1、 1 外文翻译 原文 Understanding internal control Material Source: Cover Story Author: Gauthier, Stephen J The concept of internal control is hardly new. All the same, recent private sector scandals and subsequent federal legislation have significantly renewed interest in this important, but frequently negl
2、ected topic. This article will examine what every public sector financial manager and board member should know about internal control. BACKGROUND Until recent years, a response to the basic question, “What is internal control?“ likely would have elicited a series of examples-segregation of incompati
3、ble duties, periodic bank reconciliations, use of receiving reports-rather than a true definition. That is to say, internal control tended to be viewed as a collective term used to describe a disparate assortment of policies and procedures rather than as a separate and coherent concept in its own ri
4、ght. Such was the situation that confronted the Treadway Commission on Fraudulent Financial Reporting when it first took up its mandate in the mid-1980s. After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial
5、 involvement with internal control. The commission assigned at least partial responsibility for this lack of involvement to a general failure to provide managers with a clear understanding of what internal control really is and why it should be a matter of concern to them. In response to these findi
6、ngs, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations that sought to remedy the deficiencies exposed by the Treadway Commission. The result of this effort was the groundbreaking report Internal Control-Integrated Framework, whic
7、h was released by COSO in 1992. To this day, the “COSO Report“ serves as the essential foundation for any serious discussion of internal control. 2 In the private sector, the COSO Report provides the criteria normally used for evaluating internal control, including the internal control assessments m
8、andated for publicly traded companies by the federal Sarbanes-Oxley legislation that was passed in the wake of the Enron and WorldCom scandals. In the public sector, the Government Finance Officers Association in a recent recommended practice has taken the position that government financial managers
9、, in fulfillment of their ethical responsibilities, should “obtain the information and training needed to meaningfully take responsibility for internal control,“ and “in particular“ should obtain “a sound understanding of . internal control as set forth by COSO.“ THE FUNDAMENTAL NATURE OF INTERNAL C
10、ONTROL Regardless of the sector within which they serve (i.e., public, private, or not-for-profit), all managers must strive to: (1) operate effectively and efficiently, (2) produce reliable external financial reports, and (3) comply with applicable laws and regulations. Responsible managers cannot
11、leave the achievement of these objectives to chance. Rather, they must take concrete action to ensure the effectiveness and efficiency of operations, reliable financial reporting, and legal and regulatory compliance. It is the sum of these actions that constitute internal control. Put differently, i
12、nternal control could be defined as the sum of the tools and techniques used by management to ensure that it achieves its objectives. Thus, by its very nature, internal control is fundamentally a managerial concern. RESPONSIBILITY FOR INTERNAL CONTROL It is one thing, of course, to insist that the g
13、overning board is ultimately responsible for internal control. The real issue remains: “How can a governing board effectively fulfill its responsibility in this regard?“ The most practical solution is to establish an audit committee, which ideally can serve as the focal point for the boards internal
14、 control-related efforts, ensuring that the whole matter of internal control is regularly brought before the board for its attention and dealt with appropriately. Similarly, an internal audit function can be invaluable in helping managers to meet their primary responsibility for internal control, es
15、pecially those managers with a programmatic rather than a financial background, who may be less familiar with internal control. ENSURING THAT INTERNAL CONTROL IS ADEQUATE 3 Once management and the governing board have assumed their respective responsibility for internal control, how can they know th
16、at they have truly fulfilled their obligations? How much control is enough? COSO envisioned internal control as a unified structure or framework into which individual control elements or components are integrated. That is, COSO offered a conceptually holistic approach to internal control in place of
17、 the earlier, essentially piecemeal approach. COSO also identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive: There must be a sound control environment (“corporate culture“) . There must be a regular, ongoing
18、 assessment of risk. Control-related policies and procedures must be designed, implemented, and maintained to address the risks thus identified. There must be adequate communication. There must be a regular and ongoing monitoring of control-related policies and procedures to ensure that they continu
19、e to function as designed and that any problems disclosed are handled appropriately. The key to a sound control environment is managements informed and active support for internal control. Likewise, effective support must involve more than just words; time and resources also have to be a part of the
20、 equation. Naturally, an active audit committee and an effective internal audit function are significant positive factors in an entitys control environment. Risk Assessment. There will always be challenges in the path of managements achieving its objectives (i.e., risks). Moreover, yesterdays risks
21、will not necessarily be the same as todays or tomorrows. Accordingly, risk assessment cannot be a “one-time“ effort, but must be a regular, ongoing process. Likewise, risks must be anticipated so they can be avoided or mitigated to the greatest extent possible. To revert to analogy, the time to inst
22、all lights at a railway crossing is before a major accident occurs. How then should managers go about the process of trying to identify previously unidentified risks? First, management should focus its attention on change, because all change involves some element of risk. Examples of types of change
23、 that can entail a high degree of risk include the following: * Changes in the operating environment (e.g., changes in regulations). * Changes in personnel (especially in sensitive positions). 4 * Changes in information systems and technology (e.g., if processes have been reengineered, are control p
24、rocedures still adequate?). * Rapid growth (e.g., pressure to “cut corners“ to meet increased demand). * New programs and services (e.g., lack of experience). * Changes in structure (e.g., elimination of a program). Managers also should consider inherent risk, which involves the notion that certain
25、situations, even when they are ongoing, involve heightened levels of risk. Examples of situations that typically involve a high degree of inherent risk include the following: * Complexity (the more that can go wrong, the more that will go wrong). * Cash receipts (“when cash passes hands it tends to
26、stick“). * Direct third-party beneficiaries (cash payments of assistance to individuals). * Prior problems (programs with a “problem past“ are likely to continue to experience problems). * No prior control weaknesses identified (situations where problems identified in the past have still not been re
27、medied) . Policies and procedures .As managers identify current and future potential risks as a result of their ongoing risk assessments, they must take practical steps to design and implement specific control-related policies and procedures to avoid or mitigate these risks. Traditionally, control-r
28、elated policies and procedures related to finance are classified into one of the following basic categories: * Authorization (all transactions need to be properly authorized). * Properly designed records (records should be designed to highlight missing items). * Security of assets and records (asset
29、s and records should be protected and available only to those who need them) . * Segregation of incompatible duties (ideally, individual employees should not be in the position to both commit and conceal an irregularity) . * Periodic reconciliations (accounting records should regularly be compared a
30、nd reconciled). * Periodic verifications (accounting data should regularly be compared with the actual items they represent). * Analytical review (the reasonability of financial data should be assessed by comparing that data with other data, both financial and non financial, as well as with expectat
31、ions). 5 Communication. Unlike the other four components of a comprehensive framework of internal control, communication does not really exist separately. Rather, it is a pervasive and necessary characteristic of each of the remaining components if they are to function effectively. For example, a so
32、und control environment requires good communication among levels of management as well as between managerial and non-managerial staff. Indeed, it was to underscore the importance of communication to each of the other components of a comprehensive framework of internal control that COSO chose to trea
33、t it as a separate component in its own right. Monitoring.The fifth and final component of a comprehensive framework of internal control is monitoring. Just as even the best-constructed house may reasonably be expected to require regular upkeep and occasional repairs, control-related policies and pr
34、ocedures tend naturally to deteriorate over time. Therefore, managers must periodically evaluate their control-related policies and procedures to ensure that they have been properly implemented and remain fully operational. INHERENT LIMITATIONS OF INTERNAL CONTROL While a sound framework of internal
35、 control is essential, it is important to bear in mind that no such framework can ever be perfect. For example, as already explained, managers normally are in a position to override whatever control-related policies and procedures they establish. Also, controls dependent upon the segregation of inco
36、mpatible duties typically could be circumvented through collusion.Finally, and most important, it would be inappropriate to implement a control-related policy or procedure that would end up costing more than the benefit it was reasonably expected to achieve. Thus, for instance, it sometimes may not
37、be feasible to fully implement the segregation of incompatible duties, in which case alternative (and potentially less effective) methods may need to be employed instead. CONCLUSION Internal control, by its very nature, is essentially a managerial responsibility. Awareness of managements responsibil
38、ity for internal control has been significantly heightened of late by recent private sector developments, such as the federal Sarbanes-Oxley legislation. GFOA has gone on record stating that public sector financial managers have an affirmative obligation under GFOAs Code of Professional Ethics to fu
39、lfill their internal control responsibility. The first step in 6 meeting that obligation is for managers to become familiar with the COSO guidance on internal control. Likewise, public sector governing boards, which are ultimately responsible for ensuring that management meets its internal control-r
40、elated responsibilities, should become familiar with the COSOs comprehensive framework of internal control so they can better hold management accountable. 译文 了解内部控制 资料 来源 : 封面故事 作者: 戈捷,史蒂芬 内部控制的概念并不新鲜。与此同时,由于最近私营企业丑闻的发生和随后的联邦法律的明显恢复,对这常常被忽视的主题重新燃起了兴趣。本文将研究每个公共部门的财务经理和董事会成员应该知道内部控制的有关内容。 背景 直到最近几年, 对
41、 于“ 什么是内部控制 ”这一 基本问题 已 引出一系列 如 不相容职 务、定期银行对帐、使用收款报告的回答,而不是一个真正的定义。这就是说,内部控制 往往被视为一种集体术语 , 用来描述一个截然不同的各 类 的政策和程序 ,而不是 作为单独的和连贯的概念统称看待。面对虚假财务报告的情况时,特雷德韦委员会首次讨论了其在 80 年代中期的任务。 在审查欺诈性财务报告的根本原因后,特雷德韦委员会的财务报告过多的责备放置在归咎于内部控制管理的不足。直到最近的欧盟委员会指出至少部分责任在于缺乏普遍参与,并应向管理者应提供是什么真正的内部控制明确理解和为什么这是一件值得关注之事。 为响应这些调查结果,
42、各 类 的机构赞助 特雷德韦委员会形成的 主办机构 ,寻求补救特雷德韦委员会暴露出佣金的不足。这一努力的结果是内部控制整合框架这突破性成果报告在 1992 年 COSO 报告上 得以发布。 时至今日 , COSO报告仍是讨论内部控制的重要基础。 在私营部门, COSO 报告提供了标准通常用于评估内部控制,包括内部控制评价在安然和世通上市公司的丑闻案后, 由联邦政府 授权 通过 了萨班斯 -奥克斯利法案。在公共部门,政府财政官员已明确了立场,即政府财政管理人员,在履行自己的道德责任,应该“获得的信息和培训需要采取有意义的内部控制责任”和“特别”应充分地理解 COSO 中内部控制理论。 内部控制的
43、基本性质 7 内部控制的基本性质:无论其所服务部门(即公营,私营或不以营利为目的)的所有管理人员必须努力做到: ( 1) 有效和高效运作, ( 2) 可靠的外部财务报告, ( 3) 以及遵守法律法规。 负责管理人员不能失去实现这些目标的机会。 相反 , 他们必须采取具体的行动来保证有效率的操作 、 可靠的财务报告、 遵守 法律和规章。 这是这些行动构成内部控制的总和。换句话说,内部控制可看作是管理所使用一种工具和技术,以确保实现其目标。因此,就其本质而言,内部控制是从根本上是一个管理问题。 内部控制 的责任 当然要坚持 理事会 最终对内部控制负责这是一回事。真正的问题仍然是 :“ 如何才能 使
44、 理事会有效地履行其在这方面的责任 ? ” 最实际的解决办法是建立一 个审计委员会,理想 上 可以 为 董事会的内部控制有关的工作 而努力 ,确保整 个 内部控制是 定期提交委员会并能够合理得到解决的。 同样,一个内部审计部的宝贵之处在于帮助企业的管理人员来满足他们主要的内部控制管理,特别是那些管理纲领性而不是经济背景下他们可能是比较不熟悉内部控制。 确保内部控制是适当的: 一旦管理者和管理委员会负责承担各自的内部控制时,他们怎么能知道他们已经真正 履行 了他们的义务?控制多少才够? COSO 设想 的内部控制 结构框架是作为一个 独立的控制元素或部分整合的统一 。也就是说, COSO 提供了
45、一种从整体分析内部控制 套的方法代替早些时候本质上分析零星的方法。 COSO 的还确定了五个重要组成部分,以确保这样的内部控制框架是足够或综合性的: 必须有一个健全的控制环境(“企业文化”)。 必须有一个定期的,持续的风险评估。 控制有关的政策和程序必须设计,实施和维护 以解决已确定的风险 。 必须有足够的沟通 。 必须有一个定期和持续监测控制有关的政策和程序,以确保它们继续发挥作用和披露的任何问题都能得到妥善处理。 对一个健全的控制环境的关键是管理层的知情和对内部控制积极的支持。同样,有效的支持必须有更多的不仅仅是 言语 ,时间和资源也必 须是 其中的一部份。 当然,积极有效的审计委员会和内
46、部审计职能是在一个实体的控制环境的产生重大积极因素。 风险评估。你总会遇到在管理的实现其目标的挑战(即风险)。此外,昨天的风险并不一定和今天的或明天的相同。因此,风险评估不能是“一次性”的8 努力,但必须是一个定期的,持续的过程。同样,风险必须是可预见的使他们在最大程度上能够避免或减轻。 那么,经理们如何对试图找出以前未知风险的过程呢?首先是管理者应注重关注在改变上,因为所有的更改涉及一些风险因素。导致高度的风险变化例子包括以下几点: 经营环境的变化(例如在法规 变化)。 人事变动(尤其是在敏感的位置)。 信息系统和技术变化(例如,如果进程已被重新设计时,是控制程序是否足够?)。 快速增长(如
47、“偷工减料”压力以满足不断增长的需求)。 新的方案和服务(例如缺乏经验)。 结构变化(例如一个程序的淘汰)。 管理人员还应该考虑固有风险,包括所涉及的想法,甚至在某些情况下,当他们正在进行中涉及的 提高层次的风险 。例如,通常情况下涉及的内在高风险程度包括以下几点: 复杂性(更可能出错的地方,更是会出错)。 现金收入(“通过现金也容易出错”)。 直接的第三方受益人(协助现金个人支付 )。 前问题( “ 问题 已经 过去 ” 很可能会继续 发生)。 事先不确定的控制弱点(在过去发现的问题仍然没有得到纠正的情况)。 政策和程序。作为管理者在他们持续的风险评估时,应当确认当前和未来的潜在的风险。他们
48、必须采取设计和实施具体的控制有关的政策和程序来避免或减轻这些风险。传统上,控制相关的政策和相关的财务程序分为以下基本类别: 授权(所有交易需要得到适当的授权)。 正确设计记录(记录的设计应突出丢失物品)。 资产和记录的安全性(资产和记录应受到保护和只提供给那些谁需要它们)。 不相容职务分离(理想情况下员工不应 该在的职位上都承诺和隐瞒违规)。 定期对账(会计记录应定期进行比较和核对)。 定期核查(会计资料,应当定期与他们所代表的实际项目核查)。 分析性复核(财务数据的合理性,应通过比较评估,与其他数据,包括金融和非金融,以及与预期的数据复核)。 沟通。不像其他四个组成部分内部控制的综合框架 ,
49、沟通就不存在另行规定。相反,如果他们想要有效地发挥作用,它就是对一种普遍和必要的特征的9 补充。例如, 一个健全的控制环境,需要各管理层次之间以及管理和非管理人员良好的沟通。事实上,这是为了强调沟通的重要性, COSO 选择将其视为内部 控制综合框架独特的方法。 监测。一个全面的内部控制框架第五和最后一个组件是监测。只是因为即使是最好构架的房子 可能 在合理预期下需要定期和不定期的维修保养,控制相关的政策和程序,往往会随着时间的推移,自然恶化。因此,管理者必须定期评估其控制有关的政策和程序,以确保它们已被妥善执行,并继续全面运作。 内部控制固有的局限性 虽然有健全的内部控制框架是必要的,重要的是要记住,没有什么框架可以永远是完美的。例如,作为已解释过,经理通常的职责是推翻任何管制建立的政策和程序。此外,控制依赖的隔离问题通常使不相容职务可以相互 串谋。最后,也是最重要的,它将不恰当的政策或程序实施内部管理 ,花费超过预期目的效益。因此,它有时会不可行全面落实不相容职务的划分 ,在这种情况下可选择的和潜
