IT环境下内部审计参与企业风险管理研究
|
摘要
内部审计参与企业风险管理是企业提高经营管理效率的客观需要和追求自身发展的必然结果。信息技术的日新月异使得企业在IT下环境面临许多新课题、新风险。由此导致内部审计在参与风险管理的过程中,运用传统的内部审计方法已经远远不能达到现代审计的要求。IT环境下,内部审计如何参与风险管理来提高企业风险管理的有效性,并为组织增值,已成为目前理论界和实务界亟待解决的问题。
本文的研究是以风险管理理论的最新框架——美国COSO颁布的ERM框架为理论指导,充分考虑IT环境,并运用IT技术,对传统的内部审计技术方法进行创新,尝试建立与IT环境相适应的基于信息结构的现代内部审计参与风险管理的理论与方法体系。
从本文整体架构上看,全文分为五个部分:第一部分是绪论。介绍本文的研究背景、研究意义,国内外研究现状,本文研究的内容和研究方法以及本文可能的创新;第二部分内部审计和风险管理相关理论。根据COSO-ERMF和IIA对内部审计的定义演进分析了内部审计与企业风险管理结合的意义,指出内部审计在ERMF中承担的角色和作用;并通过对36家企业的问卷调查进一步说明了内部审计参与企业风险管理的必要性;第三部分是IT环境下内部审计参与风险管理的考虑。IT环境下内部审计参与风险管理主要考虑以下几个方面,一是IT环境如何改变企业环境以及与之相伴的风险,二是IT环境如何影响内部审计及IT环境下内部审计如何利用IT来更有效的参与风险管理活动。第四部分是IT环境下内部审计参与风险管理途径分析。主要以COSO颁布的最新风险管理框架—ERMF为基础,重新构建了IT环境下内部审计参与风险管理的途径;最后做了案例分析;第五部分是完善IT环境下内部审计和风险管理的对策建议。主要针对前面几部分的分析提出了完善IT环境下内部审计和风险管理建议;第六部分是结束语。得出结论并指出本文的不足之处和研究展望。
In order to improve management efficiency and pursuit self-development, enterprise's internal audit should be involved in the risk management. With the development of information technology, enterprises are facing many new problems and new risks in IT environments ,which has lead to the internal audit using traditional methods has been far from adequate to meet the requirements of modern audit when it involving in the risk management. It has been a urgent problem both in theory and in practice now that how internal audit involved in the risk management to improve validity of it and promote value of organization.
The research of this article is by the newest theory of risk management framework—COSO -ERMF issued by the USA, and considers the IT environment fully and applies IT technology, carries on the conformity and the optimization to the traditional enterprise internal audit theory and the method, establishes a internal audit's new theoretical method system to adapt the IT environment.
The full text is divided into six parts, the main structure is as follows: In chapter one, the author introduces the background and significance of the dissertation and the literature review at home and abroad, contents and the methodology , and the contributions and limitations in the dissertation; In Chapter Two, 'Internal Audit and ERM Theory', the author introduces the connotation of internal audit from the perspective of its development ,the ERMF and the internal audit's role in the ERMF; Chapter three is the consideration of internal audit involved in risk management under IT environment. In IT environment, internal audit involved in the risk management mainly have to be considerate with the following areas: the first is how the IT environment changes the businesses's environment and the risks associated with them; the second is how the IT environment can influence the internal audit ,and how the internal audit effectively use IT to participate in the risk management activities; Chapter four is the way of internal audit involved in risk management under IT environment. On the base of COSO--ERMF, the paper discusses deeply the way in which internal audit involved in the risk management. Chapter five is about the suggestion on improving internal audit involved in risk management under IT environment; In chapter four , the author sum up to the whole article and then illustrate the limitations and prospect of the research on the thesis.
本文的研究是以风险管理理论的最新框架——美国COSO颁布的ERM框架为理论指导,充分考虑IT环境,并运用IT技术,对传统的内部审计技术方法进行创新,尝试建立与IT环境相适应的基于信息结构的现代内部审计参与风险管理的理论与方法体系。
从本文整体架构上看,全文分为五个部分:第一部分是绪论。介绍本文的研究背景、研究意义,国内外研究现状,本文研究的内容和研究方法以及本文可能的创新;第二部分内部审计和风险管理相关理论。根据COSO-ERMF和IIA对内部审计的定义演进分析了内部审计与企业风险管理结合的意义,指出内部审计在ERMF中承担的角色和作用;并通过对36家企业的问卷调查进一步说明了内部审计参与企业风险管理的必要性;第三部分是IT环境下内部审计参与风险管理的考虑。IT环境下内部审计参与风险管理主要考虑以下几个方面,一是IT环境如何改变企业环境以及与之相伴的风险,二是IT环境如何影响内部审计及IT环境下内部审计如何利用IT来更有效的参与风险管理活动。第四部分是IT环境下内部审计参与风险管理途径分析。主要以COSO颁布的最新风险管理框架—ERMF为基础,重新构建了IT环境下内部审计参与风险管理的途径;最后做了案例分析;第五部分是完善IT环境下内部审计和风险管理的对策建议。主要针对前面几部分的分析提出了完善IT环境下内部审计和风险管理建议;第六部分是结束语。得出结论并指出本文的不足之处和研究展望。
In order to improve management efficiency and pursuit self-development, enterprise's internal audit should be involved in the risk management. With the development of information technology, enterprises are facing many new problems and new risks in IT environments ,which has lead to the internal audit using traditional methods has been far from adequate to meet the requirements of modern audit when it involving in the risk management. It has been a urgent problem both in theory and in practice now that how internal audit involved in the risk management to improve validity of it and promote value of organization.
The research of this article is by the newest theory of risk management framework—COSO -ERMF issued by the USA, and considers the IT environment fully and applies IT technology, carries on the conformity and the optimization to the traditional enterprise internal audit theory and the method, establishes a internal audit's new theoretical method system to adapt the IT environment.
The full text is divided into six parts, the main structure is as follows: In chapter one, the author introduces the background and significance of the dissertation and the literature review at home and abroad, contents and the methodology , and the contributions and limitations in the dissertation; In Chapter Two, 'Internal Audit and ERM Theory', the author introduces the connotation of internal audit from the perspective of its development ,the ERMF and the internal audit's role in the ERMF; Chapter three is the consideration of internal audit involved in risk management under IT environment. In IT environment, internal audit involved in the risk management mainly have to be considerate with the following areas: the first is how the IT environment changes the businesses's environment and the risks associated with them; the second is how the IT environment can influence the internal audit ,and how the internal audit effectively use IT to participate in the risk management activities; Chapter four is the way of internal audit involved in risk management under IT environment. On the base of COSO--ERMF, the paper discusses deeply the way in which internal audit involved in the risk management. Chapter five is about the suggestion on improving internal audit involved in risk management under IT environment; In chapter four , the author sum up to the whole article and then illustrate the limitations and prospect of the research on the thesis.
引文
[1]Thomas Walther,Henry Johansson,John Dunleavy,and Elizabeth Hjelm.1997.Reinventing the CFO:Moving from Financial Management to Strategic Management,New York:McGraw-Hill:P.3
[2]Robert.Mednick.1988.Our Profession in the Year 2000:A Blue print of the Future.Journal of Accountancy,August
[1]张金城.《会计系统网络化对审计工作的影响》,审计理论与实践.1999年09期
[1]William G.Zikmund,Raymond McLeod,Jr.:Customer Relationshic Management-Integrating Marketing Strategy and Information Technology。
[1]张瑞君:《e时代财务管理——管理信息化理论与实践的探讨》,中国人民大学出版社,2002年版。
[1]David A.Wilson:Managing Information-IT for Business Processes
[1]孙宝文、李辉:《电子商务的风险管理与审计研究》,中央财经大学学报,2003年第5期
[1]Jean C.Bedard,Lynford Granham and Cynthia Jackson(2005),'Information Systems Risk and Audit Planning',Int.J.Audit,9:147-163.
[1]魏方:《论企业内部审计对企业内部控制的作用》,科技情报开发与经济,2003年第3期。
[2]陈青:《我国内部审计的创新与发展》,财会研究,2003年第5期。
[1]陈杰、黄正瑞.网络环境下会计系统的安全审计.审计研究.2000,01.38-31
[2]陈青.我国内部审计的创新与发展.财会研究.2003,05.45-50
[3]高容.信息时代中国审计发展战略探讨.东南大学硕士学位论文.2004
[4]郭艳萍.内部审计在风险管理中的价值增值.审计月刊.2007,08.30-33
[5]胡克谨.IT审计[M].北京:电子工业出版社,2002,03.70-76.
[6]胡宣达,沈厚才.风险管理学基础.上海:东南大学出版社,2001,06.33-181
[7]黄圆圆.内部审计与企业风险管理的协调和整合.审计与经济研究.2005,05.18-20
[8]黄作明、丛秋实.实现远程计算机审计的前提条件.当代财经.2004,8.119-121
[9]金锡万.企业风险控制.大连:东北财经大学出版社,2001,8-11
[10]李松.浅谈网络时代下计算机审计的发展.审计研究.2001,05.63-65
[11]李瑛玫,于翔,汤春明.哈尔滨工业大学学报(社会科学版).2007,06.8-11
[12]刘春花.增值型内部审计研究[D].厦门大学硕博论文库.2006,1-65
[13]刘汝焯、徐薇、黄昌胤.计算机审计中关于电子证据的几个法律问题.审计研究.2004,03.3-6
[14]刘新琳,周兵.内部审计参与风险管理的路径分析.审计月刊.2008,01.13-15
[15]刘志远、刘洁.信息技术条件下的企业内部控制.会计研究.2001,12.69-74
[16]马占树.信息技术对现代审计的影响.对外经贸财会.2005,10.45-50
[17]裴文英、姜玉泉.试论审计过程中电子数据的特点和规律.审计研究.2005,06.60-69
[18]平狄克、鲁宾费尔德.微观经济学.北京:中国人民大学出版社,2004,1-430
[19]乔瑞红.内部审计参与风险管理研究.财会通讯(学术版).2006,08.22-25
[20]孙宝文、李辉.电子商务的风险管理与审计研究.中央财经大学学报.2003,05.17-24
[21]石爱中.从内部控制历史看内部控制发展.审计研究,2006.06,3-7
[22]魏方.论企业内部审计对企业内部控制的作用.科技情报开发与经济.2003,03.36-40
[23]文硕.世界审计史[M]第二版.北京:企业管理出版社,1996,481-483
[24]谢科范、袁明鹏、彭华涛.企业风险管理.武汉:武汉理工大学出版社,2004,1-189
[25]杨晓军.面向电子商务的审计问题研究.审计研究.2000,09.29-36
[26]张金城.会计系统网络化对审计工作的影响.审计理论与实践.1999,09.8-10
[27]张进、易仁萍、陈伟.计算机审计中电子数据的清理研究.审计研究.2004,06.21-
25
[28]张坤、李嘉明等.风险管理与内部审计.北京:化学工业出版社,2004,1-303
[29]张庆龙,彭志国.企业内部审计指南.中国时代经济出版社.2007,04.5-42
[30]张瑞君:《e时代财务管理——管理信息化理论与实践的探讨》,中国人民大学出版社,2002年版.1-243
[31]中国内部审计协会.内部审计理论与实务.北京:中国石化出版社,2004,1-446
[32]中国内部审计协会.内部审计在治理、风险和控制中的作用.北京:中国财政经济出版社,2004,30-75
[33]中国内部审计协会.中国内部审计规范.北京:中国财政经济出版社,2004,16-49
[34]中国内部审计协会编译.内部审计实务标准——专业实务框架(国际内部审计协会2004年1月修订).北京:中国时代经济出版社,2005,1-420
[35]中国注册会计师协会.审计.北京:经济科学出版社,2005,1-304
[36]朱荣恩、贺欣.内部控制框架的新发展——企业风险管理框架.审计研究.2003,06.11-15
[37]庄明来.论计算机网络环境下的详细审计.审计研究.2003,06.8-10
[38]庄明来.我国会计电算化研究的历史分期及学术倾向.财会通讯.2002,03.43-46
[39]Adams,D.L.,and J.F.Mullarkey,"A survey of Audit Software,"Journal of Accountancy,September 1972,pp.39-67.
[40]Anderson,U.,"Assurance and Consulting Services,"Research Opportunities in Internal Auditing,edited by A.D.Bailey,A.A.Gramling,and D.Ramamoorti(Altaonte Springs,FL:The Institute of Internal Auditors Research Foundation,2003
[41]Berry,M.J.A.,and G.Linoff,Data Miniing Techniques for Maketing,Sales,and Customer Support(New York:John Wiley &Sons,1997),121-140
[42]Boynton Johnson Kell,ModernAuditing,7thedition,John Wiley&Sons,Inc.2001
[43]Chew,Andrew Swee-Chung:Structured Analysis of Management Accounting,1993,1-2,19-36
[44]Coderre,D.G.,CAATTS and other BEASTS(Vancouver,Canada:ACL Institute,2001
[45]Cohen,DanielA,Aiyesha Dey,Thomas Z.Lys,"The Effect of the arbanes-OxleyAct on Earnings Management:What has changed?",Working aper,Northwest University,2003 Control-Integrated Framework,1994Edition,1994.
[46]COSO:2003,Enterprise Risk Management Framework,1-443
[47]David A.Wilson:Managing Information-IT for Business Processes,93-120
[48]Jean C.Bedard,Lynford Granham and Cynthia Jackson(2005),'Information Systems Risk and Audit Planning',Int.J.Audit,9:147-163.
[49]Mario Piattini,Hershey:Auditing Information Systems,Idea Group Publishing,2000,649-675
[50]Mark S.Beasley,Richard Clune,Dana R Hermanson.Enterprise risk anagement:An empirical analysis of factors associated with the extent of mplementation.Journal of Accounting and Public Policy,2005,87-103
[51]McCollum,T.,and D.Salierno,"Choosing the Right Tools,"Internal,August2003:32-43
[52]Price water house Coopers,COSO Draft:Enterprise Risk Management Framework,2003,87-112
[53]Robert.Mednick.1988.Our Profession in the Year 2000:A Blue print of the Future.Journal of Accountancy,August,4-18
[54]Robert.Mednick.1988.Our Profession in the Year 2000:ABlue print of the Future.Journal of Accountancy,August,30-76
[55]Salaasick,M.,and Le Grand,PC Management Best Practices:A Survey of the Total Cost of Operations,Risk,Security,and Audit(2003),427-455
[56]Salmasick,M.,and C.Le Grand,"PC Management Best Practices",April 1995:18-22
[57]Searcy,D.L.,and J.B.Woodroof,"Continuous Auditing:Leveraging Technology."The CPA Journal,May2003:46-48
[58]The Committee of Sponsoring Organizations of the Treadway Commission,Internal
[59]Thomas Walther,Henry Johansson,John Dunleavy,and Elizabeth Hjelm.1997.Reinventing the CFO:Movingfrom Financial Management to Strategic Management,New York:McGraw-Hill,3-20
[60]Victor Bennett,Bob CanciIla,IT responses to Sarbanes-Oxley,www.ibm.com,2005,12-25
[61]相关网站:COSO委员会(http://www.coso.org、)风险管理与保险(http://www.tosafe.net)中国内部审计协会(http://www.ciia.com.cn)中国审计论坛(http://bbs.iaudit.cn)
[2]Robert.Mednick.1988.Our Profession in the Year 2000:A Blue print of the Future.Journal of Accountancy,August
[1]张金城.《会计系统网络化对审计工作的影响》,审计理论与实践.1999年09期
[1]William G.Zikmund,Raymond McLeod,Jr.:Customer Relationshic Management-Integrating Marketing Strategy and Information Technology。
[1]张瑞君:《e时代财务管理——管理信息化理论与实践的探讨》,中国人民大学出版社,2002年版。
[1]David A.Wilson:Managing Information-IT for Business Processes
[1]孙宝文、李辉:《电子商务的风险管理与审计研究》,中央财经大学学报,2003年第5期
[1]Jean C.Bedard,Lynford Granham and Cynthia Jackson(2005),'Information Systems Risk and Audit Planning',Int.J.Audit,9:147-163.
[1]魏方:《论企业内部审计对企业内部控制的作用》,科技情报开发与经济,2003年第3期。
[2]陈青:《我国内部审计的创新与发展》,财会研究,2003年第5期。
[1]陈杰、黄正瑞.网络环境下会计系统的安全审计.审计研究.2000,01.38-31
[2]陈青.我国内部审计的创新与发展.财会研究.2003,05.45-50
[3]高容.信息时代中国审计发展战略探讨.东南大学硕士学位论文.2004
[4]郭艳萍.内部审计在风险管理中的价值增值.审计月刊.2007,08.30-33
[5]胡克谨.IT审计[M].北京:电子工业出版社,2002,03.70-76.
[6]胡宣达,沈厚才.风险管理学基础.上海:东南大学出版社,2001,06.33-181
[7]黄圆圆.内部审计与企业风险管理的协调和整合.审计与经济研究.2005,05.18-20
[8]黄作明、丛秋实.实现远程计算机审计的前提条件.当代财经.2004,8.119-121
[9]金锡万.企业风险控制.大连:东北财经大学出版社,2001,8-11
[10]李松.浅谈网络时代下计算机审计的发展.审计研究.2001,05.63-65
[11]李瑛玫,于翔,汤春明.哈尔滨工业大学学报(社会科学版).2007,06.8-11
[12]刘春花.增值型内部审计研究[D].厦门大学硕博论文库.2006,1-65
[13]刘汝焯、徐薇、黄昌胤.计算机审计中关于电子证据的几个法律问题.审计研究.2004,03.3-6
[14]刘新琳,周兵.内部审计参与风险管理的路径分析.审计月刊.2008,01.13-15
[15]刘志远、刘洁.信息技术条件下的企业内部控制.会计研究.2001,12.69-74
[16]马占树.信息技术对现代审计的影响.对外经贸财会.2005,10.45-50
[17]裴文英、姜玉泉.试论审计过程中电子数据的特点和规律.审计研究.2005,06.60-69
[18]平狄克、鲁宾费尔德.微观经济学.北京:中国人民大学出版社,2004,1-430
[19]乔瑞红.内部审计参与风险管理研究.财会通讯(学术版).2006,08.22-25
[20]孙宝文、李辉.电子商务的风险管理与审计研究.中央财经大学学报.2003,05.17-24
[21]石爱中.从内部控制历史看内部控制发展.审计研究,2006.06,3-7
[22]魏方.论企业内部审计对企业内部控制的作用.科技情报开发与经济.2003,03.36-40
[23]文硕.世界审计史[M]第二版.北京:企业管理出版社,1996,481-483
[24]谢科范、袁明鹏、彭华涛.企业风险管理.武汉:武汉理工大学出版社,2004,1-189
[25]杨晓军.面向电子商务的审计问题研究.审计研究.2000,09.29-36
[26]张金城.会计系统网络化对审计工作的影响.审计理论与实践.1999,09.8-10
[27]张进、易仁萍、陈伟.计算机审计中电子数据的清理研究.审计研究.2004,06.21-
25
[28]张坤、李嘉明等.风险管理与内部审计.北京:化学工业出版社,2004,1-303
[29]张庆龙,彭志国.企业内部审计指南.中国时代经济出版社.2007,04.5-42
[30]张瑞君:《e时代财务管理——管理信息化理论与实践的探讨》,中国人民大学出版社,2002年版.1-243
[31]中国内部审计协会.内部审计理论与实务.北京:中国石化出版社,2004,1-446
[32]中国内部审计协会.内部审计在治理、风险和控制中的作用.北京:中国财政经济出版社,2004,30-75
[33]中国内部审计协会.中国内部审计规范.北京:中国财政经济出版社,2004,16-49
[34]中国内部审计协会编译.内部审计实务标准——专业实务框架(国际内部审计协会2004年1月修订).北京:中国时代经济出版社,2005,1-420
[35]中国注册会计师协会.审计.北京:经济科学出版社,2005,1-304
[36]朱荣恩、贺欣.内部控制框架的新发展——企业风险管理框架.审计研究.2003,06.11-15
[37]庄明来.论计算机网络环境下的详细审计.审计研究.2003,06.8-10
[38]庄明来.我国会计电算化研究的历史分期及学术倾向.财会通讯.2002,03.43-46
[39]Adams,D.L.,and J.F.Mullarkey,"A survey of Audit Software,"Journal of Accountancy,September 1972,pp.39-67.
[40]Anderson,U.,"Assurance and Consulting Services,"Research Opportunities in Internal Auditing,edited by A.D.Bailey,A.A.Gramling,and D.Ramamoorti(Altaonte Springs,FL:The Institute of Internal Auditors Research Foundation,2003
[41]Berry,M.J.A.,and G.Linoff,Data Miniing Techniques for Maketing,Sales,and Customer Support(New York:John Wiley &Sons,1997),121-140
[42]Boynton Johnson Kell,ModernAuditing,7thedition,John Wiley&Sons,Inc.2001
[43]Chew,Andrew Swee-Chung:Structured Analysis of Management Accounting,1993,1-2,19-36
[44]Coderre,D.G.,CAATTS and other BEASTS(Vancouver,Canada:ACL Institute,2001
[45]Cohen,DanielA,Aiyesha Dey,Thomas Z.Lys,"The Effect of the arbanes-OxleyAct on Earnings Management:What has changed?",Working aper,Northwest University,2003 Control-Integrated Framework,1994Edition,1994.
[46]COSO:2003,Enterprise Risk Management Framework,1-443
[47]David A.Wilson:Managing Information-IT for Business Processes,93-120
[48]Jean C.Bedard,Lynford Granham and Cynthia Jackson(2005),'Information Systems Risk and Audit Planning',Int.J.Audit,9:147-163.
[49]Mario Piattini,Hershey:Auditing Information Systems,Idea Group Publishing,2000,649-675
[50]Mark S.Beasley,Richard Clune,Dana R Hermanson.Enterprise risk anagement:An empirical analysis of factors associated with the extent of mplementation.Journal of Accounting and Public Policy,2005,87-103
[51]McCollum,T.,and D.Salierno,"Choosing the Right Tools,"Internal,August2003:32-43
[52]Price water house Coopers,COSO Draft:Enterprise Risk Management Framework,2003,87-112
[53]Robert.Mednick.1988.Our Profession in the Year 2000:A Blue print of the Future.Journal of Accountancy,August,4-18
[54]Robert.Mednick.1988.Our Profession in the Year 2000:ABlue print of the Future.Journal of Accountancy,August,30-76
[55]Salaasick,M.,and Le Grand,PC Management Best Practices:A Survey of the Total Cost of Operations,Risk,Security,and Audit(2003),427-455
[56]Salmasick,M.,and C.Le Grand,"PC Management Best Practices",April 1995:18-22
[57]Searcy,D.L.,and J.B.Woodroof,"Continuous Auditing:Leveraging Technology."The CPA Journal,May2003:46-48
[58]The Committee of Sponsoring Organizations of the Treadway Commission,Internal
[59]Thomas Walther,Henry Johansson,John Dunleavy,and Elizabeth Hjelm.1997.Reinventing the CFO:Movingfrom Financial Management to Strategic Management,New York:McGraw-Hill,3-20
[60]Victor Bennett,Bob CanciIla,IT responses to Sarbanes-Oxley,www.ibm.com,2005,12-25
[61]相关网站:COSO委员会(http://www.coso.org、)风险管理与保险(http://www.tosafe.net)中国内部审计协会(http://www.ciia.com.cn)中国审计论坛(http://bbs.iaudit.cn)