Research on the Relevant Issues of Risk-oriented Internal Audit YANG Guoli1,2, SUN Kexin1,2,DI Mengyan2 1. Management School, Wuhan University of Technology, P.R.China, 430070 2. Accounting Institute, Hebei University of Economics and Business, P.R.China, 050091 lee7301 @126.com Abstract: This paper focuses on theoretical research and the implementation of conditions, analyzes the problems in light of risk-based internal audit in our country's specific situation, proposes solution suggestions. Overall, based on the necessary conditions that the implementation of risk-oriented internal audit should have, the paper combined with the latest developments of risk-oriented internal audit theory, considers the current specific situation of internal audit in China. Through theoretical research, the author hopes to help enterprises establish a risk-oriented internal audit mode and strengthen operation management, increase economic efficiency, realize the goal of value increasing of target enterprise better, protect the interests of investors. Keywords: internal audit, risk-oriented internal audit, risk management

1 Introduction In “Organizational Governance – Internal Audit Guide” IIA points out clearly that: “Internal audit confirms organizational risk management, control and governance procedures, thus becoming one of the important cornerstones of effective governance.” We can say that IIA’s professional standards lead internal audit work to be on the road of risk-oriented audit completely, make the risk- oriented audit run through the whole process of internal audit. Most of the domestic research draws on theories of foreign audit results. According to the representative of Chinese scholars, Chunyuan Hu, the most significant feature of “risk-oriented internal audit” is that it will put customers into a big economic environment, use three-dimensional observation theory to determine the factors that affect the business continuous operation. Both internal and external sides of all those factors, from the business environment, conditions of the enterprise to the mode of operation and management mechanism, are used to analyze and evaluate audit’s risk level. And customers operational risk is implanted into the assessment of its own internal audit. On January 1, 2002 China began to implement it. “Internal Audit Practice Standards” changed in 2004 and 2005 push the enterprises’ internal audit work to the track of risk-oriented audit. The basic norms and concrete standards of internal auditing also take full account of this new trend. China’s internal audit will follow the risk-oriented thinking identified by these guidelines, and use enterprise risk management methods to carry out internal audit work.

2 Problems of the Application of the Risk-oriented Internal Auditing in China The risk-oriented internal auditing is of advanced and scientific nature. But as a new auditing model, China should carry on a dialectical understanding to it. Before applying the risk-oriented internal auditing, China should analyze the restrictive factors of carrying out this auditing model in the light of its own economic development level and internal auditing industry development condition in order to guarantee its implementation effect better. 2.1 The Internal Audit Doesn’t Play a Significant Role in the Risk Management Internal auditing function display in risk management depends on the mind extent and the specific implementation methods made by the enterprise management and internal auditing staff.For a long time, the lack of knowledge on how to involve internal auditing into enterprise risk management results in 136

inadequate control of internal audit risk, which mainly shows in the following aspects: 2.1.1 Enterprises risk management method is backward In practical internal auditing in china, enterprises mainly use qualitative analytical methods, less methods of risk based assessment skills, internal control self-assessment, analytical test, etc; and do not properly use risk assessment models to determine its work focus so as to give auditing priority to high-risk activities.Therefore, enterprises can’t decide its auditing focus and find auditing weaknesses loopholes in the light of the internal control system. Risk management of china is relatively backward compared with the international advanced enterprises in making extensive use of mathematical statistical models, financial engineering and other advanced methods.The lag of risk management stems from a lack of mature theoretical guidance, while the backward risk management methods directly. As a result, enterprise cannot properly predict, identify, assess and hedge the risks, thus affecting the smooth realization of business objectives. 2.1.2 The weakness of enterprise risk management consciousness In china, a lot of units are lack of strong risk management consciousness. Some internal auditors don’t think internal auditing play a role in risk management. This shows that the internal audit staff have no enough knowledge of risk management, lack risk management awareness and hasn’t realized the importance of risk management. That’s an important reason why internal auditing is unable to play a role in risk management. 2.2 Weak Consciousness of Internal Auditing Benefit and Cost Control Internal auditing benefit is divided into measurable auditing benefit and immeasurable auditing benefit. Measurable auditing benefit directly indicates audit effect in currency, including: the value saved or reduced by means of correcting accounting errors and the value saved by correcting the wrong actions. Immeasurable auditing benefit indicates auditing effect in non-currency, mainly including: strengthening risk management, enhancing internal control mechanism, providing reference for leader’s decision, promoting work efficiency, etc; internal auditing cost is to cost less than the loss of auditing case. However, internal auditing belongs to enterprises management function, which brings invisible benefit and inestimable cost and benefit directly. In china, internal auditor’s weak cost consciousness (especially in project cost management), mainly shows in the following aspects: first,time cost; second,leaving the cost benefit principle out of consideration when project approved; third,labor cost. At present, few enterprises have strict real time cost control and sense of cost control measures. 2.3 Inadequate Corporate Governance Structure 2.3.1 An imbalance between the setting of enterprise governance structure and internal audit organizations Independence and authority of internal auditing to achieve its value-added features are the most basic and important prerequisite. In order to ensure the independence and authority of enterprise in internal audit institutions to make it a better role, internal audit institution is an important part of the corporate governance control mechanism all the time. Internal audit organization model in China is mainly divided into the following types: First, internal audit institution is the subordination of the team of General Manager. Company’s financial department is in charge of managing. Because of the lowest independence and authority, and the worst effect, it has been basically eliminated; Second, internal audit institution is the subordination of the team of General Manager which is directly in charge of internal audit institution. Despite a little higher independence and authority, internal audit institution cannot control operation of senior management; Third, internal audit institution which is the subordination of board of directors or governance committees has much higher independence and authority and can go deeply into all levels of management to assist the board of directors of the company’s business process monitoring. But if the Audit Committee’s role is weakened, its independence and authority will be unable to be enhanced. Fourth, internal audit institution is the subordination of supervisory board. Company’s Chief Supervisor is in charge of managing it. It has the

137

highest independence and is capable of monitoring the actions of directors, senior management. If the board of supervisors has no right, but only a post, then the result is not satisfactory; Fifth, under the dual leadership of general manager and board of directors, internal audit institution has maximum independence of internal audit and the highest authority. From the perspective of organizational model of internal audit, the fifth model is most reasonable. But the internal audit organizational model of most enterprises in China fails to achieve this level. According to incomplete statistics, more than 60% China’s joint-stock company’s chairman holds a concurrent post with general manager. At present, a considerable portion of china’s joint-stock company’s management structure has been seriously distorted: Some chairmen ask for holding a concurrent post with general manager: some managers disagree with the rules of procedure and decision-making procedures, so that the board of directors and the board of supervisors exist in name only; Decision-making organization and executing organization blurred responsibilities and duty, so that the board of directors strategic decision-making functions are not full played. In addition, checking and balancing mechanisms within a certain range are not good enough, as well. 2.3.2. The senior management personnel ignore internal audit work At present , China’s current supervision of internal controls mostly caters to the Commission’s rules and regulations and is intervened by the government’s administration. That’s why the internal audit in Chinese enterprises lack internal motivation compared with the work in Western countries where the enterprises carry out internal audit work required by make decisions on their own. It results in senior management of companies not paying sufficient attention to the internal audit work.Furthermore, some senior leaders one-sided think that internal audit is to check their internal economic problems that will affect the unity and stability of enterprise workers, and decentralize management of energy, while others think that the internal audit limits their operational autonomy, and weakens their own authority. For this reason, many enterprises have ineffective internal audit bodies; internal audit personnel have no power but a post; and even many internal audit institutions are put aside in the actual work and ignored; the internal audit’s role of strengthening the internal management is not fully understood or not understood correctly. The internal auditor institution has not been seen as a whole or a relatively independent part of the enterprise but is treated as alien or assimilated power. Some enterprises management staff psychologically exclude the internal audit or see it as its subordinate. The hostile attitude of the senior management make the internal audit work more difficult to be carry out so that internal auditors will lack sense of achievement and lose enthusiasm for internal audit work. There will be no active co-ordination power for other departments’ employees so that corporate internal control system will be in name only. As a result, the right of Business interests’ level is not actually protected and it is difficult to achieve the goal of maximizing enterprise value. 2.4 Strengthen Internal Audit Quality Control 2.4.1 Internal audit of quality control being not strict Follow-up audit is an important audit step in the internal audit work process. In 2003, International Institute of Internal Auditors amended and published “Practical Internal Auditing Standard” which points out that the internal auditors carried out the follow-up audit to ensure whether the management react fully, efficiently and timely in accordance with the findings and advice of the report of the audit findings and recommendations to take actions by the full, effective and timely processor the management of (including the audit findings and recommendations of the external auditors and other staff). Follow-up audit begins the audited units made in a written reply to the audit report of audit findings and recommendations. In the follow-up audit process, if the audited unit has taken the corrective measures and are reaching the desired results, the follow-up audit procedures can be ended. If the audited unit fails to take corrective actions or declare a state of not intending to take any corrective measures, the follow-up auditors should confirm that senior management or board of directors has undertaken the risk of the report of taking the audit findings without corrective measures. At present, a few enterprises carry out normal follow-up audit, many enterprises’ internal audit of follow-up audit

138

work is imperfect mainly because unit’s main leaders lack the recognition about the importance and the nature of the internal audit. Some senior management staffs think that the audit is to check accounts. The audit work is over as long as the accounts check finished. Therefore, the problems found out in the audit work are not investigated and the audit suggestions for improvements are not implemented. Receiving the audit report, some leaders read it through because of busy work, and pay little attention to the problems, not mention implementing them. 2.4.2 Internal audit procedures are standard Compared with external audits, internal audit has no much fixed procedures and workflow, nor strict audit time limits, which makes internal audit staff have greater flexibility in many ways. Due to this flexibility, the internal audit work have greater randomness, making the quality of internal audit difficult to be guaranteed easily. Generally speaking, risk-oriented internal audit work should follow three phases from beginning to end: preparation phase, implementation phase, the termination phase. Each phase includes different content and process. However, in actual audit work, many internal audit staff members rarely strictly carry out operations in accordance with standardized audit procedures, specifically showing in the following areas: First, the audit plan developed for the audit project is too simple or even no audit plan is developed. There is no information about the audit content, audit scope, the specific audit procedures or division of the audit work; Second, the preparation of the audit working manuscript is incomplete, non-standard, and lack of objectivity. It cannot accurately record the audit procedures implemented and all the problems found out; Third, internal audit reports lack check and signature of leaders. Generally, the internal audit reports are prepared by the project leader, amended by the department manager and finalized without any sign or issue by senior leadership.

3 Strategies of Promoting the Application of the Risk-oriented Internal Audit Work in China Risk-oriented internal audit is currently the most popular and most advanced internal auditing method in western countries, and also aims the development direction of China’s internal audit. However, risk-oriented internal audit’s expansion and extending in China face various difficulties because of the condition of our country as well as the internal audit situation of domestic enterprises at present. 3.1 Strengthen the Overall Risk Management Philosophy, Optimize Risk Management Business Process The core concept of risk-based internal audit is risk management, and its operating environment and auditing objects can not be separated from enterprise risk management, but the two are complementary to each other. First of all, the overall risk management concept should be strengthened if we want to apply the risk management technique to the internal audit and implement risk-based internal audit. Comprehensive risk management is the overall management of the entire enterprise at all levels, in all management aspects and for each risk category. Strengthening the comprehensive risk management concept is to popularize and execute comprehensive risk management fully in all the parts of the enterprise. Secondly, we should realize comprehensiveness of risk management process, make risk management throughout every aspect of business development which is from supplying raw materials, production, pricing, marketing, accounts collecting to the risk early-warning monitoring, risk compensation, the follow-up monitoring and disposal. Optimize the risk management business processes and effectively evaluate and response to all sectors of risk. At the same time, we should intensify the risk management information construction, use client resources and historical data to build risk management information systems to provide technical support for the enhancement of the internal audit risk management level. 3.2 Strengthening the Audit Efficiency and Cost Management, and Realize Value Added It is very important to measure the benefits and the cost of inputs of internal audit in order to find out 139

how to play the role of internal audit under the cost-saving prerequisite. The effective role of internal audit cannot be measured by using specific standards. The monitoring defense which it constitutes is invisible. Enterprises should make the management of audit cost and benefits going throughout the whole audit process: As for the cost management of the audit preparation phase, we need to optimize audit organizations, integrate audit resources, strengthen budgetary control and reduce expenses; As for the cost management of the auditing implementation phase, we should strictly control audit procedures to minimize the intermediate links; The cost management of auditing reporting phase is primarily conducted by deep screening and refining the audit results comprehensively, using obtained information from the auditing project implementation phase. Finally, establishing a scientific and effective audit cost-effective management model is integrating cost management and personnel management with internal audit of benefits as a whole internal audit management model. 3.3 Improving the Corporate Governance Structure In the process of carrying out sustained and comprehensive risk-based internal audit in the framework of corporate governance for realizing business value added strategic goal, the Audit Committee play the role of supervision and guidance in risk management and internal audit; Strategic Committee needs to communicate with risk management committee on risk management problems found out in the internal audit work, and keep concerned about significant strategic risks the enterprises face; Risk Management Committee mainly organizes and coordinate risk management conducting; CEO is responsible for operation matters and ensures the effective implementation of risk-based internal audit. Risk management departments are responsible for taking the implementation of enterprise risk management. Internal audit department conducts risk assessments, develops audit plans and give advices. Other functional departments cooperate with the internal audit department to conduct risk-based internal audit, corporate risk management, other employees in company should keep up with the project development plan under the guidance of risk management concept. 3.4Improving Internal Audit Quality Control System 3.4.1. Regulating the internal audit procedures 3.4.1.1 working out the internal audit plan While compiling the audit plan, we should give full consideration to the workload and manpower, time and costs. Scientific internal audit plan should be worked out in accordance with the following order: The internal auditing items that can be audited are to be listed as audit objects; Then, internal control and risk management effectiveness should be assessed in accordance with each specific matter to determine high-risk able-audit matters; the last, audit resources and investor requirements, and audited matters special circumstances are to be considered comprehensively to determine the audit projects and sequencing. Internal audit departments in the development of the project plan should widely listen to opinions in all directions including: the Board and various management personnel advice; the opinions of external auditors; laws and regulations requirements; Materials as well as industry or economic development trends before the financial and operational situation analysis audit. On this basis, the internal audit program is to be adjusted appropriately. 3.4.1.2the implementation management of the internal audit plan Audit plan implementation management refers to the implementation of organizing and controlling audit plan as well as the process of modifying and supplying the original plan. As the auditing plan implementation is actually that internal audit takes various organizations and controlling measures to manage it according to plans requirement for their business activities, auditing plans should be checked and examined when it finished aiming to further strengthen auditing plan management. 3.4.2 Strengthening the internal audit project management The operating mechanism of audit project team should be established gradually in the audit project management. We should implement audit project team responsibility, support self-management and self-design project team, give full play to the whole effectiveness of the audit project team. At the same

；

140

time, corresponding appraisal system need to be developed to evaluate the results of the audit project team, and establish a scientific and well defined rights and responsibility mechanism of upper and lower linkage and a team leader responsibility regulation system. We should make the audit quality the main assessment objective, well defined rights, profits and responsibilities as assessment content, and combine evaluation system with avoiding internal audit risk, observing professional ethics, and executing every management systems.

4 Conclusion After the actual study of the real situation of risk-oriented internal audit, this paper identify gaps and propose relevant measures: strengthen the overall risk management philosophy; optimize risk management business process; enhance audit effectiveness and cost management; realize value-added business value; improve internal audit quality control system. As the internal audit risk-oriented enterprise in China’s promote gradually, enterprises should establish risk-oriented internal audit mechanism to ensure the effective operation mode: responsibility ascertain mechanisms, ownership alternative management mechanism, staff incentives mechanism and risk concept management mechanism. Acknowledgment: This paper is supported by a grant No.HB10XGL021 from the Social Science Foundation of Hebei Province.

References [1]. Christina Brune. Embracing internal controls. The Internal Auditor[J]. 2004(6). [2]. Nixon,Alice. Analysis:Corporate governance-Internal audit:the new rock and Accountancy[J].2005(1). [3]. Dana R. Hermanson. The value of internal control audits. Internal Auditing[J].2005(1).

141

roll.