译声翻译公司提供专业COSO报告翻译服务
美国COSO英文报告-内部控制翻译
COSO报告是美国COSO委员会(由美国AICPA、AAA、IIA、IMA、FEI五个组织成立的“发起人委员会”)于1992年提出的报告,是目前世界上最具权威性的关于内部控制的文献和标准。许多会计论文都引用了COSO报告的内容,但是我们一直没有机会看到COSO报告的原文。最近笔者有幸得到一份COSO报告的英文原件,并翻译了其中的第一部分:实施纲要。本译稿得到了国际内部审计师协会理事张翌轩先生的指点和认可。
COSO报告
内部控制整体框架 1994年第二版
◆实施纲要
◆框架
◆对外部当事人的报告 1992年9月
◆对外部当事人的报告的附录 1994年5月
COSO 委员会
实施纲要
高级经理们需要很长的探索道路去更好地控制他们所管理的企业。内部控制被放在保持公司在经营过程中有助于收益率目标和它的使命的业绩的位置上,以及使前进方向上的突发事件(的影响)最小化。他们能够在迅速变化的经济和竞争环境中管理交易、精明的客户的需求和优先要求,并重构未来的成长。内部控制促进效率、减少资产损失的风险和有助于保证财务报表的可信度以及对法律和规章制度的遵守。
由于内部控制服务于许多重要的目的,更好的内部控制系统和他们的报告的需求日益增加,内部控制显得能越来越多地解决各种潜在的问题。
内部控制是什么
内部控制对于不同的人有不同的理解,它引起了商人、立法机构、监管机构和其他人之间的混乱,因而在企业内部发生了错误的传递和期望的差异。如果不清晰地进行定义,那么,当它们被写进法律、规章、规则时,问题是被混淆的。
这个报告兼顾了经理层和其他人的需要和期望,它定义和描述内部控制:
● 建立一个通用的定义服务于不同群体的需要;
● 提供一个针对商业或其他企业(大的或小的;私人的或公众的的部门;营利的或不是营利的)的标准——能够评估他们的控制系统和讨论怎样去改进它们。
内部控制广泛地被定义为由企业董事会、经理层和其他人员实施的一个过程,它被设计为达到所关注的以下领域的目标提供合理的保证:
● 有效率和效益的经营运作;
● 可靠的财务报告;
● 遵循可适用的法律和规章。
第一个领域是一个基于商业目的的实体所从事的活动,包括经营业绩、收益率目标和资源保护;第二个领域关系到被公布的可靠的财务报告的制作,包括中期的和简化的财务报表以及选自每张报表的财务数据,例如:收入的放弃、所报告的政策;第三个领域是处理遵守这些法律和规章对企业的影响。那些特殊的、然而领域互相交叉的不同需要,允许直接集中于特殊的需要。
内部控制系统在不同的有效性水平上开展,各自地,如果董事会和经理层有以下的合理的保证,内部控制在三个领域中的每一个都可以被认为是有效的:
● 他们了解企业经营目标已经达到的范围和程度;
● 公布的财务报表已经被可靠地编制;
● 适用的法律和规章已经得到了遵守。
整个内部控制是一个过程,它的有效性是(体现)在一个或多个时点上运作过程的状态和情况。
内部控制由五个相关的要素组成,这是来自经理层管理一个企业的思路和完整的管理过程。虽然这些要素适用于所有的实体(企业),小型或中型公司执行它们可能要比大型企业困难一些,它的控制可能少一些形式和少一些结构,然而小型公司仍然能够有一个有效的内部控制。这些要素是:
● 控制环境——控制环境建立于一个组织的最高层,影响它的员工的控制理念,它是所有其他内部控制要素的基础,提供了(控制的)纪律和结构。控制环境要素包括企业员工的正直诚实、伦理价值观和能力;管理的哲学和经营风格;经营者分配权力和责任的路径;以及它的人力资源的组织和发展和由董事会提供的关注和指导。
● 风险评估——每个企业都面临各种来自内部和外部的必须进行评估的风险,风险评估的前提是确定在不同水平上有限的和内部协调一致的目标,风险评估是鉴别和分析成功达到目标的有关风险,形成怎样管理风险的讨论基础。由于经济、行业、管理和经营条件将继续发生变化,必须有一个鉴别和处理这种与变化相关的特殊风险的机制。
● 控制活动——控制活动是帮助保证管理措施得以实现的政策和程序。它们帮助采取必要的行动去应对风险,成功达到企业的目标。控制活动发生于企业的各个层面、所有水平和所有职能,它们包括的活动范围扩展到审核、批准、复查、核对、运作执行的检查、资产保护和职责分工等。
● 信息和沟通——有关的信息必须被鉴别、记载和以一定形式和适当的时间与有能力去完成他们的职责的人员之间交流。信息系统产生包括经营、财务和有关部门信息的报告,以管理和控制企业。它不仅涉及内部产生的信息,而且有关外部活动、行为和条件的信息必须提供给企业作出决策和对外报告。有效的沟通同样必须在广阔的领域发生——向下、平行、向上流动于一个组织内。所有的人都必须收到来自最高层关于控制责任必须被严肃对待的清晰的信息,他们必须理解他们自己在控制系统中的角色和任务,以及个人的活动如何与其他人的工作相联系,他们必须有一种与上层沟通特殊信息的方法,他们同样需要有效地与外部组织,例:客户、供应商、立法机构和股东进行沟通。
● 监督——内部控制系统必须受到监督——这个系统在过去时期执行质量的测试过程。它通过不断的监督活动、独立的评价,或二者都进行来完成。持续的监督活动发生于经营的过程之中,它包括常规的管理和运行管理活动,以及员工执行他们的职务的其他活动。独立的评价的范围和频率,主要取决于对于风险的评价和持续监督执行的效率。内部控制的差异应当向上级报告,严重事项的报告应当给最高管理当局和董事会。
这些要素的每一个都是互相协调和联系的,一个完整的系统能有效地对变化的条件作出反应,内部控制系统与企业的经营活动缠结在一起,并基于商业的理由而存在。当控制建筑于企业的基层和作为企业的基础的一部分时,内部控制就有了更高的效益。得到有质量的和积极授权支持的内在的控制,避免了不必要的成本和能够对变化的条件迅速作出反应。
企业要达到的三个领域的目标和达到目标需要描述的要素是直接相关的,所有要素与每一个领域的目标相关,当观察任何一个领域——例如运作的效率和效益,所有五个要素都必须被提出和有效执行,对包括运作全过程的内部控制都是有效的。
内部控制的定义——与它的潜在的过程的基本概念、人员的效率、由目标领域和要素以及有效性标准共同提供的合理保证、相关的讨论,构筑了内部控制的框架。
内部控制能做什么
内部控制能帮助企业达到它的绩效和收益目标,并预防资源的损失,它能帮助保证可靠的财务报告,它能帮助企业遵守法律和规章制度,避免对它的名誉的损害和其他后果,总之它能帮助一个企业在想去做的地方达到它的目的和避免缺陷,并令人惊讶地向前进。
内部控制不能做什么
不幸地,一些人抱有太大和不切实际的期望。他们完全地、绝对地期待,相信:
● 内部控制能保证一个企业成功——那就是它将保证达到基本的经营目标,或将至少保证(在竞争中)生存。
恰当、有效的内部控制仅仅能帮助一个企业达到这些目标,它将提供给经理层关于企业发展或它的缺陷的信息,以利于他们达到(这些目标)。但是内部控制不能将一个天生蹩脚的管理者变成一个好的,以及改变政府的政策和程序、竞争者的行为或超出管理者所能控制的经济条件。内部控制不能保证成功,甚至生存。
● 内部控制能保证财务报告的可靠性和遵从法律和规章。
这种信任同样是毫无根据的。一个内部控制系统,无论怎样设计和运作,它仅仅能提供合理的——不是绝对的——对经理层和董事会提供关于达到企业目标保证。由于所有的内部控制系统固有的局限性,达到的可能性是虚假的。这包括决策判断可能不完善、和可能由于简单的误差或误解而导致失败这种现实;此外,控制也可能由于二个或更多的人共谋而被绕过;经营者有权力无视这个系统;另一个限制性因素是一个内部控制系统的设计必须反映资源约束的事实,以及控制的利益必须与它的成本相匹配。
因而,内部控制在整体上能帮助企业达到它的目的,但它不是万应灵药。
角色和责任
组织的每一个人对内部控制都负有责任。
● 经理层——行政部门的首长是负有最终的责任的,将表现为系统的“所有者”。比任何其他个人更多的,行政首长要建立影响正直、道德和确立控制环境其他要素的“来自最高层的声音”。在大多数公司,行政首长通过提供对高级管理人员的领导和指导以及检查他们的控制这个企业的做法来履行职责。高级管理人员,事实上,为设立大多数特殊的内部控制政策和对单元职能的个人职责程序分配责任。在较小的企业,行政首长的影响力,通常经理就是业主,常常是更直接的。在任何情况下,在一个层叠的责任(结构)中,一个经理是他或她的责任范围内的有效的行政首长,特别重要的是财务官员和他们的员工的控制活动在上下之间直通经营和企业的其他单元。
● 董事会——经理层有责任向董事会提供治理、指导和失误(的情况)。有效的董事会的成员是客观的、有能力的和“好问”的,他们同样有关于企业活动和环境的知识,并有履行他们的董事会的责任的必要的时间。经理层也许处于一个无视控制的位置,忽视或窒息与下属的沟通,授权给一个故意误导结果去掩盖其痕迹的不诚实的管理人员。一个强有力的、活跃的董事会,特别是当他结合了有效的向上沟通的渠道、财务能力、法律和内部审计职能时,是能够经常地和最好地识别和纠正那些问题。
● 内部审计师——内部审计师在评价控制系统的有效性中扮演了重要的角色,贡献了推进的效率。因为组织的地位和在一个企业中的威信,内部审计职能经常扮演一个重要的提出忠告的角色。
● 其他人员——内部控制在一定程度上是组织里每个人的责任,因此每个人的工作的明确的或隐含的部分都将被描述。实际上每一个员工都将产生用于内部控制系统的信息,或从事其他必须被控制的活动。同样,所有的人都有责任向上沟通运行中的问题,例如,不遵守行为准则、其他对政策的违反或非法活动。
外部组织的成员常常对达到组织的目标作出贡献,外部审计师进行独立的和客观的检查,直接通过对财务报表的审计和间接地由对董事会和经理层提供有用的信息来实施他们的责任。其他提供对企业有效的内部控制有用的信息的人是立法机构、监管机构、客户和其他与企业有商业交往的人、财务分析师、债券持有人、新闻媒体。外部组织,无论如何,对此没有责任,他们不属于企业的内部控制系统。
这个报告的结构
这个报告共有4卷(注:COSO报告在1992年9月出版共4卷,一个关于外部组织的报告作为附件在1994年5月出版,在1994版中,前三卷和附件合订为一册,“评价工具”在第二册),第一卷是实施纲要,一个高水平的内部控制框架的概要用以指导行政首长和其他高级行政官员、董事会成员、立法机构、监管机构。
第二卷,框架,定义内部控制,描述它的组成部分,提供针对经理层、董事会成员或其他人评估他们的控制系统的准则。
第三卷,对外部组织的报告是对在准备他们发表的财务报表的内部控制(情况)的公开报告的那些实体提供指导的补充文件。
第四卷,评价工具,提供对执行内部控制系统的有用的材料。
去做什么
可以因这个报告带来成果的活动取决于这个阶层的角色和定位,包括:
● 高级管理层——大多数对这项研究作出贡献的高级行政官员相信他们主要是使他们的组织处于“控制之下”。许多人说,他们的公司的范围无论怎样划分,一个部门,或贯穿活动的一个控制单元——控制在处于早期发展阶段的地方或其他地方都需要加强,他们不喜欢感到意外。这个研究建议行政首长开始一项对控制活动的自我评估。利用这个框架,一个CEO,与关键的运作和财务执行官一起,能把注意的焦点集中于必要的地方。有一种方法,行政首长将与经营单元领导人和关键职能的员工进行讨论,开始控制评估,为这些个人提供指令去和他们的领导人讨论这个报告的概念,提供在他们的责任范围内最初评估过程的缺陷,反馈发现的结果。其他的方法,可以包括一项对公司和经营单元政策和内部审计程序的最初检查。无论它的形式是什么,最初的自我评估将决定它是否需要,怎样运作一项更为广泛的、深入得多的评估。它将同样确保正在进行的监测过程是适当的。花费时间评价内部控制被称为一项投资,但它是有高回报的一项。
● 董事会成员——董事会成员将与高级管理人员讨论企业内部控制系统的状况和提出其缺点是必要的。他们将从内部和外部审计师那里寻求所获。
● 其他人员——管理人员和其他人员将考虑他们的控制责任怎样存在于按照这个框架的管理行为中,并与更多的高层人员讨论加强控制的主意。内部审计师将考虑在内部控制系统中他们要关注的宽度和可能希望去比较他们的评价资料和评价工具。
● 立法机构和监管机构——起草和执行法律的政府官员承认事实上任何公布(的文件)都可能有误解和不同的预期。内部控制在二个方面存在非常广泛的预期,第一,他们对控制系统能完成什么有不同想法,要注意,一些观察者相信内部控制系统必须或应该预防经济损失,或至少防止企业的经营失败;第二,甚至当内部控制系统能够和不能够做什么以及关于“合理保证”概念的效力达成一致时,对概念的意义和怎样被利用仍然有完全不同的见解,公司行政官员在一项所主张的控制失败之后,后见之明地表示对涉及监管机构可以怎样解释公开报告主张的“合理保证”的重视。在立法者或执法者与经理层交流内部控制运行不正常的报告之前,将就共同的内部控制框架包括内部控制的局限性达成一致,这个框架将有助于达成一致,
● 专业组织——制定的规则和其他专业组织提供的财务管理指南,审计和根据这个框架考虑他们的标准和指南的有关主题,在这个范围内,概念和术语的差异将被消除。
● 教育和培训机构——这个框架是学术研究和分析的课题,能够预见将有进一步的提高。根据推测,这个报告已在被共同理解的基础上被接受。它的概念和术语将找到进入大学课程的它们的道路。
我们相信,这个报告提供了大量的利益。在相互理解的基础上,所有的部分将以共同的语言和更有效的沟通进行交流。企业行政部门将定位于对照标准评价控制系统,加强这个系统和使他们的企业接近于被接受的目标。进一步的研究能影响被接受的基础。立法机构和监管机构将能得到内部控制、它的利益和局限的增加的理解。所有的部门利用共同的内部控制框架,这些利益将被实现。
Legislators and Regulators
-Government officials who write or enforce
laws recognize that there can be misconceptions and different expectations
about virtually any issue. Expectations for internal control vary widely in two
respects. First, they differ regarding what control systems can accomplish. As
noted, some observers believe internal control systems will, or should, prevent
economic loss, or at least prevent companies from going out of business.
Second, even when there is agreement about what internal control systems can
and can't do, and about the validity of the "reasonable assurance"
concept, there can be disparate views of what that concept means and how it
will be applied. Corporate executives have expressed concern regarding how regulators
might construe public reports asserting "reasonable assurance" in
hindsight after an alleged control failure has occurred. Before legislation or
regulation dealing with management reporting on internal control is acted upon,
there should be agreement on a common internal control framework, including
limitations of internal control. This framework should be helpful in reaching
such agreement.
Professional Organizations
--Rule-making and other professional
organizations providing guidance on financial management, auditing and related
topics should consider their standards and guidance in light of this framework.
To the extent diversity in concept and terminology is eliminated, all parties
will benefit.
Educators
--This framework should be the subject of
academic research and analysis, to see where future enhancements can be made.
With the presumption that this report becomes accepted as a common ground for
understanding, its concepts and terms should find their way into university
curricula.
We believe this report offers a number of
benefits. With this foundation for mutual understanding, all parties will be
able to speak a common language and communicate more effectively. Business
executives will be positioned to assess control systems against a standard, and
strengthen the systems and move their enterprises toward established goals.
Future research can be leveraged off an established base. Legislators and
regulators will be able to gain an increased understanding of internal control,
its benefits and limitations. With all parties utilizing a common internal
control framework, these benefits will be realized.
Senior Management
--Most senior executives who contributed to
this study believe they are basically "in control" of their
organizations. Many said, however, that there are areas of their company--a
division, a department or a control component that cuts across
activities--where controls are in early stages of development or otherwise need
to be strengthened. They do not like surprises. This study suggests that the
chief executive initiate a self-assessment of the control system. Using this
framework, a CEO, together with key operating and financial executives, can
focus attention where needed. Under one approach, the chief executive could proceed
by bringing together business unit heads and key functional staff to discuss an
initial assessment of control. Directives would be provided for those
individuals to discuss this report's concepts with their lead personnel,
provide oversight of the initial assessment process in their areas of
responsibility and report back findings. Another approach might involve an
initial review of corporate and business unit policies and internal audit
programs. Whatever its form, an initial self-assessment should determine
whether there is a need for, and how to proceed with, a broader, more in-depth
evaluation. It should also ensure that ongoing monitoring processes are in
place. Time spent in evaluating internal control represents an investment, but
one with a high return.
Board Members
--Members of the board of directors should
discuss with senior management the state of the entity's internal control
system and provide oversight as needed. They should seek input from the
internal and external auditors.
Other Personnel
--Managers and other personnel should
consider how their control responsibilities are being conducted in light of
this framework, and discuss with more senior personnel ideas for strengthening
control. Internal auditors should consider the breadth of their focus on the
internal control system, and may wish to compare their evaluation materials to
the evaluation tools.
This report is in four volumes. The first
is this Executive Summary, a high-level overview of the internal control
framework directed to the chief executive and other senior executives, board
members, legislators and regulators.
The second volume, the Framework, defines
internal control, describes its components and provides criteria against which
managements, boards or others can assess their control systems. The Executive
Summary is included.
The third volume, Reporting to External
Parties, is a supplemental document providing guidance to those entities that
report publicly on internal control over preparation of their published
financial statements, or are contemplating doing so.
The fourth volume, Evaluation Tools,
provides materials that may be useful in conducting an evaluation of an internal
control system.
What to Do
Actions that might be taken as a result of
this report depend on the position and role of the parties involved:
Internal Auditors
--Internal auditors play an important role
in evaluating the effectiveness of control systems, and contribute to ongoing
effectiveness. Because of organizational position and authority in an entity,
an internal audit function often plays a significant monitoring role.
Other Personnel
--Internal control is, to some degree, the
responsibility of everyone in an organization and therefore should be an
explicit or implicit part of everyone's job description. Virtually all
employees produce information used in the internal control system or take other
actions needed to effect control. Also, all personnel should be responsible for
communicating upward problems in operations, noncompliance with the code of
conduct, or other policy violations or illegal actions.
A number of external parties often
contribute to achievement of an entity's objectives. External auditors,
bringing an independent and objective view, contribute directly through the
financial statement audit and indirectly by providing information useful to
management and the board in carrying out their responsibilities. Others
providing information to the entity useful in effecting internal control are
legislators and regulators, customers and others transacting business with the
enterprise, financial analysts, bond raters and the news media. External
parties, however, are not responsible for, nor are they a part of, the entity's
internal control system.
Organization of this Report
This belief is also unwarranted. An
internal control system, no matter how well conceived and operated, can provide
only reasonable--not absolute--assurance to management and the board regarding
achievement of an entity's objectives. The likelihood of achievement is
affected by limitations inherent in all internal control systems. These include
the realities that judgments in decision-making can be faulty, and that
breakdowns can occur because of simple error or mistake. Additionally, controls
can be circumvented by the collusion of two or more people, and management has
the ability to override the system. Another limiting factor is that the design
of an internal control system must reflect the fact that there are resource constraints,
and the benefits of controls must be considered relative to their costs.
Thus, while internal control can help an
entity achieve its objectives, it is not a panacea.
Roles and Responsibilities
Everyone in an organization has responsibility
for internal control.
Management
--The chief executive officer is ultimately
responsible and should assume "ownership" of the system. More than
any other individual, the chief executive sets the "tone at the top"
that affects integrity and ethics and other factors of a positive control
environment. In a large company, the chief executive fulfills this duty by
providing leadership and direction to senior managers and reviewing the way
they're controlling the business. Senior managers, in turn, assign
responsibility for establishment of more specific internal control policies and
procedures to personnel responsible for the unit's functions. In a smaller
entity, the influence of the chief executive, often an owner-manager, is
usually more direct. In any event, in a cascading responsibility, a manager is
effectively a chief executive of his or her sphere of responsibility. Of
particular significance are financial officers and their staffs, whose control
activities cut across, as well as up and down, the operating and other units of
an enterprise.
Board of Directors--Management is
accountable to the board of directors, which provides governance, guidance and
oversight. Effective board members are objective, capable and inquisitive. They
also have a knowledge of the entity's activities and environment, and commit
the time necessary to fulfill their board responsibilities. Management may be
in a position to override controls and ignore or stifle communications from
subordinates, enabling a dishonest management which intentionally misrepresents
results to cover its tracks. A strong, active board, particularly when coupled
with effective upward communications channels and capable financial, legal and
internal audit functions, is often best able to identify and correct such a
problem.
The internal control definition--with its
underlying fundamental concepts of a process, effected by people, providing
reasonable assurance--together with the categorization of objectives and the
components and criteria for effectiveness, and the associated discussions,
constitute this internal control framework.
What Internal Control Can Do
Internal control can help an entity achieve
its performance and profitability targets, and prevent loss of resources. It
can help ensure reliable financial reporting. And it can help ensure that the
enterprise complies with laws and regulations, avoiding damage to its reputation
and other consequences. In sum, it can help an entity get to where it wants to
go, and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
Unfortunately, some people have greater,
and unrealistic, expectations. They look for absolutes, believing that:
? Internal control can ensure an entity's
success--that is, it will ensure achievement of basic business objectives or
will, at the least, ensure survival.
Even effective internal control can only
help an entity achieve these objectives. It can provide management information
about the entity's progress, or lack of it, toward their achievement. But
internal control cannot change an inherently poor manager into a good one. And,
shifts in government policy or programs, competitors' actions or economic
conditions can be beyond management's control. Internal control cannot ensure
success, or even survival.
Internal control can ensure the reliability
of financial reporting and compliance with laws and regulations.
Monitoring
--Internal control systems need to be
monitored--a process that assesses the quality of the system's performance over
time. This is accomplished through ongoing monitoring activities, separate
evaluations or a combination of the two. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory
activities, and other actions personnel take in performing their duties. The
scope and frequency of separate evaluations will depend primarily on an
assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters
reported to top management and the board.
There
is synergy and linkage among these components, forming an integrated system
that reacts dynamically to changing conditions. The internal control system is
intertwined with the entity's operating activities and exists for fundamental
business reasons. Internal control is most effective when controls are built
into the entity's infrastructure and are a part of the essence of the
enterprise. "Built in" controls support quality and empowerment
initiatives, avoid unnecessary costs and enable quick response to changing
conditions.
There
is a direct relationship between the three categories of objectives, which are
what an entity strives to achieve, and components, which represent what is
needed to achieve the objectives. All components are relevant to each
objectives category. When looking at any one category--the effectiveness and
efficiency of operations, for instance--all five components must be present and
functioning effectively to conclude that internal control over operations is
effective.
Control Environment
--The control environment sets the tone of
an organization, influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing discipline
and structure. Control environment factors include the integrity, ethical
values and competence of the entity's people; management's philosophy and
operating style; the way management assigns authority and responsibility, and
organizes and develops its people; and the attention and direction provided by
the board of directors.
Risk Assessment--Every entity faces a
variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is establishment of objectives, linked at
different levels and internally consistent. Risk assessment is the
identification and analysis of relevant risks to achievement of the objectives,
forming a basis for determining how the risks should be managed. Because
economic, industry, regulatory and operating conditions will continue to
change, mechanisms are needed to identify and deal with the special risks
associated with change.
Control Activities
--Control activities are the policies and
procedures that help ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to achievement of the
entity's objectives. Control activities occur throughout the organization, at
all levels and in all functions. They include a range of activities as diverse
as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
Information and Communication
--Pertinent information must be identified,
captured and communicated in a form and timeframe that enable people to carry
out their responsibilities. Information systems produce reports, containing
operational, financial and compliance-related information, that make it
possible to run and control the business. They deal not only with internally generated
data, but also information about external events, activities and conditions
necessary to informed business decision-making and external reporting.
Effective communication also must occur in a broader sense, flowing down,
across and up the organization. All personnel must receive a clear message from
top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how
individual activities relate to the work of others. They must have a means of
communicating significant information upstream. There also needs to be
effective communication with external parties, such as customers, suppliers, regulators
and shareholders.
The first category addresses an entity's
basic business objectives, including performance and profitability goals and
safeguarding of resources. The second relates to the preparation of reliable
published financial statements, including interim and condensed financial
statements and selected financial data derived from such statements, such as
earnings releases, reported publicly. The third deals with complying with those
laws and regulations to which the entity is subject. These distinct but
overlapping categories address different needs and allow a directed focus to
meet the separate needs.
Internal control systems operate at
different levels of effectiveness. Internal control can be judged effective in
each of the three categories, respectively, if the board of directors and
management have reasonable assurance that:
They understand the extent to which the
entity's operations objectives are being achieved.
Published financial statements are being
prepared reliably.
Applicable laws and regulations are being
complied with.
While internal control is a process, its
effectiveness is a state or condition of the process at one or more points in
time.
Internal
control consists of five interrelated components. These are derived from the
way management runs a business, and are integrated with the management process.
Although the components apply to all entities, small and mid-size companies may
implement them differently than large ones. Its controls may be less formal and
less structured, yet a small company can still have effective internal control.
The components are:
Internal Control - Integrated Framework
Executive Summary
Senior executives have long sought ways to
better control the enterprises they run. Internal controls are put in place to
keep the company on course toward profitability goals and achievement of its
mission, and to minimize surprises along the way. They enable management to
deal with rapidly changing economic and competitive environments, shifting
customer demands and priorities, and restructuring for future growth. Internal
controls promote efficiency, reduce risk of asset loss, and help ensure the
reliability of financial statements and compliance with laws and regulations.
Because internal control serves many
important purposes, there are increasing calls for better internal control
systems and report cards on them. Internal control is looked upon more and more
as a solution to a variety of potential problems.
What Internal Control Is
Internal control means different things to
different people. This causes confusion among businesspeople, legislators,
regulators and others. Resulting miscommunication and different expectations
cause problems within an enterprise. Problems are compounded when the term, if
not clearly defined, is written into law, regulation or rule.
This report deals with the needs and
expectations of management and others. It defines and describes internal
control to:
Establish a common definition serving the
needs of different parties.
Provide a standard against which business and
other entities--large or small, in the public or private sector, for profit or
not--can assess their control systems and determine how to improve them.
Internal control is broadly defined as a
process, effected by an entity's board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and
regulations.
美国COSO英文报告翻译-内部控制翻译