FOREIGN-LANGUAGE TRANSLATION

ORIGINAL TEXT

From internal control to enterprise risk management

Material:
Author: Stephen J. Gauthier

In September 2004, the Council of Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting issued Enterprise Risk Management-Integrated Framework. The new publication is intended to provide a more robust framework for COSO's earlier seminal work, Internal Control-Integrated Framework (1992).

BACKGROUND

In the early 1990s, the Treadway Commission came to the conclusion that a broad conceptual framework was necessary if managers were to be properly equipped to meet their responsibility for internal control. The key features of this conceptual framework, as set forth in Internal Control-Integrated Framework, can be very briefly summarized as follows:

* Managers are responsible for achieving three basic objectives: (1) they must operate effectively and efficiently, (2) they must produce financial reports that outside parties can reasonably rely upon, and (3) they must comply with applicable laws and regulations.
* Managers cannot leave the achievement of these objectives to chance. Rather, they must create a structure or framework of internal control to ensure that each of these objectives is met.
* A truly comprehensive framework requires five components: (1) the establishment and maintenance of a sound control environment (corporate culture); (2) the regular, ongoing assessment of risk; (3) the design, implementation, and maintenance of control-related policies and procedures to compensate for identified risks; (4) adequate communication; and (5) the regular, ongoing monitoring of control-related policies and procedures to ensure that they continue to function as designed and that identified problems are handled appropriately.

The first COSO report was extraordinarily well received. Indeed, its comprehensive framework of internal control has provided the criteria now commonly used for internal control assessments, such as those recently mandated by the Sarbanes-Oxley legislation. COSO itself remains highly satisfied with its original work and expressly states that it does not intend its more recent report to alter or supplant its earlier guidance. All the same, COSO reached the conclusion that its earlier work on internal control could benefit from being placed within an even broader conceptual framework, which COSO chose to describe as enterprise risk management.

NEW GUIDANCE

COSO defines enterprise risk management as "a process effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. This process necessarily involves both individual units within an organization and the organization as a whole."

Like the earlier report, Enterprise Risk Management-Integrated Framework reiterates essentially the same three basic managerial objectives identified previously: operations, reporting (broadened to encompass nonfinancial and internal reporting), and compliance. In addition, COSO has identified a fourth category, strategic objectives, which it describes as a "higher level objective" with which the other three objectives need to be aligned.

Enterprise Risk Management-Integrated Framework also replaces the single risk assessment component of the earlier framework with four separate components (including one that continues to be called risk assessment), while at the same time providing additional guidance on the remaining four components identified in the earlier report. Thus, Enterprise Risk Management-Integrated Framework identifies eight interrelated components that are necessary to provide reasonable assurance that objectives are being achieved or that management is made aware of risks that could impede their achievement:

* Internal environment
* Objective setting
* Event identification
* Risk assessment
* Risk response
* Control activities
* Information and communication
* Monitoring

A key factor of the internal environment component is the identification of an organization's risk appetite. That is, given the trade-offs that often must be made, how much risk is a given organization prepared to assume? For example, a venture capital fund might be presumed to be more willing to accept risk in anticipation of higher returns than a pension fund.

The objective-setting component provides the context for risk assessment. That is, a risk might be defined as something that could prevent an organization from achieving its objectives. Event identification involves not only negative potential events (i.e., risks), but also positive potential events (i.e., opportunities). Opportunities need to be channeled back to the objective-setting component so management can take full advantage of them. Identified risks should then be subject to a risk assessment. Once a risk has been assessed, an organization should determine an appropriate risk response (avoid, reduce, share, or accept), defined as one that will manage the inherent risk (the risk as originally identified, before any action is taken) in such a manner that any risk remaining after a response has been taken (i.e., residual risk) will fall within a risk tolerance interval consistent with the organization's risk appetite. Control activities are the concrete steps taken to respond to risk. Information and communication is essential to the whole process, with special emphasis placed on the need for communicating significant information "upstream" (e.g., instances of management override). Finally, monitoring ensures that the various components remain effective over time and that significant deficiencies are reported and dealt with appropriately.

Exhibit 1 compares management's objectives as set forth in Internal Control-Integrated Framework (COSO I) and management's objectives as set forth in Enterprise Risk Management-Integrated Framework (COSO II). Exhibit 2 takes a similar approach to the various framework components described in COSO I and COSO II.

Exhibit 1: Comparison of COSO Framework Objectives

COSO I (Internal Control-Integrated Framework)     | COSO II (Enterprise Risk Management-Integrated Framework)
---------------------------------------------------|----------------------------------------------------------
                                                   | * Strategic objectives (higher level objective)
* Effectiveness and efficiency of operations       | * Operations
* Reliability of financial reporting               | * Reporting (both financial and non-financial)
* Compliance with applicable laws and regulations  | * Compliance

Exhibit 2: Comparison of COSO Framework Components

COSO I (Internal Control-Integrated Framework)     | COSO II (Enterprise Risk Management-Integrated Framework)
---------------------------------------------------|----------------------------------------------------------
* Control environment                              | * Internal environment (includes risk appetite)
* Risk assessment                                  | * Objective setting
                                                   | * Event identification
                                                   | * Risk assessment
                                                   | * Risk response (avoid, reduce, share, accept)
* Policies and procedures                          | * Control activities
* Communication                                    | * Information and communication
* Monitoring                                       | * Monitoring

TRANSLATION

From Internal Control to Enterprise Risk Management

Source:
Author: Stephen J. Gauthier

In September 2004, the Council of Sponsoring Organizations of the Treadway Commission issued Enterprise Risk Management-Integrated Framework, addressing fraudulent financial reporting. After the Treadway report of 1987 and the nine Statements on Auditing Standards issued in 1988, COSO carried out further in-depth and systematic research on internal control and in 1992 issued the Internal Control-Integrated Framework report, another important milestone in the development of international internal control theory. COSO holds that internal control is a process, effected by an entity's board of directors, management and other employees, that provides reasonable assurance regarding the achievement of objectives such as the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with relevant laws and regulations. Its components should derive from the way management runs the business and be integrated with the management process.

BACKGROUND

In the early 1990s, the Treadway Commission concluded that a sound conceptual framework was necessary if managers were to have the right management mechanisms to meet their responsibility for internal control. The main features of this concept, as set forth in Internal Control-Integrated Framework, can be summarized very briefly as follows:

1. Managers are responsible for achieving three basic objectives: (1) they must operate more effectively, (2) they must provide financial reports that outside parties can reasonably rely upon, and (3) they must comply with relevant laws and regulations.
2. Managers cannot leave the achievement of these objectives to chance. Rather, they must create a structured framework of internal control to ensure that internal control is clearly implemented.
3. A truly comprehensive framework consists of five components: (1) establishing and maintaining a sound control environment (corporate culture); (2) regular risk assessment; (3) designing, implementing and maintaining control-related policies and procedures to compensate for identified risks; (4) good communication; and (5) regular monitoring of control-related policies and procedures to ensure that they continue to serve their purpose and that identified problems are handled correctly.

The COSO report was extraordinarily well received. Indeed, its comprehensive framework of internal control provides the internal control assessments now in common use, such as those required by the recently passed Sarbanes-Oxley Act. The corporate reform act passed in the United States on July 25, 2002 (the Sarbanes-Oxley Act) broke the traditional self-regulatory model of the certified public accountant profession and replaced it with a model based mainly on independent regulation under government oversight: the Public Company Accounting Oversight Board (PCAOB), under the supervision of the Securities and Exchange Commission (SEC), is responsible for setting or approving auditing standards, firm quality control standards, professional ethics standards, independence standards, and other standards related to audit reports. In effect, this means that the AICPA is gradually losing its authority to set auditing standards. COSO expressly states that it does not intend its most recent report to alter or supplant its earlier guidance. All the same, it concluded that its earlier work on internal control could benefit from being placed within a broader conceptual framework, which COSO chose to describe as enterprise risk management.

NEW GUIDANCE

COSO defines enterprise risk management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk within its risk appetite, so as to provide reasonable assurance regarding the achievement of entity objectives. This process necessarily involves both the individual units within an organization and the organization as a whole."

The internal control structure comprises three elements:

* Control environment: reflects the attitudes and behavior of the board of directors, management and owners toward control.
* Accounting system: prescribes the methods for recognizing, accumulating, classifying, recording and reporting each economic transaction.
* Control procedures: the policies and procedures established by management to ensure that objectives are achieved.

Enterprise Risk Management-Integrated Framework also replaces the single risk assessment component of the earlier framework with four separate components (including one that is still called risk assessment), while at the same time providing further guidance on the remaining four components identified in the earlier report. Thus, the interrelated components that Enterprise Risk Management-Integrated Framework requires in order to provide reasonable assurance that objectives are being achieved, or that management is made aware of the risks, are reflected in the following aspects of the integrated risk management framework:

* Internal environment
* Objective setting
* Event identification
* Risk assessment
* Risk response
* Control activities
* Information and communication
* Monitoring

A key factor of an organization's internal environment is the identification of the organization's risk appetite. That is, given the trade-offs it must often make, how much risk is the organization prepared to assume in the course of its business? A venture capital fund may be presumed to be more willing than a pension fund to accept risk in anticipation of higher returns.

The objective-setting component provides the scope for risk assessment. That is, a risk may be defined as something that could prevent an organization from achieving its objectives. Event identification involves not only negative events (i.e., risks) but also positive potential events (i.e., opportunities). Opportunities need to be channeled back to the objective-setting component so that management can take full advantage of them. Identified risks are then subject to risk assessment. Once a risk has been assessed, the organization should determine an appropriate risk response (avoid, reduce, share, or accept), defined as one that manages the inherent risk (the risk as originally identified, before any action is taken) in such a way that the risk remaining after the response has been taken (i.e., residual risk) falls within a risk tolerance interval consistent with the organization's risk appetite.

Exhibit 1 compares management's objectives as set forth in the internal control framework with management's objectives as set forth in Enterprise Risk Management-Integrated Framework (COSO II). Exhibit 2 takes a similar approach to describing the various framework components of COSO I and COSO II.

Exhibit 1: Comparison of COSO Framework Objectives

COSO I (Internal Control-Integrated Framework)     | COSO II (Enterprise Risk Management-Integrated Framework)
---------------------------------------------------|----------------------------------------------------------
                                                   | Strategic objectives (higher level objective)
Effectiveness and efficiency of operations         | Operations
Reliability of financial reporting                 | Reporting (financial and non-financial)
Compliance with applicable laws and regulations    | Compliance

Exhibit 2: Comparison of COSO Framework Components

COSO I (Internal Control-Integrated Framework)     | COSO II (Enterprise Risk Management-Integrated Framework)
---------------------------------------------------|----------------------------------------------------------
Control environment                                | Internal environment (including risk appetite)
Risk assessment                                    | Objective setting
                                                   | Event identification
                                                   | Risk assessment
                                                   | Risk response (avoid, reduce, share, accept)
Policies and procedures                            | Control activities
Communication                                      | Information and communication
Monitoring                                         | Monitoring