本文章將會繼續《編制內審計劃(一)》的討論。上一篇文章我們討論過如何劃分審計單元,接下來我們談一談風險評估。
2. 進行風險評估 Conduct Risk Assessment
在《COSO內控要素:風險評估(二)》一文中已談過風險評估的程序,現在講一講風險評估的方法。較普遍的方法是利用COSO的四個企業目標(Objectives)來先將風險分類,這包括Strategic (策略性風險),Operation (營運風險),Reporting (報導風險) 及 Compliance (遵循風險),然後在每類的風險中進行分析。分析的方法可以通過訪談或問卷的型式配以數據分析來進行,訪談/問卷的對象應包括管理層,相關單位或流程的負責人,以至外審,企業的法律顧問,Compliance Officer等等。在進行風險分析時,風險出現的可能性(Likelihood) 和影響(Impact)都必須要一併考慮。除了上述四個企業目標外,有些企業還會加入其他因素來考慮,例如管理層最近是否有變動,人員更換率 (Staff turnover rate),過去內審審計發現的數目等等。
上述的方法其實頑繁複的,見過最簡單的方法是單以各子公司Turnover的大小和其盈利的穩定性來做風險評估,但此方法不一定適用於其他公司,如果子公司與子公司之間有Transfer Pricing的考慮,又或者各子公司其實是一個垂直整合(Vertical Integration) 的話,單以上述的方法來評估各子公司的風險就不太合適。
除了COSO外,我曾見過另兩套方法,分別是由IBM發明的CARES和US Postal Service發明的IMAGE 2000。這兩套方法與COSO不同之處在於其風險的分類方式不同。
CARES其實代表五種風險,分別是:
C – Compliance 遵循風險
A – Accomplishment 達成目標
R – Reporting 信息可靠
E – Efficiency 運作效率
S – Safeguarding 資產保護
IMAGE 2000則代表五種風險,並且有著不同的比重,包括:
I – Internal Control 內部控制(20%)
M – Materiality 重要性(15%)
A – Audit Result 審計結果(10%)
G – Goals & Objectives 業務的目標和目的(30%)
E – Exposure 暴露(25%)
至於CARES及IMAGE 2000的詳情,日後有機會再談。下一篇文章將會講第三個步驟,為審計單元進行風險排序。
--------
相關文章連結:
上一篇文章:編制內審計劃(一)
下一篇文章:編制內審計劃(三)
&&&&&&&&
are there any internet references for CARES and IMAGE 2000?
回覆刪除It seems to me that there are no internet references for these two methods. However, I have some materials on hand. If you are interesting in them, I will write another articles for them later.
回覆刪除Thanks for your detailed introduction of Internal Audit. I found that it is different to our system internal audit of ISO 9001, OHSAS 18001 and ISO 27001.
回覆刪除Hi Quality Alchemist,
回覆刪除Thanks for your comments and supports. Actually, there is a great difference between ISO and Internal Auditing. ISO is focusing on compliance of procedures but not the adequacy and effectiveness of controls. On the other hand, Internal Auditing is focusing on risk management including risk idenification and analysis, control design and implementation and compliance as well. This doesn't mean that Internal auditing is better than ISO. Two systems have their own objectives. Both of them are helping management to manage risk.
It seems CARES is relatively operation-based while IMAGE2000 is business-oriented.
回覆刪除Risk...
Hi CM,
回覆刪除Yes, you are right. Especially CARES, I found it is quite useful when idenifying risks for operation.