建立一个有效的内部审计部门 ESTABLISHING AN EFFECTIVE Internal Audit Depar

Abstract
If you are wondering how to establish an effective internal audit department (IAD), The Schwan Food Co did just that with the help of Randy Just when he was the chief audit executive (CAE) at the company. Finding a qualified department head is a crucial first task in establishing an effective IAD. Once the CAE is hired, he/she should lead the development of the written audit charter, which sets forth the purpose, authority, and responsibilities of the IAD. Once the staffing was completed, Just worked with two of his managers to develop a risk-based assessment methodology tied to the Committee of Sponsoring Organizations of the Treadway Commission internal control framework and a consumer products business process model. The risk assessment framework closely incorporated the concepts of risk and control. In its first year, the department received a large number of requests for other projects, and that was clearly viewed as a substantial measure of success.

Full test
The demand for internal auditing services has skyrocketed with two recent events.
First, Section 404 of the Sarbanes-Oxley Act (SOX) mandated public companies to include with their annual report an internal control report that contains an assessment by management of the effectiveness of the company's financial reporting internal control system. Internal auditors have the technical expertise and professional objectivity to assist in this assessment process.
Second, the New York Stock Exchange required all listed companies to "maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control" by October 31, 2004. But the benefits of an internal audit department aren't unique to public companies. They are also applicable to private companies.
If you are wondering how to establish an effective internal audit department, The Schwan Food Company did just that with the help of Randy Just, one of the coauthors of this article, when he was the chief audit executive (CAE) at the company. Sadly, Randy died unexpectedly in January. He added a tremendous amount to the body of knowledge on establishing an effective internal audit department, and his contributions will be sorely missed. His co-authors dedicate this article to his memory.

WHY ESTABLISH AN INTERNAL AUDIT DEPARTMENT?
The motto of the internal audit department (IAD) at Schwan is "advancing the business." There are a multitude of ways in which internal auditors can help accomplish that objective. First, an effective IAD can help a company reach its goals by helping management improve controls, business processes, and business risk management. second, internal auditors serve a critical role as part of the corporate governance structure by ensuring that the company achieves its objectives in an ethical, legal, and well-governed manner.
Third, internal auditors help fight the battle against fraud. In 2004, the Association of Certified Fraud Examiners (ACFE) obtained data on 508 fraud cases totaling more than $761 million in losses. In the resulting 2004 Report to the Nation, the ACFE stated that approximately 57% of the victim organizations in its study had an internal audit function and that those organizations suffered a median fraud loss of $80,000 compared to median losses of $130,000 for companies without internal audit departments. This result is similar to the ACFE's 2002 study where the median fraud losses were $87,500 for entities with internal auditors vs. $153,000 for those without.
The IAD is a critical part of corporate governance along with senior management, the audit committee, and the external auditors. Internal auditors can be considered the eyes and ears of management as well as the corporate conscience. Given its importance, how should a company begin to establish an effective IAD?

START WITH THE LEADER
Finding a qualified department head is a crucial first task. Not only should the chief audit executive possess the necessary internal audit technical skills, but he or she should also be able to gain respect from both management and the audit committee. Good communication skills, objectivity, and strong moral character are also desirable characteristics.
The creation of Schwan's IAD was driven by personnel changes in top management. The first nonfamily-member CEO, who had a long and distinguished career in the food business, came on board in 1999. At about the same time, a new audit committee chair began his service. In 2002, a new CFO was hired who had extensive public accounting experience.
This new leadership helped the company slowly make changes. It improved the governance structure by establishing an internal audit department while retaining the positive aspects of the company's corporate culture, including its high standards of ethics, values, and hard work. Thus, the creation of the IAD was part of a company-wide effort to improve control and governance structures for a privately held but global company that had the goal of doubling in size from 2002 to 2007.
After conducting a regional and national search through a recruiting firm, the management team chose Randy Just to be their CAE. He brought with him extensive public accounting and internal auditing experience.

THE CHARTER AND MISSION
Once the CAE is hired, he/she should lead the development of the written audit charter, which sets forth the purpose, authority, and responsibilities of the IAD. Such a charter, which should be approved by the audit committee on behalf of the board of directors, is crucial for sending the message throughout the organization that internal auditing is viewed as a priority and has the endorsement of both executive management and the audit committee.
The charter should also clearly establish the independence of the IAD because it's critical that internal auditors be organizationally independent of management in order to enhance their effectiveness. This independence allows the auditors to perform their work objectively and without bias or concern that they would be unduly influenced by management.
Schwan decided its IAD should report directly to the CFO for administrative purposes. For purposes of governance, it established an advisory relationship between the IAD and the board's audit committee. But these relationships, whether direct reporting or advisory, were flexible, depending on the styles of individual managers. Schwan's audit committee chair was very "hands on" and viewed his relationship with the IAD to be as direct as the CFO/IAD relationship.
The audit charter protected the IAD's independence by ensuring full access by the CAE to the audit committee and protecting the CAE from removal without the approval of the audit committee. In addition, Schwan's audit committee charter established that the IAD was accountable to the board of directors through the audit c
ommittee.
The IAD mission statement should be specified in the charter. The mission of Schwan's IAD was:
"To provide independent, objective assurance services designed to add value and improve the Schwan Company's operations. The IAD helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the overall control environment and the network of enterprise business risk management control and governance processes."
This mission statement is almost verbatim with the Institute of Internal Auditors' approved definition of the purpose of internal auditing. In other words, the department's mission corresponds with Schwan's overall mission in that the IAD exists to help the company reach its goals and achieve its business objectives in an ethical, legal, well-governed manner. This mission is accomplished by helping improve controls, business processes, and business risk management.
To promote good relations and introduce the lAD's mission at Schwan, Randy Just initially met with all the members of executive management and then the senior management to gain an understanding of their expectations. Through these meetings he was able to introduce internal auditing as a service function charged with helping management to achieve company objectives rather than as something to fear or view as a threat.

STAFFING THE DEPARTMENT
Based on the analysis of Schwan's external auditor, the audit committee and senior management decided to staff the IAD with 10 internal auditors supported by an annual budget of approximately $1.63 million. The size of the function was expected to increase as the company grew. Ideally, Just wanted people at the senior and manager level to have public accounting experience as well as internal auditing work in industry. He recognized that it wasn't possible to find people at the staff level with that combination of experience. He staffed the IAD so it possessed a fairly broad-based assortment of expertise in financial, operational, compliance, and information systems auditing.
Initially, the greatest challenge was convincing qualified people to relocate to Schwan's corporate headquarters in Marshall, Minn., a community three hours from Minneapolis with a population of 12,000. While this is an attractive community for individuals with a family-based lifestyle, it was a hurdle to overcome in seeking to completely staff a new IAD. The company used industry contacts to recruit staff in addition to receiving assistance from outside recruiting organizations. After a few months, Schwan was able to fill all the positions.

OVERALL STRATEGY
Once the staffing was completed, Just worked with two of his managers to develop a risk-based assessment methodology tied to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) internal control framework and a consumer products business process model. The IAD used this risk-based approach to determine the scope of its services.
As part of this risk assessment process, Just reviewed the strategic plans of the company and its business units. The lAD's efforts focused on the key areas and objectives on which the company and the business units focused. This was accomplished by having auditors meet with executives at the various business units and walk through a questionnaire they developed as part of the risk-based assessment approach
The IAD then weighted and prioritized potential projects across all the business units, giving consideration to the volume of their activities and their importance to the company's overall strategic plan.

RISK-BASED ASSESSMENT
The risk assessment framework closely incorporated the concepts of risk and control. Schwan established business objectives at all levels of the company from corporate down through each business unit. To achieve these objectives, it put in place core business processes that were groupings of related business activities (e.g., procure materials, manufacture products, distribute products, sell products, serve customers). The core business practices were supported by processes that provided resources and services to them.
Risks threaten the achievement of business objectives at all levels, while controls are the activities put into place to manage or mitigate the risks. Controls are often built into the core business processes and support processes.
Within each process, the IAD assessed:
* Gross risk (threats or impediments to the accomplishment of corporate or process objectives),
* Strength of relevant controls and management's response to the identified risks, and
* Residual risk (a reevaluation of risk in light of controls and management's response).
The IAD rated the risks based on the magnitude of the impact of the risk as well as its probability. They conducted residual risk assessments through focused interviews with multiple levels of management, a review of business plans, analysis of financial and operational reports, and a review of miscellaneous information (e.g., industry information, process documentation). For validation, they discussed the assessment results with the appropriate levels of management.
At Schwan, food quality and safety is one area of continual vigilance. Every single batch of raw materials or product that comes into Schwan's factories is tested for contamination, and the IAD assesses a gross risk of contamination of raw materials at a certain level. As a result of Schwan's very stringent controls, residual risk has been assessed as extremely low.

ASSESSING EFFECTIVENESS
On average, Just reviewed the status of the internal auditing plan with the auditing committee five times a year. The main criterion against which the success of the IAD was measured was whether the internal auditors were adding value. For example, were the major projects being performed? Was the IAD receiving requests from the business units for other projects?
Just budgeted approximately 80% of the internal audit staff time for projects identified through the risk assessment process, leaving 20% of their time open for emerging priorities. In its first year, the department received a large number of requests for other projects, and that was clearly viewed as a substantial measure of success.
During the meetings with the audit committee, Just also reported what percentage of the audit plan was complete, although that wasn't the primary measure of success since the IAD was created to address risk as it arises. Consequently, the annual internal audit plan could be revisited throughout the year and changed as need dictated.
Another major measure of success was the open acceptance by the business units and their willingness to work with the internal auditors. On the audits that came up in the risk assessment process, company personnel were willing to offer ideas on areas where they felt they could use audits, and they called the internal auditors for projects.

[Sidebar]
History of The Schwan Food Company
The Schwan Food Company began in 1952 with one man and one truck. Marvin Schwan, the founder, was the son of German immigrants who came to the U.S. in 1920. He and his parents ran a creamery in Marshall, Minn., but were having trouble making ends meet. Marvin discovered that, because of government pricing structures, he could sell ice cream for a few cents more in Yellow Medicine County, immediately north of Marshall. On March 18, 1952, he borrowed some dry ice bags, and, with a used 1946 Dodge panel van, he headed north with 14 gallons of ice cream. He knocked on farmhouse doors and sold all the ice cream. The next day he did the same thing again. Now, 54 years later, Schwan has gone from one man and one truck to 6,500 drivers in the home delivery part of the business, which constitutes approximately 40% of the company's total revenues. In addition to home delivery, Schwan's primary business units have grown to include its global consumer brands and its food services group. The global consumer brands manufactures, markets, and delivers frozen foods to grocery, warehouse, club, and convenience stores across the country. The food services group manufactures, markets, and distributes value-added frozen food products to public and private schools, universities, healthcare facilities, convenience stores, and chain restaurants. Today the company's workforce consists of approximately 24,000 people.

建立一个有效的内部审计部门
Hugh D Pforsich，Bonita K Peterson Kramer

摘要

你是否想知道怎么建立一个有效的内部审计部门，当兰迪还是Schwan食物公司的首席审计执行委员的时候，他帮公司做到了。他们发现建立一个有效的内部审计部门的首要任务是要有一位称职的部门主管。一旦公司的首席审计执行委员 被聘用, 他应该带动审计条例的建全,在其中提出内部审计部门的目的、权威和责任。一旦职员的设置完成后，就要和他的两个经理建立COSO委员会的方法，就是以风险为基础的内部控制结构和一个消费者产品程序模型。风险评估结构最大限度地吸收了风险和控制的概念。在第一年里，部门收到了对其它计划很多的请求，而且很清楚地被看作是对成功明确的测量。

全文

最近发生的两件事使得对内部审计服务的需求猛增。
第一，萨班斯法案的第404条要求上市公司在每年的年报里面要有一份包含对公司业绩的评估以及财务控制制度在内的内控制度报告。内部审计拥有技术上的优势和专业的客观性协助这个评估程序。
第二，纽约股票市场要求的所有上市公司在2004年10月31日之前，要维护内部审计的作用，这将给管理层和审计委员会提供公司风险管理程序和内部控制系统的评估。但是内部审计部门的这种好处并不是上市公司所专有的。他们也一样适用于非上市公司。
你是否想知道如何建立一个有效的内部审计部门,Schwan食品公司兰迪的努力下做到了。而且他也这篇文章的执笔者之一。当他还是公司的首席审计执行委员的时候，但是非常地可惜，兰迪突然在1月份去世。他将他的很大一部分精力投入在建立一个有效的内部审计部门，而他的贡献也随之消失。他的共同执笔者用这篇文章还表达对他的思念。

为什么要建立一个有效的内部审计部门呢？
在Schwan的内审部门中有这么一句箴言"advancing the business."内部审计的帮助下很多方法都可以达到这个目标。
首生，一个有效的内部审计部门可以帮助公司实现改善控制、业务流程和经营风险管理的目标。
其次，内部审计服务作为公司管理结构的一个重要的角色，确保了公司以道德、和较好的管理方法达到目的。
第三，内部审计还可以帮助进行反对欺诈的斗争。2004年，被ACFE查处的508件欺诈案件共造成了$761万的损失。2004年关于的国家报告中,ACFE陈述了它的研究，大约57%的受害人组织有了一个内部审计的功能而且那些组织遭受的损失相对于没有内部审计部门的公司造成的$130,000的损失而言是$80,000的欺诈损失。$87,500的欺诈损失相比于没有内审部门的$153,000的欺诈损失，这个结果和ACFE在2002年的欺诈损失很相近。
内部审计部门是公司管理方法的一个重要组成部份。它与高级管理、审计委员会和外部审计组成了公司的管理方法。内审人员被认为是公司的管理的眼睛和耳朵甚至是公司的良心。基于它的重要性，公司应该怎样开始建立有效的内部审计部门呢？

从领导开始
找到一个合格的部门主管是首要也是关键的任务。主要的审计主管不仅要有一定的内部审计技术，而且他要能够赢得管理层和审计委员会的尊敬。同时他还要有很好的沟通能力、客观性和强烈的道德个性的特征。
Schwan的内部审计部门的构成受到公司高层人员变化的影响。第一任的CEO有着很长且卓越的食品事务经历。1999年，董事会成立。大约在同一时间，新的一任审计委员会主席开始了他的任期。在2002年，被聘用的是一位新的CFO，他有着丰富的经验。
这位新的领导慢慢地帮助公司做变动。他保留公司了文化积极的方面，包括它的道德规范的高标准,价值和坚苦工作方面。建立起一个内部审计部门来改良公司的管理结构。因此，内部审计部门的创立是公司改善控制和公司管理结构的一部分，帮助公司从2002年到2007年加快完成全球化的公司的目标。
通过企业对地方和全国的一次调查后，管理层最终选择兰迪作为他们公司的首席审计执行委员。这是因为他有着广泛的公共会计和内部审计经验。

章程和使命
一旦首席审计执行委员被聘用，他就应该着手编写审计章程，在章程要指出内部审计部门的目的、权威和责任。这种章程应该要由代表公司董事会利益的审计委员的会的批准。这对内部审计在传达信息过程中得到一种优先权和有行政管理层和审计委员会的支持是决定性的。
章程应该要清楚地指出内部审计部门的独立性。这是因为内审人员的独立管理对于提高他们的效率有着重要的作用。这种独立性也允许审计人员客观地进行工作并且没有成见或是不用担心受到管理层的影响。
章程要求公司的内部审计部门要直接地向CFO报告。为了实现管理层的目的，它在董事会和内部审计部门之间建立起一个情况报告的关系。但是这个关系是否直接报告还是通知都是灵活的。这是取决定于各自的经理的样式。Schwan的审计委员会主席与内部审计部门的关系被看作CFO与内部审计部门的关系。
通过确保首席审计执行委员对审计委员会的完全控制和没有审计委员会的认同下保护首席审计执行委员免受撤除来实现审计章程对内部审计部门独立性的保护。另外，Schwan的审计委员会章程规定了内部审计部门通过审计委员会向董事会汇报情况。
内部审计部门的任务应该在章程中指出。Schwan内部审计部门的任务是：
为了要提供独立，客观的服务确保能够增加价值并且改善公司的经营，内部审计部门要通过系统方法来评估和改进整体控制环境，企业的经营风险管理控制和管理程序，从而帮助公司实现它的目的。
这个任务几乎一字不差地阐述了内审人员内部审计地定义。换句话说就是部门的任务和公司的整体任务是一致的。这是因为内部审计部门帮助公司以合理的道德,法律和很好被治理的方式来达到公司的目标和商业目的。这个任务会帮助公司实现改进控制、业务流程和经营风险管理的目的。
为了在Schwan发展好这种关系和介绍内部审计部门的任务，兰迪最初与所有的行政管理成员和高级管理人员见面，然后获取他们的期望和理解。通过这些会议他将内部审计介绍为有服务作用，能够帮助管理层实现公司的目标而不是把它看作是种威胁。

设置部门职员
根据Schwan对外部审计人员的分析，审计委员会和高级管理人员决定雇用10名的内部审计人员并且提供$163万的年度预算的支持。这个部门的作用将随着公司的发展而不断明显。公司所要雇用的人
员最好是在高级管理层并且有丰富的会计经验和企业内部审计工作经验。他认为他不可能找到像这种经验的职员。因此他找到那些拥有在财政、经营、信息系统、审计上有着广泛专业技术的人作为内部审计部门的职员。
起初，最大的困难是说服合格的人民调迁到Schwan公司总部——距离人口12000的米尼亚波尼斯有三小时车程的马歇尔社区。它是一个基于家庭的生活方式的可爱社区。为了克服寻求新的内部审计部门人员的障碍，公司除了从外部组织接受帮助外还通过产业联系的方式吸收职员。在几个月之后，公司的所有的位置被填满了。

整体战略
一旦雇用职员的任务完成后，就是要和他的两个经理共同开发与COSO相连的内部控制框架和消费生产事务的风险评估的方法。内部审计部门使用这种风险评估方法来确定它的服务范围。
作为这个风险评估过程的一部分，被看作是公司的战略计划和它的营业单位。内部审计部门的工作就是要集中在公司关键领域及目标和营业单位集中的区域。这是根据审计人员和董事就各种营业单位和他们开发的基于风险评估方法而确定的。
然后内部审计部门通过衡量所有的营业单位的潜在项目，考虑他们活动的容量和他们对公司整体战略计划的重要性。

风险评估
风险评估结合了风险和控制的观念。为了要达成公司的经营目的,Schwan公司提出相关经营活动中的经营重心(举例来说，获得材料,制造产品,分配产品,出售商品,服务客户)。并且为他提供了资源和服务
风险在各个方面威胁经营目的的完成，而控制是处理风险的有效手段。所以控制时常被放入经营重心的过程中，为其提供有效的帮助。
在每个过程中，内部审计部门评估:
* 总共的风险 (对企业的或经营目的的成就造成威胁),
* 对被识别的风险有关控制和回应的力量
* 剩余的风险.(风险的再评估)
内审部门评估基于风险和其它可能性的冲击的大小的风险。他们通过与管理焦点所在的人员面谈等方式，处理了剩余风险评估，商务计划的制定，财务而操作报告的分析以及各种数据的研究。对于最后结果的确认，他们会与相应的管理者讨论。
在Schwan公司，食物质量和安全是非常重要的一个因素。原料或进入Schwan工厂的产品都会被一一的进行测试，而且内审部门以一个特定的水平估定原料受污染的总共风险。结果，Schwan公司的产品得到了很好的控制,剩余的风险也已经被估定为极低。

业绩评估
一般说来，内审部门会对内审计划的实施情况进行一年五的检查。主要的的目的是为了测试内部审计部门是否能够为企业带来增值。举例来说，主要的计画正在被运行吗?内审部门正在为其他的计画受到来自其他部门的约束吗?
稽核人员一般会话80%的时间了来计划识别风险评估的程序,剩下的20%的时间用来执行。在第一年内，内审部门接到了其他部门发来的请求，而且这项计划的成功可以被清楚的衡量。
在审计委员会开会期间，也仅仅是报告审计计划的完成程度，尽管内审部门对产生提出风险那不是对成功的主要衡量。所以，年度的内部审计计划可能被一整年的检查而且如有需要将会改变。
主要衡量的成功的方式还有，查看经营单位是否并且自动自发的与内部审计人员合作。在对风险评估程序的稽核,公司人员愿意在他们的区域上提供主意，而且他们觉得自己可以使用审计，愿意与审计人员沟通。

附录：
Schwan食物公司的创立
Schwan食物公司创建于1952年，他建立的故事要从一个男人和一辆卡车说起。1920年，Marvin Schwan——公司的创立者从德国移民到了美国。他和他的父母亲开了家乳品商店在Marshall,Minn Marvin发现，因为订政府的定价策略，他卖的雪糕在北Marshall在比Yellow Medicine县卖更多的钱。1952年4月18日，他借了一辆二手的货车,，带了14个加仑的雪糕开向了北Marshall。他敲开了农户的门，并且卖出了所有的雪糕。第二天，他还是卖完了。现在，54年过去了Schwan从一辆卡车便成为一个拥有6500个司机的公司，公司40%的利润也是由此得来的。除了运输之外,Schwan主要的生意还包括它的全球消费者商标和食物服务团体。全球的消费者商标制造——销售而且递送冷冻食品给杂货、仓库、俱乐部和便利商店的食物。食物服务团体制造——销售而且分配递送冷冻食物给民众和私人的学校、大学、医疗设备、便利商店和餐馆。目前，公司的员工已经将近24，000人。