Foreword: The birth of a good article requires you to constantly collect data and sort out ideas. This website has collected a wealth of model articles on the theme of internal control risk assessment for you, which are only for reference. Welcome to read and collect.
Part 1: Internal Control Risk Assessment Model
Key words: risk orientation; Internal audit; reflection
The development of international audit mode has gone through three stages: account oriented audit mode, system oriented audit mode and risk oriented audit mode. Risk oriented audit is a new audit mode developed on the basis of account oriented audit and system oriented audit, An audit method that carries out risk assessment on the auditee, determines the scope and focus of the audit, and then carries out substantive review. From the perspective of revealing risks, risk oriented audit has obvious advantages over the current audit method, which can effectively make up for the shortcomings of the current audit method. Therefore, it is particularly necessary to introduce risk oriented audit in the People's Bank of China.
1、 The Development Track of Risk oriented Audit Mode of the People's Bank of China
In 2011, the People's Bank of China formulated and issued the 2011-2013 Plan for the Transformation of the People's Bank of China's Internal Audit Work, marking the full launch of the transformation of internal audit work, and taking the establishment of a risk oriented audit model as the first task of the transformation of internal audit work; At the same time, it took the lead in setting up a risk assessment task force. On the basis of carefully combing and studying the risk assessment work of central banks in Europe, America and other developed countries, it issued the Implementation Plan on Risk Assessment of the People's Bank of China (Draft for Comments) in 2012, and the rudiments of the internal audit risk assessment framework of the People's Bank of China were basically formed. While making important breakthroughs in theoretical research, the risk assessment practice of the People's Bank of China has been steadily promoted by all branches. In order to strengthen the promotion and application of transformation achievements and further promote risk assessment, in July 2013, a symposium was held to discuss and revise the preliminary framework of risk assessment, issue the Trial Measures for Risk Assessment of the Internal Audit Department of the People's Bank of China, establish the risk quantitative assessment model of the People's Bank of China, and standardize the risk assessment procedures. Assistant President Guo Qingping pointed out at the transformation work summary meeting that internal audit departments at all levels paid attention to the application of risk assessment methods in the process of formulating audit plans, implementing on-site audits, and preparing audit reports, so as to better achieve "risk guided audit and audit focused on risk". On the whole, the risk oriented audit mode of the People's Bank of China has been basically established.
2、 Some Thoughts on the Risk oriented Audit Model of the People's Bank of China
(1) Risk oriented audit mode is basically established
After three years of transformation, auditors have gradually strengthened and applied the five concepts of transformation in practice. However, the understanding and application of the concept of "risk guided audit and audit focused on risk" are still at the initial stage of exploration, and auditors' understanding needs to be changed. On the one hand, it is not fully recognized that risk guided audit can not only be applied to the preparation of audit plans, but also should be extended to the preparation of audit plans, the implementation of audit sites, the preparation of audit reports and other processes. On the other hand, in accordance with the organizational level and division of responsibilities, the development of audit plans is considered at the head office level. Branches, especially the provincial capital sub branches and prefecture level sub branches below the branch level, are mainly responsible for the organization and implementation of audit projects. They lack the necessary initiative to develop audit plans. Therefore, the concept of risk guided audit has not been widely and deeply explored in practice. More importantly, according to the inertial thinking and previous audit experience, the auditors believe that they have paid attention to the major audit findings in the audit implementation and reporting stages, and have paid attention to the risks in the audit, so there is no need for complex analysis and evaluation.
(2) Risk identification is the premise and basis of risk assessment
Risk events to be identified in risk assessment include both inherent risk events that affect the realization of business objectives and major events that affect the realization of basic control objectives Internal control Missing issues. In the process of risk event identification, on the one hand, we should take the business objective of the assessment object as the logical starting point, and refer to the Internal Audit Department of the People's Bank of China risk assessment work The risk classification method of the Tentative Measures comprehensively identifies the inherent risk events that affect the realization of business objectives. On the other hand, it is also necessary to carefully analyze the assessed business process, understand the basic control objectives of the assessed business, and then identify major internal control deficiencies. Internal control is hierarchical. Generally, control processes, control activities and control measures at different levels are designed and implemented according to business importance and inherent risks. The corresponding control objectives are also divided into basic control objectives and specific control objectives. In risk assessment, it is only necessary to identify major internal control deficiencies that affect the realization of basic control objectives, and it is not necessary to identify general internal control normative issues that affect specific control objectives, so as to avoid the identified risks being lost to detail, triviality and difficulty in analysis and utilization.
(3) The evaluation depends on the professional judgment of the personnel involved in the evaluation
The risk assessment depends more on the professional judgment of the assessors, and requires higher professional quality of the assessors. The evaluation should be carried out in the preparation stage of the audit plan, and the evaluators should understand the system, the findings in the recent audit and the relevant inspections. Generally speaking, those who are familiar with the above three aspects are often auditors with rich audit experience. It is precisely because of the influence of audit "inertia" thinking that these people are accustomed to formulating audit content against the system. They feel a little afraid of complicated mathematical calculations in risk assessment. In the audit implementation stage, auditors are not only required to invest a lot of energy to investigate the problems, but also need to improve the audit method and adopt more targeted audit means to focus on the identified key content. It is often easy to pursue the audit progress at the expense of the audit focus. In the stage of audit report, the auditors should re evaluate the problems found in the audit against the standard of impact degree, which puts forward higher requirements for the ability of auditors, especially the chief auditor.
3、 Further in-depth research on the risk oriented audit model of the People's Bank of China
Although the risk assessment framework of the People's Bank of China has basically taken shape and the risk oriented audit model has basically been established, it still needs further research.
(1) Improve the objectivity of risk assessment
Risk assessment is more dependent on professional judgment and requires high quality of assessors. How to eliminate the influence of human factors and improve the accuracy of evaluation is an important issue to be explored and solved continuously. The number of residual risks is calculated through quantitative assignment, but it is not an accurate number. Even if it is calculated to two decimal places, it does not mean that the risk measurement is more accurate. In order to make the risk assessment more accurate, we must work hard on the assessment process.
(2) Improve the applicability of risk assessment
The scope of application of risk assessment is the internal audit department, which is an important basis for the internal audit department to carry out risk assessment on various functions and business areas of the People's Bank of China, formulate audit plans, allocate audit resources, and implement audit activities. The next step is to extend this method to all business departments of the People's Bank of China to carry out self-assessment. The applicability, rationality and effectiveness of the risk assessment method are also worthy of in-depth study.
(3) Improve the efficiency of risk assessment
It can be seen from the quantitative calculation formula of risk assessment that after identifying the risk events and making the risk level determination, the assessors need to invest a lot of work in complex mathematical calculation. Therefore, it is necessary to speed up the informatization construction of the evaluation work in a timely manner, let the evaluators jump out of the complex calculation process, and make the evaluation truly return to the main links such as the identification of risk events and the determination of risk levels, which will help to better play the role of the evaluation work.
Part 2: Internal Control Risk Assessment Model
1、 Current situation of risk management of basic People's Bank of China
At present, the People's Bank of China identifies risks mainly by defining the types, causes and nature of risks according to their own business characteristics, whether there may be capital and property losses, major hazards caused by leaks and divulgences, and the impact on the realization of the central bank's policy objectives and work efficiency. According to the relevant contents of the Guidelines of the People's Bank of China on Internal Control of Branches and Branches, the basic risks of the People's Bank of China at present mainly include the following:
(1) Hidden danger of capital security risk
First, in the process of accounting business, due to the lack of risk awareness of individual post holders and the lack of confidentiality measures for their personal computer operation passwords, some post holders even told other personnel in the department their personal computer operation passwords in order to facilitate other personnel to operate their own temporary business. When they leave their posts, they will handle the business on their behalf, leading to the phenomenon of clear business processing. Second, in terms of personnel allocation related to fund accounting business posts, the phenomenon of incompatible posts holding concurrent posts still occurs. Third, the personal seal was not kept strictly, so people could not enter the cabinet and lock it. Fourth, in the process of purchasing bulk goods, there are such phenomena as payment in advance, inconsistency between the payer and the supplier of the original contract, and even forgetting to deduct the advance payment when making payment. Fifth, there is a phenomenon of exceeding authority in capital expenditure. Sixth, the review of the return data was not strict when handling the treasury return business, and even the payee of the budget return was inconsistent with the payee of the budget revenue. The above problems are likely to lead to capital risk.
(2) Potential legal risk
First, the application materials were not carefully reviewed in the process of administrative licensing, and some expired and invalid materials were found in the submitted application materials. Second, the administrative license was not handled according to the prescribed procedures, the "Notice of Acceptance of Administrative License Application" was not issued to the applicant when the application was received, and the "Letter of Decision on Administrative License" or "Letter of Decision on Rejection of Administrative License" and other effective documents were not issued in time after the completion of the application. Third, the working papers of administrative law enforcement inspection were not standardized, some lacked signatures of inspectors, the inspected unit did not sign on the fact confirmation letter, or the signer did not meet the requirements of the regulations to sign ultra vires, some of the elements of the punishment decision letter were incomplete, the decision letter did not specify the rights of the punished person, and some of the basis of the punishment decision was inaccurate or unclear. Fourth, the economic contract is not standardized, the contract elements are incomplete, and the quality of the subject matter is not clearly specified. The above problems are likely to lead to legal risks.
(3) Potential operational risk
First, the purchase of bulk goods was not standardized. There are still some units that do not include the items that should be included in the purchase management of bulk goods into the purchase management of bulk goods. The second is the omission of signature and seal in business operations, which leads to the difficulty in determining the responsibility after problems occur. Third, safety education and supervision are not in place. The drivers of some units have been involved in minor traffic accidents continuously, and the units have not paid attention to them. The above problems are likely to lead to operational risks.
(4) Potential reputation risk
In the external publicity or research, some employees of the People's Bank of China did not fully demonstrate the proposed manuscript, nor submitted it to the publicity management department for review, and submitted it to multiple media without authorization, which led to some distortion, misinformation and reputation risk.
2、 Difficulties Faced by Risk Management of Grass roots People's Bank of China
(1) Risk management culture has not really been established
At present, some grassroots central bank staff still simply understand risk management as the formulation, binding and summary of various rules and regulations, and believe that the establishment of sound rules and regulations is the establishment of a risk management mechanism, without really recognizing the relationship between risk identification, analysis, evaluation, etc. and risk prevention, They did not actively carry out regular risk analysis on regular business and management activities, and lacked the risk management awareness of timely analysis on unconventional business and management activities and emergencies.
(2) Risk assessment standards are not unified enough
Although the Guidelines on Internal Control of Branches of the People's Bank of China pointed out that risk assessment means identifying and analyzing relevant risks and determining coping strategies, there is no specific and unified assessment criteria. Different assessment objects have different criteria, and the same object also has different criteria. Some take the five elements of internal control as the assessment criteria, and some take the effectiveness of internal control Comprehensiveness, timeliness and rationality are the criteria. Without a unified risk assessment standard, it is impossible to make an accurate assessment of risks.
(3) Insufficient risk assessment information exchange
It is mainly reflected in the asymmetric information between the two sides of risk assessment: first, although the risk management information of each business department is increasing, the risk information submitted is single, which is limited to the compilation of internal control systems of each business department and other materials, and cannot dynamically reflect the current situation of risk management. Second, the timeliness of risk management information transmission is poor, and there is information lag. The third is that the channels are not smooth enough and there is little communication at ordinary times. It only depends on the collection of information or temporary flow in the preliminary preparation stage of the assessment.
(4) There is still a gap between the comprehensive quality of employees and the requirements of risk management
First, the knowledge structure is unreasonable. At present, most of the internal auditors and business department personnel of the People's Bank of China only have the professional knowledge of accounting and finance, currency and credit, investigation and statistics, foreign exchange management, and lack the special training on risk management knowledge. Second, the professional knowledge was updated slowly, the risk identification and analysis of new business were not in place, and the old documents and methods were often applied in practical work to deal with new problems and new situations, lacking the ability to understand and control new risk points.
(5) The long-term mechanism of risk assessment needs to be strengthened
Risk assessment should be a continuous and cyclical process. However, some units and functional departments regard risk assessment as a phased work, which is sometimes tight and sometimes loose. They fail to timely prevent and control the identified risk points, and fail to carefully investigate the hidden new risk points; In terms of risk response evaluation, it failed to re analyze and re evaluate in combination with the actual situation, and the risk response measures that had been formulated were not updated with the changes in personnel, processes, systems and the external environment, which gradually weakened the role of the risk control plan.
3、 Ways to strengthen the risk management of the People's Bank of China at the grass-roots level
(1) Establish a professional risk assessment team
The People's Bank of China at the grass-roots level should establish a professional risk assessment team, which is held by people with rich management experience in the unit, to carefully assess the overall risk situation on a regular basis, screen out risk points above the high risk level, and conduct risk monitoring and risk control management. The assessment team shall organize daily risk identification, risk monitoring and risk analysis, be responsible for establishing the risk assessment model of each business line, collect and sort out risk assessment data, timely assess and analyze the risk situation, and provide basis for leaders to make decisions. The President and the leaders of the bank in charge should fully support the development of risk assessment, ensure that the risk assessment work has sufficient human, material and information technology levels, and timely understand the development of risk assessment work. Relevant functional departments should perform their own duties in the process of risk assessment. They should not only clarify the division of labor, but also work together to play an active role.
(2) Optimize risk assessment process
According to the classification of risk types of the People's Bank of China at the grass-roots level, operational risk accounts for a large proportion in the whole risk system. According to the characteristics and nature of operational risks, the risk assessment process should be from the outside to the inside, from the bottom to the top, from known to unknown. Based on the analysis of operational business processes, starting from the basic position, the risk assessment process should extend from known risks to unknown risks. The risk assessment flow chart is shown in Figure 1.
(3) Establish risk assessment model
The establishment of the risk assessment model should have a certain accuracy, which can play a practical guiding role in risk control.
1. Measurement of risk level. The measurement of risk level generally includes two aspects: inherent risk and risk control effect. The actual risk level is proportional to the inherent risk and inversely proportional to the control effect.
The actual risk level is the residual risk existing in the business post after the implementation of internal control. It should be the risk level that managers and decision-makers can accept. If there is a gap between the calculated risk level and the set target value, it is necessary to take control measures again, and then conduct risk assessment again until it is confirmed that the risk level is within an acceptable range.
2. Risk rating. Inherent risks can be divided into five levels according to the degree of risk: high risk, high risk, medium risk, low risk and low risk. Different scores are given to inherent risks according to the degree of risk and risk level. For example, the high risk value is 1-0.9, the high risk value is 0.9-0.8, the medium risk value is 0.8-0.7, the low risk is 0.7-0.6, and the low risk is below 0.6; The control effect evaluation grade (control evaluation value) is divided into five conditions: excellent, satisfactory, to be improved, poor and invalid. According to the internal control evaluation conclusion, it is divided into excellent 90-100, satisfactory 80-90, to be improved 70-80, poor 60-70 and invalid 50-60.
3. Risk assessment method. The combination of analytic hierarchy process and Delphi method is adopted to identify and assess risks. Using the analytic hierarchy process (AHP), combined with business process analysis, the complex risk problems are decomposed into several constituent elements, which are grouped according to the dominance relationship and the degree of influence procedure to form an orderly hierarchical structure. The risk factors can be further subdivided to facilitate the identification of the risk factors that play a key and decisive role in the risk points. The Delphi method is used to fully collect expert opinions and constantly revise the risk assessment results to improve the accuracy of risk assessment. The specific methods and steps are as follows: (1) Post personnel: use the analytic hierarchy process and process analysis to identify and subdivide risks and conduct qualitative evaluation of risks. (2) Department self-evaluation team: adopt quantitative analysis method and assign evaluation scores. (3) Risk assessment department: adopt qualitative and quantitative comprehensive evaluation methods to summarize and sort out risks. (4) Professional risk assessment team: use the Delphi method to assess, determine the final risk results, and submit the qualitative risk assessment report.
4. Risk assessment criteria. The head office and branches of the People's Bank of China shall, on the basis of full investigation, certification and risk assessment, determine the standard risk level or safety indicators in specific business areas as the standards for measurement and comparison of grass-roots people's banks. The grassroots central bank determines its own risk level and risk level by comparing with the safety indicators and risk standards, and then determines whether to take control measures and to what extent according to the risk comparison results.
Part 3: Internal Control Risk Assessment Model
Key words: higher vocational colleges; Internal control; implementation; proposal
As the institutional basis for higher vocational colleges (hereinafter referred to as higher vocational colleges) to improve their internal management level, standardize internal control, and strengthen the construction of the risk prevention and control mechanism of clean government, the Internal Control Norms of Administrative Institutions (Trial) has been implemented for more than two years. Over the past two years, most colleges and universities have established formal and compliant internal control systems in combination with their own reality. However, the implementation effect of internal control is like people drinking water, knowing how cold and warm it is. What factors have hindered the construction, implementation and effectiveness of the internal control system in higher vocational colleges, and how to effectively respond to them has become an important issue to be solved to promote the continuous deepening of internal control construction in higher vocational colleges. In combination with the implementation of internal control in the school, the author analyzes and discusses the construction of internal control evaluation system in higher vocational colleges from the perspective of risk assessment mechanism, indicator system construction, risk feedback mechanism and other aspects, so as to realize the effective implementation of internal control in higher vocational colleges.
1、 Implementation of internal control system
Since the implementation of internal control in 2014, the school has completed three key tasks. First, a leading organization for risk assessment has been established and the division of responsibilities has been refined. A working group on risk assessment of economic activities was established, and its office is located in the Finance Department. The president is the team leader, the vice president in charge of finance is the executive deputy team leader, the deputy school leader is the deputy team leader, and the heads of the two offices, the General Affairs Office, the Academic Affairs Office, the Assets Office, the Audit Office and other relevant departments are members. At the same time, the dominant position of relevant departments in economic activities has been clarified, and the division of responsibilities of project departments has been refined. For example, on the basis of the previous division of responsibilities, the Scientific Research Foreign Affairs Office and the Propaganda Department have been added, separating scientific research instruments and equipment, scientific research furniture, scientific research consumables from teaching, and putting them under the responsibility of the Scientific Research Foreign Affairs Office; Publicity Department shall be responsible for the publicity and cultural facilities such as lighting, audio and network equipment for student activities. The second is to improve the construction of relevant economic systems. At the level of budget business control, the school actively promotes budget performance management and improves and revises relevant systems; In terms of revenue and expenditure business, it has standardized and improved the financial management, travel expense management, business card management, reimbursement approval, business reception, and bus management; At the level of government procurement business control, a package of management measures has been formulated from three aspects, including the scope, process and acceptance of goods bidding; At the level of asset control, the Interim Measures for the Management of Fixed Assets of the School has been improved from six aspects, including the management, custody, coordination, lease, disposal and account verification of assets; At the level of financial control business, it is clearly detailed from the two aspects of post setting and seal keeping; At the level of construction project control, from the decision-making process, implementation process, design change and investment budget adjustment of infrastructure projects, the Regulations on the Management of School Infrastructure Projects have been revised and improved; In terms of contract control, the School Economic Contract Management Measures has been revised and improved from six aspects: contract countersigning, performance, settlement to statistics, classification and archiving. The establishment and improvement of a series of systems not only strengthened the internal control and management of the school at six levels, but also made the decision-making, approval and implementation processes of various economic activities more clear, and all kinds of economic behaviors more standardized. Third, a risk assessment feedback mechanism has been initially formed. The important carrier of the feedback mechanism of school risk assessment is the internal control meeting. At the initial stage of the implementation of the internal control system, in order to unify understanding and enhance attention, the school held an internal control working meeting every six months. The Finance Department and the Audit Department respectively introduced the implementation of the internal control system, pointed out the problems existing in the school's economic activities, and put forward corresponding rectification suggestions or improvement measures. Later, the school adjusted the content of the meeting according to the implementation of the internal control work, and adjusted the content of the mid year meeting to select functional departments to introduce their own experience, shortcomings and improvement direction in the implementation of internal control. At the end of the year, the Finance Department and the Audit Department conducted a comprehensive, systematic and objective economic activity risk assessment of the school, A written report shall be prepared and submitted to the working meeting for consideration.
2、 Problems in the implementation of internal control system
1. The risk assessment working group was ignored. Internal control is a systematic task as well as a long-term work, which is the common responsibility of all relevant functional departments. However, in the process of implementing internal control management, higher vocational colleges often ignore the importance of the risk assessment working group and unilaterally place the responsibility of internal control management on the financial department or the internal audit department. This is not conducive to the formation of a mechanism of communication, coordination and linkage among various departments in the internal control of higher vocational colleges, making it impossible for internal control to penetrate into the decision-making The whole process of implementation and supervision has lost the overall control of the school's economic activities and violated the comprehensive principle of internal control.
2. The risk assessment index system is not perfect. The effective implementation of risk assessment is inseparable from the establishment of the risk assessment report system. Whether the content of the risk assessment report can comprehensively, systematically and objectively reflect the risks existing in economic activities is inseparable from the construction of the assessment index system. However, the Measures of the Internal Control Standards of Administrative Institutions (Trial) issued by the Ministry of Finance only involve the basic requirements and application guidance of internal control of administrative institutions, and do not give guidance on the content and scope of their internal control. This is also the fundamental reason why high vocational schools cannot establish a scientific and perfect risk assessment index system at present.
3. The subject of risk assessment is not comprehensive. In the internal control evaluation system of higher vocational colleges, there should be two parts: internal evaluation and external evaluation. The main body of internal evaluation should be the school risk assessment team, and the main body of external evaluation should be professional auditors or accounting firms. The advantages of internal evaluation lie in comprehensiveness, while the advantages of external evaluation lie in objectivity. However, in practical work, we are not comprehensive about the subject of risk assessment, and often pay attention to internal assessment and ignore external assessment, which makes the major risks in important economic activities or economic activities of schools vulnerable to the subjective preference of leaders, leading to deviation in the importance principle of internal control.
3、 Recommendations
1. Play the role of risk assessment working group. First, personnel. The members of the risk assessment team shall be mainly the financial and audit personnel of the school, supplemented by the personnel of each functional department. The second is time. The work of the risk assessment team shall be carried out in March of the next year according to the requirements of the principle of comprehensiveness and in combination with the actual work of the financial settlement, and the time schedule is about 20 days. Third, working methods. Unified organization and centralized office shall be adopted; The fourth is the work content. Determine the evaluation content, evaluation indicators and evaluation means, and then carry out the evaluation work step by step to form an evaluation report.
2. Improve the risk assessment index system. When setting up the school internal control evaluation system, it must be comprehensive. Only by setting up comprehensive evaluation indicators can the output evaluation results be scientific and reasonable. For this reason, we can sort out the business processes of various economic activities of the school, clarify the business links, systematically analyze the risks of economic activities, determine the risk points, set the risk coefficient as the basic indicator, and then combine the key points determined in the business processing process to screen out the indicators with high relevance and significance. Only in this way can we achieve the real significance of evaluation.
3. Introduce external evaluation subjects. In the process of carrying out internal control evaluation, higher vocational colleges should adopt a combination of internal and external methods. On the basis of internal evaluation, they should regularly or irregularly hire auditors or accounting firm professionals to conduct independent, objective and fair evaluation of the school's internal control work, so as to ensure the healthy and sustainable development of the school's internal control work.
Author: Liu Xiaoguang Unit: Henan Medical College
reference:
[1] Cao Xinmei. On the Construction of Internal Control in Colleges and Universities [J]. China Economy and Trade, 2013 (14): 247-248
[2] Che Peng, Yang Wenchao, Cui Changhai. Discussion on the construction of internal control system in colleges and universities [J]. China Business, 2013 (5): 79-80
[3] Yang Rong. Discussion on the Construction of Internal Control Evaluation System in Colleges and Universities [J]. Finance and Accounting Communication, 2013 (9): 31-33
Part 4: Internal Control Risk Assessment Model
Key words: risk oriented audit mode, risk assessment framework, countermeasures and suggestions
1、 Overview of risk oriented audit
With the development and change of social economy, the audit method has gone through three stages of development to adapt to the change of the audit environment: first, the account based audit method. The audit method is detailed audit. The focus of the audit is the balance sheet, which is the detailed audit of accounting vouchers and books. The second is the system based audit method. The audit method is sampling audit. The focus of the audit is to understand, test and evaluate the rationality of the internal control design and the effectiveness of the implementation. The third is the risk oriented audit method. The audit method is mainly sampling audit and diversified. It is based on the audit risk model. The focus of the audit is risk assessment and risk prevention.
(1) The connotation of risk oriented audit. Risk oriented audit means that based on the full understanding and evaluation of the internal control of the audited entity, auditors analyze and judge the risk of the audited entity and its degree of risk, focus audit resources on high-risk audit areas, adopt corresponding audit strategies for different risk factors, and strengthen substantive testing of high-risk points, Reduce the residual risk of internal audit to the lowest level.
(2) Two modes of risk oriented audit. Risk oriented audit has gone through two stages since it came into being. The theoretical circle calls the audit based on the traditional audit risk model "audit risk=inherent risk × control risk × inspection risk" as the traditional risk oriented audit model; The audit based on the model of "audit risk=major misstatement risk × inspection risk" is called modern risk oriented audit mode.
2、 Analysis on the Applicability of Risk oriented Audit Mode in the People's Bank of China
Based on the analysis of the two modes of risk oriented audit, the People's Bank of China mainly conducts risk oriented audit by referring to the modern risk oriented audit mode. First, the head office of the People's Bank of China has established the Guidelines on Internal Control of Branches of the People's Bank of China (hereinafter referred to as the Guidelines on Internal Control) in 2006, established a relatively complete internal control framework, and the main focus of internal audit has gradually shifted to the evaluation of internal control; Second, the five elements of internal control stipulated in the Internal Control Guidelines of the People's Bank of China are consistent with the five elements of internal control under the modern risk oriented audit method; Third, the People's Bank of China's Internal Control Guidelines proposed that the internal audit function should shift to the direction of risk analysis and assessment. The internal audit of the People's Bank of China can draw on and absorb the new audit concept of modern risk oriented audit, and comprehensively use modern risk oriented audit methods and traditional risk oriented audit methods.
At present, the implementation of risk oriented audit mode in the People's Bank of China still has certain constraints and problems to be solved.
(1) Risk oriented audit is difficult to become the main content of internal audit in the short term. At present, the internal audit of the People's Bank of China is still dominated by system based audit. Although it has gradually changed from supervision and inspection to management services, and from error detection and correction to promoting the construction of internal control, due to its functions and actual needs, it still has to undertake a large number of traditional basic audit work, such as outgoing audit, comprehensive audit, and audit of the performance of leading cadres. Therefore, at this stage, we can only adopt a hybrid audit model that focuses on system based audit, supplemented by risk oriented audit.
(2) Lack of ready-made risk oriented audit mode. At present, risk oriented audit is still in the stage of in-depth exploration and practice, lacking the necessary legal protection, mature theoretical guidance and perfect risk evaluation system. Although there are many technical methods of risk oriented audit, they are more complex in practical application. Some traditional audit methods and some advanced mathematical, statistical and information technology methods should be used. At the same time, the risk oriented audit operation process and implementation procedures also need to select appropriate audit models according to their own actual situation and management requirements, and summarize and constantly improve them in practice.
(3) The workload of risk oriented audit is heavy. In the risk oriented audit work, due to the expansion of the scope of audit evidence collection, it takes longer for the internal auditors, has higher technical content, and has higher audit costs. In addition, due to the active cooperation and cooperation of the relevant departments in the collection and sorting of audit evidence, it has caused greater burden and pressure on the internal auditors.
(4) Risk oriented audit requires high quality of auditors. Modern risk oriented audit puts forward new requirements for the professional quality of auditors. They should not only have rich audit theory and practical experience, but also have the necessary knowledge of management and economics. They should be able to fully understand and analyze the macro environment and development of the audit target from a systematic and strategic perspective, and expand the audit perspective beyond internal control, Assess risks at a high level.
To sum up, at present, the full implementation of modern risk oriented audit mode in the People's Bank of China is still subject to many constraints. However, modern risk oriented audit is a change of concept. We can organically combine system based audit and risk oriented audit, and absorb the basic ideas and practices of risk oriented audit mode, which is completely feasible. By integrating the ideas and methods of risk control in risk oriented audit into system based audit, It will accumulate useful practical experience for exploring a modern risk oriented audit model suitable for the People's Bank of China.
3、 The Conception of the Risk Assessment Framework of the People's Bank of China under the Risk oriented Audit Mode
Risk assessment is the basis of risk oriented audit and also a part of risk management. Therefore, the establishment of the risk assessment framework of the People's Bank of China is not only the need of risk management, but also the need to carry out risk oriented audit. Risk oriented audit is a new and multi-dimensional audit mode. The modern risk oriented audit risk model is "audit risk=major misstatement risk × inspection risk". However, the internal audit field of the People's Bank of China includes many audit types and covers many risk types.
(1) Reasonably establish risk indicators and evaluate them. All units of the People's Bank of China shall reasonably establish risk indicators according to their own actual conditions. First, establish inherent risk assessment indicators. In combination with the risk screening results, business risk indicators such as departments and units are listed item by item. According to the importance of business, risk vulnerability and audit results over the years, risk levels are divided, and corresponding risk scores are allocated for quantitative evaluation. The second is to establish control risk assessment indicators. Set three quantitative indicators: internal control integrity indicator, internal control rationality indicator and internal control effectiveness indicator. According to the evaluation results of the three indicators, summarize and evaluate the control risks of the audited entity.
(2) Assess major risks. First of all, according to the external environmental factors of the People's Bank of China and the coordination factors among relevant social entities, the macroeconomic environment and industry environment are analyzed, and the risks in all aspects are comprehensively and comprehensively assessed to find potential important strategic risks and major events. Analyze the key internal links of the People's Bank of China through the main contents of internal control mechanisms such as control environment, management risk assessment procedures, financial reporting information system, control and supervision, and determine the link risks. Evaluate and summarize the risks found, and determine the high-risk points and areas of the audited unit. Finally, further determine the audit procedures to be implemented for the identified major risk areas, and determine the effectiveness of internal control operation and identify major risks through the implementation of control tests and substantive procedures.
(3) Pay attention to the assessment of inspection risks. The concept of "risk" in risk oriented audit not only refers to operational risk, major misstatement risk or other risks, but also includes inspection risk. Inspection risk refers to the possibility that auditors fail to discover major risks. Only auditors with rich theoretical knowledge, long-term practical experience and strong judgment can collect sufficient and appropriate audit evidence from complex audit objects and make correct and reasonable judgments. Inspection risk is the key to audit work, audit failure and audit responsibility. The People's Bank of China must attach importance to the evaluation of inspection risk in risk assessment.
(4) Integration of risk assessment and risk management. The risk management model of the People's Bank of China should play the role of risk assessment, highlight the concept of management audit, and provide value-added services for the audited units through risk management consulting. It includes seven aspects: first, analyze the changes of risk environmental factors; The second is to creatively analyze and judge whether the management has identified all risks of the unit by using some analytical methods in risk event identification activities; Third, in risk assessment activities, the unit shall conduct quantitative and qualitative analysis on the identified risk events; Fourth, in risk response activities, analyze and evaluate the rationality of risk return and the effectiveness of risk reduction measures; Fifth, limit and reduce risks by designing business control procedures in control activities; Sixth, in risk information communication activities, confirm whether risk information is accurately and timely communicated to relevant personnel and effectively managed through the evaluation report system; Seventh, in monitoring activities, check whether the internal control system has been updated and whether new risks can be controlled by analyzing changes in the environment and risks.
4、 The Application of Risk oriented Audit in the Internal Audit of the People's Bank of China
(1) The procedures, contents and methods of risk oriented audit are used in the existing audit projects. Risk oriented audit strengthens the risk assessment procedure, requires the audit focus to move forward from audit testing to risk assessment, and runs risk assessment through the whole audit process. In the internal audit work, the procedures, contents and methods of risk oriented audit can be selectively used in the account and system audit business process according to the actual situation of the audit project. First, risk identification is added. Carry out pre audit investigation, find out potential risk points and preliminarily identify audit risks. The second is to join the risk assessment link. On the basis of pre audit investigation, analyze various risks, determine the key links, and find out the uncontrolled or potential residual risks through further analysis of the key link risks. The third is to add risk report content. After finding problems in the inspection and audit, the auditors should deeply analyze the causes of the problems, comprehensively judge the nature of the problems, fully reveal the major risks of the audited objects, and put forward feasible risk management suggestions and countermeasures from the perspective of risk.
(2) The concept of risk oriented audit is introduced into the evaluation of internal control. Introduce risk oriented audit into the internal control of the People's Bank of China, formulate internal control audit plans with focus and pertinence through risk oriented audit, establish an internal control evaluation system based on risk assessment, understand and grasp various risk factors existing in the People's Bank of China from a broader range, and effectively avoid internal control risks. The first is to focus on risk assessment, put the starting point and focus of assessment on the risk of control environment and business process identification, analyze the risk, and put forward suggestions and methods for risk control. The second is to focus on inherent risks and control risks, make full use of information technology, create an interactive platform for internal control information exchange, and design a sound and reasonable risk evaluation index system. Third, taking risk oriented audit as the entry point, we applied the internal control review system to conduct a comprehensive risk assessment on the soundness and effectiveness of the control system of various business processes such as risk management, business operation, function performance, security, etc., in order to reveal problems, plug loopholes, and promote the construction of the People's Bank of China's internal control.
(3) Timely carry out risk oriented audit. We will promote the development and transformation of the internal audit work of the People's Bank of China by carrying out risk oriented audit and using advanced concepts and methods of modern risk oriented audit. The focus of modern risk oriented audit is to identify and control risks. It is guided by the factors that may lead to major risks at the macro level. According to the results of audit evidence collection and the judgment of importance, it summarizes and judges the overall risk. Finally, on the basis of comprehensive identification and assessment of risk factors, the audit report is formed and specific audit opinions and suggestions are put forward.
5、 Suggestions on Improving the Risk oriented Auditing Level of the People's Bank of China
(1) Establish a new type of audit organization suitable for risk oriented audit. Establish a risk committee in the branches of the People's Bank of China, set up a risk management department, centralize the risk management functions scattered in each department, and establish a process oriented organization with the goal of audit intelligence, operation networking, and process integration.
(2) Improve audit techniques and methods. Strengthen the research and improvement of audit technology and methods, boldly adopt advanced technologies and methods of modern risk oriented audit in audit practice, fully apply analytical testing and use more scientific analysis tools.
(3) Improve the ability of auditors. Strengthen the business training of internal auditors, especially the learning of modern risk oriented audit theory and new knowledge, new technology and new methods of related specialties, and improve their ability to use risk oriented audit model. At the same time, optimize the structure of auditors and select professional and technical personnel to enter the internal audit department.
(4) Establish audit database. To carry out risk oriented audit, we must be familiar with the audit object. Full and accurate information is the basis for doing a good job of risk oriented audit. By establishing an audit database, collect and sort out the pre audit investigation, risk identification, risk assessment, risk report and subsequent audit of the audited objects, enter them into the audit database, and update and adjust them in due course.
reference:
[1] Cai Chun, Zhao Sha, Modern Risk oriented Auditing Theory [M], China Times Economic Publishing House, 2006
[2] Xie Rong, Wu Jianyou, Theoretical Research and Practical Development of Modern Risk oriented Auditing [J], Accounting Research, 2004 (4)
[3] Feng Xue, Internal Audit Business Process Reengineering of Grassroots Central Bank [J], China Internal Audit. 2008 (10)
Part 5: Internal Control Risk Assessment Model
(I) Re recognize the position and role of internal control evaluation in internal audit
As an important part of the organization's internal control system, internal audit is essentially an evaluation function. It performs its duties by measuring and evaluating the effectiveness of other controls. Internal auditors cannot and do not need to have the same knowledge (let alone replace it) as the technical experts or business experts engaged in various activities of the unit, but it is through the door of internal control that internal audit can inspect and evaluate all activities of the unit and add value. Therefore, it can be said that the internal audit itself is the internal control evaluation, and the focus of this evaluation may be in the financial aspect, or in the business management aspect. According to the difference of assessment scope, audit types can be divided into financial audit and operational audit (or called benefit audit). No matter what kind of audit, it involves the evaluation scope and purpose, the selection of internal control mode and the risks in the evaluation process. It is necessary for the internal auditors to take it seriously.
(2) Correctly understand the concept of internal control and select appropriate internal control standards or models
A correct understanding of the concept of internal control requires internal auditors to firmly establish the following concepts: (l) process concept. Internal control is a dynamic process to supervise and control the whole operation and management activities, which should be combined with the operation and management process of the enterprise; (2) Attach importance to the role of people. Not only managers, internal auditors or the board of directors, but also everyone in the organization is responsible for internal control, and the importance of people cannot be ignored in the process of internal control design and evaluation; (3) Pay attention to soft control. The management style, management, corporate culture, personnel ability, internal control awareness and other soft controls of senior management determine whether other control elements can play a role; (4) Risk concept. Risk is the premise and basis for the existence and change of internal control; (5) Cost and benefit concept. Internal control is limited by inherent conditions and can only achieve "reasonable" assurance based on the principle of cost and benefit. There is no free internal control and no perfect internal control.
In terms of the selection of internal control standards or models, since there is no mature internal control standards or models in China, it is a good way to appropriately learn from foreign advanced experience. COSO has been widely recognized, and enterprises can use it as the main reference standard and refine and supplement it according to their own actual situation. In terms of specific practices, if conditions permit, the internal audit department can take the lead in preparing the internal control manual. This manual is not a simple summary of the rules and regulations established by the enterprise in the past, but is carried out separately according to the five internal control elements of the control environment, risk assessment, control activities, information and communication and supervision described in the COSO framework, to clarify the internal control responsibilities and the control requirements of each business cycle, even including the key points of risk analysis and assessment. The manual can not only serve as a guide for all employees to follow, but also provide internal control and risk management tools for internal audit departments and managers at all levels.
(3) Reasonably formulate internal audit strategy
Based on the strategic analysis of the internal and external environment of the audit department, internal auditors can formulate their department's 3-5 year strategic plan in combination with the enterprise's development strategy. According to the experience of some large foreign enterprises, the strategic plan should at least include: (1) the role and orientation of the internal audit department: clarify how the internal audit department is positioned and transformed; (2) Clarify the challenges that the internal audit department may face in the coming years; (3) Risk analysis results of auditable fields and specific audit resource allocation plan in the coming years; (4) Appointment, selection and training arrangement of internal auditors; (5) Department informatization promotion plan; (6) Arrangement for strategic cooperation with external experts (such as joint audit machine information system); (7) Cooperation with other departments of the enterprise, especially the supervision department: such as the establishment of resource sharing information system and coordination; (8) Planning of research and industry best practices; (9) Work standards and other internal control and risk management reference guides and manual preparation plan.
The strategic plan is prepared on a rolling basis every year as the situation changes.
(4) Developing a risk oriented internal control assessment method Risk can be seen as the uncertainty faced by achieving organizational goals. The fundamental purpose of an enterprise's internal control system is to provide management for risks that threaten the achievement of its goals. Without risk, there is no need for internal control.
The above logical relationship among objectives, risks and controls is the basis for establishing internal control evaluation and ideas. Risk orientation means that the assessment of strategy and objectives and business processes precedes specific work. Internal auditors must first perform strategic analysis on the industry characteristics, business objectives and strategies of the organization and the corresponding risk management activities. Understand, for example, what the organization's goals and strategies are in the industry and market environment in which it operates, what government regulations or other forces have to do with the original transformation of the organization, and what are the most fundamental risks that affect the company's strategy.
Next, internal auditors will analyze the interrelationship between organizational objectives, strategies and important operational risks. And focus on those business areas that are easy to incur business risks and can generate additional opportunities; Determine which business processes are the most important, and then evaluate the efficiency and effect of internal control activities associated with these processes.
As the core part of the above process, the risk assessment can adopt both quantitative and qualitative analysis methods. In addition to the risk assessment method provided in the IIA textbook (selecting the reason for the risk and measuring the weight), in practice we can also classify the risks that may occur in each business process and establish the so-called risk identification map or risk database. Auditors implement preventive control by setting key variables or indicators that are easy to measure and monitoring their changes, so as to find problems in a timely manner with an early warning mechanism and give play to the monitoring function in a timely manner.
In addition, the effective use of internal control self-assessment (CSA) can also greatly improve the efficiency and effectiveness of the internal control evaluation process. CSA does not completely hand over the evaluation work to the audited unit, but takes a cooperative approach without losing the independent position of internal auditors. Using CSA can help business units understand the importance of internal control and understand that the ultimate responsibility for control and risk management lies in their own purposes. At the same time, internal auditors can also collect valuable information about soft control that cannot be obtained in traditional audit procedures.
CSA is not out of line with national conditions. As long as our internal auditors plan carefully and combine it with the traditional internal control evaluation process, they will carry out it step by step from simple to complex, and believe that they will achieve satisfactory results.
(5) Make good use of information technology
In the face of the challenges brought by the general informatization and increasingly complex business environment, internal auditors should make good use of computer technology and tools to improve audit efficiency. According to the current situation of domestic enterprise informatization, we can start from the following aspects: (1) as mentioned above, establish a database for each key business process of each audited entity, set early warning indicators to implement real-time control, and timely audit and investigate exceptions; (2) Establish a paperless fast working paper system, and the whole audit process from planning to post audit tracking can be supported by computers. The main audit findings can be communicated with the audited unit through computers at any time, and the audit report can be issued on the day when the audit field work is completed; (3) Distribute and collect internal control and risk assessment questionnaires through the company's intranet; (4) Collect audit clues (such as fraud clues) and conduct audit user satisfaction survey through the company's intranet; (5) Carry out online risk management and internal control education for all employees; (6) Obtain audit reference materials. Some international companies and government audit institutions often publish useful reference materials on the Internet, which is quite valuable for us to carry out internal control assessment (according to our knowledge, there are nearly 100 free downloadable guides on the Internet with internal control or risk management as the theme). The "online library" built with these materials can be easily shared by all auditors.
Part 6: Internal Control Risk Assessment Model
Key words: risk assessment; Safety supervision; Electric power enterprises
The 100 year development history of China's power industry, especially the efforts in power since 1949, has prompted China's power industry to develop a relatively complete management system and system in safety management. So many years of experience and lessons have prompted the power enterprises to study and analyze the management of the safe sound field during operation. Some experiences and lessons have been accumulated and rules and regulations with legal basis have been formulated. However, there are still great differences between these theories and methods and foreign advanced safety inspection management and practical operations. In terms of operation risk assessment and control of electric power safety inspection, China mainly focuses on post-processing, and the work of protection is relatively weak, which leads to frequent accidents.
1. Assessment of operation risk and idea of controlling electric power safety supervision
Through the identification, measurement and analysis of risks, on this basis, we effectively reduced the risks to the minimum, comprehensively and systematically handled the risks in the enterprise with a reasonable and economical method, and realized a scientific and reasonable management method to ensure safety to the maximum extent. Based on the power grid enterprise, the power grid enterprise increased its efforts to implement a safe production management supervision system, The main center is risk management. According to the standard and scientific methods applied in the power industry, we identify and evaluate the problems of risk control in the production process of enterprises, establish solutions to control operational risks, achieve the supervision and management of risk control, and minimize the risk as much as possible. The assessment of operational risk refers to an important link in the risk monitoring and management of power grid enterprises. The main work is to assess the hazards and risks of each task in the process of implementation. The main purpose is to understand the distribution of the causes of hazards in each type of work and the degree of risk hazards to be faced, And formulate an effective plan for risk control and management to reduce and reduce accidents and damages. The difference between risk assessment and control power safety supervision is that the risk can be quantified according to the risk assessment during the operation, the risk can be classified according to the degree of risk management, and effective and reasonable measures to control risk can be formulated for operations with high risk while the operation is being carried out.
2. Application of assessment and control in operation risk in safety supervision of electric power enterprises
2.1 Significance of application
The essence of safety supervision is risk management. The establishment of management and supervision system for safety and operation risks is also the main task that Chinese power enterprises face in the production process, and also the key point of the construction of safety risk management system, emergency management system and post accident management system, that is, the only three management systems, This is also the long-term development goal and important work content of China's electric power enterprises. It is of great significance to improve the safe production and prevention system, reduce the risk of operations, ensure the safety of electric power enterprises, and promote the harmonious development of electric power enterprises.
The traditional method of operation risk management and control is based on the experience of actual operation, which has certain requirements and norms for the safety of operations. It should have guiding and promoting significance for the safe operation, which is also a full representation of the experience and lessons learned from the safe operation risk work in the historical stage, It always falls behind the requirements of socialist economic construction on safe operation, which, to some extent, affects the further development of safe operation and production. The system of operational risk management and control is based on risk control. It puts forward the main content of risk control and management, attaches importance to the assessment and control of operational risk, realizes the safety management system, and solves the content of operational risk assessment and control management philosophy and management in the process of operational production, It ensures the risk assessment and control of safe operation.
2.2 Main application methods
How to organically combine the risk assessment and control in the operation in the electric power safety supervision, promote the risk in the operation to be better applied to the electric power safety management, and better serve the safety management and supervision, we must constantly explore, study and further deepen. According to the steps of on-site safety management supervision during the operation, the methods in practical application are studied.
(1) Formulate the plan for management supervision of risk system. In production, the safety management supervision department must summarize the general situation of operation risk assessment and control, the risk status of the operation information after power failure of the relevant management department, and develop the management supervision plan according to the relevant information materials, focusing on the important content of safety management on the tasks with high degree of operation risk, In the work of management supervision and operation site of power enterprises, management safety itself has certain risks. The work of safety management at the operation site is likely to bring risks to the operation at the construction site. Therefore, the staff of management supervision of power enterprises should change to ensure the personal safety of management personnel and will not affect the safety of operation. We must work out a plan for operational risk assessment and control, and focus on the prevention measures to reduce traffic accidents, emergencies during vehicle driving, falling objects and damage to ground objects by integrating seasonal characteristics and the environment for risk identification, assessment and control. These should be fully applied to the management and supervision of the construction site. In addition, the safety management and supervision personnel must take reasonable measures to deal with the illegal behaviors found in the construction site, so as to reduce the unnecessary risks caused by these behaviors when doing power operations.
(2) Application of risk assessment and control of operation in on-site management supervision. ① According to the results of the assessment and control of operational risks, the on-site risks of operation and construction shall be systematically arranged, managed by levels, and the relatively high risks in the operation shall be checked. ② In the process of on-site safety supervision of electric power, personnel inspection, equipment inspection and on-site inspection are carried out by using a combination of different forms of questioning, inspection and observation. In addition, the results of job risk assessment and control are compared with the conditions of the job site, It also inspected the construction site according to the methods and thoughts of job risk assessment and control, and supplemented the industrial control of job risk assessment.
(3) The department that found problems in the safety management audit and gave feedback, pointed out the shortage of sudden control in the operation risk assessment, and required to make every effort to improve the practice base of operation risk assessment and control, which provided convenience for the next operation in risk assessment and control. At the same time, it is also necessary to conduct training on the assessment and control of operational risks, so that managers can better understand the effective measures to control many problems existing in operational risks.
(4) Systematically summarize, summarize and analyze the data of safety supervision according to the classification of risks and hazards in the operation according to the assessment and control methods in the operation risk. We found many problems in the process of total analysis, and collected the information data of risk hazards of operations as the source of data for the modification of operational risk assessment and control and the dynamic update of risk assessment in the next year. In the previous summary and analysis of management supervision, more attention was paid to the summary and analysis of different types of violations, ignoring the analysis of operation risk assessment and control behind the violations, thus the risk and prevention measures would not be well established, and the risk control in advance was achieved.
3. Summary
This paper introduces the application of job risk assessment and control in electric power safety supervision, which has been widely applied to practical work in some electric power enterprises, and has achieved good results. No matter what form of expression and practical application, the theoretical idea of the problem in the assessment and control of operational risk, according to the method of assessment and control in the operational risk, is a good service for the management and supervision of safety in electric power enterprises, guiding the safety and management departments of electric power enterprises to expand new ideas when they are in production, To a great extent, it has realized the assessment and control of operational risk, and promoted the improvement of safety management supervision level of China's power enterprises.
reference
[1] Li Zhengyao. On the Application of Job Risk Assessment and Control in Electric Power Safety Supervision [J]. Research on Urban Construction Theory, 2012 (16)
[2] Feng Bin. Research on power maintenance work of safety production risk management [J]. Power Informatization, 2010 (12)
[3] Meng Wei, Li Wei, Yang Jianmin. Thoughts on the application of risk control in power production management [J]. Inner Mongolia Power Technology, 2004 (05)
[4] Tong Shiyu, Song Wei, Shi Yunlong. Development of power grid operation risk assessment and pre control system [J]. Safety. 2012 (08)
[5] Wang Kunlin. Risk Assessment and Management of Power Supply Enterprises [J], Yunnan Electric Power Technology, 2011 (01)
[6] Wu Minbo. Application of risk assessment and control in safety management of power enterprises [J]. Enterprise Technology Development, 2011 (15)
Part 7: Internal Control Risk Assessment Model
Keywords: internal audit; Grassroots central bank; risk management
With the development of various businesses of the People's Bank of China, the occurrence of all kinds of potential risks and cases and accidents has seriously affected the image and performance of duties of grassroots central banks. Risk control and prevention have become the focus of internal management and control of grassroots central banks. Internal audit can review and evaluate risk management at the unit level (such as organizational governance, system design, etc.) and department level (such as treasury, issuance, etc.), analyze the problems and causes of risk management at relevant levels, and put forward targeted policy recommendations. Therefore, the participation of internal audit in risk management is an effective way and development direction to improve internal control, prevent system risks and ensure the standardized operation of central bank business.
1、 Analysis on the Current Situation of Risk Management of Grass roots Central Bank
In recent years, the business development of the People's Bank of China has gradually presented the characteristics of "three modernizations", namely: centralized capital clearing, systematic business processing, and informatization of financial management. At present, the grassroots central bank basically sets up three departments for supervision and inspection, namely, internal audit, inspection tour and discipline inspection and supervision. The inspection tour is aimed at the party committee of the grassroots central bank. The discipline inspection and supervision mainly focuses on the construction of party conduct and integrity, and the construction of punishment and prevention system. The internal audit mainly focuses on important businesses and key fields. It has once conducted inspections on the national treasury, issuance Most central sub branches of the post supervision center specialized in post supervision of basic businesses such as capital clearing have been cancelled or merged, and each department or sub branch has set up post of post supervision to supervise its own work. The reform and innovation business has greatly promoted the economic development of the jurisdiction, but the corresponding supervision and restriction mechanism has not been established and improved in time. For example, the financial IC card application project vigorously promoted by branches and sub branches to build a rural credit system and serve the people's livelihood is a popular project to promote economic development and facilitate people's life, but many potential risks and hidden dangers arise in the process of operation and application. How to prevent these risks and hidden dangers has not been a systematic supervision and restriction mechanism up to now.
2、 Problems in Risk Management of Grass roots Central Banks
At present, the grass-roots central bank carries out risk management according to the mode of "combining decentralized control with centralized supervision". On the one hand, the business department of the superior bank carried out vertical supervision and management on the risks of its business line; on the other hand, the Bank's internal audit department carried out horizontal supervision and inspection on the business. Through years of practice, the current risk management model of the grassroots central bank has achieved good results in promoting the performance of the People's Bank of China's duties. At the same time, there are mainly the following problems:
(1) The utilization rate of internal audit results is low, which affects the function of internal audit
The internal audit department, as the main driving force of risk management, sent the audited departments with rectification notices for the problems found in the audit. Individual audited departments failed to pay full attention to the cause analysis of the problems and potential risk losses, resulting in repeated investigations of some problems, which made it difficult for the internal audit work to achieve good results.
(2) Risk management awareness needs to be strengthened
First, most of the risk management of grassroots central banks is in the form of departmental business systems, and risk management lacks systematic coping strategies. Second, at present, some employees of the grassroots central bank have insufficient awareness of the importance of risk management, and their risk concept and regulatory awareness are not strong.
(3) Risk management organization and system are not perfect
At present, the People's Bank of China has not yet formed a systematic and independent risk management system, nor a clear and unified risk management department. It mainly relies on the audit supervision of the internal audit department for post risk discovery and management, with insufficient prevention and in-process monitoring.
3、 The Role of Internal Audit in Promoting Risk Management of Grass roots Central Banks
The inherent relative independence of internal audit makes it more able to identify, analyze and evaluate risks from the overall perspective, timely find the weak links in the risk management system, put forward risk early warning, and achieve effective risk control; At the same time, as an important supervision department of the internal management of the grassroots central bank, it has the characteristics of regular and comprehensive supervision. It can carry out audit supervision on the business work of the branch central bank at any time, conduct comprehensive analysis and assessment of the risks faced, and timely prevent and resolve the risks faced by the grassroots central bank. Therefore, internal audit can play an active role in promoting the risk management of branch central banks.
(1) Effectively carry out audit supervision and give full play to the role of internal audit
According to the characteristics of the vertical management system of the People's Bank of China, the internal audit supervision should actively implement audit projects against key problems and weak links, so as to achieve a targeted view, so as to better play the role of internal audit: first, audit supervision should be carried out according to the internal audit projects uniformly arranged by the superior bank; The second is to make audit arrangements for the issues concerned by the bank leaders; The third is to select audit projects and implement audit supervision in line with the requirements of internal audit innovation and transformation.
(2) Promote the construction of long-term mechanism of internal control, and promote the continuous strengthening of internal control management
Effective internal control is a necessary means to prevent risks. It is the responsibility of the management of the organization to build an effective long-term internal control mechanism. However, as an important part of the organization, the internal audit department must play its due role in the construction of the long-term internal control mechanism. First, it is necessary to actively play the "ear and eye" role of leaders, and timely understand and master the current situation of the bank wide internal control management, Identify weak links and put forward constructive suggestions on internal control mechanism to the bank leaders. The second is to strengthen audit consultation. Fully communicate with the audit objects, analyze and evaluate their internal control status, analyze the causes of the problems, put forward improvement suggestions from the perspective of internal audit, and promote them to continuously strengthen internal control to achieve the optimization of internal control. Third, we should strengthen the follow-up supervision of audit, actively urge functional departments to earnestly perform their responsibilities of internal control management, earnestly rectify various problems found in audit, and promote the construction of a long-term mechanism of internal control.
(3) Actively carry out risk identification, assessment and response to ensure that risks are under control
Grass roots central banks should establish a risk oriented audit mode of "risk guided audit and audit focused on risk". Risk identification, assessment and analysis shall be carried out regularly in all business functional areas of the Bank, and risk assessment shall be carried out by reference to the procedures in the Head Office's risk assessment pilot measures, to evaluate whether the existing risk control measures are scientific. For business function areas with high assessment risk, strengthen audit supervision, deeply analyze the problems found in the audit, and scientifically take corresponding measures to achieve effective risk control.
4、 The Assumption of Internal Audit Participating in the Risk Management of Grass roots Central Bank
The internal audit participating in the risk management audit of the grassroots central bank should clarify the overall goal, that is, take the overall work goal of the central bank as the standard, and take the audit and evaluation of the internal control status of the grassroots central bank as the basis to supervise and evaluate the adequacy, rationality and effectiveness of various business departments and units in risk identification, control and supervision. We take the treasury business of the grass-roots central bank as an example, and the specific operation ideas are as follows:
(1) Risk identification
Risk events can be classified from multiple perspectives according to different classification principles. Different risk classifications play an important role in formulating risk management strategies later. The collection of initial information mainly refers to the collection of various problems found in the supervision and inspection of the unit or department in the past three years. From a large amount of initial information, the organization will classify and analyze the risk events of the unit or department. For example, 7 risk events were identified in treasury business (see Table 1):
(2) Risk analysis and risk evaluation
1. The establishment of risk event assessment standards for risk identification, analysis and assessment shall combine qualitative and quantitative methods. To conduct accurate risk event assessment, relatively reasonable and accurate assessment standards must be developed, which is an important part of risk assessment. We can use the supervision and inspection results of the treasury business in the past three years as the basis, adopt analytical review, and verify through repeated discussions. In order to verify the rationality of the standard, we used the supervision and inspection results of this year for a return test. The return test results are: all participants agree that they passed the test. Finally, the assessment criteria for risk events of treasury business are determined as shown in Table 22. The probability of occurrence analysis is compared with the assessment criteria, and the probability of occurrence of risk events is analyzed. First, form an appreciable judgment reason, and determine the level of probability of occurrence in comparison with the assessment criteria, as shown in Table 3:4. When assessing risks with the risk coordinate map, the risk coordinate map should be drawn based on the assessment of the probability of risk occurrence and the degree of impact on the target. The function of risk coordinate chart is mainly to determine the priority and strategy of risk management. For specific application, first draw the risk coordinate area map. The risk coordinate area map is to transform the boundary of risk strategy principles into some dangerous sections in the coordinate map, divide the coordinate map into several areas, and form the risk coordinate area map. The risk events in different regions have different management strategies. We convert the risk strategy principle boundary into two straight lines and a 1/4 arc line to partition the risk coordinate map. As shown in Figure 1, we regard the coordinate map as divided into four areas by three lines: red area (Area A) is a double high-risk area, green area (Area D) is a low-risk area, light area (Area B) near the ordinate is a high-risk area, and light area (Area C) near the abscissa is a high-risk area. Risk events fall in different regions, and different risk management strategies are adopted in principle.
(3) Risk assessment results and internal audit work
According to the risk management work flow chart, risk events are evaluated and risk management strategies are determined. For risk events such as 1, 2, 3 and 7, which are in high risk areas, we should pay close attention to them, formulate specific operational strategies, and the internal audit department should strengthen inspection efforts. For risk events such as 4, 5, 6 and 8, the inspection frequency can be appropriately relaxed. For risk events in high-risk areas, it is necessary to deeply analyze the causes, propose targeted countermeasures, and provide reference for leaders to make decisions.
5、 Problems that Internal Audit Should Pay Attention to in the Risk Management of Grass roots Central Bank
(1) Risk management supervision and evaluation shall be based on risk management process and risk assessment standards
One is to see whether the various risks that run through the central bank can be effectively identified and managed. It is not only necessary to identify the individual risks faced by a certain department, but also to be able to identify the interaction between each risk as a whole, and collect and integrate various separated information to effectively manage risks. Second, it can effectively assess and measure risks, so that the management can obtain more information, focus on high-risk business and management activities, and then reasonably allocate resources to improve management efficiency. Third, it can effectively promote the central bank to perform its duties.
(2) The internal control mechanism needs to be improved and the internal control evaluation level needs to be further improved
First, after the functional adjustment of the People's Bank of China and the organizational reform of sub branches, individual departments and sub branches failed to timely revise their job responsibilities and operating procedures according to the changes in the business functions of internal departments. Second, the superior bank has lagged behind in the formulation and improvement of some systems, especially in recent years, the financial business has developed rapidly, new situations and problems have emerged constantly, the old system cannot cover all risk points, and the new system has not been improved and enriched in time, resulting in blind spots in internal control and certain potential risks. Third, the internal control evaluation and supervision mechanism is not unified. If the control evaluation is carried out on its own basis, and the supervision evaluation is carried out on the basis of the Bank's external supervision, a unified internal control evaluation system has not been formed, resulting in different audit priorities determined by each bank.
(3) Insufficient technical content during operation
On the one hand, there is no scientific and reasonable sampling method and sampling quantity in the on-site inspection process, which is easy to cause inspection risks. On the other hand, from the perspective of the whole bank, risks were not systematically and effectively identified and scientifically defined according to scientific regulations, and risk assessment framework was not established; Moreover, the method of combining quantitative and qualitative analysis is not fully used to analyze risks, which leads to inaccurate determination of risk hazards.
(4) The quality of internal auditors needs to be improved
On the one hand, for a long time, the internal auditors of the grassroots central bank have adapted to the traditional audit model of error detection and correction, less consideration has been given to risk control factors, the concept of risk audit evaluation is weak, and the necessary theoretical basis for risk identification and risk assessment is lacking. On the other hand, the evaluation personnel's mastery of standards and judgment ability directly affect the results of evaluation and inspection. The level of internal auditors cannot meet the needs of a large amount of information judgment during on-site inspection, resulting in inspection risks.
reference:
[1] PBC Shanghai Headquarters Research Group, "Internal Audit's Supervision and Evaluation of the Central Bank's Risk Management", China Internal Audit, 2008, Issue 3
[2] Liu Qingyu, Wang Fengyan, "Enterprise External Quality Risk Assessment Method", Quality Safety Management, 2006, Issue 5
[3] Li Hengxin, "Scientific risk assessment method in risk management", China Packaging Industry, 2007, Issue 9
[4] Lan Fang, "Reflections on Internal Audit's Participation in Enterprise Risk Management", Audit Forum, 2007, Issue 5
Part 8: Internal Control Risk Assessment Model
Key words Risk assessment Internal audit application practice
With the continuous development and expansion of China's market economy, all businesses of banks are faced with heavy responsibilities, and internal audit is no exception. However, there are still some problems in the process of carrying out internal audit, which restrict the improvement of relevant work efficiency. This article takes the way of bank internal risk assessment as the entry point of the article, and elaborates on the relevant solutions.
1、 Ways of internal risk assessment of banks
(1) The choice of risk management mode. In the process of risk analysis and assessment, the internal audit department of the bank, on the one hand, understands the risk control level of the bank through the application of the risk control system; On the other hand, it is necessary to adopt an effective risk assessment model to effectively assess the degree of risk. Through the understanding of risk mastery and anti risk ability, we can accelerate the development process of banks and give correct evaluation. In the process of bank development, both the bank's risk and its fixed risk are closely related to the control risk. Fixed risk refers to the probability of errors between the bank's internal control, accounting treatment and the audited object. Control risk refers to the probability that the errors of accounting treatment and the audited object have not been corrected by the bank's internal control system. Combining the probability product of control risk and fixed risk, we can get the risk value left by the bank under internal control. It is easy to see that the risk assessment system plays an important role in promoting the development of banks. Through the acquisition of value at risk and the ability of banks to bear risks, it can provide effective risk management models for banks.
(2) Exploring the risk assessment process. In the exploration of the risk assessment process, the main contents of the design are to define the risk items, divide the audit objects, understand the risk factors, measure the risk degree, evaluate and control the risk capability, etc. The specific contents are as follows: 1) divide the audit objects. In the process of dividing audit objects, we should adhere to the principle of different dimensions and different division methods, and help the bank management and internal audit staff to have good communication, so that we can effectively analyze the results in the process of risk assessment of audit objectives, and provide more effective guidance for the bank's audit work. The audit dimension mainly refers to the selection of appropriate development strategies by banks in combination with their own actual conditions. In addition, in the process of dividing audit objects, we can combine the internal management, product type, organization and other aspects of the bank to make the division more reasonable and scientific. 2) Clarify risk matters. Risk matters mainly include the determination of risk categories, as well as the clarification of risk factors and events. In the process of classification, the bank's operation, external supervision and cost-effectiveness should be taken into consideration. At present, the risks faced by Chinese banks mainly include legal risk, credit risk, market risk, strategic risk, etc. Risk factors mainly include capital, supervision, technology management and market competition. 3) Calculation of fixed risks. In the calculation of fixed risks, the probability and degree of impact of risks should be taken into account. The probability measurement of the occurrence of risk should be combined with the specific situation to classify the risk level. The risk impact degree mainly considers the loss degree of the bank's asset cost and the safety factor. Only scientific fixed risk measurement can effectively identify the hazards caused by risks in the continuous and rapid development of banks and provide effective decisions for the efficient development of banks. 4) Evaluate and control risk capability. Banks should budget and objectively evaluate their own risk resistance ability based on the size of fixed risks. There are many budget methods adopted, such as walk through test method and gap analysis method, to obtain the ability of enterprises to control risks. At the same time, in the process of risk assessment, the residual risk should be calculated finally to provide reliable information and materials for the in-depth development of the enterprise.
2、 The Application and Extension of Internal Audit Risk Assessment Results of Chinese Banks
(1) Integrate audit resources centered on bank internal audit risk assessment. As the internal audit of commercial banks in China started late and lagged behind the internal audit of banks in developed countries, it is difficult for audit resources to meet the growing needs of business development. At present, China's economy continues to develop at a high speed and commercial banks are developing rapidly. However, internal audit resources of China's commercial banks are scarce, the proportion of relevant employees in the total staff of banks is low, and professional skills and qualities are uneven, which is difficult to meet the needs of complex internal audit work of banks. It makes the emerging businesses of China's commercial banking industry, such as online banking, personal loans, information security, wealth management products, face huge risks. Therefore, in order to improve the efficiency and effectiveness of the Bank's internal audit department, we must be risk oriented, scientifically and reasonably allocate audit resources, allocate the limited audit resources to the most needed audit links according to the risk assessment results, develop scientific and rigorous audit systems, audit work processes, audit plans, and define audit projects and audit frequency, So as to effectively supervise each key link of banking business and operation. Through a comprehensive risk assessment of banking business, identify and control business areas with high risk, and assign experienced audit personnel to audit.
(2) Improve risk management. In the process of building the risk management framework of China's banks, banks should take process reengineering, institutional setting and staffing as the starting point in accordance with the requirements of the SASAC and the CBRC, so as to effectively achieve all-round management of multiple risks. The effective implementation of the risk assessment of the bank's internal audit can not only provide effective guidance for the formulation of audit plans and audit methods, but also make the bank's internal risk management more reasonable and scientific. The risk assessment results effectively reflect the remaining risk level of each audit unit, and can timely identify some potential risk factors, optimize the internal control process, improve the relevant system, strengthen risk management, effectively promote the improvement of the bank's risk control ability, so as to successfully achieve the control objectives.
(3) On the basis of risk orientation, determine the audit focus and realize the effective transformation of internal audit function. The risk assessment work of banks in China is at the initial stage, and there is no relatively mature and complete risk assessment system. Banks have a long way to go if they want to rely on the results of risk assessment to guide the relevant work of banks. Therefore, the internal audit department of the bank should implement the concept of risk assessment throughout the bank's work, so as to promote the quality and efficiency of audit work and effectively promote the development process of comprehensive risk assessment. The internal audit department of banks in China is generally transformed from the audit and supervision department. In the past, the work focused on the content of error detection and correction, and its focus was also on the internal control system of banks. This work mode of focusing on the control system without risk assessment has certain drawbacks, mainly reflected in:, The speed of control change cannot keep up with the rapid change of the business environment, and it is meaningless to audit the control that has become a past style and has nothing to do with the current risks. It can be said that the premise of effective control is to effectively assess the current risk. It can be seen that control is dependent on management risk. The risk oriented audit conducted on the basis of risk assessment makes the staff more concerned about the risks they face when carrying out their work, thus making the audit work more targeted and purposeful, and helping to quickly achieve the work goals.
3、 Conclusion
It is of practical significance to promote the sustainable development of banks by improving the quality of internal audit. As an important part of the internal audit work of banks, risk assessment should be given sufficient attention, actively exploring new work models, changing work concepts, improving risk management, determining audit priorities on the basis of risk orientation, realizing effective transformation of internal audit functions, and improving banks' ability to resist risks, Only in this way can we effectively reduce the risks faced by banks and protect their efficient and long-term sustainable development.
(The author's unit is Wuhan Branch of Audit Bureau of Agricultural Bank of China)
[About the author: Anita Gui (1978 -), female, from Wuhan, Hubei Province, bachelor's degree, intermediate economist, research direction: audit.]
reference
Part 9: Internal Control Risk Assessment Model
Keywords: internal audit; risk management
CLC No.: F239.62 Document ID No.: A Article No.: 1672-3198 (2007) 07-0139-02
Every organization has its own goals. In the process of achieving goals, there are uncertainties that affect the realization of goals. An important responsibility of enterprise management is to establish a good risk management system to identify, evaluate and control risks and provide reasonable assurance for the realization of enterprise goals. The role of internal audit in risk management is to monitor, inspect, evaluate and report the adequacy and effectiveness of the management's risk management process, and propose improvements
See, help enterprises improve risk management and control system, so as to add value to enterprises.
1 Introduction to enterprise risk management system
The essence of enterprise risk management (ERM for short) is that enterprises effectively use various resources to manage risks in a strategic way, so that enterprises can operate in a stable way in a changing environment, thus obtaining opportunities to increase value. In the global competitive market, any enterprise is in a volatile environment. Enterprises are facing more and more risks, and the scale of losses caused by risks is also growing, which urge enterprises to pay high attention to risk management. To evaluate the adequacy and effectiveness of the risk management process, a preliminary understanding of the risk management system is required. According to the requirements of the Enterprise Risk Management Framework issued by the COSO Committee of the United States, the establishment of a risk management system includes eight interrelated risk management elements, which run through the enterprise management process to ensure the realization of enterprise goals.
(1) Internal control environment. It is mainly to establish the concept of risk management in the enterprise and create a risk management culture, including the establishment of the enterprise's risk culture, the formulation of clear strategies and objectives, the identification of the enterprise's risk owners and stakeholders, the use of a unified risk language, and lay the foundation for other risk management elements.
(2) Goal setting. Managers must first determine the objectives of the enterprise before they can determine the matters that have potential impact on the realization of the objectives. According to the tasks or expectations determined by the enterprise, the manager formulates the strategic objectives of the enterprise, selects the strategy and determines other goals related to it, and decomposes and implements them in the enterprise level by level.
(3) Event identification. The following things may bring risks to the organization: incorrect, untimely, incomplete and unreliable data may lead to wrong decisions; The records are incorrect, and the accounting data are not true and complete; Improper asset protection; Customers are dissatisfied and the reputation of the organization is damaged; Inadequate implementation of organizational decisions, plans and procedures, or violations of laws and regulations; Uneconomically acquiring or ineffectively using resources; The organization's tasks and objectives were not completed. It needs the managers of the enterprise to identify, evaluate and respond to it.
(4) Risk assessment. Risk assessment is one of the key steps in ERM implementation. In the process of risk assessment, attention should be paid to selecting appropriate assessment techniques, assessing the possibility and frequency of risk events, the potential impact of risk events and their costs, and finally drawing a risk map. There are many methods to evaluate risk events, such as quantitative methods and qualitative methods. Enterprises can develop their own evaluation methods according to their own specific conditions.
(5) Risk response. Risk response can be divided into four categories: risk avoidance, risk reduction, risk sharing and risk acceptance. For every important risk
All risk response plans should be considered. Effective risk management requires managers to select risk response plans that can make the possibility and impact of enterprise risks within risk tolerance.
(6) Control activities. Control measures are to assess the additional costs and insurance costs caused by risk acceptance and the management costs and returns caused by control when accepting risks. In the case of risk reduction, identify the required control activities, and assess the cost of these control activities. Control activities also include assessing the ability of current organizations, procedures, systems and feedback systems to manage risks. Finally, adjust the risk map by controlling behavior. The possibility and frequency of risk occurrence are difficult to change. The most effective way is to reduce the risk to the extent that the enterprise can bear it by controlling the risk management cost.
(7) Information and communication. The information system should effectively track the events that are happening and have been avoided in the enterprise. At the same time, the enterprise should ensure that there are timely ERM reports on all levels of the enterprise. Costs and control activities incurred in risk activities. Secondly, the effectiveness and cost of ERM should be communicated. Ensure that there are regular ERM reports in the enterprise, especially the completion of employees' responsibilities and obligations and the inspection of ERM. CRO and other important executives should measure and archive the effectiveness and cost of ERM, and clarify the responsibilities and ways of reporting to the board of directors and executives.
(8) Monitoring. The monitoring of enterprise risk management refers to the process of evaluating the content, operation and implementation quality of risk management elements. An enterprise can ensure that its risk management is continuously implemented at the internal affairs management level and in all departments through continuous monitoring and individual evaluation. Risks are not static. The number and possibility of risks will change with the change of internal and external environment. Continuous monitoring is the most basic for effective risk management. Through continuous monitoring, enterprises can identify the problems that should be improved in the next step of risk management. This link can clarify the benefits and values ERM can bring to enterprises, understand the correctness of risk assessment, provide lessons for the next assessment, clarify the effectiveness of risk response decisions, and help control costs.
From the above eight risk management elements, we can see that enterprise risk management is a process. It is a process involving the board of directors, management and other employees of the enterprise, which is applied to the formulation of enterprise strategy and to all levels and departments within the enterprise to identify matters that may have potential impact on the enterprise and manage risks within its risk appetite, so as to provide reasonable assurance for the realization of enterprise goals.
2 The role of internal audit in risk management
According to the definition of internal audit in the Standards for Internal Audit Practice, internal audit is an independent and objective assurance and consulting activity, which aims to add value to an institution and improve its operational efficiency. It uses systematic and standardized methods to evaluate and improve risk management, control and governance procedures, so as to help the organization achieve its goals. Therefore, in risk management, internal audit can play the following roles:
(1) The internal auditors are familiar with the company's business and can go deep into the whole process of production and operation at any time to understand and grasp the specific situation, collect a large number of first-hand data, find out the potential problems with risks, conduct risk analysis, and draw the management's attention to the relevant suggestions on risk management and control.
(2) The internal audit actively assists the company to establish the risk management process through consulting services. Risk management is a complex system engineering. In an organization, the division of responsibilities should be clear and each should perform its own duties. The Board of Directors is responsible for formulating strategic objectives, senior leaders are responsible for one aspect of risk management, other managers are assigned part of the work by the management, operators are responsible for daily monitoring, and internal auditors are responsible for regular evaluation and assurance. Internal auditors can promote and assist the establishment of risk management process, but they are not responsible for risk management.
(3) Internal audit takes risk management evaluation as the focus of audit work to check and evaluate the adequacy and effectiveness of risk management process. Internal audit mainly evaluates the adequacy and effectiveness of the risk management process from two aspects.
① Evaluate the completion of the main objectives of risk management. It is mainly reflected in evaluating the development situation and trend of the company and the industry, and determining whether there may be risks affecting the development of the enterprise; Check the company's business strategy and understand the acceptable risk level of the company; Discuss the department's objectives, existing risks, and risk reduction and control strengthening activities taken by the management with relevant management, and evaluate their effectiveness; Evaluate whether the risk monitoring and reporting system is appropriate; Evaluate the adequacy and timeliness of risk management results report; Evaluate whether the management's risk analysis is comprehensive, whether the measures taken to prevent risks are complete, and whether the suggestions are effective; Conduct on-site observation and direct test on the management's self-evaluation, check whether the information on which the self-evaluation is based is accurate, and other audit techniques; Assess the management weaknesses related to risk management and discuss with the management, the Board of Directors and the Audit Committee. If the risk level they accept is inconsistent with the company's risk management strategy, they should report it.
② Evaluate the appropriateness of the risk management method selected by the management. Due to the different cultural atmosphere, management philosophy and work objectives of each company, the implementation of risk management is also very different. Each company shall design the risk management process according to its own activities. Generally speaking, large-scale companies that raise funds in the market must use formal quantitative risk management methods; For those with small scale and less complicated business, informal risk management committees can be set up to carry out evaluation activities on a regular basis. The responsibility of internal auditors is to evaluate whether the company's risk management method and the nature of the company's activities are appropriate.
(4) The internal audit shall actively and continuously support and participate in the risk management process, and manage and coordinate the risk management process. Under the modern enterprise system, the company has fully established the risk management process, so the internal audit can assume the function of risk management. First of all, the internal audit starts with evaluating the internal control system of each department, looking for management loopholes in production, procurement, sales, financial accounting, human resources management and other fields, identifying and preventing risks, and making relevant evaluations. Secondly, internal audit can go deep into the extremely subtle aspects of enterprise management to find problems and analyze their rationality. Internal auditors are more likely to find and prevent risks based on the probability of risk occurrence and go deep into each process of operation and management. Thirdly, internal audit also plays a coordinating role in the department risk management. Not only each department has internal risks, but also each management department has a shared comprehensive risk. As an independent third party, internal auditors can coordinate all departments to jointly manage the enterprise to prevent risks brought by macro decision-making.
3 Integrate enterprise risk management into internal audit procedures
In risk management, the internal audit department mainly re supervises the risk management carried out by the risk management department and other relevant departments. Therefore, the internal audit procedure and the risk management of the institution should be coordinated to make the two work synergistically.
(1) When preparing the audit plan, the internal audit department should formulate the audit plan and determine the audit items on the basis of the assessment of the risks that may affect the organization.
(2) When determining the audit scope, we should consider and reflect the strategic planning objectives of the whole company, and evaluate the audit scope once a year to reflect the latest strategy and guidelines of the organization.
(3) When preparing the audit plan, determine the focus of audit work through risk factor analysis; In the process of audit implementation, through evaluating the internal control system, find out the omissions and weak links; When updating the audit scope and plan, reflect the changes in the management's policies, objectives and work priorities. When selecting technologies and methods to detect and verify risks, the significance and possibility of risks should be reflected.
(4) When preparing the audit report, it shall evaluate the risk management status, point out the loopholes and shortcomings in risk management, and put forward suggestions on strengthening management.
