The Journal of Corporate Accounting & Finance / May/June 2008

How to Monitor Internal Controls

Jan Colbert

Introduction: Internal controls are critical for any organization to function effectively. And with an effective system of controls in place, you minimize risk. But how should you monitor controls to ensure their quality and performance?

Internal control is critical to the effective functioning of any organization.
Boards of directors, CEOs, and internal auditors all work to attain the entity's objectives; the system of internal control is the means by which these parties help to ensure that those objectives are met. Controls help an entity to operate efficiently. In addition, with an effective system of controls in place, risk is minimized. Also, controls serve to promote the reliability of both operations and information that is produced relative to the operations.

DISCUSSION DOCUMENT ISSUED

In its seminal document “Internal Control - Integrated Framework,” the Committee of Sponsoring Organizations of the Treadway Commission (COSO; 1992) defines internal control as:

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Jan Colbert, CIA, CPA, Cr.FA, PhD, is a professor of accounting at Eastern Kentucky University in Richmond. She writes on COSO topics, the Sarbanes-Oxley Act, corporate governance issues, internal controls, and other matters. Dr. Colbert teaches auditing and assurance services, as well as various statistics, accounting, and corporate governance courses in the MBA program.

The Committee went on to explain that a system of internal control includes five components. They are: control environment, risk assessment, information and communication, control activities, and monitoring. COSO's definition and the five components have proven useful to a variety of groups, including boards of directors and CEOs. Respectively, these groups have responsibilities for oversight of a system of internal control and for the design and operation of the system. Further, internal auditors have found COSO's guidance useful. This group may be asked by the board or management to test controls.
COSO recently published a Discussion Document that addresses monitoring, one of the five components originally identified in COSO's 1992 framework. The publication is entitled “Internal Control - Integrated Framework: Guidance on Monitoring Internal Control Systems” (COSO, 2007). In the document, COSO stresses the significance of monitoring, a control component entities often underutilize.

Because boards of directors, CEOs, and internal auditors all play valuable roles with respect to an entity's internal control, each component of internal control, including monitoring, is significant to all of these groups. Also, external auditors have an interest in monitoring. The independent audit firm is mandated by the Sarbanes-Oxley Act of 2002 to examine the client's system of internal control. All five components, including monitoring, must be considered. Further, the internal control audit must be integrated with the examination of the financial statements.

Prior to the integrated audit, management, led by the CEO and perhaps with the support of the internal audit activity, assesses the effectiveness of the system of internal control. The external auditor then opines on the controls. The board of directors, in its oversight role, will peruse the reports produced by internal audit and by management and the CEO. The guidance in the Discussion Document regarding monitoring serves as an aid to each of these groups as they labor in their respective roles.

WHAT IS MONITORING?

Monitoring constitutes assessing the quality of the performance of the system of internal control over time. Such assessments of the functioning of controls help the entity to ascertain that controls are operating effectively.

Monitoring as Part of Internal Control

In performing monitoring activities, appropriate personnel take part in examining both the design of the system and its operation. Such examinations must be performed in a timely manner in order to provide the maximum benefit to the entity.
Management is then responsible for taking appropriate action in response to findings. Parties with an interest in internal control can place significant reliance on the system of internal control if both appropriate monitoring activities are conducted and management acts on the results. When a high degree of reliance can be attached to the monitoring aspect of internal control, testing of other aspects of the system, especially control activities, might appropriately be reduced.

Ongoing, Continuous Monitoring

Some monitoring activities will be ongoing and continuous. That is, they are built into the system and are executed along with the normal activities of operations. Typically, continuous monitoring activities are automated. The system then produces exception reports that are reviewed by management, and appropriate actions can be taken.

Separate Monitoring

Besides employing ongoing, continuous monitoring techniques, the entity might also choose to utilize separate monitoring activities. These entail distinct monitoring by management or perhaps by the internal auditors. Separate monitoring may take place as a result of the information gathered from ongoing, continuous activities or in response to specified risks.

DESIGNING MONITORING

As managers design the system of internal control, they will identify risks to the entity of achieving its objectives. These risks should be prioritized and resources allocated to address the risks. As management designs its system of internal control, consideration will be given to who will be participating in the monitoring activities, when and how often they will be performed, and to the elements of monitoring. Each of these aspects of the design of the monitoring component is discussed below and noted in Exhibit 1.

Exhibit 1
Designing the Monitoring Component of Internal Control
Identify risks and prioritize.
Determine who will perform the monitoring activities.
Consider the timing of monitoring activities.
Decide how often monitoring activities will occur.

Risks, Priorities, Resources

To appropriately design the system of internal control, management begins by assessing the risks the organization faces of not achieving its objectives. A system of internal control, including the monitoring component, can then be designed to address those risks.

To most effectively utilize monitoring activities, they should be prioritized. That is, for transactions and events that carry more risk and, thus, are more critical, monitoring activities should be increased. Such activities may be performed more often. An alternative is that there might be greater coverage during each examination. For example, if sales returns for a manufacturer have increased due to poor quality, the company might elect to inspect more product before shipment, or inspections could take place daily rather than on a weekly cycle.

Sufficient resources must be devoted to monitoring activities. By designating appropriate levels of funds, management sends a strong message as to how significant monitoring activities are.

Besides monitoring, another significant aspect of the design of the system of internal control relates to the control environment. The control environment refers to the tone at the top of the organization. When the board and the CEO stress the critical nature of the monitoring component of the system, these parties send a strong message. One way of operationalizing the tone at the top is to establish an organizational structure conducive to the enhancement of controls. Qualified, dedicated personnel should then be hired to implement and operate the system.

As part of the monitoring component of internal control, formal channels of communication with those empowered to take action should be established. The results of the monitoring activities should quickly be channeled to individuals who have the authority and the capability to react.
Timely corrective actions help the organization achieve its objectives in an effective and efficient manner.

Who Performs Monitoring?

For monitoring to be effective, appropriate personnel must perform the activities. Individuals may engage in monitoring as one aspect of their work. For others, such as inspectors, quality control personnel, and internal auditors, monitoring is the focus of their positions.

Management must design the system of internal control such that monitoring occurs and is conducted in a timely manner by knowledgeable employees. Only then can the results of monitoring be addressed. Entity personnel must clearly understand what information can be acted upon at the level of the individual receiving the results and what should be forwarded to the next level. Also, individuals working in the monitoring aspect of the system should be able to summarize and filter information so that it is useful to those utilizing it to improve the organization.

While management is ultimately responsible for the system of internal control, including monitoring, members of management are not mandated themselves to perform the monitoring activities. Internal auditors may be asked to step in. Another option is to outsource the function. Either of these choices may be cost effective. Also, by utilizing the expertise of internal auditors or third-party providers, members of management are freed up for other activities.

When and How Often?

When considering the timing of monitoring activities, management must consider multiple factors. For example, the industry, the specific entity, and the qualifications of monitoring personnel performing monitoring duties all play a role in the timing and frequency of this component of internal control.

Elements of Monitoring

Management is responsible for both the design and operation of the entire system of internal control, including the monitoring component.
Another component, the control environment, interrelates with monitoring.

The control environment encompasses the tone at the top of the organization. The board of directors is responsible for an appropriate tone for the organization. An overall attitude by the board that effective controls are essential to the running of the organization will permeate throughout the entire entity. Further, if Board members stress the importance of the monitoring component and ask to see the results of monitoring activities, management will grasp how critical the component is to the overall objectives of the organization.

As an example of overseeing the results of monitoring, members of the board might request monthly summaries of monitoring activities. Various managers can then be queried about resulting actions taken. They will then quickly recognize how important the monitoring component is to the governance of the entity.

REPORTING AND ACTION ON THE RESULTS OF MONITORING

For the monitoring component to be effective, weaknesses in internal control must be communicated to appropriate personnel within the organization. An indication of the significance of each weakness should accompany its description. Besides reporting weaknesses and their importance internally, external communications regarding internal control may be mandated by law or regulation.

Regardless of whether the recipient is internal or external to the entity, prompt communication is critical. Armed with timely information, individuals responsible for the operations scrutinized can then select appropriate courses of action. Further, decision makers located outside the organization can make appropriate choices.

The steps in the reporting of and actions to be taken on the results of monitoring are shown in Exhibit 2.

Exhibit 2
Steps and Actions: Results of Monitoring
Develop likelihood and significance ranking.
Report on internal control internally.
Report on internal control externally.

Ranking Likelihood and Significance

To aid those with responsibilities for considering the results of monitoring activities, a ranking system for control deficiencies might be employed. Such a system aids in prioritizing issues. A numeric scale could be used; a qualitative scale is also appropriate.

Regardless of whether a qualitative or numeric scale is employed, both the likelihood of the event occurring and its significance should be incorporated into the measure. The likelihood represents the probability that a control will not prevent or detect a specific risk from occurring. Significance is the potential impact to the organization assuming the risky event occurs.

The professional judgments incorporated into both the likelihood and the significance rankings of any particular risk are admittedly subjective. Still, scales provide a valuable tool to summarize information concerning the likelihood and significance of a risk. Those whose responsibility it is to address risks can more readily prioritize issues to be handled and deploy resources quickly and appropriately by utilizing the estimates in the scales.

Reporting Internally

As noted, management is ultimately responsible for the monitoring component of the system of internal control. However, members of management are not required to actually perform the monitoring activities themselves. Managers may ask internal auditors to engage in monitoring activities or perhaps a third-party provider might be engaged to handle monitoring. A combination of managers, internal auditors, or third parties might also be utilized.

Internal summaries regarding the system of control will be presented to the board of directors by management. If the internal auditors have participated in monitoring, that group will also report to the governing body. Communications to the Board should set forth the results of monitoring at a high level.
More detailed reports, with findings specific to each area, should be presented to the manager