《内部控制-整合框架》执行纲要(中英文对照).doc

InternalControlIntegratedFramework内部控制整合框架ExecutiveSummary执行纲要Internalcontrolhelpsentitiesachieveimportantobjectivesandsustainandimproveperformance.COSOsInternalControlIntegratedFramework(Framework)enablesorganizationstoeffectivelyandefficientlydevelopsystemsofinternalcontrolthatadapttochangingbusinessandoperatingenvironments,mitigateriskstoacceptablelevels,andsupportsounddecisionmakingandgovernanceoftheorganization.内部控制帮助组织达到重要的目标，维持和改进业绩。科索委员会的内部控制整合框架使得组织能够开发有效果且有效率的内部控制体系，该体系且能够适应变化的商业和运营环境，将风险降低到可接受的水平，并且促进规范决策和组织的治理。Designingandimplementinganeffectivesystemofinternalcontrolcanbechallenging;operatingthatsystemeffectivelyandefficientlyeverydaycanbedaunting.Newandrapidlychangingbusinessmodels,greateruseanddependenceontechnology,increasingregulatoryrequirementsandscrutiny,globalization,andotherchallengesdemandanysystemofinternalcontroltobeagileinadaptingtochangesinbusiness,operatingandregulatory第1页environments.设计并实施一套有效的内部控制体系是充满挑战的；每天保持制度运行的效果和效率会让人可望而不可及。崭新且不断更新的商业模型，对技术的深入应用和依赖，日益繁多的监管要求和检查，全球化和其他挑战要求每一个组织的内部控制体系都能够更加敏捷地适应不断变化的商业、运营和监管的环境。Aneffectivesystemofinternalcontroldemandsmorethanrigorousadherencetopoliciesandprocedures:itrequirestheuseofjudgment.Managementandboardsofdirectors1usejudgmenttodeterminehowmuchcontrolisenough.Managementandotherpersonnelusejudgmenteverydaytoselect,develop,anddeploycontrolsacrosstheentity.Managementandinternalauditors,amongotherpersonnel,applyjudgmentastheymonitorandassesstheeffectivenessofthesystemofinternalcontrol.一套有效的内部控制体系除了对制度和流程严格遵守外，还要求判断力。管理层和董事会通过其判断来决定多少控制是充分的。管理层和其他员工每天通过其判断，在组织内选取，推进和实施各类控制。管理层和内部审计师，以及其他的员工，通过其判断来监控和测试内部控制体系的有效性。TheFrameworkassistsmanagement,boardsofdirectors,externalstakeholders,andothersinteractingwiththeentityintheirrespectivedutiesregardinginternalcontrolwithoutbeingoverlyprescriptive.Itdoessoby1TheFrameworkusestheterm“boardofdirectors,”whichencompassesthegoverningbody,includingboard,boardoftrustees,generalpartners,owner,orsupervisoryboard.本框架使用“董事会”一词，泛指治理层，包括：董事会，理事会，一般合伙人，所有者和监事会等。第2页providingbothunderstandingofwhatconstitutesasystemofinternalcontrolandinsightintowheninternalcontrolisbeingappliedeffectively.本框架在内部控制方面，对管理层，董事会，外部的利益相关者和其他与组织产生互动关系的相关方有所帮助，且不会过分死板；而这有赖于对内部控制体系构成要素的理解，有赖于对内部控制体系能够有效实施的时机的洞见。Formanagementandboardsofdirectors,theFrameworkprovides:对于管理层和董事会，本框架提供：lAmeanstoapplyinternalcontroltoanytypeofentity,regardlessofindustryorlegalstructure,atthelevelsofentity,operatingunit,orfunction一套工具，将内部控制推广到各类型的组织，无论行业或法律形式，无论在组织层面，经营单元层面或职能层面；lAprinciples-basedapproachthatprovidesflexibilityandallowsforjudgmentindesigning,implementing,andconductinginternalcontrolprinciplesthatcanbeappliedattheentity,operating,andfunctionallevels一种原则导向的方法，能够灵活设计，实施和推进内部控制，并留有判断空间这些原则可在组织层面、运营层面和职能层面应用；lRequirementsforaneffectivesystemofinternalcontrolbyconsidering第3页howcomponentsandprinciplesarepresentandfunctioningandhowcomponentsoperatetogether一些要求，具体阐述有效的内部控制体系的要素和原则是如何存在和发挥作用，如何在一起产生协调作用；lAmeanstoidentifyandanalyzerisks,andtodevelopandmanageappropriateresponsestoriskswithinacceptablelevelsandwithagreaterfocusonanti-fraudmeasures一套工具，识别和分析风险，开发和管理合适的风险应对措施将风险控制在可接受的水平，且更关注反舞弊措施；lAnopportunitytoexpandtheapplicationofinternalcontrolbeyondfinancialreportingtootherformsofreporting,operations,andcomplianceobjectives一个机会，将基于财务报告的内部控制扩大应用范围，满足各种其他的报告、运营和遵循目标；lAnopportunitytoeliminateineffective,redundant,orinefficientcontrolsthatprovideminimalvalueinreducingriskstotheachievementoftheentitysobjectives一个机会，清理那些在降低风险方面价值不大的无效，冗余和低效的控制。Forexternalstakeholdersofanentityandothersthatinteractwiththeentity,applicationofthisFrameworkprovides:第4页对于外部利益相关者和组织的其他相关方，本框架的应用可使其：lGreaterconfidenceintheboardofdirectorsoversightofinternalcontrolsystems对于董事会针对内部控制的监管更有信心；lGreaterconfidenceregardingtheachievementofentityobjectives对于组织实现目标更有信心；lGreaterconfidenceintheorganizationsabilitytoidentify,analyze,andrespondtoriskandchangesinthebusinessandoperatingenvironments对组织识别，分析和应对来自商业与运营环境风险与变化的能力更有信心；lGreaterunderstandingoftherequirementofaneffectivesystemofinternalcontrol更了解有效的内部控制体系的具体要求；lGreaterunderstandingthatthroughtheuseofjudgment,managementmaybeabletoeliminateineffective,redundant,orinefficientcontrols更了解管理层如何通过其判断清理那些无效，冗余和低效的控制。Internalcontrolisnotaserialprocessbutadynamicandintegratedprocess.TheFrameworkappliestoallentities:large,mid-size,small,for-profitandnot-for-profit,andgovernmentbodies.However,eachorganizationmaychoosetoimplementinternalcontroldifferently.For第5页instance,asmallerentityssystemofinternalcontrolmaybelessformalandlessstructured,yetstillhaveeffectiveinternalcontrol.内部控制不是一个按部就班的过程而是一个动态和整合的过程。本框架可以适用于各类型的组织：大型，中型或小型；盈利，非盈利或政府机构。然而，每个组织都可以有权选择，实施不同的内部控制。例如，一个小型组织的内控体系可以不那么正式和结构清晰，但仍保持有效。TheremainderofthisExecutiveSummaryprovidesanoverviewofinternalcontrol,includingadefinition,categoriesofobjective,descriptionoftherequisitecomponentsandassociatedprinciples,andrequirementofaneffectivesystemofinternalcontrol.Italsoincludesadiscussionoflimitationsthereasonswhynosystemofinternalcontrolcanbeperfect.Finally,itoffersconsiderationsonhowvariouspartiesmayusetheFramework.以下，本文将对内部控制提供总览，包括定义，各类别的目标，必要要素和相关原则的描述，以及对一个有效内部控制体系的要求。本文也将讨论内部控制的局限性为什么没有一个内部控制体系是完美的。第6页DefiningInternalControl定义内部控制Internalcontrolisdefinedasfollows:内部控制定义如下：Internalcontrolisaprocess,effectedbyanentitysboardofdirectors,management,andotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesrelatingtooperations,reporting,andcompliance.内部控制是一套流程，受组织的董事会，管理层和其他员工所影响，被设计并用来为组织提供合理保证，使其实现运营，报告和遵循目标。Thisdefinitionreflectscertainfundamentalconcepts.Internalcontrolis:以上定义体现了一些基础概念。内部控制是：Gearedtotheachievementofobjectivesinoneormorecategoriesoperations,reporting,andcompliance使组织实现多个种类的目标，如运营，报告和遵循；Aprocessconsistingofongoingtasksandactivitiesameanstoanend,notanendinitself一个持续不断的过程，包括各种任务和活动一个达到目的的手段，而非目的本身；第7页Effectedbypeoplenotmerelyaboutpolicyandproceduremanuals,systems,andforms,butaboutpeopleandtheactionstheytakeateverylevelofanorganizationtoaffectinternalcontrol受人的影响不仅仅是制度和流程手册，体系和表单，而是组织各个层级的人和他们所采取的行动；Abletoprovidereasonableassurancebutnotabsoluteassurance,toanentitysseniormanagementandboardofdirectors可以向组织的高级管理层和董事会提供合理保证而非绝对保证；Adaptabletotheentitystructureflexibleinapplicationfortheentireentityorforaparticularsubsidiary,division,operatingunit,orbusinessprocess可以适应组织的结构可灵活应用于整个组织或一个分支机构，业务部，运营单元或业务流程。Thisdefinitionisintentionallybroad.Itcapturesimportantconceptsthatarefundamentaltohoworganizationsdesign,implement,andconductinternalcontrol,providingabasisforapplicationacrossorganizationsthatoperateindifferententitystructures,industries,andgeographicregions.这个定义被设定的包含广泛，包括了关于组织如何设计，实施和推进内部控制的一些重要的基础概念，为不同的组织架构，行业和地理区域的组织提供了操作支持。第8页Objectives目标TheFrameworkprovidesforthreecategoriesofobjectives,whichalloworganizationstofocusondifferingaspectsofinternalcontrol:本框架提供了三个类型的目标，使得组织可以关注于内部控制的不同方面：OperationsObjectivesThesepertaintoeffectivenessandefficiencyoftheentitysoperations,includingoperationalandfinancialperformancegoals,andsafeguardingassetsagainstloss.运营目标组织运营的效果和效率，包括运营和财务绩效目标，资产安全不受损失。ReportingObjectivesThesepertaintointernalandexternalfinancialandnon-financialreportingandmayencompassreliability,timeliness,transpar-ency,orothertermsassetforthbyregulators,recognizedstandardsetters,ortheentityspolicies.报告目标内、外部的财务和非财务报告的可靠性、及时性、透明度，以及其他监管者、公认的标准制定机构和组织政策所要求的方面。ComplianceObjectivesThesepertaintoadherencetolawsandregulationstowhichtheentityissubject.遵循目标遵守对组织适用的法律法规。第9页ComponentsofInternalControl内部控制的要素Internalcontrolconsistsoffiveintegratedcomponents.内部控制包括五个相关关联的要素。ControlEnvironment控制环境Thecontrolenvironmentisthesetofstandards,processes,andstructuresthatprovidethebasisforcarryingoutinternalcontrolacrosstheorganization.Theboardofdirectorsandseniormanagementestablishthetoneatthetopregardingtheimportanceofinternalcontrolincludingexpectedstandardsofconduct.Managementreinforcesexpectationsatthevariouslevelsoftheorganization.Thecontrolenvironmentcomprisestheintegrityandethicalvaluesoftheorganization;theparametersenablingtheboardofdirectorstocarryoutitsgovernanceoversightresponsibilities;theorganizationalstruc-tureandassignmentofauthorityandresponsibility;theprocessforattracting,developing,andretainingcompetentindividuals;andtherigoraroundperformancemeasures,incentives,andrewardstodriveaccountabilityforperformance.Theresultingcontrolenvironmenthasapervasiveimpactontheoverallsystemofinternalcontrol.控制环境是一套标准、流程和结构，能够为内部控制的实施提供基础。董事会和高级管理层为内部控制的重要性（包括期待的行为准则）提第10页供高层定调（thetoneatthetop）。组织各个层级的管理活动强化了这种期望。控制环境包括了组织正直和道德的价值观；促进董事会行使公司治理的监控职责的机制；吸引、开发和保留人才的机制；严格的绩效衡量、激励和汇报机制以保证绩效实现。控制环境会对内部控制的整体体系产生全面影响。RiskAssessment风险评估Everyentityfacesavarietyofrisksfromexternalandinternalsources.Riskisdefinedasthepossibilitythataneventwilloccurandadverselyaffecttheachievementofobjectives.Riskassessmentinvolvesadynamicanditerativeprocessforidentifyingandassessingriskstotheachievementofobjectives.Riskstotheachievementoftheseobjectivesfromacrosstheentityareconsideredrelativetoestablishedrisktolerances.Thus,riskassessmentformsthebasisfordetermininghowriskswillbemanaged.每个组织都面临着来自内外部的各类风险。风险是潜在事件发生并对组织实现其目标产生负面影响的可能性。风险评估包括了根据组织要实现的目标，动态和反复的识别和评估风险的过程。将全组织范围的影响目标实现的风险同已经建立的风险容忍度一同考量后，风险评估就为决定风险如何进行管理打下了基础。Apreconditiontoriskassessmentistheestablishmentofobjectives,linkedatdifferentlevelsoftheentity.Managementspecifiesobjectiveswithincategoriesrelatingtooperations,reporting,andcompliancewithsufficient第11页claritytobeabletoidentifyandanalyzeriskstothoseobjectives.Managementalsoconsidersthesuitabilityoftheobjectivesfortheentity.Riskassessmentalsorequiresmanagementtoconsidertheimpactofpossiblechangesintheexternalenvironmentandwithinitsownbusinessmodelthatmayrenderinternalcontrolineffective.风险评估的先决条件是组织各个层级的目标的确立。管理层要结合运营、报告和遵循的三大类目标，明确相应的具体目标，以便识别和分析相关的风险。管理层也要考虑这些目标对于组织的可持续性。风险评估还要求管理层考虑可能导致内控失效的外部环境和内部商业模式的可能变化。ControlActivities控制活动Controlactivitiesaretheactionsestablishedthroughpoliciesandproceduresthathelpensurethatmanagementsdirectivestomitigateriskstotheachievementofobjectivesarecarriedout.Controlactivitiesareperformedatalllevelsoftheentity,atvariousstageswithinbusinessprocesses,andoverthetechnologyenvironment.Theymaybepreventiveordetectiveinnatureandmayencompassarangeofmanualandautomatedactivitiessuchasauthorizationsandapprovals,verifications,reconciliations,andbusinessperformancereviews.Segregationofdutiesistypicallybuiltintotheselectionanddevelopmentofcontrolactivities.Wheresegregationofdutiesisnotpractical,managementselectsanddevelopsalternativecontrolactivities.第12页控制活动是通过制度和流程所确立的行动，旨在确保管理层降低影响组织目标实现的风险的方针得以实现。在组织的各个层级，业务的各个环节，信息技术的整个环境中都应实施控制活动。从性质上，可以是预防性的，也可以是检查性的；应覆盖手工和自动控制；包括授权和批准，复核，对账和业务绩效评估。不相容职责分离也是典型的应选取和推进的控制活动。如果不相容职责分离无法实施，管理层应选择和推进替代性的控制活动。InformationandCommunication信息与沟通Informationisnecessaryfortheentitytocarryoutinternalcontrolresponsibilitiestosupporttheachievementofitsobjectives.Managementobtainsorgeneratesandusesrelevantandqualityinformationfrombothinternalandexternalsourcestosupportthefunctioningofothercomponentsofinternalcontrol.信息对于组织而言，对推进内控、促进其目标实现是非常必要的。管理层从内外部获得或生成，并且使用相关的有质量的信息来支持内部控制其他要素的正常运转。Communicationisthecontinual,iterativeprocessofproviding,sharing,andobtainingnecessaryinformation.Internalcommunicationisthemeansbywhichinformationisdisseminatedthroughouttheorganization,flowingup,down,andacrosstheentity.Itenablespersonneltoreceiveaclearmessagefromseniormanagementthatcontrolresponsibilitiesmustbetakenseriously.第13页Externalcommunicationistwofold:itenablesinboundcommunicationofrelevantexternalinformation,anditprovidesinformationtoexternalpartiesinresponsetorequirementsandexpectations.沟通是一个持续和不断重复的提供、分享和获得必要的信息的过程，。内部沟通是一个手段，使得信息能够在整个组织向上、向下和横向扩散，能够帮助员工接受来自高管层的清晰的信息控制的职责必须认真实施。外部沟通包括两个部分：将外部的相关信息传入组织内部，以及根据其要求和期望，提供信息给外部的相关方。MonitoringActivities监督活动Ongoingevaluations,separateevaluations,orsomecombinationofthetwoareusedtoascertainwhethereachofthefivecomponentsofinternalcontrol,includingcontrolstoeffecttheprincipleswithineachcomponent,ispresentandfunctioning.Ongoingevaluations,builtintobusinessprocessesatdifferentlevelsoftheentity,providetimelyinformation.Separateevaluations,conductedperiodically,willvaryinscopeandfrequencydependingonassessmentofrisks,effectivenessofongoingevaluations,andothermanagementconsiderations.Findingsareevaluatedagainstcriteriaestablishedbyregulators,recognizedstandard-settingbodiesormanagementandtheboardofdirectors,anddeficienciesarecommunicatedtomanagementandtheboardofdirectorsasappropriate.持续的评价，独立的评价，或者两者的某种组合可以用来确认内部控制的五个要素以及每个要素下的原则是否存在并发挥作用。嵌入整个业务体系的持续评价可以提供及时的信息；独立的评价需要定期开展，第14页其范围和频率可能因风险评估，持续评价的有效程度以及管理层的其他考虑而有所不同。评价中的发现应结合监管者、标准订立机构和管理层、董事会所设定的标准进行评估；缺陷应当视情况传递给管理层和董事会。第15页RelationshipofObjectivesandComponents目标和要素的关系Adirectrelationshipexistsbetweenobjectives,whicharewhatanentitystrivestoachieve,components,whichrepresentwhatisrequiredtoachievetheobjectives,andtheorganizationalstructureoftheentity(theoperatingunits,legalentities,andother).Therelationshipcanbedepictedintheformofacube.组织要实现的目标，为了实现目标所必须的要素，组织的组织架构（如运营单元，法律实体及其他）这三者之间存在着直接的关系。这个关系可以以一个立方体的形式展现。Thethreecategoriesofobjectivesoperations,reporting,andcompliancearerepresentedbythecolumns.运营、报告和遵循三类目标以纵列表示。Thefivecomponentsarerepresentedbytherows.内部控制的五个要素以横行表示。Anentitysorganizationalstructureisrepresentedbythethirddimension.组织的组织架构以第三维表示。第16页ComponentsandPrinciples要素及原则TheFrameworksetsoutseventeenprinciplesrepresentingthefundamentalconceptsassociatedwitheachcomponent.Becausetheseprinciplesaredrawndirectlyfromthecomponents,anentitycanachieveeffectiveinternalcontrolbyapplyingallprinciples.本框架确立了十七项原则代表了与每个控制要素相关的基本概念。因为这些原则直接从控制要素中提炼，一个组织可以直接应用全部这些原则来实施内部控制。Allprinciplesapplytooperations,reporting,andcomplianceobjectives.Theprinciplessupportingthecomponentsofinternalcontrolarelistedbelow.这些原则都可以应用于运营、报告和遵循三类目标。这些每个控制要素内的原则如下：ControlEnvironment控制环境1.Theorganizationdemonstratesacommitmenttointegrityandethicalvalues.组织对正直和道德等价值观做出承诺。2.Theboardofdirectorsdemonstratesindependencefrommanagement第17页andexercisesoversightofthedevelopmentandperformanceofinternalcontrol.董事会独立于管理层，并对内部控制的推进与成效加以监督控制。3.Managementestablishes,withboardoversight,structures,reportinglines,andappropriateauthoritiesandresponsibilitiesinthepursuitofobjectives.管理层围绕其目标，在治理层监督下，建立健全组织架构、汇报条线、合理的授权与责任等机制。4.Theorganizationdemonstratesacommitmenttoattract,develop,andretaincompetentindividualsinalignmentwithobjectives.组织对吸引、开发和保留与认同组织目标的人才做出承诺。5.Theorganizationholdsindividualsaccountablefortheirinternalcontrolresponsibilitiesinthepursuitofobjectives.组织根据其目标，使员工各自担负起内部控制的相关责任。RiskAssessment风险评估6.Theorganizationspecifiesobjectiveswithsufficientclaritytoenabletheidentificationandassessmentofrisksrelatingtoobjectives.就识别和评估与其目标相关的风险，组织做出清晰的目标设定。7.Theorganizationidentifiesriskstotheachievementofitsob