Research on Internal Control in Small and Medium-Sized Private Enterprises: Foreign Literature Translation (Chinese and English)


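Undergraduate Graduation Project (Thesis)
Translation and Original Text of Foreign Reference Literature

College:
Major:
Class:
Student ID:
Student name:
Supervisor:
Date:

Contents

Translation
Abstract
1 Background Topics
2 Internal Control Theory Outlined
2.1 The Fundamental Nature of Internal Control
2.2 Responsibility for Internal Control
3 Ensuring the Adequacy of Internal Control
4 Inherent Limitations of Internal Control
5 Conclusion

Original text
Abstract
1 Background Topics
2 Internal control theory outlined
2.1 The Fundamental Nature of Internal Control
2.2 Responsibility for Internal Control
3 Ensuring the Adequacy of Internal Control
4 Inherent limitations of internal control
5 Conclusion

Abstract

The concept of internal control is not a new one. This article examines what every public sector financial manager and board member should know about internal control. After analyzing the underlying causes of fraudulent financial reporting, the Treadway Commission attributed most of the blame to inadequate management of internal control. In response, the organizations that established the Treadway Commission formed a Committee of Sponsoring Organizations (COSO) to remedy the problems the Treadway Commission had exposed. To ensure that a framework of internal control is adequate and comprehensive, COSO identified five essential components: 1. control environment; 2. risk assessment; 3. policies and procedures; 4. communication; 5. monitoring and follow-up. A sound framework of internal control is necessary, but it must be recognized that such a framework can hardly reach perfection. Internal control is, in essence, a managerial responsibility.

1 Background Topics

The concept of internal control is nothing new. All the same, recent scandals in the private sector have led federal legislation to reaffirm the importance of this frequently neglected topic. This article examines what every public sector financial manager and board member should know about internal control.

Until recent years, the basic question "What is internal control?" would elicit a series of examples, such as segregation of duties, periodic bank reconciliations, and the use of receiving reports, but none of these is an accurate definition of internal control. That is, internal control tended to be viewed as a collective term describing an assortment of different policies and procedures rather than as a separate and unified concept. This was the situation the Treadway Commission faced in the mid-1980s when it took up its mandate on fraudulent financial reporting.

After investigating the underlying causes of fraudulent financial reporting, the Treadway Commission attributed most of the blame to inadequate managerial involvement with internal control, and it attributed part of the responsibility to the fact that managers had not been given a clear understanding of what internal control really means and why it should matter to them.

In response to these findings, the organizations that sponsored the Treadway Commission formed a coordinating committee to remedy the problems the commission had exposed. The result of this effort was the groundbreaking report Internal Control - Integrated Framework, released by COSO in 1992. To this day, the "COSO Report" remains the essential foundation for any serious discussion of internal control.

In the private sector, the criteria set out in the COSO Report are normally used to evaluate internal control, including the internal control assessments required of publicly traded companies under the federal Sarbanes-Oxley legislation, which was passed in the wake of the Enron and WorldCom scandals. In the public sector, the Government Finance Officers Association (GFOA), in a recent recommended practice, has taken the position that government financial managers, in fulfilling their ethical responsibilities, should "obtain the information and training needed to meaningfully take responsibility for internal control," and in particular should gain a sound understanding of internal control as set forth by COSO.

2 Internal Control Theory Outlined

2.1 The Fundamental Nature of Internal Control

Whatever the nature of the organization (public, private, or not-for-profit), all managers must strive to: (1) operate efficiently; (2) produce reliable external financial reports; and (3) comply with applicable laws and regulations.

Responsible managers cannot stand apart from these objectives. Rather, they must take concrete action to ensure that operations are effective and efficient, that financial reporting is reliable, and that laws and regulations are not violated. It is these actions that constitute internal control. Put differently, internal control can be defined as the sum of the tools and techniques management uses to ensure that it achieves its objectives. Thus, by its very nature, internal control is fundamentally a management concern.

2.2 Responsibility for Internal Control

The following analogy may help in understanding how responsibility for internal control is properly assigned among managers, board members, and auditors. "A student is primarily responsible for completing homework." Assigning this primary responsibility to the student is practical: the purpose of homework is to improve the student's skills, and no one can do the homework for the student without undermining that purpose. A parent, tutor, or fellow student may help the student complete an assignment, but in the end only the student's direct involvement can achieve the goal of improving skills. Of course, this does not mean that parents or guardians can excuse themselves from responsibility on the grounds that homework is primarily the student's responsibility. The ultimate duty of parents or guardians is to ensure that the student takes responsibility for his or her own homework; although they cannot actually do the homework for the student, they have the right to supervise its completion. Finally, teachers and tutors, who provide valuable help to students and to parents or guardians, cannot take the place of either. In the end, if the student's homework is not completed on time, the ultimate responsibility falls on the parents or guardians.

This analogy carries over to internal control: the student, the parents or guardians, and the teachers in the example stand for management, the governing board, and the auditors respectively, which helps clarify each party's responsibilities. As explained above, internal control is fundamentally a management concern (that is, the tools and techniques managers use to achieve management objectives), so management bears primary responsibility for internal control. Board members, however, cannot stand aside on the grounds that internal control is primarily management's duty, because the board's job is to ensure that management meets all of its responsibilities. The governing board therefore bears ultimate responsibility for internal control. The independent auditor, like a teacher, can provide necessary assistance toward management's success (in preparing reliable financial statements), but even the best teacher cannot carry out the responsibilities and tasks that belong to the student and the parents or guardians. Finally, the internal auditor plays an important role, helping those served to reach their goals as a teacher would. Even so, with regard to internal control the internal auditor can only assist management, not replace it.

Of course, it is one thing to insist that the governing board bears ultimate responsibility for internal control. The main question remains: "How can the board effectively fulfill its responsibility in this regard?" The most practical approach is to establish an audit committee, which ideally serves as the focal point of the board's internal control efforts and ensures that internal control matters are regularly brought before the board and dealt with promptly. Similarly, an internal audit function can help managers carry out their primary responsibility for internal control, especially managers with a programmatic rather than a financial background, who may be less familiar with internal control.

3 Ensuring the Adequacy of Internal Control

Once management and the governing board have each assumed their responsibility for internal control, how can they know whether they have truly fulfilled their obligations? How much control is enough?

Before the COSO Report, it was more common to speak of internal controls (plural) than of internal control (singular). COSO, however, viewed internal control as more than the sum of its parts (individual policies and procedures). COSO envisioned internal control as a unified structure or framework into which individual control elements or components are integrated; that is, COSO offered a holistic concept of internal control in place of the earlier piecemeal approach. COSO also identified five essential components that must be in place to ensure that the framework of internal control is adequate or comprehensive:

1. There must be a sound control environment ("corporate culture");
2. There must be a regular, ongoing assessment of risk;
3. Control-related policies and procedures must be designed, implemented, and maintained to address the risks identified;
4. There must be adequate communication;
5. There must be regular and ongoing monitoring of control-related policies and procedures to ensure that they continue to function and that any problems are handled appropriately.

Control environment. An analogy may again help in understanding the importance of the control environment. Children do not grow up in isolation, but in specific circumstances, surrounded by specific people. That environment can have a profound effect on a child's development. A child with only limited potential may flourish in a supportive, opportunity-rich environment, while a child with great potential may grow up in an unfavorable environment where that potential is buried.

Internal control does not operate in a vacuum either. It is inevitably affected, for better or worse, by the surrounding environment or corporate culture. Indeed, the importance of the surrounding control environment to the ultimate success of internal control cannot be overstated. Where internal control is regarded with indifference or even hostility (so much "red tape" to be "cut through" to get the job done), even the best policies and procedures have little hope of being effective. Conversely, an environment that clearly supports internal control can get the most out of even the most basic control policies and procedures.

The key to a sound control environment is management's informed and active support. Management can hardly support something it does not understand (hence the GFOA recommendation mentioned earlier that management become familiar with the COSO guidance on internal control). Likewise, effective support is more than words; time and resources are also an important part of it.

In addition, it is very important that managers lead by example. All too often, managers appear to believe that internal control is only for their subordinates; that is, they impose controls on those who report to them while exempting themselves. The likely result of such an approach is that employees will come to regard circumventing internal control as something desirable (evidence of their rank and importance within the organization) rather than as something to be avoided.

One particularly important example of this principle is management's response to violations of control-related policies and procedures. To avoid confrontation, managers often fail to take effective disciplinary action, even in situations involving fraud. Inevitably, such a response sends a clear and dangerous message to others: management is not really serious about internal control.

Naturally, an active audit committee and an effective internal audit function are both significant positive factors in the overall control environment.

Risk assessment. There will always be challenges (that is, risks) in the way of management achieving its objectives. Moreover, yesterday's risks are not necessarily the same as today's or tomorrow's. Risk assessment therefore cannot be completed in a "one-time" effort; it must be a regular, ongoing process. Likewise, risks must be anticipated so that they can be avoided or mitigated. By way of analogy, installing lights at a railway crossing can prevent a major accident; likewise, lights may become necessary at a crossing where population or traffic conditions have changed.

How, then, should managers go about identifying previously unknown risks? First, management should focus its attention on change, because all change involves some degree of risk. Changes that can entail a high degree of risk include the following:

1. Changes in the operating environment (e.g., changes in rules and regulations);
2. Changes in personnel (especially in sensitive positions);
3. Changes in information systems and technology (e.g., if processes have been redesigned, are the controls still adequate?);
4. Rapid growth (e.g., pressure to meet increased demand);
5. New programs and services (e.g., lack of experience);
6. Changes in structure (e.g., elimination of a program).

Managers should also consider inherent risk, that is, ongoing situations that carry a heightened level of risk. Situations that typically involve a high degree of inherent risk include the following:

1. Complexity (the more complex, the more likely something will go wrong);
2. Cash receipts;
3. Direct third-party beneficiaries (cash payments of assistance to individuals);
4. Prior problems (programs that had problems in the past are likely to keep having them);
5. Previously identified control weaknesses (situations where problems identified in the past have not been corrected).

Policies and procedures. As managers identify current and potential future risks through their risk assessments, they must take practical steps to design and implement specific control-related policies and procedures to avoid or minimize those risks.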
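Traditionally, control-related policies and procedures for finance fall into the following basic categories:

1. Authorization (all transactions need to be properly authorized);
2. Properly designed records (records should be designed to highlight missing items);
3. Security of assets and records (assets and records should be protected and made available only to those who need them);
4. Segregation of incompatible duties (ideally, no individual employee should be in a position both to commit and to conceal an irregularity);
5. Periodic reconciliations (accounting records should regularly be compared and reconciled);
6. Periodic verifications (accounting data should regularly be compared with the actual items they represent);
7. Analytical review (financial data should be assessed by comparing them with other data, both financial and nonfinancial, and with expectations).

Specific control-related policies and procedures can also be divided into two kinds: those designed to actually eliminate a problem (like a fire sprinkler system), and those with the more limited goal of alerting managers to a potential problem so that they can detect it in time (like a smoke alarm). The importance of this distinction will become apparent later in the discussion.

Communication. Unlike the other four components, communication does not really exist on its own. Rather, it is the basis on which each of the other components functions effectively. For example, a sound control environment requires good communication among levels of management and between managerial and non-managerial staff. Indeed, it was to underscore the importance of communication that COSO treated it as a separate component which, together with the others, makes up a comprehensive framework.

Of particular note from the financial manager's perspective is the documentation of accounting-related policies and procedures. Traditionally, an accounting policies and procedures manual has been widely used for this purpose. More recently, governments have begun to use internal websites to ensure that staff always have access to the latest information. Managers, of course, are in a position to override the controls they establish.

Because of this unavoidable risk of management override, it is very important to give staff a clear channel of communication that bypasses managers.

Not all types of information are equally urgent. For example, irregularities and fraud must be communicated to the appropriate parties immediately, whereas periodic reporting may suffice for many less sensitive kinds of control-related information. Good communication ensures that the speed of communication is consistent with such considerations.

Monitoring. The fifth and final component of a comprehensive framework of internal control is monitoring. Just as even the best-built house needs regular upkeep and occasional repairs, control-related policies and procedures tend to become unsuitable over time. Managers must therefore periodically evaluate their control-related policies and procedures to ensure that they have been properly implemented and remain fully operational.

Equally important, many control-related policies and procedures are designed to alert management to potential problems rather than to actually eliminate them. An important element of monitoring, therefore, is evaluating how past indications of possible errors and irregularities, signaled by control-related policies and procedures, have been dealt with.

4 Inherent Limitations of Internal Control

A sound framework of internal control is essential, but it is important to remember that no such framework can ever be perfect. For example, as explained earlier, managers are normally in a position to override whatever control-related policies and procedures they establish. Also, controls that depend on the segregation of incompatible duties can usually be circumvented through collusion (that is, individuals who are meant to act as a control on one another could instead work together). Finally, and most important, it would be inappropriate to implement a control-related policy or procedure that ends up costing more than the benefit it can reasonably be expected to achieve. Thus, for example, it may sometimes not be feasible to fully implement the segregation of incompatible duties, in which case alternative (and possibly less effective) methods may need to be used instead.

From Internal Control to Enterprise Risk Management

As noted earlier, COSO's 1992 report has served as the basis for serious discussion of internal control. COSO did not abandon its mission with the 1992 publication of Internal Control - Integrated Framework; rather, it decided to enhance its work on internal control by placing it in the context of enterprise risk management. The result was the 2004 publication of Enterprise Risk Management - Integrated Framework (COSO II).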

COSO II describes enterprise risk management as:

a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk, so as to provide reasonable assurance regarding the achievement of the entity's objectives.

This process necessarily involves both individual units within the organization and the organization as a whole.

According to COSO II, a comprehensive enterprise risk management framework is one that provides reasonable assurance (1) that the entity's objectives are being achieved, or (2) that management is made aware of risks that could affect their achievement.

COSO II reiterates the three basic managerial objectives of the original COSO Report: operations (effectiveness and efficiency); reporting (broadened to include nonfinancial and internal reporting); and compliance. It also identifies a new, fourth category of strategic objectives, described as being on a "higher level," because all the other objectives need to be aligned with it.

Consistent with its emphasis on enterprise risk management, COSO II expands the single risk assessment component of the earlier framework into four separate components (including one still called "risk assessment"), bringing to eight the total number of components in a comprehensive enterprise risk management framework:

1. Internal environment (including an organization's tolerance for loss and risk);
2. Objective setting (providing the context for risk assessment, a risk being defined as something that could prevent an organization from achieving its objectives);
3. Event identification (including both positive opportunities and negative risks);
4. Risk assessment (risk prior to response: inherent risk);
5. Risk response (the decision to reduce, share, or accept inherent risk so that the remaining risk is consistent with the organization's risk appetite);
6. Control activities (concrete steps taken to respond to risk);
7. Information and communication (specifically including a provision for "upstream reporting" in the case of management override);
8. Monitoring.

5 Conclusion

Internal control, by its very nature, is essentially a managerial responsibility. Awareness of management's responsibility for internal control has been greatly heightened by recent private sector developments, such as the federal Sarbanes-Oxley legislation. GFOA has stated clearly that public sector financial managers have an obligation under GFOA's Code of Professional Ethics to fulfill their internal control responsibility. The first step in meeting that obligation is for managers to become familiar with the COSO Report's guidance on internal control. Likewise, public sector governing boards, which are ultimately responsible for ensuring that management meets its internal control responsibilities, should become familiar with the COSO Report's comprehensive framework of internal control so that they can better hold management accountable.

Abstract

The concept of internal control is hardly new. This article will examine what every public sector financial manager and board member should know about internal control. After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. In response, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations (COSO) that sought to remedy the deficiencies exposed by the Treadway Commission. COSO identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive: 1. control environment, 2. assessment of risk, 3. policies and procedures, 4. communication, and 5. monitoring. While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. Internal control, by its very nature, is essentially a managerial responsibility.

1 Background Topics

The concept of internal control is hardly new. All the same, recent private sector scandals and subsequent federal legislation have significantly renewed interest in this important, but frequently neglected topic. This article will examine what every public sector financial manager and board member should know about internal control.

Until recent years, a response to the basic question, "What is internal control?" likely would have elicited a series of examples (segregation of incompatible duties, periodic bank reconciliations, use of receiving reports) rather than a true definition. That is to say, internal control tended to be viewed as a collective term used to describe a disparate assortment of policies and procedures rather than as a separate and coherent concept in its own right. Such was the situation that confronted the Treadway Commission on Fraudulent Financial Reporting when it first took up its mandate in the mid-1980s.

After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. The commission assigned at least partial responsibility for this lack of involvement to a general failure to provide managers with a clear understanding of what internal control really is and why it should be a matter of concern to them.

In response to these findings, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations that sought to remedy the deficiencies exposed by the Treadway Commission. The result of this effort was the groundbreaking report Internal Control - Integrated Framework, which was released by COSO in 1992. To this day, the "COSO Report" serves as the essential foundation for any serious discussion of internal control.

In the private sector, the COSO Report provides the criteria normally used for evaluating internal control, including the internal control assessments mandated for publicly traded companies by the federal Sarbanes-Oxley legislation that was passed in the wake of the Enron and WorldCom scandals. In the public sector, the Government Finance Officers Association in a recent recommended practice has taken the position that government financial managers, in fulfillment of their ethical responsibilities, should "obtain the information and training needed to meaningfully take responsibility for internal control," and "in particular" should obtain "a sound understanding of ... internal control as set forth by COSO."1

2 Internal control theory outlined

2.1 THE FUNDAMENTAL NATURE OF INTERNAL CONTROL

Regardless of the sector within which they serve (i.e., public, private, or not-for-profit), all managers must strive to: (1) operate effectively and efficiently, (2) produce reliable external financial reports, and (3) comply with applicable laws and regulations.

Responsible managers cannot leave the achievement of these objectives to chance. Rather, they must take concrete action to ensure the effectiveness and efficiency of operations, reliable financial reporting, and legal and regulatory compliance. It is the sum of these actions that constitutes internal control. Put differently, internal control could be defined as the sum of the tools and techniques used by management to ensure that it achieves its objectives. Thus, by its very nature, internal control is fundamentally a managerial concern.

2.2 RESPONSIBILITY FOR INTERNAL CONTROL

An analogy may be useful in understanding the proper assignment of responsibility for internal control among managers, board members, and auditors. A student is primarily responsible for completing homework assignments. The reason for assigning primary responsibility to the student is as much practical as it is ethical; since the purpose of a homework assignment is to sharpen the student's skills, no one else can do a student's homework for the student without fundamentally compromising that objective. While a parent, tutor, or fellow student may provide valuable help to the student in completing an assignment, in the end, only the student's direct involvement can achieve the desired end.

That is not to say, of course, that parents or guardians can somehow absolve themselves of their own responsibility for the completion of their charges' homework on the grounds that it is the student who is primarily responsible. Parents or guardians remain ultimately responsible for ensuring that a student meets his or her responsibility for homework. Although parents or guardians cannot actually do the homework for the student, they have a duty to make sure the student does so. Finally, teachers and tutors, while they can be of invaluable assistance to both students and their parents or guardians, cannot replace either.
In the end, homework remains the primary responsibility of the student and the ultimate responsibility of the parents or guardians.

This analogy holds true for internal control if the students, parents or guardians, teachers, and tutors of the previous example are replaced by management, the governing board, the independent auditor, and the internal auditor. Management is primarily responsible for internal control, because internal control, as explained earlier, is, by its very nature, fundamentally a management concern (i.e., the tools and techniques used by managers to achieve management objectives). Board members, in turn, cannot wash their hands of responsibility for internal control on the grounds that management is primarily responsible, because it is the job of a governing board to ensure that management meets all of its responsibilities. Thus, the governing board is ultimately responsible for internal control. The independent auditor of the financial statements, like a teacher, validates management's success (in preparing reliable financial statements) and is available to provide assistance, as needed. Still, even the best teacher cannot make up for a disengaged student or uninvolved parents or guardians. Finally, the role of internal auditors, like that of tutors, is to help those whom they serve to succeed. Nonetheless, an internal auditor can only assist management, not replace it, with regard to internal control.

It is one thing, of course, to insist that the governing board is ultimately responsible for internal control. The real issue remains: "How can a governing board effectively fulfill its responsibility in this regard?" The most practical solution is to establish an audit committee, which ideally can serve as the focal point for the board's internal control-related efforts, ensuring that the whole matter of internal control is regularly brought before the board for its attention and dealt with appropriately.2 Similarly, an internal audit function can be invaluable in helping managers, especially those managers with a programmatic rather than a financial background, who may be less familiar with internal control.3

3 Ensuring the Adequacy of Internal Control

Once management and the governing board have assumed their respective responsibility for internal control, how can they know that they have truly fulfilled their obligations? How much control is enough?

Before the COSO Report, it was more common to speak of internal controls (plural) than of internal control (singular). COSO, however, viewed internal control as much more than the sum of its parts (individual policies and procedures). COSO envisioned internal control as a unified structure or framework into which individual control elements or components are integrated. That is, COSO offered a conceptually holistic approach to internal control in place of the earlier, essentially piecemeal approach. COSO also identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive:

* There must be a sound control environment ("corporate culture")
* There must be a regular, ongoing assessment of risk
* Control-related policies and procedures must be designed, implemented, and maintained to address the risks thus identified
* There must be adequate communication
* There must be a regular and ongoing monitoring of control-related policies and procedures to ensure that they continue to function as designed and that any problems disclosed are handled appropriately

Control environment. An analogy once again may be useful for understanding the importance of the control environment. Children do not grow up in isolation, but rather surrounded by specific individuals in specific circumstances. This environment can have a profound impact on a child's development. Thus, a child with only limited gifts may flourish in a supportive and opportunity-rich environment, whereas a child with much greater potential may languish in a dysfunctional setting.

Internal control also does not function in a vacuum. It is inevitably affected, for better or worse, by the surrounding environment or "corporate culture." Indeed, it is impossible to exaggerate the importance of the ambient control environment to the ultimate success of internal control. The best designed policies and procedures have little hope of being effective in an environment where internal control is viewed with indifference or even hostility (so much "red tape" to be "cut through" to get the job done). Conversely, an environment that is clearly supportive of control will tend to get the most out of even the most basic control-related policies and procedures.

The key to a sound control environment is management's informed and active support for internal control. Management can hardly be supportive of something it does not understand (thus the GFOA recommendation mentioned earlier regarding the need for management to become familiar with the COSO guidance on internal control). Likewise, effective support must involve more than just words; time and resources also have to be a part of the equation.

In addition, there is no substitute for management leading by example. All too often, managers appear to believe in internal control - but only for their subordinates! That is, managers wish to exempt themselves from the very controls they place on those who report to them. Of course, the likely outcome of such an approach is that employees will view the circumvention of internal control as something to be desired (evidence of their rank and importance within the organization) rather than as something to be avoided.

One particularly important example of the principle just discussed is management's response to violations of control-related policies and procedures. All too frequently, managers seek to avoid confrontation, even in situations involving fraud, and thus fail to take effective disciplinary action. Almost inevitably, such a response sends the clear and dangerous message to others that management is not really serious about internal control.

Naturally, an active audit committee and an effective internal audit function are significant positive factors in an entity's control environment.

Assessment of risk. There will always be challenges in the path of management's achieving its objectives (i.e., risks). Moreover, yesterday's risks will not necessarily be the same as today's or tomorrow's. Accordingly, risk assessment cannot be a "one-time" effort, but must be a regular, ongoing process. Likewise, risks must be anticipated so they can be avoided or mitigated to the greatest extent possible. To revert to analogy, the time to install lights at a railway crossing is before a major accident occurs. Likewise, lights may become necessary at a railway crossing where none were needed previously because of changes in population or traffic patterns.

How then should managers go about the process of trying to identify previously unidentified risks? First, management should focus its attention on change, because all change involves some element of risk. Examples of types of change that can entail a high degree of risk include the following:

* Changes in the operating environment (e.g., changes in regulations)
* Changes in personnel (especially in sensitive positions)
* Changes in information systems and technology (e.g., if processes have been reengineered, are control procedures still adequate?)
* Rapid growth (e.g., pressure to "cut corners" to meet increased demand)
* New programs and services (e.g., lack of experience)
* Changes in structure (e.g., elimination of a program)

Managers also should consider inherent risk, which involves the notion that certain situations, even when they are ongoing, involve heightened levels of risk. Examples of situations that typically involve a high degree of inherent risk include the following:

* Complexity (the more that can go wrong, the more that will go wrong)
* Cash receipts ("when cash passes hands it tends to stick")
* Direct third-party beneficiaries (cash payments of assistance to individuals)
* Prior problems (programs with a "problem past" are likely to continue to experience problems)
* Prior unresponsiveness to identified control weaknesses (situations where problems identified in the past have still not been remedied)

Policies and procedures. As managers identify current and future potential risks as a result of their ongoing risk assessments, they must take practical steps to design and implement specific control-related policies and procedures to avoid or mitigate those risks. Traditionally, control-related policies and procedures related to finance are classified into one of the following basic categories:

* Authorization (all transactions need to be properly authorized)
* Properly designed records (records should be designed to highlight missing items)
* Security of assets and records (assets and records should be protected and available only to those who need them)
* Segregation of incompatible duties (ideally, individual employees should not be in the position to both commit and conceal an irregularity)
* Periodic reconciliations (accounting records should regularly be compared and reconciled)
* Periodic verifications (accounting data should regularly be compared with the actual items they represent)
* Analytical review (the reasonability of financial data should be assessed by comparing that data with other data, both financial and nonfinancial, as well as with expectations)

Specific control-related policies and procedures also can be divided between those designed to actually eliminate a problem (like a fire sprinkler system) and those designed with the more limited goal of alerting managers to a potential problem so they can eliminate it (like a smoke alarm). The importance of this distinction will become apparent later in the discussion of monitoring.

Communication. Unlike the other four components of a comprehensive framework of internal control, communication does not really exist separately. Rather, it is a pervasive and necessary characteristic of each of the remaining components if they are to function effectively. For example, a sound control environment requires good communication among levels of management as well as between managerial and non-managerial staff. Indeed, it was to underscore the importance of communication to each of the other components of a comprehensive framework of internal control that COSO chose to treat it as a separate component in its own right.

Of special importance to good communication from the perspective of financial managers is the documentation of accounting-related policies and procedures. Traditionally an accounting policies and procedures manual has generally been used for this purpose. More recently, governments have begun to use internal Web sites to ensure that staff has ready access to the most updated information.4

Managers, of course, are in a position to override whatever controls they establish. Because of this unavoidable risk of management override, it is important that staff be provided with a clear way of communicating around managers in situations where management override does occur.

Not all types of information have the same urgency. For example, indications of irregularities or fraud need to be communicated to the appropriate parties immediately, whereas periodic reporting may be sufficient for many less sensitive types of control-related information. Good communication will ensure that the speed of communication is consistent with such considerations.

Monitoring. The fifth and final component of a comprehensive framework of internal control is monitoring. Just as even the best-constructed house may reasonably be expected to require regular upkeep and occasional repairs, control-related policies and procedures tend naturally to deteriorate over time. Therefore, managers must periodically evaluate their control-related policies and procedures to ensure that they have been properly implemented and remain fully operational.

Just as important, many control-related policies and procedures are designed to alert managers to a potential problem rather than to actually eliminate the problem. Therefore an essential element of monitoring is to evaluate how past indications of possible errors and irregularities signaled by control-related policies and procedures have been dealt with.

4 Inherent limitations of internal control

While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. For example, as already explained, managers normally are in a position to override whatever control-related policies and procedures they establish. Also, controls dependent upon the segregation of incompatible duties typically could be circumvented through collusion (i.e., individuals intended to act as a control upon one another could instead work together to frustrate the control). Finally,
and most important, it would be inappropriate to implement a control-related policy or procedure that would end up costing more than the benefit it was reasonably expected to achieve. Thus, for instance, it sometimes may not be feasible to fully implement the segregation of incompatible duties, in which case alternative (and potentially less effective) methods may need to be employed instead.

FROM INTERNAL CONTROL TO ENTERPRISE RISK MANAGEMENT

As noted earlier, COSO's 1992 report was groundbreaking and has served ever since as the basis for all serious discussion of internal control. For all that, COSO did not abandon its mission with the 1992 publication of Internal Control - an Integrated Framework. Rather, it decided to enhance its work on internal control by placing it within the even broader context of enterprise risk management. The result was COSO's 2004 publication Enterprise Risk Management - an Integrated Framework (COSO II).

COSO II describes enterprise risk management as:

a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This process necessarily involves both individual units within an organization and the organization as a whole.

A comprehensive enterprise risk management framework, according to COSO II, is one that provides reasonable assurance (1) that an entity's objectives are being achieved or (2) that management is made aware of risks that could impede their achievement.

COSO II reiterates the three basic managerial objectives identified in the original COSO Report: operations (effectiveness and efficiency), reporting (broadened to encompass nonfinancial and internal reporting), and compliance. It also identifies a new fourth category of strategic objectives that it describes as being on a "higher level," because all of the other objectives would need to be aligned to it.

Consistent with the emphasis on enterprise risk management, COSO II expands the single risk assessment component of the earlier framework into four separate components (including one that continues to be called "risk assessment"), bringing to eight the total number of components in a comprehensive framework of enterprise risk management:

* Internal environment (including the identification of an entity's tolerance for loss or risk appetite)
* Objective setting (providing the context for the risk assessment, given that a risk is to be defined as something that could prevent an entity from achieving its objectives)
* Event identification (both positive - opportunities, and negative - risks)
* Risk assessment (scope of risk prior to response - inherent risk)
* Risk response (decision to reduce, share, or accept inherent risk so that any remaining or residual risk is consistent with the entity's risk appetite)
* Control activities (concrete steps taken to respond to risk)
* Information and communication (specifically to include a provision for "upstream reporting" in the case of management override)
* Monitoring

Exhibit 1 compares and contrasts the objectives set forth in the original 1992 COSO Report with those presented in COSO II. Exhibit 2 provides a similar comparison between the elements of a comprehensive framework of internal control (1992 COSO Report) and the elements of a comprehensive framework of enterprise risk management (COSO II).

Because of the wide acceptance already accorded the guidance provided in the 1992 COSO Report, COSO II emphasizes that nothing in the latter report amends or replaces the guidance found in the earlier report. That is, COSO II is designed to supplement rather than replace the original COSO guidance for those who desire a "more robust" context for assessing internal control.

5 CONCLUSION

Internal control, by its very nature, is essentially a managerial responsibility. Awareness of management's responsibility for internal control has been significantly heightened of late by recent private sector developments, such as the federal Sarbanes-Oxley legislation. GFOA has gone on record stating that public sector financial managers have an affirmative obligation under GFOA's Code of Professional Ethics to fulfill their internal control responsibility. The first step in meeting that obligation is for managers to become familiar with the COSO guidance on internal control. Likewise, public sector governing boards, which are ultimately responsible for ensuring that management meets its internal control-related responsibilities, should become familiar with COSO's comprehensive framework of internal control so they can better hold management accountable.
