framework issued by COSO indicates that function of internal audit is "to help management and president or board of auditors through inspection, assessment, report and proposal to conduct effective enterprise risk management." Conceptual framework of enterprise risk management includes eight constituent parts: environmental analysis, objective setting, event identification, risk assessment, risk reaction, control activity, information and communication, supervision and review. Functional role of internal audit in enterprise risk management should be limited in supervision and review, the last constituent part of conceptual framework of enterprise risk management. This Thesis puts forward here that internal audit plays confirmation and consultation part in elements listed in conceptual framework of enterprise risk management, as shown in Chart 1. This Thesis has emphasis on discussing in which way internal audit plays confirmation and consultation part in conceptual framework of enterprise risk management.

33

Chart 1: Way of Internal Audit's Participation in Enterprise Risk Management

3.2 Association with Corporate Objective, Strategy and Risk

Enterprise objective, strategy for implementing objective, and business model and process needed by strategy implementation are decided by enterprise managers and board of directors, it is duty of managers and board of directors instead of internal
34

audit. Internal audit is responsible for systematically associating enterprise strategy, business model needed by strategy implementation and risk preventing objectives from realization so as to guarantee strategy and business model can cope with risk.

(1) Internal audit should first list all the key success factors which make objectives come true and risk factors which may prevent from success. Then, internal audit should list identified key success factors and risk factors (internal and external) which may prevent from success one by one, and analyze and judge to which extent risk factors affect objective realization from perspective of enterprise objective and organizational objective. Including:

Listing enterprise strategy, so as to analyze strategy appropriateness and competitive intensity by combining with current environment. Listing all assets. Listing personnel condition, so as to analyze their quality and morality. Listing other facilities and conditions: substance, nature, law, political

environment, etc.

Internal audit should formulate capability factor judgment chart as shown in table 3-1, and analyze physical truth of current capability. According to structure of current capability, internal audit should measure performance of various factors. After summarizing, enterprise key success factors and risk factors can be clear at a glance.

Performance of Current Capability Factors Capability Very Good 1. Popularity and Reputation
35

Good

Nor mal

Bad

Very Dad

2. Market Share Marketin3. Product Quality g 4. Cost of Production

Capabilit5. Cost of Distribution y 6. Sale 7. Capability of Study,

Development and Innovation 8. Geographic Advantage 9. Advantage of Raw Materials Table 3-1 Capability Factor Judgment

(2) Internal audit should establish risk analysis matrix and associate enterprise objectives with potential risks. As shown in Table3-2, define enterprise objective, business model and process which are confirmed by managers and board of directors, summarize the judgment of capability factors so as to get potential risks existing in enterprise, internal audit should establish risk analysis matrix, which associates enterprise strategic objectives and business model with potential risks.

Strategic Objective/Business Model

Potential Risk

Connection

Products are not good for If managers make wrong sale caused by change of decision, Development Products of New consumer demand and fails to

develop new products, it will bring losses to

enterprise, the amount of losses ascertained less cost of competitors Competitive Advantages
36

should

be

If the cost is lowered blindly regardless of

of Low Cost

condition itself, it is likely to make profit negative

Using

Financial Affairs Excessive liabilities cause If it is used properly and business failures the loan is repaid on schedule, it will get high profit Table3-2 Risk Analysis Matrix

Fully and Boldly

(3) For the enterprises which have not implemented risk management yet, internal audit should shoulder the responsibility on introducing enterprise risk management into organization, and develop special skill or knowledge on risk management and control to provide advice for managers and board of directors and to support its establishment of risk management training. For enterprises which have implemented enterprise risk management, internal audit should shoulder the responsibility on risk management training.

Assisting enterprise in establishment of risk management process

Internal audit can consider developing "corporatization" risk management process for respective enterprise. According to conceptual framework of enterprise risk management and the actual situation of the enterprise, enterprise internal audit department can help enterprise risk management department simplify eight procedures (environmental analysis, objective setting, event identification, risk assessment, risk reaction, control activity, information and communication, supervision and review) of enterprise risk management process into four procedures (collection of existing risk problems, risk analysis and assessment, summary of main business risk, specialized analysis of major risk problems and preliminary proposal on solution), as shown in Chart 2.

37

Chart 2: Enterprise Risk Management Procedure

Conducting risk management training

Though there are all sorts of books on risk management, few can be applied to specific enterprises. Internal audit knows enterprise best, so internal audit should develop risk management training products suitable for enterprise, and then, conduct training in different forms for different trainees of enterprise.

First, internal audit should know the purpose of risk management course training well, know importance of risk management well, introduce risk management mode of international relevant corporations, assist in risk management, and finally reaching operative objectives. Then, internal audit should carry out training mode in different
38

forms for different groups. For senior management, because it has few opportunities to come into contact with them and they have many affairs to handle, the slide of concise image should be adopted to tell them the main process of risk management; for middle management, because they are the major leading force of risk management, face-to-face advertisement and explanation should be adopted face to face; for executive staff of risk management, because they must be skilled in some technologies on risk management, training class should be adopted where they make practice and discussion, and take an examination to achieve the aim of training. For extensive employees of enterprise, in order to foster their risk responsibility and consciousness of risk, they should be trained in forms of articles published in enterprise's newspapers and periodicals, bulletin board and blackboard newspaper.

3.3 Monitoring Environment

Along with development of information technology, property and impact of enterprise risk have changed, which makes environment monitoring more and more important.

To monitor environment, enterprise's risk appetite should be defined first. Besides determining objective, strategy, business model and business process, managers and board of directors should determine how much risk they are willing to undertake to achieve the goal. This risk appetite is a constituent part of enterprise risk management environment. Internal audit does not need to formulate risk appetite, but needs to define risk appetite of managers and board of directors, and make regular comparison of risk assessment and risk appetite so as to offer limit to residual risk enterprise hopes to undertake. Internal audit should evaluate unit "inherent risk" and "residual risk" (acceptable risk after control activities are taken)

39

This part is about continuous monitoring on environmental change and accidental environment when environment assumed by enterprise conflicts with changes of external environment and enterprise business process, internal audit should offer feedback to managers and board of directors. Internal audit should list environmental factors for implementing monitoring, judge current situation of enterprise environment, monitor condition of environmental changes to forecast development tendency of environment. Table 3-3 analyzes situation of environment to help managers rethink. Analysis of external environment should be made as follows: first, judging current situation of industry development, forecasting development tendency. Internal audit should use information to analyze extent of competition among existing enterprises, new threats, products and service substitute, make situation analysis on environment of competition to position or reposition enterprise's competitive status of the industry in space and time. Second, analyzing customer demand, analyzing consumer's purchasing behavior is changing or not, considering suppliers' state, and helping the parties concerned find out the way and space to negotiate a price, contrasting performance recorded by business metering system to prospective performance in plan and budget and performance of competitors of the corresponding period. The different may result from changes of environment or business condition, so the differences and causes for differences should be decomposed. Contrast business data at the end of period to data planned at the beginning of period, and analyze the differences so as to conduct performance evaluation and assess risk of environmental changes.

Technological innovation of information technology has even changed optimal organizational form of some enterprises so that enterprises have to improve business efficiency through outsourcing activities. For this reason, outsourcing has increased risk of enterprise. Monitoring on outsourcing makes monitoring focus turn to error prevention from error correction, nipping in the bud. Internal audit should analyze changes of these environmental factors, further consider whether changes and control of organization structure's risk conform to changes of situation, and report analysis
40

result to management timely for reference when they make decision.

Environmental Factors Current Situation 1. Economic Development 2. Natural Environment 3. Supplier 4. Customer 5. Competitor 6. Social Public 7. internal functional departments Table 3-3 Monitoring on Environment Situation of Changes

3.4 Assessment on Internal Environment of Enterprise

Enterprise internal environment is the total of various elements owned by enterprise or elements in enterprise about business operation. The diagram is shown as follows:

41

Formulating Intention and Purpose

Sustainable Superiority Standard

Exploring Core Competence

Analysis On Value Chain

Core Competence (source of competitive advantage)

Capability (matching with resource)

Financial Resource

Tangible Resources

Material Resources

Resources

Organization Resources

Intangible Resources

Human Resource

Innovation

Enterprise Culture

42

It can be seen from the diagram that enterprise internal environment includes many elements, each of which contains indeterminate risk, when assessing enterprise internal environment, internal audit should consider the source of risks in different elements comprehensively.

(1) Enterprise Culture Accords with Enterprise Objective or Not

Enterprise culture is concentrated reflection of internal environment, formed in the long-term business process of enterprise, the values and spirit owned by enterprise different from other enterprises, the total of basic belief, values, life style, humanistic environment, and adaptive thinking and way of act. Enterprise culture generally connects closely with strategic objective of enterprise, strategic objective reflects core value of enterprise, core value of enterprise is the essential principle and driving force to realize strategy, however, not every enterprise culture can create value. When assessing enterprise culture, internal auditors should stress on evaluating what type enterprise culture is, whether enterprise culture accords with enterprise objective or not, whether enterprise culture can form dominant cultural atmosphere or not, etc.

(2) Enterprise Risk Appetite Accords with Enterprise Strategy or Not

In a broad sense, risk appetite is how much risk enterprise is willing to accept during realizing objective. Enterprise risk appetite is directly related to enterprise strategy, during formulating strategy, enterprise should combine established income of strategy with enterprise risk appetite to consider, with the purpose of helping enterprise management select the strategy which accords with enterprise risk appetite among different strategies. The judgment of management risk appetite concerns the judgments for all kinds of operational risk, financial risk, control risk and information risk degree which enterprise is faced with, therefore, when assessing management risk appetite, internal auditors should apply extensive knowledge and experience to estimate risk appetite comprehensively in terms of requirements of enterprise
43

objective, enterprise culture and enterprise stakeholder, hobby of enterprise management, so as to judge whether risk appetite of enterprise management accords with strategic objective of enterprise or not.

(3) Knowledge and Experience of Management Adapts to Enterprise Development or Not

As a part of internal environment, enterprise management is responsible for establishing enterprise risk management idea, confirming enterprise risk appetite, creating enterprise risk culture and combing enterprise risk management with relevant risk policy and procedure. In order to give full play to its responsibilities, knowledge and experience owned by management should fit with the present development of enterprise. Internal auditors must be able to judge whether the existing knowledge and experience owned by management can keep up with rapid expansion of enterprise, whether various trainings should be organized to strengthen their ability, and whether the ability is improved after training, etc.

3.4 Guaranteeing Integrity of Risk Event Identification

Identification of risk events is the foundation of the whole enterprise risk management. It means that enterprise risk administrative staff recognizes all kinds of risk factors existing in enterprise through systematically understanding and analyzing a large number of reliable information data. In order to have a full understanding of enterprise objective, strategy and plan as well as current inside and outside environmental condition, it is needed to identify all important events that are likely to bring negative effects to enterprise objective and identify all potential serious risks so as to guarantee integrity of risk outline. What's the most important to identification of risk events is the integrity of risk identification, which can guarantee that all important
44

risks are identified.

Integrity of risk event includes: risk identification is comprehensive or not; rationality of risks at all or different levels, scientificity for confirming controllable risk and uncontrollable risk. It requires that internal auditors use evidence obtained from inspecting and assessing identification of risk in units and departments concerned as well as offering a proposal by combining with formulation and layout of enterprise strategic objective so as to evaluate whether enterprise risk management flow can be able to complete risk management mission, objective and purpose. Internal auditors should study on concept and practice of management strategy so as to identify some risks. Internal audit should innovatively organize personnel with different background and professional knowledge to apply the activities, such as, "brainstorming method", "scheme construction", to generate the viewpoint of all possible risks. All kinds of templates (such as, flow chart, questionnaire) should be developed and used to reflect various possible risks. The confirmation of internal auditors' identification on risk event is shown as follows in Chart 3.

Chart 3: Identification of Risk Event Confirmation

45

(1) Related data acquisition

If internal auditors want to evaluate identification on risk event scientifically, relevant data should be understood first.

Define enterprise objective, property and scale of enterprise activities, make the key persons affecting activities certain.

Understand how much extent departments rely on each other in enterprise.

Obtain accounting record information of relevant activities, analyze risk control of activities, observe and study the efficiency and effect of activities.

Obtain balance sheet, profit and loss statement, cash flow statement, and statement of changes in financial position, analyze asset structure, quality and use effect, for example, analyze how much extent the financial objective is completed by marketing activity and influencing factors through profit and loss statement, analyze marketing activity's influence on cash flow through cash flow statement and statement of changes in financial position.

(2) Flow chart analysis

Flow chart is a way of reflecting enterprise business operations process by symbols and diagrams. Internal audit analyzes business process of enterprise to find out weak link of risk event identification and analyzes whether risk identification of business process is comprehensive as shown in Chart 4.

46

Chart 4: Flow chart analysis

(3) Risk analysis questionnaire formulation

For the potential risk which internal auditors can predict, internal auditors formulate risk analysis questionnaire to investigate the risk that enterprise activities are likely to encounter, and analyze the results as shown in Table 3-4.

Problems

Specific answer

Commentary internal audit

made

by

1. Enterprise environment (1) Whether to define the changes in terms of market size, growth rate, regional sales and profit of

enterprise products, main features and development

47

tendency of target market. (2) Whether to define

customer's attitudes toward enterprise and products, and what influence do these attitudes make on enterprise. (3) Whether to define laws and regulations as well as government policies' enterprise tactics. 2. Enterprise strategy (1) Whether enterprise with relevant on and

influence strategy

objective national

accords

macroeconomic

condition, and keeps pace with internal resource and enterprise adaptability to changes. (2) Whether relationship among enterprise

objectives are rationalized, whether the priority is confirmed. 3. Market (1) Whether marketing

objective is enough to
48

prevent that market is out of stock or products are overstocked. (2) Whether to define

market demand (3) How much profit at least enterprise can obtain in short or medium term, what opportunity can be offered to enterprise

development at a specified future date. (4) Whether to define

competitor's

products,

market position, marketing system, sales promotion, financial technology situation, and

management qualities, and natural resources. 4. Business organization (1) Whether to keep good communication cooperation and with

enterprise departments. (2) Whether the way and method department adopts to train, encourage,

supervise and evaluate its

49

employees is feasible. Table 3-4 Risk Analysis Questionnaires

(4) Risk questionnaire analysis

For the risk that internal auditors cannot foresee, internal auditors should issue the questionnaire on risk again which will be filled in by the personnel of the department surveyed so as to report the risk that may happen in department. As shown in Table 3-5, internal auditors get the questionnaires back and make statistical analysis to judge quality and effectiveness of the answers according to amount of issuance and questionnaire recovery, and then, make analysis on answers of questionnaires.

Risk location

Loss opportuni ty

Reas on for loss

Severity of loss

Credibil Loss ity loss estimat e of probabili ty estimate

Ris Advi k rat e ce made by intern al audit

Lin Loc k al

Be st

Wor st

Maxim um expecte d loss

Probab le minim um loss

Table 3-5: Risk Questionnaire Analysis

50

3.5 Confirmation of risk assessment

After all the potential important risks are identified, the grade of these risks should be measured, that is, the risks should be assessed, where internal auditors should confirm the risk assessment made by enterprise risk management department. In the activity of confirmation on risk assessment, internal audit should use management tool and technology to analyze risks and to promote risk identification and assessment. First, internal audit should analyze risk factor, collect relevant data and file them. Then, internal audit should make qualitative analysis and quantitative analysis on identified risk events, and make effective measurement on risk. In assessment, extent of adverse events relating to events should be paid attention to. Last, internal audit should make comprehensive evaluation; contrast the conclusion of internal audit department and enterprise risk management department so as to evaluate risk assessment.

(1) Risk factor analysis

First, collect relevant data and establish risk evaluation index system so as to establish scientific mathematical model. Marketing risk evaluation index system includes four major parts, risk of market segment, risk of marketing mix, risk of marketing personnel, risk of marketing information communication, as shown in Table 3-6.

Then, classify and file the data according to the characteristics or intervals. Collected data should have characteristics of integrity, unity, dependence and systematic, besides, human resources, financial resources and time should be arranged reasonably for filing the data.

51

Main factor layer

Sub-factor layer Risk of invalid market segment

Risk of market segment Marketing risk evaluation index system

Risk of wrong assessment of segment market Risk of target market selection Risk of market positioning Overall risk of marketing mix Product strategy risk

Risk of marketing mix

Price strategy risk Channel strategy risk Promotion strategy risk Ethical risk of marketing personnel

Risk

of

marketing Psychological risk of marketing personnel Market development capacity risk of marketing personnel

personnel

Risk

of

marketing Risk of market information distortion Risk of obstructed information channel Risk of market information communication failure

information communication

Table 3-6: Marketing Risk Evaluation Index System

(2) Effective measurement on risk

Degree of risk

Risk evaluation index system is preset in risk management, so enterprise risk management department can compare test value with normalized value and make early warning to specific risk. Internal auditors can adopt degree of risk to judge how
52

important the specific risk is, in the form of scoring. For example, five-grade grading method: "1 score" refers to the minimum risk, "5 scores" refers to the maximum risk, normalized value of risk degree for risk boundary point can be designated as "3 scores" or "2 scores".

Comprehensive analysis matrix on risk

If some risk events cannot be quantized in figures objectively in risk measurement, these possibilities will be described in subjective concept. If events are likely to happen, they will be called "possible"; if the events have potential or possibility to happen, they will be called "probably". Comprehensive measurement evaluation should be made aiming at risk factors according to risk characteristics (possibility, loss limit, frequency of occurrence) owned by risk factor. As shown in Table 3-7 Comprehensive Analysis Matrix on Risk, the risk is sequenced according to principle of risk priority so as to verify scientific risk assessment.

Possibility

Consequence Unimportant Minor (1) (2) S Secondary Major (3) H (4) H

Frequency Catastrophic High (5) H

(almost S

certain) B (probably) M C (possible) D (improbable) E (few) L L M S S L L S M L S S M H H S H H H Low Medium

Note: H refers to high risk; S refers to severe risk; M refers to medium risk; L refers to low risk Chart 3-7 Comprehensive Analysis Matrix on Risk
53

3.6 Inspection on Risk Reaction of Enterprise

Management should take corresponding measures to cope with risk according with enterprise risk appetite and within acceptable risk tolerance, the strategies for coping with risk mainly include risk aversion, risk reduction, joint risk and risk acceptance.

Risk aversion means taking steps to remove risk or reduce risk, what should be considered by internal auditors to use this method: firstly, risk aversion is not complete risk removal; secondly, risk aversion is the most economical, whose future income is less than control cost; thirdly, aversion of one risk may cause new risk. Risk reduction, also control risk, means reducing risk's possibility and influence or both, at this time, internal auditors should test and evaluate rationality of internal control design and effectiveness of execution. Joint risk means reducing risk's possibility or influence on enterprise through transferring risk or assuming risk with others. Risk acceptance means doing nothing but accept possible risk and influence, for every important risk, enterprise should consider all the risk reaction strategies, effective risk management requires that risk reaction strategies should be correct and proper.

Risk and benefit is balanced for implementation of each risk reaction strategy. Risk reaction of enterprise risk management framework divides risk into three types of risk benefit:

(1) Unconditional acceptance. Risk benefit relationship of this kind of risk is acceptable under existing size of measurement and probability level.

(2) Selective acceptance. Some risks have very large measurement size or probability, so that they cannot be accepted and restrained economically and effectively, thus beyond risk tolerance of organization, therefore, enterprise must give up relevant
54

plans to prevent from risk's influence or get rid of this kind of risk through preventing risk at the source. There are also some risks which enterprise encounters always, the balance of risk benefit is acceptable. However, if management doesn't take actions, it will not be acceptable.

(3) Conditional acceptance. Some risks can be transferred to others through insurance, hedging and derivative instruments, or be shared by means of joint operation, alliance and pricing. In order to judge whether risk management measures are proper or not, internal auditors should consider management's interest on risk appetite.

3.7 Evaluation on Enterprise Control Activity

After selecting and carrying out risk reaction measures, directors need carry out control activities or other activities which may alleviate risk so as to control risk in certain level. Enterprise risk control is the activity to control the whole risk of enterprise, inside and outside environment of enterprise has changed continuously and the risk enterprise is faced with has changed constantly as well, therefore, enterprise should control enterprise risk timely and accurately, and define rationality of risk countermeasures so as to confirm new risk agency method.

Enterprise risk control flow includes several steps, establishment of risk control system, implementation of risk control, tracking of risk control, evaluation of risk control effect. Enterprise risk control flow is shown in Chart 5. Establishment of risk control system and implementation of risk control should be completed by enterprise risk management department. Internal audit should track the risk control and evaluate its effect. Internal audit should test the effectiveness of these control procedures. Internal audit compares measured value with objective and restriction defined by
55

senior managers so as to monitor business. Internal audit knows the control activity well, if beyond the limit, internal audit should the deviation report to the senior managers so as to decide what to do next.

Chart 5: Enterprise Risk Control Flow

Generally, internal audit adopts flow chart method and questionnaire method to track and evaluate risk control. From the perspective of professional technology, flow chart is the most visualized and vivid method of describing risk control, contributing to finding the weak links in process of risk control. Questionnaire method can also be called "questionnaire", internal auditors list the problems of risk control test so as to obtain test result in forms of panel discussion, exchange, filling in forms, etc. Questionnaire mostly adopts questions and answers mode, taking "Yes", "No", "NA", as the alternative answers, the questions should be devised according to the respondents respectively.

56

Control activity refers to the policy and procedure which contributes to guaranteeing the implementation of management's instruction. Internal control includes general control and application control. General control makes overall control on enterprise business from perspective of environment control, while application control makes control in specific business process.

Internal auditors should evaluate rationality of control activity in the following aspects:

(1) Control measures for examining relevant transaction process. When examining relevant transaction process, internal auditors should guarantee that all procedures and documents for transaction are legal, and transaction objective accords with enterprise operations objective.

(2) General control and application control. Internal auditors should evaluate whether enterprise general control accords with strategic objective, operations objective and financial objective, whether application control is formulated under guidance of general control.

(3) Multi control. Multi control should be devised to avoid that a control measure is not able to find out the risk existing. It is simultaneously or alternately designed by authorization, performance evaluation, information processing, control of material object, separation of duty, etc.

3.8 Evaluation on Information and Communication of Enterprise

Along with approaching of information era, information has played increasingly

57

obvious and important part in business management, therefore, it is vital to obtain the useful information, when evaluating enterprise information, internal auditors should evaluate the value of the information first to see whether it is useful for development of enterprise, and then evaluate whether the information is delivered effectively and whether the information is communicated effectively among levels of enterprise.

Communication is a process of information transmission superficially, but in fact, communication has become a technology gradually, and is paid attention to by individuals and enterprises. According to the analysis on ten thousand personal files made by American famous Princeton University, "wisdom", "professional technology" and "knowledge" have played only 25% part in social success of individuals, and the 75% factor affecting personal success relates to good communication, and all the more so for enterprise, effective communication can affect operation state and future development of enterprise. Research states clearly that there is potential difference effect of communication in enterprise, that is, only about 20% of information from leadership can be delivered to the subordinates and be understood correctly, while subordinates' feedback information to the superior is not more than 10% of information, but, the efficiency of parallel communication can reach over 90%. Obstructed information transfer and poor communication will prevent enterprise from effective operation finally. Therefore, establishment of effective communication function is the safety valve of enterprise, when evaluating information and communication, internal auditors should judge whether the establishment of enterprise communication function is appropriate and the effect of communication is vigorous or not.

Enterprise staff should obtain the reliable information relating to risk management, in this way. Internal audit can participate in enterprises better. However, different staff demands different information, the ways of communication adopted among different tiers are different, internal auditors should balance it according to physical truth when evaluating information and communication.
58

3.9 Monitoring on Enterprise Risk Management

Internal audit's monitoring on risk management is actually the evaluation of management's performance on risk management, during this process, internal auditors need re-evaluating the process of risk assessment and offering improvement suggestion on enterprise risk management so as to realize rise in enterprise value.

Enterprises can supervise risk in two ways, that is, continuous supervision and individual evaluation, both of which guarantees that the enterprise risk management is carried out continuously in each department.

59

CHAPTER 4: METHDOLOGY

60

According to the aim of this research, it mainly analyzes the influence of internal audit participating in risk management. In order to achieve the correct results, this research has to focuses on quantitative and qualitative research methods. Considering the early literature work, the qualitative would be used to evaluate. Furthermore, considering selecting sample, it needs to use primary method to collect data such as quantitative research methods. In this research, there are four steps of qualitative research (Bryman and Bell, 2003), such as research design, methods of data collection, methods of data analysis and output. Therefore, the followings show research methods with these steps.

4.1 Qualitative Analysis

According to the qualitative analysis, it would collect relevant references about the effect of internal audit participating in risk management from websites, domestic and overseas electronic academic journals and databases and other materials, books and sums up the possible factors that can influence company development. The theory of this research is established from these possible influencing factors. The insight related to the topic from investigation has been provided by the literature cited. In addition, the evaluation of theories and models of ERP would be used for qualitative analysis to select variables. Through these models, the theoretical relationship based on the variables has been given. Otherwise, these models and theories could support the primary data and this research study would be more reliable with that.

4.2 Quantitative Analysis

In order to design the whole process of research, the quantitative analysis method should be considered. The primary data should be collected through a survey in China and involved different types of enterprises. The method of questionnaire is the best choice for this dissertation, because the primary data can be collected during some
61

SMEs. In this way, the current situation of internal audit participating in risk management can be investigated. In addition, the primary data has to collect from these companies. But if interview method has been selected, this will waste time and money for entrepreneurs and me. Therefore, questionnaire would be designed for this purpose and data collection from surveys will be analyzed through statistical software.

4.2.1 Data Collection

In terms of data, it can be collected from a questionnaire. The subject of the research was middle managers and above who would objectively evaluates members of senior executive team. Since the data needed were unavailable in public materials, the method of questionnaire was adopted to collect data. The theoretical part of the thesis has provided theoretical basis for questionnaire design and the questionnaire was worked out based on relevant references. Before formally distributed, questionnaires were adjusted according to results of preliminary test which was conducted in a small scale to ensure the validity of questionnaire. Final version of questionnaire was formed on that basis (Appendix).

The questionnaire consists of three parts. In the first part, the questions about basic situation have been asked including investigation on basic information of enterprises and individuals characteristic variables of enterprises include company type, basic information of internal audit department in the company, the education background of internal auditors and majors of internal auditors. In the second part, it focused on items often carried out by internal audit institution and factors restricting development of audit. For example, what internal audit institutions have carried out most is traditional financial audit, and what financial institutions only have carried out more are risk audit and internal control audit, governmental agencies and private enterprises have focused on accountability audit besides financial audit. Large proportion of traditional financial audit becomes the largest factor of restricting development of internal audit, auditors lack in skills also impacts development of internal audit. In
62

the third part, it would mainly talk about risk management system. Enterprises application of ERM framework issued by COSO is still in its infancy, and enterprises mostly control the risk according to Guidance on Comprehensive Risk Management of Central Enterprises issued by SASAC and condition of enterprise itself. Finally, it analyzes that the reasons of internal audits participation in risk management under ERM framework.

4.2.2 Sample

The status of internal audit and risk management of 100 enterprises was investigated in the form of network survey and written questionnaire. The questionnaire can be seen in Appendix. The purpose of this survey is to know current situation of internal audit and risk management of Chinese enterprises, due to limited time and funds, the enterprises inside of Beijing are mainly surveyed in forms of questionnaire and telephone, and enterprises outside of Beijing are mainly surveyed on internet. There are 100 questionnaires (70 inside of Beijing) in total are issued, of which, there are 71 effective questionnaires withdrawn (51 inside of Beijing), with efficiency of 71%. As Chinese enterprises have carried out internal audit and risk management not very perfectly at present, this questionnaire sets less and simpler questions so as to be answered by the people surveyed. ()

4.2.3 Inclusion Criteria

The inclusion criterion is defined that there is attention condition when the participants and enterprises are selecting for this survey. The participants are not retired and working in the selected enterprises.

The participants who have a strong business experience in China are familiar with Chinese culture.
63

The selected enterprises belong to small and medium enterprises.

4.2.4 Exclusion Criteria

Any participants who are not belonging to the scope of inclusion criteria have not been considered into this survey.

4.2.5 Data Duration

This research could be regarded as one-point-in-time study, because it should collect the data from the survey. In order to develop the findings, the sample size would be selected.

4.3 Limitations and Assumptions

This research study is very useful to explore the influence of internal audit participating in risk management, but there could be a few limitations for this study. The main limitation is about geography. Due to this survey existing China, the different background and culture of China may influence on the results of findings. In addition, due to individual work, selecting the whole Chinese SMEs is unpractical. Therefore, this sample size would be the limitation in this study. Moreover, the data from questionnaire is not accurate. This means that it cannot reflect actual situation of responders, because the same responders have different answers in different time for the same question. This is very subjective.

4.4 Ethical Issues

As conducting the research, different kinds of ethical issues could have done, but constant efforts would try to decrease these concerns. In order to avoid plagiarism in
64

the section of analysis, Havard reference will be used. Under the rules of Havard referencing, the whole literatures and sources could be referenced and cited. Due to entering the collected data to the SPSS software manually, inevitable errors could be occurred. When considering the confidential situation of responders, all the status of participants would be hidden and would not be mentioned the details such as name in the questionnaire. In order to avoid author individual interest influencing on investigators, the opinions of investigators would be respected and will be only used for this academic research.

65

Chapter 5: FINDINGS AND ANALYSIS

66

5.1. Results

a. Setting of Internal Audit Institution

The statistical result of the 71 questionnaires withdrawn shows that only 10 enterprises have set board of auditors, most of which are financial institutions, for governmental agencies and private enterprise, internal audit is mostly set together with other departments, such institution setting has badly impacted independent status of internal audit, so that the role of internal audit is difficult to play.

b. Education Background and Major of Internal Auditors

It can be seen from Table 3 that internal auditors with masters degree and doctors degree at present have accounted for only 20%, most of internal auditors are less educated, besides, accounting and auditing majors of internal auditors are dominant, accounting for nearly 70%, less than 10% for law majors, and even less for computer majors, such structure of major has restricted working scope of internal audit, and will impact the function of internal audit.

c. Items Often Carried Out by Internal Audit Institution and Factors Restricting Development of Audit

It can be seen from Table 4 that what internal audit institutions have carried out most is traditional financial audit, and what financial institutions only have carried out more are risk audit and internal control audit, governmental agencies and private enterprises have focused on accountability audit besides financial audit. Large proportion of traditional financial audit becomes the largest factor of restricting development of internal audit, auditors lack in skills also impacts development of
67

internal audit, besides, it can be seen from the survey result that internal audit is valued by the leaders but not implemented specifically.

d. Cognition of Risk Management and Establishment of Risk Management Framework

It can be seen from Table 5 that industries of different types have paid some attention to cognition of risk management, of which, 84.51% of industries think that it is necessary to control risk and establish risk management framework, which indicates that establishment of risk management framework has huge development potential, however, at present, most of institutions have just known the establishment of risk management framework, but not established it actually, only financial institutions have accounted for larger proportion of the establishment of risk management framework, which also brings challenge of the establishment of risk management framework.

e. Risk Management System or Standard Adopted

It can be seen from statistical result of Table 6 that enterprises application of ERM framework issued by COSO is still in its infancy, and enterprises mostly control the risk according to Guidance on Comprehensive Risk Management of Central Enterprises issued by SASAC and condition of enterprise itself.

f. Necessity of Internal Audits Participation in Risk Management

It can be seen from result of Table 7 that people have had specific cognition on internal audits participation in risk Management. however, specific implementation has made up half share of that of cognition, which has blocked the development of internal audit and risk management in future.
68

5.2 Analysis on Causes of Internal Audits Participation in Risk Management under ERM Framework

It can be seen from the survey result above that unreasonable setting of current Chinese internal audit institutions, internal auditors lack in comprehensive quality and backwardness of internal audit concept have restricted internal audits participation in risk management seriously, though people have gradually realized risk managements importance to enterprises, establishment of relevant risk management system is unable to keep pace, cognition of internal audits participation in risk management is even on the surface, in this section, the causes of internal audits participation in risk management will be analyzed specifically.

5.2.1 Change of External Environment Needs Internal Audits Participation in Risk Management

As the external environment has gradually been complex, such as, development and popularization of information technology, economic globalization and

internationalization, intensifying and aggravated competition among enterprises, diversified and individualized mode of business operation. Enterprises are faced with risks all the time. Therefore, intensifying prevention and control of risk becomes the priority of business management. Enterprise management should build consciousness of risk, and take risk aversion and response as the key to achieve the goal of enterprises.

Internal audit department is a functional department of enterprises, whose primary purpose is to improve operation condition of enterprises and then to add value for enterprises, therefore, internal audit department becomes the effective constituent part
69

of risk management, offering confirmation, consultation, suggestion to risk management department, and finally creates more value for enterprises together, which makes internal audits participation in risk management become an inevitable trend of development.

5.2.2 Development of Internal Audit Itself Needs Internal Audits Participation in Risk Management

As risk has been increased increasingly, enterprises have paid more and more attention to risk, which offers an opportunity of internal audit development. It can be seen from new definition of internal audit that internal audit has extended its range to the field of risk management, which makes internal audit participate in the whole process of risk management, and also give full play to internal audit. Therefore, in order to consolidate the status of internal audit, internal audit should get involved in risk management.

Internal audits involvement in risk management will assess enterprise risk comprehensively, and will provide consultation and suggestion for enterprises, which offers a platform for development of internal audit, and also the combination of the two can serve enterprises better.

5.3 Specific Cases of Internal Audit's Participation in Risk Management under ERM Framework

As competition among industries is increasingly fierce, management environment enterprises are faced with has been more and more complicated, and uncertainty of operational risk has increased increasingly, at this time, as the important constituent
70

part, internal audit should participate in process of risk management, and offer suggestion and consultation on efficiency and effect of enterprise risk management process through objectively identifying and evaluating risk. However, in reality, the cases of failure in risk management are very common, this section analyzes China National Petroleum Corporation's failure in risk management and Agricultural Bank of China, Beijing Branch's success in risk management so as to further define that risk management has become the key of enterprise management, and as an independent and objective confirmation and consultation activity, internal audit's participation in risk management has been imperative. However, this high growth has hidden the major risk behind.

5.3.1 Case of China Aviation Oil (Singapore) Corporation Ltd

China Aviation Oil (Singapore) Corporation Ltd was listed on the main board of Singapore Exchange on Dec.6, 2001. China Aviation Oil took up curb futures and options transaction since the latter half of 2003, and made a high profit from 200 barrels of oil trade at the first; rise in oil price in the first quarter of 2004 resulted in the hidden loss for 5 million USD, China Aviation Oil carried over the contract, and added to position of futures and options; in the second quarter of 2004, along with continuous rise in oil price, book losses of China Aviation Oil increased to 30 million USD, China Aviation Oil decided to carry over the contract after 2005, and increased volume of trade; in Oct. 2004, oil price set another record, at this time, the trade positions reached 52 million barrels of oil, and book losses increased again, during which, China Aviation Oil suffered market corner and repeated losses due to fail in adding cash deposit of contract; up to the end of November in 2004, China Aviation Oil was forced to file to Singapore's Court for bankruptcy protection after the total loss reached 550 million USD, which shocked the whole world.

Oil options speculation taken up by Singapore Corporation is prohibited by the

71

government of China. The immediate cause for bankruptcy of Singapore Corporation is the violations: 1. Having done what is prohibited by the state; 2. Curb exchange; 3. Having exceeded gross of spot transaction. The causes behind are that China Aviation Oil didn't have the essential consciousness of risk, but to believe its judgment; meanwhile, unsubstantial internal supervision and control mechanism also caused huge losses of China Aviation Oil. Having been engaged in the trade above for over one year, grown up into 52 million barrels of oil from 2 million barrels at first, Singapore Corporation hadn't reported to China Aviation Oil, and China Aviation Oil had not found it. Unfortunately, risk management system of China Aviation Oil and Singapore Corporation exists in name only. Singapore Corporation has established risk committee and formulated risk management manual (it stipulates that the losses over 5 million USD must be reported to board of directors), but actually, Singapore Corporation hasn't reported according to risk management manual, and China Aviation Oil hasn't adopted balanced way.

Price Water House Coopers employed by Singapore Exchange announced the investigation result which also confirmed that: risk of operation of China Aviation Oil is far more than what the corporation can undertake, it fails to supervise and carry out relevant trading limit, or fails to control extra trading of corporation; China Aviation Oil has a supervisory organ made up of department head, risk management committee and internal audit, but risk management system cannot be carried out effectively. Event of China Aviation Oil warns that consciousness of risk prevention must be strengthened, and risk assessment and handling mechanism must be established so as to guarantee the effective operation of risk management system; normative authorized approval system, risk loss settlement plan, accountability system, regular internal audit system, should be established; internal audit and self-assessment should play a role in supervision, reinsurance should be effected for internal risk.

72

5.3.2 Case of ABC Beijing Branch

ABC Beijing Branch (hereinafter referred to as "Beijing Branch") is the primary branch set up by Agricultural Bank of China in Beijing. Having set up branches again since 1979, staff of the whole bank has made great efforts to realize transition from state-owned specialized bank to modern commercial bank.

a. Comprehensive Risk Management System of Beijing Branch

ABC Beijing Branch pursues steady risk management strategy, lays stress on obtaining moderate returns by taking moderate risk, gives consideration to moderate scale, moderate speed and good quality, so that income and capital adequacy after risk is adjusted reaches good level.

Comprehensive risk management identifies measures and controls dominant or connotative risk of business operation timely by organically combining the elements, such as, risk management strategy, policy, organization, tools and team. According to principles of comprehensiveness, whole course and the entire personnel, so as to guarantee the whole bank's risk management is run effectively in terms of decision, execution, supervision, etc. Under comprehensive risk management system, board of directors shoulder the final responsibility of risk management, and board of directors executes relevant functions of risk management through subsidiary risk management committee and board of auditors.

From the whole system, primary branch establishes risk management department independently, secondary branch puts the department undertaking responsibilities of comprehensive risk management into practice, and begins to carry out the pilot assignment of risk principal and risk manager, where primary branch assigns risk principal to secondary branch, and secondary branch assigns risk manager to sub-branch, so as to gradually set up the comprehensive risk management
73

organization system with "centralized control, matrix distribution, comprehensive coverage and total involvement".

b. Internal Audit's Participation in Risk Management

ABC Beijing Branch adopts independent and vertical internal audit system, internal audit institution audits and evaluates the whole branch's operating management, operation and operating performance, and is responsible for and reports work to board of directors, accepts the instruction from board of supervisors, as well as accepts inspection, supervision and evaluation from board of auditors.

Internal audit institution develops various major audit project deeply and steadily, fully reveals and timely finds potential credit risk, operational risk, market risk, reputation risk, liquidity risk, strategic risk so as to help risk management department formulate risk management strategy timely to reasonably deploy economic capital and optimize asset structure, to realize the combination of capital adequacy level with shareholder value maximization.

It can be seen from ABC Beijing Branchs risk management system and internal audits participation in risk management that all the work of ABC Beijin g Brach has favorable development trend exactly under such risk management system. In order to strengthen standardized management of counter business of the whole branch and to prevent and control operational risk of counter, ABC Beijing Branch has organized and developed two-week overall inspection of the four major businesses of cash, negotiable document, important blank voucher and counter business seal throughout the province since December 24th 2010. This inspection object and scope includes all the vaults, teller cash cabinets, voucher bank and cash, negotiable document, important blank voucher and counter business seal of self-help equipment cash box. The inspection is conducted in the surprise way, the inspectors located avoid the inspection, all the organizations involving in the four major businesses are included in
74

the scope of the inspection, including external business institutions and internal institutions, and both institutions inspected and businesses inspected are covered comprehensively. Such activities have strengthened banks operations management, standardized business operation, improved control level, and effectively prevented and controlled the operation risk.

5.4 Enlightenment

It can be seen from the analysis on two cases above that risk management has raised extensive concern of people from all walks of life, but, due to uncertainty of risk, the way and method of risk management has also innovated and developed continuously.

CNPCs failure in risk management process has warned Chinese enterprises, which is worth our deep thoughts. On the contrary, ABC Beijing Branchs risk management system and internal audits participation in risk management has offered reference for development of Commercial Bank of China, and has also indicated the direction for development of Chinese enterprises. The following several enlightenments can be got from the analysis on these two cases:

Healthy and good risk management culture is the premise to improve ability of enterprise risk management. First, management should have clear and definite risk management strategy and specific and integrated risk management policy, as well as can deliver them to the staff of enterprise effectively.

Second, management should give priority to strengthening staffs consciousness of risk, so that the staff can pay close attention to risk, identify risk and prevent risk consciously during the process of business process. Besides, management should
75

intensify training, improve staffs skill and level of risk identification and risk prevention, and achieve omni bearing and sweeping comprehensive risk management. Furthermore, management should unblock the delivery and report channel of risk information, so that the staff can take the initiative to cope with the encountered risks reported by management.

Independent and objective risk management framework is the guarantee for effective operation of enterprises. Establishment and perfection of risk management system is a long-term and continuous process of keeping on development, effective foundation of risk management is the counterbalance of three powers (board of directors, board of supervisors and senior management) on decision, supervision and execution of risk management. Therefore, three in one risk management organization system (centering on risk management committee, coordinated by risk management department, carried out and implemented by operating department) authorized by board of directors should be established so as to offer guarantee for effective operation of enterprise better.

Risk management-focused performance assessment is the development direction of enterprise in future. At present, the performance assessment methods of Chinese enterprises include assessment of 360 degrees, balanced score card, grade assessment, management by objectives, all of which neglects risk management costs effect on enterprise business performance. As risk management concept is popularized in each tier and staff of enterprises, a set of scientific risk management assessment indicator needs to be introduced. There has been no such indicator system yet in China at present, so European and American performance assessment indicator on risk management needs to be introduced, Europe and Americas application of the indicator mainly reflects in financial industry, which quantizes predictable losses in future brought by risk into the cost of the current period so as to adjust profit of the current period directly, to measure the income after the risk is deducted, and to consider the capital reserve for risk, realizing linkage of income and risk. If this risk
76

management assessment indicator is introduced into Chinas financial industry, it will have significant meaning for improving the present performance assessment method.

Comprehensive risk management is the powerful foundation for enterprises to achieve the goal. What Chinese enterprises do to control risk is mostly to take measures to avoid risk when risk appears, but falls behind in establishment of risk early warning mechanism, besides, banking mainly controls the credit risk and neglects the control of operational risk, market risk, liquidity risk, strategic risk, etc, therefore, risk should be controlled fully so that the enterprise goal can be achieved better, but risk quantification is a little difficult, the risk data should be collected and systemized, in order to improve usability and reliability of the data, better risk quantification model should be selected, from the present circumstances of China, what China uses are primary quantification tools required by New Basel Accord, which relates to the backwardness of Chinese current risk management technology, and is selected after adequate consideration of national conditions of China.

77

CHAPTER 6: DISCUSSIONS

78

Countermeasures Perfecting Internal Audits Participation in Risk Management under ERM Framework

It can be seen from statistical result of questionnaire before and analysis on the two cases last chapter that there are many problems existing in internal audits participation in risk management at present, however, the problems of internal audits participation in risk management can be solved gradually along with practical development, as long as we deeply analyze the reasons in specific practice, positively explore new methods, sum up experience comprehensively, face reality calmly, and take the following countermeasures below.

6.1 Build and Perfect Laws and Regulations, Continuously Perfect Criterion System

As the highest law, Audit Law of Peoples Republic of China mainly aims at state audit but limited provisions for internal audit. Therefore, relevant law should be perfected and completed so that there are laws and rules for internal audit to follow. Specific provisions for internal audit are mainly reflected in Audit Office Provisions on Internal Audit, however, it is the level of laws and regulations, and cannot solve the new problems internal audit encounters in risk management. Therefore, aiming at the condition of Chinese internal audit, it is an urgent task to publish a specialized internal audit law.

In order to make internal audit participate in risk management better, enterprises must establish and perfect relevant risk management system on a strategic height, offering platform of internal audits participation in risk management. In process of specific implementation, we should use rules of international internal audit standard for
79

reference, absorb its essence to summarize Chinese effective internal audit experience, and keep pace with international internal audit standard in standard formulation in future. From the present circumstances, Chinese internal audit standard system is far away from international internal audit standard system, therefore, there is larger space in introducing essence of international internal audit standard system and relevant advanced internal audit concept, however, existing standard system should not be completed copied, laws and regulations should be perfected and standard system should be perfected according to Chinas specific environment.

6.2 Define Internal Audit Objective, Cultivate Risk Management Concept

As an independent and objective confirmation and consultation activity, internal audit evaluates and improves risk management and processes of control and governance by systematic and normative way, with the purpose of adding value and improving organizational operation. It can be seen from this definition that the objective of internal audit is to add enterprise value, the objective is consistent with objective of risk management, which makes status of internal audit promoted, besides, and internal audit lays particular emphasis on offering consultation service to directors based on supervision and evaluation.

In ERM framework issued by COSO, there is a new idea --- risk combination, that is, enterprise directors are asked to identify and control risks enterprise is faced with by the concept of risk combination. Risk management idea of an enterprise is the common faith and attitude of the whole enterprise and core value of enterprise, as well as decides development lifeblood of enterprise. Therefore, thinking on risk management should be run throughout each business link of enterprise, and enterprise
80

staff is asked to identify risk accurately, to build correct concept of risk, and to extend and inherit enterprise risk management culture.

6.3 Extend Internal Audit Function, Integrate Risk Management Comprehensively

It can be seen from definition of internal audit that functions of internal audit have extended to confirmation and consultation from supervision and evaluation, mainly with the purpose of meeting customer demand. Enterprise lives depending on customer satisfaction, if customer demand is not satisfied, enterprise will be sifted out in competition, therefore, internal auditors should take risk management as start, build service concept, extend functions of internal audit, and create value for enterprises better.

Internal audit department should give full play to its function under leadership of board of directors or board of auditors, as the important constituent part of risk management, internal audit should blend risk management in internal audit system, which can offer suggestion and consultation to process of risk management better, however, rights and responsibilities of internal audit and risk management should be separated so as to achieve goal of enterprise.

6.4 Strengthen Audit Team Construction, Improve Quality of Auditors

81

Internal audits participation in risk management is not only a science but also an art, needing versatile professionals. From the condition of Chinese internal auditors at present, most of them are experts in accounting and auditing only, but not proficient in computer, law, etc. Therefore, the following work should be done so as to make internal audit better participate in enterprise risk management: 1. versatile talents should be introduced to enrich the team of audit, such as, uniting environmental protection departments and social intermediary organizations, engaging lawyers, engineering technicians, architects, etc. 2. business quality of internal auditors should be improved, professional ability of internal auditors should be improved in the forms of reeducation or various trainings so as to completely change knowledge structure of internal auditors so that internal auditors turn into versatile talents who are proficient in knowledge of accounting and audit and also master management, information technology, law, from unitary talents who are skillful at knowledge of accounting and audit only. 3. Communication technique of internal auditors should be strengthened. Learn how to behave before action, internal auditors should learn how to get along with others so as to make a good job of audit. During auditing, internal auditors must have good communication skills and make efforts to get along with auditors or other persons needing service so as to analyze existing problems and to discuss the improvement measures together, thus, promoting business management, and achieving goals of enterprise value added.

82

CHAPTER 7: CONCLUSIONS

83

Internal audits participation in risk management is the new direction of internal audit development, offering opportunity to development of internal audit itself, and also challenge to development of risk management. Therefore, it is very necessary to research internal audits participation in risk management. Proceeding from relevant theory of risk management development, this Thesis elaborates background and constituent parts of ERM framework after introducing meaning of internal audit and risk management. Secondly, this Thesis elaborates procedures of internal audits participation in risk management under ERM framework, and next further deepens internal audits participation in risk management through two cases. Furthermore, it surveys current situation of Chinese current internal audits participation in risk management in the form of questionnaire, and analyzes the results, as well as reaches two reasons for internal audits participation in risk management. Finally, it puts forward solutions to internal audits participation in risk management. Under guidance of theory above, this Thesis reaches the following conclusions:

(1) As a new development trend, mainly starting with achieving enterprise objective and oriented by risk management, internal audits participation in risk management evaluates enterprise risk management process systematically and normatively, thus adding value for enterprise through giving play to functions of confirmation and consultation.

(2) Constituent parts are included by ERM framework have in eight aspects, one idea more than that of internal control framework, that is, risk combination, an objective refers to strategic objective, two concepts refer to risk appetite and risk tolerance, three elements refer to objective setting, matters identification and risk reaction. New ERM framework offers better environment to internal audits participation more comprehensively and reasonably.

(3) It can be seen from result of questionnaire that unreasonable setting of Chinese current internal audit institutions has affected independence of internal audit,
84

old-fashioned idea of internal audit has affected business operation, backwardness of internal audit methods has restricted its participation in risk management, and lower comprehensive quality of internal auditors has affected integral development of enterprise. Therefore, appropriate measures should be taken to improve current situation.

(4) It can also be seen from questionnaire that though many enterprises have realized the importance of risk management, the concept of risk management has not been fully introduced in specific operation process so that cognition comes apart from practice, meanwhile, it also explains that risk management will become the important task of enterprise, as the important constituent part of risk management, internal audit will have huge development space.

(5) Acceleration of internal audits participation in risk management has a long way to go. Different strategies should be taken to improve the process of its participation, and this Thesis should put forward four countermeasures: 1. Perfect laws and regulations complete criterion system; 2. Define objective of internal audit, cultivate idea of risk management; 3. Extend internal audit function, blend in risk management comprehensively; 4. Strengthen construction of audit team, improve quality of auditors.

Innovative Points of This Thesis

First, topic angle of this Thesis is novel, under condition of socialist market economy, only when the relationship between internal audit and risk management is known correctly can various enterprise objectives be achieved well, only the important position of internal audit in risk management is defined and internal audits positive role in risk management is given full play, can enterprise be helped to find and evaluate important risk factors and to promote enterprise to improve risk management system, thus realizing mastering and control of risk so that enterprise can avoid risk,
85

transfer risk and control risk effectively, as well as improve whole efficiency and efficient performance of enterprise.

Secondly, this Thesis knows current basic information on Chinese internal audit and risk management in the form of questionnaire. Survey result is shown in chart where the existing problems can be found out more clearly.

Besides, it further explains risk managements importance to enterprise through positive and negative cases.

Shortcomings of This Thesis

Due to my limited data and level of writing, there are many shortcomings existing in the research made by this Thesis:

First, in research methods, normative research method only, no empirical research, which makes some defects, exist in reliability of conclusion in this Thesis.

Secondly, in questionnaire, data is collected in a narrow scope, and fewer questions involved in questionnaire cannot include the current situation comprehensively, due to limited knowledge, reliability of questionnaire isnt detected, so that survey result lacks reliability.

Besides, as internal audit and risk management involve much subject knowledge, and the author has limited command of it, the Thesis is not studied very thoroughly, besides, due to lack in practical experience, the countermeasures raised finally are not comprehensive enough.

86

Reference

Ahlawat, S. S., and Lowe, D.J. (2004) An examination of internal auditor objectivity: In-house versus outsourcing, Auditing: A Journal of Practice and Theory, Vol. 23 No. 2, pp. 14-158.

Adamec, B. A., Leinicke, L.M., Ostrosky, J.A. and Rexroad, W.M. (2005) Getting a leg up, Internal Auditor, Vol. 62 No. 3, pp. 40-45.

Bailey, J. A. (2007) Best practices for internal auditor independence, Internal Auditing, Vol.22 No. 2, pp. 34-37.

Cohen, J., Krishnamoorthy, G. and Wright, A. (2004), The corporate governance mosaic and financial reporting quality, Journal of Accounting Literature, Vol. 23, pp. 87-152

DeZoort, F. T., Hermanson, D. R., Archambeault, D. S., and Reed, S. A. (2002) Audit committee effectiveness: A synthesis of the empirical audit committee literature, Journal of Accounting Literature, Vol. 21, pp. 38-75.

Donnelly, D.P., Quirin, J.J., and OBryan, D. (2003) Auditor acceptance of dysfunctional audit behavior: An explanatory model using auditors personal characteristics, Behavioral Research in Accounting, Vol.15, No. 1, pp. 87-110.

Fraser, I. and Henry, W. (2007) Embedding risk management: Structures and approaches, Managerial Auditing Journal, Vol. 22 No. 4, pp. 392-409.

Gramling, A. A. & P.M. Myers, (2006) Internal auditings role in ERM, Internal Auditor, Vol. 63 No. 2, pp. 52-58.
87

Institute of Internal Auditors (IIA), (1999) Internal Auditing Definition [online] Available: http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-aud iting/ [accessed 09 Aug 2012].

Institute of Internal Auditors (IIA), (2004a), The role of internal auditing in enterprise risk management [online] Available: http://www.theiia.org/guidance/standards-and-practices/positionpapers/current-positio n-papers/ [accessed 10 Aug 2012].

Institute of Internal Auditors (IIA), (2004b), COSO releases new ERM Framework [online] Available: http://www.theiia.org/guidance/additional-resources/coso-related-resources/coso-relea sesnew-erm-framework/[accessed 10 Aug 2012]. Raghunandan, K., Read, W.J. and Rama, D.V. (2001) Audit committee composition, gray directors and interaction with internal auditing, Accounting Horizons, Vol. 15 No. 2, pp. 105-118.

Gray, I. and Manson, S. (2000) The Audit Process. Principles, Practice and Cases, 2nd edition,Thomson Learning, U.S, pp. 119.

Bou-Raad, G. (2000) Internal Auditors and a Value-added Approach: The New Business Regime, Managerial Auditing Journal, 15(4), pp. 182-6.

Cai, C. (1997) On the Functions and Objectives of Internal Audit and their Underlying Conditions, Managerial Auditing Journal, 12(4), pp. 247-250.
88

Papas, A. (1999) Introduction in Auditing, Benos ed., Athens, pp. 109-110.

Spira, F.L., and Page, M. (2003) Risk Management: The Reinvention of Internal Control and the Changing Role of Internal Audit, Accounting, Auditing & Accountability Journal, 16(4), pp. 640-661.

Sawyer, B. L. (2003) Sawyers Internal Auditing, The Practise of Modern Internal Auditing, The Institute of Internal Auditors, 5th ed., pp. 120-121.

Power, M. (2004) The Nature of Risk: The Risk Management of Everything, Balance Sheet, 12(5), pp. 19-28.

Leung, P., Cooper, B. J., and Robertson, P. (2003), The Role of Internal Audit in Corporate Governance, The Institute of Internal Auditors Research Foundation, RMIT University, Australia.

Knechel, W. R. (2007) The Business Risk Audit: Origins, Obstacles and Opportunities, Accounting Organizations and Society, 32, pp. 383408.

Eleftheriadis, I. (2006), Risk Management Processes, The Case of Greek Companies, 1st International Conference of Accountng and Finance, University of Macedonia, Thessaloniki, Greece, Conference Proceedings.

Simkins, B. and Ramirez, S. (2008) Enterprise Wide Risk Management and Corporate Governance, Loyola University Chicago Law Journal, Vol. 39, No. 3

Griffiths, D. M. (2006) Risk Based Internal auditing: An Introduction [online]. Available :http://www.internalaudit.biz/files/introduction/Internalauditv2_0_3[ access ed 16th Aug 2012].
89

Beumer, H. (2006), A Riskoriented Approach, Internal Auditor, pp. 72-76.

Gramling, A. and Myers, P. (2006) Internal Auditing's role in ERM, Internal Auditor, Vol. 63, Issue.

Professional Practice Framework (2004) Practice Advisory 2100-3: The Internal Auditor's Role in The Risk Management Process, The IIA Research Foundation.

Olson, D. and Wu, D. D. (2007) Enterprise Risk Management, Chapter 1 in Financial Engineering and Risk Management, Vol. 1, Chicago.

Liebenberg,

A.

and

Hoyt,

R.

(2003)

the determinants

of

Enterprise Risk Management: Evidence from the appointment of Chief Risk Officers. Risk Management and Insurance Review, 6, 1, pp. 37-52.

Ghita, M. (2004) Internal Audit - Economic Publishing House, Buchares.

McVay, S. and Ge, W. (2005) The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act, Accounting Horizons, 19 (3):137-158.

Srinivasan, S. (2004) Consequences of financial reporting failures for outside directors: Evidence from restatements, Forthcoming, Journal of Accounting Research.

Goodwin, J. (2004) A comparison of internal audit in the public and private sectors, Managerial Auditing Journal, 19 (5): 640-650.

Anderson, U. (2003) Assurance and consulting services, Research Opportunities in Internal Auditing, Institute of Internal Auditors Research Foundation, Altamonte Springs, FL.
90

Abbott, L.J. and Parker, S. (2000) Audit committee characteristics and auditor choice, Auditing: A Journal of Practice and Theory, 19 (2): 47-66.

Willekens, M. and Achmadi, C. (2003) Pricing and supplier concentration in the private client segment of the audit market: Market power or competition? International Journal of Accounting, 38 (4): 431-456.

Peel, M. J. and Roberts R. (2003) Audit fee determinants and auditor premiums: Evidence from the micro-firm sub-market, Accounting and Business Research, 33(3): 207-233.

Bockus, K. and Gigler, F. (1998) A theory of auditor resignation, Journal of Accounting Research, 36(2): 191-208.

Stewart, G. and Kent, P. (2006) the use of internal audit by Australian companies, Managerial Auditing Journal, 1: 81-101.

Kishal, Y. and Pehlivanl, D. (2006) Risk Based Internal Auditing and ISE Application, 75-87.

Yardmc, E, (2008) Results of Development of Risk and Controls Survey, International Conference on Corporate Governance.

Walker, P. L., Shenkir, W. G. and Barton, T.L. (2002) Enterprise Risk Management: Pulling it all Together, USA, The Institute of Internal Auditors Research Foundation.

Sobel, P. J. (2005) Auditors Risk Management Guide Integrating Auditing and ERM, USA, CCH Incorporated.
91

Scarbrough, D. P., Rama, D. V. and Raghunandan, K. (1998) Audit Committee Composition and Interaction with Internal Auditing: Canadian Evidence, Accounting Horizons, 12 (1), 51-62.

Francis, J. (2004) What Do We Know About Audit Quality? The British Accounting Review, 36, 345-368.

Brody, R. G., and Lowe, D. J. (2000) The New Role of the Internal Auditor: Implications for Internal Auditor Objectivity, International Journal of Auditing, 4 (2), 169-176.

Adamec, B. A., Leinicke, L. M., Ostrosky, J. A., and Rexroad, W. M. (2005) Getting a Leg Up, The Internal Auditor, 62 (3), 40-45.

Bailey, J. A. (2007) Best Practices for Internal Auditor Independence, Internal Auditing, 22 (2), 34-37.

Mutchler, J., Chang, S., and Prawitt, D. (2001) Independence and Objectivity: A Framework for Research Opportunities in Internal Auditing. Altamonte Springs, FL: The Institute of Internal Auditors.

Turley, S. and Zaman, M. (2004) The Corporate Governance Effects of Audit Committees, Journal of Management and Governance, 8 (3), 305-335.

Scarbrough, D. P., Rama, D. V. and Raghunandan, K. (1998) Audit Committee Composition and Interaction with Internal Auditing: Canadian Evidence, Accounting Horizons, 12 (1), 51-62.

Cohen, J., Krishnamoorthy, G., and Wright, A. (2004) The Corporate Governance Mosaic and Financial Reporting Qualit, Journal of Accounting Literature, 23,
92

87-152.

Church, B. and Schneider, A. (1991) Maintaining Objectivity Despite Conflicting Duties, Internal Auditing, 7 (2), 11-17.

Valentine, S., Godkin, L. and Lucero, M. (2002) Ethical context, organizational commitment, and person-organization fit, Journal of Business Ethics, 41(4): pp. 349-361.

Nielson, N. L., Kleffner, A.E. and Lee, R. B. (2005) The evolution of the role of risk management communication in effective risk management, Risk Management and Insurance Review, 8(2): pp. 279-290.

Kizirian, T. and Leese, W. R. (2004) Security controls and management tone, Internal Auditing, 19(2), pp. 42-46.

Fatemi, A. and Glaum, M. (2000) Risk management practices of German firms, Managerial Finance, 26(3): pp. 1-17.

Hoelter, J. W. (1983) The analysis of covariance structures: Goodness-of-fit indices, Sociological Methods and Research, 11, pp. 325-344.

Julien, R. J, and Richards, T. (2008) Rising to the challenge, Internal Auditor, 65(1): pp. 43-46.

Lindow, P.E. and Race, J.D. (2002) Beyond traditional audit techniques, Journal of Accountancy,194(1), pp. 28-34.

Viator, R. E. (2001)The association of formal and informal public accounting mentoring with role stress and related job outcomes, Accounting, Organizations and
93

Society, 26: pp. 73-93.

Institute of Internal Auditors (IIA) (2001) The Standards for the Professional Practice of Internal Auditing, Altamonte Springs, FL: IIA.

Kinney, W. (2000) Information Quality Assurance and Internal Control, Boston, MA: Irwin McGraw-Hill.

Moeller, R. (2005) Brink's Modern Internal Auditing, Sixth Edition, John Wiley & Sons, Inc.

Libby, T., Salterio, S. E., and Webb, A. (2004) The balanced scorecard: The effects of assurance and process accountability on managerial judgment, The Accounting Review 79(4): 1075-1094.

Lin, Z. and Chen, F. (2004) An empirical study of audit expectation gap in The Peoples Republic of China, International Journal of Auditing, 8:93-115.

Chen, J.(2009) An exploratory study of alignment ERP implementation and organisational development activities in a newly established firm, Journal of Enterprise Information Management, 22 (3), 298-316.

Wang, X. L. and Bowie, D. (2009) Revenue Management: the impact on business-to-business relationships, Journal of Services Marketing, 23(1), p31-41.

Lin, S., Pizzini, M., Vargus, M. and Bardhan, I. (2011) The Role of the Internal Audit Function in the Disclosure of Material Weaknesses, The Accounting Review, 86, 287-323.

Tan, M. (2004) The nature of risk: the risk management of everything, Balance
94

Sheet, 12, (5), pp.19-28.

Lin, Z. J., Liu, M., and Wang, Z. M. (2009) Market implication of the audit quality and auditor switches: Evidence from China:, Journal of International Financial Management and Accounting, 20(1), 35-78.

95

Appendix

Withdrawal information Inside Shanxi Provinc e Amount of enterprise s Proportio n 71.8% 28.17% 100 % 51 Outside Shanxi Provinc e 20 71 Total

Industry category Financial Government Private enterprise s Total

institution al agencies s

20

12

39

71

28.17%

16.9%

54.93%

100 %

Table 1 Withdrawal Information on Questionnaire

Financial Industry category Institution setting Board auditors General managers Together with other 4 9 of 7 institutions

Governmental Private agencies enterprises

Total

Proportion

10

14.08%

12

25

35.21%

26

36

50.71%

departments
96

Total

20

12

39

71

100%

Table 2 Setting of Internal Audit Institution (Statistical Result of Question 2 of Questionnaire)

Industry category Education background and major Education background Junior college Bachelor s degree Masters degree Doctors degree Total Major Accounting, audit Law Computer Management Total

Financial institution s 3

Governmental agencies

Private

Tota

Proportio n

enterpris l es

20

26

36.62%

16

30

42.25%

12

16.9%

4.23%

20 12

12 8

39 29

71 49

100% 69.01%

3 2 3 20

1 1 2 12

3 2 5 39

7 5 10 71

9.86% 7.04% 14.09% 100%

Table 3 Education Background and Major of Internal Auditors (Statistical Result of Question 3 and 4 of Questionnaire)

Industry category Items carried

Financial

Government

Private

Tota

Proportio n

institution al agencies
97

enterprise l

out and restraining factors Items carried out Financial audit Risk audit Internal control audit Economic responsibilit y audit Total Constrainin g factors Leaders paying enough attention Not audit environment Auditors lack in skills Greater proportion of traditional audit Total not

23

39

54.93%

6 3

1 0

2 3

9 6

12.68% 8.45%

11

17

23.94%

20 1

12 0

39 5

71 6

100% 8.45%

ideal 4

14

19.72%

11

23

32.39%

14

28

39.44%

20

12

39

71

100%

Table 4 Items Often Carried Out by Internal Audit Institution and Factors Restricting Development of Audit (Statistical Result of Question 5 and 6 of
98

Questionnaire)

Financial Industry category institutions

Governmental Private agencies enterprises

Total

Proportion

Answers Necessary, and 13 established Necessary, but 7 not established Neither necessary established Unknown Total 0 20 1 12 6 39 7 71 9.86% 100% nor 0 0 4 4 5.63% 9 21 37 52.11% 2 8 23 32.40%

Table 5 Cognition of Risk Management and Establishment of Risk Management Framework (Statistical Result of Question 7 and 8 of Questionnaire)

Industry category

Financial

Governmental Private enterprises

Total

Proportion

institutions agencies

Standard ERM framework 7 1 2 10 14.09%

issued by COSO Guidance Comprehensive

99

on 11

12

31

43.66%

Risk Management of Central

Enterprises issued by SASAC Adjustment according to 2 2 19 23 32.39%

physical truth of enterprises

Unknown Total

0 20

1 12

6 39

7 71

9.86% 100%

Table 6 Risk Management System or Standard Adopted (Statistical Result of Question 9 of Questionnaire)

Industry category

Financial institutio

Governmen tal agencies

Private enterpris es

Tota Proporti l on

Answers Necessity Necessary Unnecessary Unknown Total Implementati on Implemented Unimplement ed Unknown Total

ns 16 3 1 20 13 6 7 4 1 12 2 6

23 7 9 39 8 21

46 14 11 71 23 33

64.79% 19.72% 15.49% 100% 32.39% 46.48%

1 20

4 12

10 39

15 71

21.13% 100%

Table 7 Necessity and Specific Implementation of Internal Audits Participation in Risk Management (Statistical Result of Question 10 and 11 of Questionnaire)
100

Questionnaire

Dear internal auditors, How are you! I greatly appreciate that you find time to fill in this questionnaire. The purpose of this questionnaire is to help us know the current situation of Chinese internal audits participation in risk management, and find problems therefrom, so as to offer reference for internal audits participation in risk management in future.

This survey is for study and research only, I will keep secret for the following information, please be relieved to fill in it! Thanks for your participation!

1. Type of your company (

A. financial institutions B. governmental agencies C. private enterprises

2. How does the internal audit department work in your company (

A. lead by board of directors or board of auditors B. lead by general manager C. set together with other departments

3. Education background of internal auditors in your company (

A. junior college B. bachelors degree C. masters degree D. doctors degree

4. Majors of internal auditors in your company (

A. accounting B. audit C. law D. computer E. management F. other ________ (please specify)

5. Items which are often carried out by internal audit department of your company ( )
101

A. financial audit B. risk audit C. internal control audit D. accountability audit E.

other

6. What do you think the main factors restricting development of internal audit are ( )

A. Leaders attention is not enough B. Not ideal audit environment C. Auditors are lack of skills D. Greater proportion of traditional audit E. Industrial demand is not obvious

7. Whether you think it is necessary to control the risk ( A. necessary B. unnecessary C. unknown

8. Whether risk management framework is established in your company ( A. established B. not established C. unknown

9. Risk management system or standard adopted by your company is (

A. ERM framework issued by COSO B. Guidance on Comprehensive Risk Management of Central Enterprises issued by SASAC C. Adjustment according to physical truth of enterprises D. unknown

10. Whether do you think is necessary internal audit to participate in risk management ( )

A. necessary B. unnecessary C. unknown

11. Special circumstance of internal audits participation in risk management in your company ( )

A. Internal audit has already participated in risk management B. Internal audit has not participated in risk management C. Unknown
102

103