coso内部控制模型

coso内部控制模型 The COSO Internal Control Model The COSO internal control framework was first introduced in 1992, and in 1994 a comprehensive four-section report on internal controls was issued, con sisting of an executive summary, a framework, guidance to public companies o n reporting on internal controls to third parties, and evaluation tools to help a company comprehensively assess its current control environment. The COSO framework is relevant to achieving company objectives in three areas: Operational goals: The framework relates to the effective and efficient usag e of all of a company's resources. Financial reporting goals: The construct gives guidance on the consistent pr oduction of reliable financial reports. Compliance goals: The guidance creates a top ology of the company’s compl iance requirements as they relate to industry regulations or legal requirements f or public entities. coso内部控制框架提出三大目标,即运营的效率和效果,财务报告的可靠性,以及遵守适用的法律和规章 五大要素 1。控制环境 Control Environment This element is the foundation of the COSO framework. It sets the overall tone of the organization with regard to the importance of internal controls. Et hical values, leadership resource allocation, staff competence at all levels, the d ynamics of authority and responsibility within the organization, and managemen t philosophy are all parts of this critical component. In a sense, the control environment is the most difficult component to quan tify, because much of it relates to the overall culture of the organization. But t here are a number of clear goals that an organization can work toward to ensu re that the framework rests on a foundation exemplifying market leadership. Board and leadership involvement is the most crucial element in an organiz ation seeking market leadership. As the board and leadership set expectations a nd measure progress against them, business units or department heads begin to assign internal controls the priority they require. The specific strategies that c an be employed to move to a market-leader position within an industry include the following: ?Conveying the importance of ethical values道德价值by setting an exam ple and “walking the talk.” This includes relating stories of integrity and ethica l values through presentations, newsletter stories, and any other means of gettin g the message to everyone that these values are important to the organization. Public companies are now required to have a code of conduct for the board u nder the requirements laid out by SOX. Nonprofits and private companies can also benefit from a code of conduct. The organization cannot tolerate violations of this standard. There are financial benefits to this approach as well. One re search study performed by the Institute of Business Ethics (“Does Business Eth ics Pay?,” April 2003) found that companies displaying a clear commitment to ethical conduct consistently outperform companies that do not display ethical conduct. ?Developing clear organizational guidelines relating to responsibility and a uthority with accountability checks is another clear hallmark of an market lead er. Within the organization, leadership typically follows a distributed model, wi th individuals understanding the overall organizational goals and how the goals of their department or business unit relate to them. Individuals should also un derstand their responsibilities and the limit of their authority to ensure that the goals of the organization are achieved. When a leadership culture like this is achieved, the whole organization is focused on organizational objectives and co mmitted to the maintenance of the control structure. A guiding coalition of lea dership members believing in the need for change is one of the first steps typi cally taken by organizations that successfully make culture shifts, but changes will take effect slowly and steadily over time. ?Embedding the internal control framework within the organizational cultu re将内部控制框架融入企业文化. Management must clearly define roles and res ponsibilities for internal controls, including responsibility for the defining, docu menting, testing, and monitoring of controls and the remediating of problems. The organization must incorporate these responsibilities into the responsible indi viduals’ performance management goals. ?The internal controls environment is no longer viewed as separate from the operating component of the business; controls are embedded in processes fr om the beginning. 内部控制环境不再独立于企业经营要素,要从一开始就执行T his approach lowers the risk of inadequate controls and ensures that the control structure is in place from the outset of a process’s planning and launch. ?Supporting human resources policies and practices that provide clear cor porate career paths. Human resources management plays a key role in ensuring that individuals are hired with the needed financial competencies and that care er growth supports an increased level of financial reporting competencies.对人力资源/人才的要求 2。风险评估 Risk Assessment Leading companies take a risk-based approach to SOX internal controls co mpliance as a key step in achieving a correct balance between costs and benef its. Recent guidance from the Public Company Accounting Oversight Board (P CAOB) supports this approach with specific recommendations, including the us e of a risk-based method to determine which key controls are tested each year. The PCAOB also recommends that the viability of a company’s business mod el is an important consideration when evaluating risks. Companies that focus o n these larger problems and risks will better meet the needs of all their stakeh olders, including investors and analysts. Market leaders with respect to internal controls expand the risk focus starte d under internal compliance efforts to a broader venue. One popular concept th at often precedes a mature enterprise risk management initiative is the formatio n of a risk council. This council is generally composed of management represe ntatives from different areas of the business. Some of the early objectives of ri sk council meetings are as follows: Use of a common terminology for risk discussions throughout the organizati on; Definition of a risk framework or structure for fostering risk management a cross the organization; Characteriza tion of the organization’s current risk capability as well as risk and performance indicators; Identification of the company’s current spending on risk; and Formulation of a plan to mitigate the operational risks of the organization. If they do not already have a risk program, some companies take the risk management process even further with a more formalized, enterprise-wide progr am headed by a chief risk officer. Under this approach, the organization embe ds risk identification and mitigation into its culture in the same way it adopted its internal control framework. The goal is to intertwine risk and business stra tegy with other organizational systems such as performance management. Another important aspect to risk assessment is continuous monitoring of the internal and external environment in which the entity operates. This periodic s can of the operational environment can highlight upcoming events affecting bot h internal controls and risk strategy. Events such as systems change, mergers a nd acquisitions, loss of key personnel, and other events may require a closer l ook at existing controls and risk management 控制活动 Control Activities Market leadership in the actual design of controls requires corporate-wide c oordination and the involvement of ownership. Policies are set enterprise-wide, allowing an efficient implementation while avoiding duplicate efforts and definit ions. Control design workshops or training can raise the knowledge and capabil ity of management and staff to deal with defining, documenting, managing, test ing, and reporting on internal controls. Global organizations have recently begu n to roll these sessions out through online training sessions for foreign registra nt compliance with SOX section 404. These modules can be used with more-e xperienced users to reinforce other objectives, such as a return to basic control s and an emphasis on continuous improvement. Leading organizations have mo ved to more-comprehensive training on basic accounting concepts, and in the p rocess have improved the timing of their closing cycle, implemented process i mprovements, and reduced the error rate in accounting transactions. Market leaders have focused controls on prevention rather than detection (se e the Sidebar on types of controls). They have reengineered business processes, where needed, to incorporate prevention. Automating control checks by utilizin g software features that can complete checks without any specific action is als o beneficial. Internal auditing can help provide direction to business process o wners searching for the best approach to use. Working closely with the board will help the internal audit function receive the company-wide exposure necessa ry for business process owners to recognize the value delivered to the organiza tion. It will also make it more likely that business process owners will “buy i n” to the process. Leading-edge companies in internal controls implementation effectively utiliz e technology in several ways. First, they build in controls wherever cost-effecti ve, because this one-time change activates a continual and long-lasting process of control testing. Automated control testing also brings about a quicker respon se time to potential problems and needed corrections. Management can also utilize technology to support the documentation and t esting components of their control activities. Numerous vendors (e.g., BWise, Methodware) provide customizable software to provide a consistent approach ac ross the enterprise. The use of software to support these efforts is not limited to large companies, as many programs are scalable and affordable for small co mpanies. These programs help ensure that the initial investment in documentati on and testing is well maintained and that compliance efforts will be sustained into the future. They can also serve as a basis for higher-value initiatives do wnstream, such as business process improvement and more-comprehensive risk management activities. 信息与交流 Information and Communication An open flow of information and ease of communication within an organiz ation are essential with any new initiative. Experienced project managers are w ell versed in the communications needed to disperse information to stakeholders. They also have experience with change management, which can contribute to the timelier acceptance of new processes and the continuous improvement need ed to excel. Experienced project managers will build measurements into the pla ns to assess success. Leading companies foster open communication between internal auditors, ma nagement, and external auditors. The first year of SOX implementation for acc elerated filers resulted in less than ideal communications with external auditors, according to the SEC April 2005 Roundtable on Internal Control Reporting Pr ovisions. Recent recommendations from the SEC and the PCAOB have clarifie d expectations regarding external auditor communications, with the specific goal of improving the quality of testing, documentation, and remediation in the con trol environment, thus adding business value. Information overload is prevalent throughout business. In the “information e conomy,” management is frequent ly overwhelmed by the quantity of data avail able, often resulting in a failure to convert important business information into knowledge to support their competitive advantage in the marketplace. Leading companies have recognized that effective reporting of exceptions and an “exec utive dashboard” approach are the best ways to focus attention on important in formation, and they can avoid placing management adrift in a sea of meaningl ess data from endless sources. 5。监测 Monitoring Control self-assessments (CSA) can play an important part in monitoring int ernal controls. CSAs place the responsibility for assurance that controls are in place and functioning with the business process owners, consigning ownership exactly where it belongs under the dynamics of typical organizational behavior. Several questions from a CSA on a company’s accounts payable process ar e shown in Exhibit 2. The IIA website has numerous examples. Another CSA option is an interactive workshop, which uses a facilitator to draw out control information from management. This approach leaves control with management, allowing the organizational process owners to follow up downstream with surve ys or questionnaires in subsequent periods, further refining the work product. Monitoring efforts are best focused on leading indicators that allow time fo r correction, rather than lagging indicators that do not. The best reports for mo nitoring internal controls contain integrated information from both internal and external sources. Software packages can facilitate pulling together data from dis parate systems and processes. In many organizations, the internal auditors are responsible for conducting a fo rmal review of internal control work. Such a review should be conducted annu ally and should take advantage of “lessons learned” from SOX activities, as w ell as input from the external auditor.