COSO 内部控制整合框架2013版

COSOCOSO2013PAGE10页InternalControl–IntegratedExecutiveSummaryInternalcontrolhelpsentitiesachieveimportantobjectivesandsustainandimproveperformance.COSO’sInternalControl—IntegratedFramework(Framework)enablesorganizationstoeffectivelyandefficientlydevelopsystemsofinternalcontrolthatadapttochangingbusinessandoperatingenvironments,mitigateriskstoacceptablelevels,andsupportsounddecisionmakingandgovernanceoftheorganization.Designingandimplementinganeffectivesystemofinternalcontrolcanbechallenging;operatingthatsystemeffectivelyandefficientlyeverydaycanbedaunting.Newandrapidlychangingbusinessmodels,greateruseanddependenceontechnology,increasingregulatoryrequirementsandscrutiny,globalization,andotherchallengesdemandanysystemofinternalcontroltobeagileinadaptingtochangesinbusiness,operatingandregulatoryAneffectivesystemofinternalcontroldemandsmorethanrigorousadherencetopoliciesandprocedures:itrequirestheuseofjudgment.Managementandboardsofdirectors1usejudgmenttodeterminehowmuchcontrolisenough.Managementandotherpersonnelusejudgmenteverydaytoselect,develop,anddeploycontrolsacrosstheentity.Managementandinternalauditors,amongotherpersonnel,applyjudgmentastheymonitorandassesstheeffectivenessofthesystemofinternalcontrol.1TheFrameworkusestheterm“boardofdirectors,”whichencompassesthegoverningbody,includingboard,boardoftrustees,generalpartners,owner,orsupervisoryboard.TheFrameworkassistsmanagement,boardsofdirectors,externalstakeholders,andothersinteractingwiththeentityintheirrespectivedutiesregardinginternalcontrolwithoutbeingoverlyprescriptive.Itdoessobyprovidingbothunderstandingofwhatconstitutesasystemofinternalcontrolandinsightintowheninternalcontrolisbeingappliedeffectively.Formanagementandboardsofdirectors,theFrameworkAmeanstoapplyinternalcontroltoanytypeofentity,regardlessofindustryorlegalstructure,atthelevelsofentity,operatingunit,orfunctionAprinciples-basedapproachthatprovidesflexibilityandallowsforjudgmentindesigning,implementing,andconductinginternalcontrol—principlesthatcanbeappliedattheentity,operating,andfunctionallevelsRequirementsforaneffectivesystemofinternalcontrolbyconsideringhowcomponentsandprinciplesarepresentandfunctioningandhowcomponentsoperatetogetherAmeanstoidentifyandanalyzerisks,andtodevelopandmanageappropriateresponsestoriskswithinacceptablelevelsandwithagreaterfocusonanti-fraudmeasuresAnopportunitytoexpandtheapplicationofinternalcontrolbeyondfinancialreportingtootherformsofreporting,operations,andcomplianceAnopportunitytoeliminateineffective,redundant,orinefficientcontrolsthatprovideminimalvalueinreducingriskstotheachievementoftheentity’sobjectivesForexternalstakeholdersofanentityandothersthatinteractwiththeentity,applicationofthisFrameworkprovides:Greaterconfidenceintheboardofdirectors’oversightofinternalcontrolGreaterconfidenceregardingtheachievementofentityGreaterconfidenceintheorganization’sabilitytoidentify,analyze,andrespondtoriskandchangesinthebusinessandoperatingenvironmentsGreaterunderstandingoftherequirementofaneffectivesystemofinternalcontrolGreaterunderstandingthatthroughtheuseofjudgment,maybeabletoeliminateineffective,redundant,orinefficientInternalcontrolisnotaserialprocessbutadynamicandintegratedprocess.TheFrameworkappliestoallentities:large,mid-size,small,for-profitandnot-for-profit,andgovernmentbodies.However,eachorganizationmaychoosetoimplementinternalcontroldifferently.Forinstance,asmallerentity’ssystemofinternalcontrolmaybelessformalandlessstructured,yetstillhaveeffectiveinternalcontrol.TheremainderofthisExecutiveSummaryprovidesanoverviewofinternalcontrol,includingadefinition,categoriesofobjective,descriptionoftherequisitecomponentsandassociatedprinciples,andrequirementofaneffectivesystemofinternalcontrol.Italsoincludesadiscussionoflimitations—thereasonswhynosystemofinternalcontrolcanbeperfect.Finally,itoffersconsiderationsonhowvariouspartiesmayusethe本文也将讨论内部控制的局限性——为什么没有一个内部控制体系是完美的。DefiningInternalInternalcontrolisdefinedasInternalcontrolisaprocess,effectedbyanentity’sboardofdirectors,management,andotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesrelatingtooperations,reporting,andcompliance.Thisdefinitionreflectscertainfundamentalconcepts.InternalcontrolGearedtotheachievementofobjectivesinoneormorecategories—operations,reporting,andcomplianceAprocessconsistingofongoingtasksandactivities—ameanstoanend,notanendinitselfEffectedbypeople—notmerelyaboutpolicyandproceduremanuals,systems,andforms,butaboutpeopleandtheactionstheytakeateverylevelofanorganizationtoaffectinternalcontrolAbletoprovidereasonableassurance—butnotabsoluteassurance,toentity’sseniormanagementandboardofAdaptabletotheentitystructure—flexibleinapplicationfortheentityorforaparticularsubsidiary,division,operatingunit,orbusinessThisdefinitionisintentionallybroad.Itcapturesimportantconceptsthatarefundamentaltohoworganizationsdesign,implement,andconductinternalcontrol,providingabasisforapplicationacrossorganizationsthatoperateindifferententitystructures,industries,andgeographicregions.TheFrameworkprovidesforthreecategoriesofobjectives,whichalloworganizationstofocusondifferingaspectsofinternalcontrol:OperationsObjectives—Thesepertaintoeffectivenessandefficiencyofentity’soperations,includingoperationalandfinancialperformancegoals,andsafeguardingassetsagainstloss.ReportingObjectives—Thesepertaintointernalandexternalfinancialnon-financialreportingandmayencompassreliability,timeliness,transpar-ency,orothertermsassetforthbyregulators,recognizedstandardsetters,ortheentity’spolicies.ComplianceObjectives—ThesepertaintoadherencetolawsandtowhichtheentityisComponentsofInternalInternalcontrolconsistsoffiveintegratedControlThecontrolenvironmentisthesetofstandards,processes,andstructuresthatprovidethebasisforcarryingoutinternalcontrolacrosstheorganization.Theboardofdirectorsandseniormanagementestablishthetoneatthetopregardingtheimportanceofinternalcontrolincludingexpectedstandardsofconduct.Managementreinforcesexpectationsatthevariouslevelsoftheorganization.Thecontrolenvironmentcomprisestheintegrityandethicalvaluesoftheorganization;theparametersenablingtheboardofdirectorstocarryoutitsgovernanceoversightresponsibilities;theorganizationalstruc-tureandassignmentofauthorityandresponsibility;theprocessforattracting,developing,andretainingcompetentindividuals;andtherigoraroundperformancemeasures,incentives,andrewardstodriveaccountabilityforperformance.Theresultingcontrolenvironmenthasapervasiveimpactontheoverallsystemofinternalcontrol.topEveryentityfacesavarietyofrisksfromexternalandinternalsources.Riskisdefinedasthepossibilitythataneventwilloccurandadverselyaffecttheachievementofobjectives.Riskassessmentinvolvesadynamicanditerativeprocessforidentifyingandassessingriskstotheachievementofobjectives.Riskstotheachievementoftheseobjectivesfromacrosstheentityareconsideredrelativetoestablishedrisktolerances.Thus,riskassessmentformsthebasisfordetermininghowriskswillbemanaged.Apreconditiontoriskassessmentistheestablishmentofobjectives,linkedatdifferentlevelsoftheentity.Managementspecifiesobjectiveswithincategoriesrelatingtooperations,reporting,andcompliancewithsufficientclaritytobeabletoidentifyandanalyzeriskstothoseobjectives.Managementalsoconsidersthesuitabilityoftheobjectivesfortheentity.Riskassessmentalsorequiresmanagementtoconsidertheimpactofpossiblechangesintheexternalenvironmentandwithinitsownbusinessmodelthatmayrenderinternalcontrolineffective.Controlactivitiesaretheactionsestablishedthroughpoliciesandproceduresthathelpensurethatmanagement’sdirectivestomitigateriskstotheachievementofobjectivesarecarriedout.Controlactivitiesareperformedatalllevelsoftheentity,atvariousstageswithinbusinessprocesses,andoverthetechnologyenvironment.Theymaybepreventiveordetectiveinnatureandmayencompassarangeofmanualandautomatedactivitiessuchasauthorizationsandapprovals,verifications,reconciliations,andbusinessperformancereviews.Segregationofdutiesistypicallybuiltintotheselectionanddevelopmentofcontrolactivities.Wheresegregationofdutiesisnotpractical,managementselectsanddevelopsalternativecontrolInformationandInformationisnecessaryfortheentitytocarryoutinternalcontrolresponsibilitiestosupporttheachievementofitsobjectives.Managementobtainsorgeneratesandusesrelevantandqualityinformationfrombothinternalandexternalsourcestosupportthefunctioningofothercomponentsofinternalcontrol.Communicationisthecontinual,iterativeprocessofproviding,sharing,andobtainingnecessaryinformation.Internalcommunicationisthemeansbywhichinformationisdisseminatedthroughouttheorganization,flowingup,down,andacrosstheentity.Itenablespersonneltoreceiveaclearmessagefromseniormanagementthatcontrolresponsibilitiesmustbetakenseriously.Externalcommunicationistwofold:itenablesinboundcommunicationofrelevantexternalinformation,anditprovidesinformationtoexternalpartiesinresponsetorequirementsandexpectations.Ongoingevaluations,separateevaluations,orsomecombinationofthetwoareusedtoascertainwhethereachofthefivecomponentsofinternalcontrol,includingcontrolstoeffecttheprincipleswithineachcomponent,ispresentandfunctioning.Ongoingevaluations,builtintobusinessprocessesatdifferentlevelsoftheentity,providetimelyinformation.Separateevaluations,conductedperiodically,willvaryinscopeandfrequencydependingonassessmentofrisks,effectivenessofongoingevaluations,andothermanagementconsiderations.Findingsareevaluatedagainstcriteriaestablishedbyregulators,recognizedstandard-settingbodiesormanagementandtheboardofdirectors,anddeficienciesarecommunicatedtomanagementandtheboardofdirectorsasappropriate.RelationshipofObjectivesandAdirectrelationshipexistsbetweenobjectives,whicharewhatanentitystrivestoachieve,components,whichrepresentwhatisrequiredtoachievetheobjectives,andtheorganizationalstructureoftheentity(theoperatingunits,legalentities,andother).Therelationshipcanbedepictedintheformofacube. compliance—arerepresentedbythecolumns.ThefivecomponentsarerepresentedbytheAnentity’sorganizationalstructureisrepresentedbythethirdComponentsandTheFrameworksetsoutseventeenprinciplesrepresentingthefundamentalconceptsassociatedwitheachcomponent.Becausetheseprinciplesaredrawndirectlyfromthecomponents,anentitycanachieveeffectiveinternalcontrolbyapplyingallprinciples.Allprinciplesapplytooperations,reporting,andcomplianceobjectives.Theprinciplessupportingthecomponentsofinternalcontrolarelistedbelow.ControlEnvironmentTheorganizationdemonstratesacommitmenttointegrityandethicalTheboardofdirectorsdemonstratesindependencefrommanagementandexercisesoversightofthedevelopmentandperformanceofinternalManagementestablishes,withboardoversight,structures,reportinglines,andappropriateauthoritiesandresponsibilitiesinthepursuitofTheorganizationdemonstratesacommitmenttoattract,develop,andretaincompetentindividualsinalignmentwithobjectives.Theorganizationholdsindividualsaccountablefortheirinternalcontrolresponsibilitiesinthepursuitofobjectives.RiskAssessmentTheorganizationspecifiesobjectiveswithsufficientclaritytoenabletheidentificationandassessmentofrisksrelatingtoobjectives.Theorganizationidentifiesriskstotheachievementofitsobjectivesacrosstheentityandanalyzesrisksasabasisfordetermininghowtherisksshouldbemanaged.Theorganizationconsidersthepotentialforfraudinassessingriskstotheachievementofobjectives.Theorganizationidentifiesandassesseschangesthatcouldsignificantlyimpactthesystemofinternalcontrol.TheorganizationselectsanddevelopscontrolactivitiesthatcontributetothemitigationofriskstotheachievementofobjectivestoacceptableTheorganizationselectsanddevelopsgeneralcontrolactivitiesovertechnologytosupporttheachievementofobjectives.Theorganizationdeployscontrolactivitiesthroughpoliciesthatestablishwhatisexpectedandproceduresthatputpoliciesintoaction.Theorganizationobtainsorgeneratesandusesrelevant,qualityinformationtosupportthefunctioningofinternalcontrol.Theorganizationinternallycommunicatesinformation,includingobjectivesandresponsibilitiesforinternalcontrol,necessarytosupportthefunctioningofinternalcontrol.Theorganizationcommunicateswithexternalpartiesregardingmattersaffectingthefunctioningofinternalcontrol.Theorganizationselects,develops,andperformsongoingand/orseparateevaluationstoascertainwhetherthecomponentsofinternalcontrolarepresentandfunctioning.Theorganizationevaluatesandcommunicatesinternalcontroldeficienciesinatimelymannertothosepartiesresponsiblefortakingcorrectiveaction,includingseniormanagementandtheboardofdirectors,asappropriate.EffectiveInternalTheFrameworksetsforththerequirementsforaneffectivesystemofinternalcontrol.Aneffectivesystemprovidesreasonableassuranceregardingachievementofanentity’sobjectives.Aneffectivesystemofinternalcontrolreduces,toanacceptablelevel,theriskofnotachievinganentityobjectiveandmayrelatetoone,two,orallthreecategoriesofobjectives.Itrequiresthat:Eachofthefivecomponentsandrelevantprinciplesispresentand“Present”referstothedeterminationthatthecomponentsrelevantprinciplesexistinthedesignandimplementationofthesystemofinternalcontroltoachievespecifiedobjectives.“Functioning”referstothedeterminationthatthecomponentsandrelevantprinciplescontinuetoexistintheoperationsandconductofthesystemofinternalcontroltoachievespecifiedobjectives.Thefivecomponentsoperatetogetherinanintegrated“Operatingtogether”referstothedeterminationthatallfivecomponentscollectivelyreduce,toanacceptablelevel,theriskofnotachievinganobjective.Componentsshouldnotbeconsidereddiscretely;instead,theyoperatetogetherasanintegratedsystem.Componentsareinterdependentwithamultitudeofinterrelationshipsandlinkagesamongthem,particularlythemannerinwhichprinciplesinteractwithinandacrosscomponents.Whenamajordeficiencyexistswithrespecttothepresencefunctioningofacomponentorrelevantprinciple,orwithrespecttothecomponentsoperatingtogetherinanintegratedmanner,theorganizationcannotconcludethatithasmettherequirementsforaneffectivesystemofinternalcontrol.Whenasystemofinternalcontrolisdeterminedtobeeffective,seniormanagementandtheboardofdirectorshavereasonableassurance,relativetotheapplicationwithintheentitystructure,thattheAchieveseffectiveandefficientoperationswhenexternaleventsareconsideredunlikelytohaveasignificantimpactontheachievementofobjectivesorwheretheorganizationcanreasonablypredictthenatureandtimingofexternaleventsandmitigatetheimpacttoanacceptableUnderstandstheextenttowhichoperationsaremanagedeffectivelyandefficientlywhenexternaleventsmayhaveasignificantimpactontheachievementofobjectivesorwheretheorganizationcanreasonablypred