内部控制和管理企业范围的风险.doc

附录A：原文：Internal Controls and Managing Enterprise-Wide RisksBy John FarrellIn addition to complying with the sweeping reforms in corporate governance and financial reporting following the Sarbanes-Oxley Act, companies can benefit further by adopting a broader view that encompasses an enterprise-wide risk-management outlook. This approach is especially applicable to section 404 of the Sarbanes-Oxley Act, which deals with managements assertion regarding the effectiveness of its internal controls over financial reporting. As companies work to comply with these new rules, they can build their section 404 work into an opportunity to address other aspects of risk throughout the organization, including financial, legal, and operational. The emerging trend of evaluating and monitoring the range of business risksincluding those assessed in an internal control reviewmay help companies simultaneously meet strategic goals, boost shareholder and stakeholder value, and focus on good governance.Self-AssessmentFulfilling the mandates of section 404 need not be an obstacle to implementing an enterprise risk-management effort. Instead, the compliance process can enable companies to focus on enterprise-wide risks through a distributed evaluationthat is, a self-assessment of risk and control. This evaluation assigns responsibility for the assessment to those who are “closest to the action”in other words, those most directly involved in the control over each process. Such an approach can help companies achieve a better-balanced risk and control status.Conventional wisdom formerly held that responsibility for internal controls was delegated to an organizations financial group. According to current thinking, however, internal controls are owned by those within the business who manage daily operations and who depend on the controls for achieving their goals. These control process owners are well prepared to perform the distributed evaluation of identifying, evaluating, and managing pertinent risks to assist the business in achieving its financial goals. The Sarbanes-Oxley rules reinforce the value of such risk-based evaluations.If a company looks ahead one year, how can it measure success beyond mere compliance with regulatory requirements? For multinational companies, one sign of success would be a worldwide standardization of internal controls that allows the organization to orient itself toward a widely accepted set of control criteria, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework or the COSO enterprise risk- management (ERM) framework issued in 2003. Coining a “controls language” shared throughout the organization can help a company take greatest advantage of its set of controlsdeciding which key controls to keep and which it can discard because they do not add value or are otherwise unnecessary.Process ImprovementIn addition, companies may use the section 404 assertion rules to help them achieve a company-wide transformation of business processes. The internal-control assessment may produce several improvements: Greater use of automated, or system-based, controls; Better evaluation of process risks and mitigation of risk; More uniform controls throughout the organization; and Greater responsibility for controls assessment for the process owners. The compliance procedures can also be used to weed out nonessential tasks and determine good practices within each business process: Comparing controls between different business units, or within a companys operations in different countries; Cutting the risk of error by using a more technology-based method of control rather than manual processes; Using key performance indicators to gauge the effectiveness of a process across a span of risks and time periods; and Getting feedback from control procedures on a worldwide basis, which can lead to better reporting capabilities. In examining their sets of controls, companies may find it valuable and cost-effective to consider an automated system rather than a manual review. The internal control assessment, performed through an automated self-assessment, is more than a simple questionnaire. It can gather information from control owners about the status of key controls. The assessment is based not on the frequency of the assertion but on the type of controlautomated or manualand how vulnerable to risk the controls may be.Using an automated system for internal control assessment offers several other advantages. It consolidates internal control information and status, as well as being a repository of all organizational risks and controls. The repository is useful not only for section 404 reporting responsibilities but also for any ERM initiatives.Role of the Internal AuditorThe internal auditor can play a vital role in linking internal control reporting with ERM. The internal auditor can foster an environment that allows the company to link the efficiencies of an ERM approach to the overall business aims of the organization.In addition to articulating the linkage of internal control reporting with ERM to senior management, the internal auditor can perform a number of other important functions: Helping control process owners gain a better understanding of internal control assessment and testing. Becoming a purveyor of best practices within the organization. For example, if the internal auditor discovers that a particular business segment has adopted a more efficient approach to internal control reporting, she can share that knowledge with other business segments. Generally enhancing the organizations understanding of internal controls by imparting subject-matter knowledge in this area. Monitoring the organizations internal controls through testing and feedback on its control status. Focus on GovernanceWhile the distributed evaluation, or risk assessment, is properly assigned to the operations people with direct experience in their respective areas, the overall risks that an organization faces continue to be a corporate-governance priority for the board of directors and management. To help them better understand those risks, corporate leaders should consider the following questions: What types of analyses is the organization doing to identify risks? What is the organization doing to assess those risks and find the best way to take advantage of or mitigate them? In response to the mandates and recommendations of Sarbanes-Oxley, senior management may consider several other measures to enhance corporate accountability: Assessing self-knowledge and knowledge of others in the organization. Ensuring that a uniform process exists and is followed by other members of the organization that provides internal certification. Assessing the impact of changes in the business that may have an effect on internal controls; for example, acquisitions or divestitures, and new accounting or SEC rules. Obtaining formal internal management representation letters, on a quarterly basis, from internal accounting personnel for domestic and foreign subsidiaries. Holding monthly or quarterly conference calls with accounting staff (including worldwide operations) to review new accounting pronouncements and other items that facilitate the closing process. Initiating a formal regular meeting with key process owners or segment leaders (including sales, purchasing, human resources, and legal) to discuss activities that may influence accounting and disclosure. Harmonizing these measures with any ERM initiatives. Applying an ERM approach to the internal-control assessment process has costs. It may be more costly, however, not to seize the opportunity to implement this approach. The investment would include: Establishing a risk framework and common risk vocabulary; Establishing and maintaining a chief risk officer or risk committee; Continued measuring and monitoring; and Periodic updating of the risk assessment framework. For many companies, a phased-in approach is the most practical way to deal with the cost issue. Initially, a company evaluates only the risks and controls over financial reporting, but it designs the evaluation tools and techniques so they can support ERM. Once the evaluations required by Sarbanes-Oxley are complete, the company can expand the assessment into the operational and strategic realms, until a complete ERM system is in place. 译文：内部控制和管理企业范围的风险约翰法雷尔除遵守全面改革公司治理和财务报告遵循萨班斯-奥克斯利法案,公司可以进一步受益采用更广泛的观点,包括企业级风险管理的前景。这种方法尤其适用于部分404年的萨班斯-奥克斯利法案,内容涉及管理的断言关于其内部控制的有效性在财务报告。随着企业工作要遵守这些新规则,他们可以建立他们的部分404工作的机会来解决其他方面的风险在整个组织,包括金融、法律和操作。新兴趋势的评估和监控范围的商业风险,包括那些评估在一个内部控制评审可能帮助企业同时满足战略目标,提高股东和利益相关者的价值,关注好的治理。自我评估履行的授权部分404不需要成为一个障碍,实现企业风险管理工作。相反,合规流程可以使公司专注于企业级的风险通过分布式评价,是一个自我评估,风险和控制。这个评价分配责任评价那些“最接近行动”换句话说,那些最直接参与控制每个进程。这种方法可以帮助企业实现更平衡的风险和控制状态。传统智慧认为,以前负责内部控制是委托给一个组织的金融集团。根据当前的思维,但是,内部控制是属于那些在业务管理日常运营和谁取决于控制达到他们的目标。这些控制过程业主准备好执行分布式评价识别、评估和管理相关的风险,协助企业实现其财务目标。萨班斯-奥克斯利规则加强价值的基于风险的评估。如果一个公司未来一年,它怎么能衡量成功不仅仅是符合监管要求?对跨国公司成功的一个标志是一个世界性的标准化的内部控制,使组织在向东它本身对一个被广泛接受的一系列控制标准,如赞助组织委员会的Treadway委员会(COSO内部控制框架或COSO企业风险管理框架(ERM)2003年发布的。创造了一种“控制语言“共享整个组织可以帮助一个公司以最大的优势的组控制决定这关键的控制来保持和它可以丢弃,因为他们不增加价值或者其他不必要的。过程改进此外,公司可以使用部分404断言规则来帮助他们实现一个全公司范围内的业务流程的转变。试图评估可能产生的一些改进:使用更多的自动化,或系统,控制;更好的评估过程的风险和减轻风险;更均匀控制整个组织;更大的责任,控制评估过程所有者。合规程序也可以用来清除不必要的任务和确定好实践在每个业务流程:控制不同业务单位之间的比较,或在一个公司的操作在不同的国家;减少错误的风险通过使用更多的技术为基础的控制方法,而不是手动流程;使用关键绩效指标来衡量有效性的过程在风险和时间跨度;和从控制程序得到反馈给全世界,这可以导致更好的报告功能。在考察他们组控制,公司可能会发现,有价值的和具有成本效益的考虑一个自动化的系统,而不是一个手动审查。内部控制评估,进行自我评估,通过一个自动化的不仅仅是一个简单的问卷调查。它可以收集信息从控制所有者的状态键控制