coso内部控制模型WORD

1、文档可能无法思考全面，请浏览后下载! coso内部控制模型The COSO Internal Control ModelThe COSO internal control framework was first introduced in 1992, and in 1994 a comprehensive four-section report on internal controls was issued, consisting of an executive summary, a framework, guidance to public companies on reporting on

2、 internal controls to third parties, and evaluation tools to help a company comprehensively assess its current control environment. The COSO framework is relevant to achieving company objectives in three areas:Operational goals: The framework relates to the effective and efficient usage of all of a

3、company's resources. Financial reporting goals: The construct gives guidance on the consistent production of reliable financial reports. Compliance goals: The guidance creates a topology of the companys compliance requirements as they relate to industry regulations or legal requirements for publ

4、ic entities. coso内部控制框架提出三大目标，即运营的效率和效果,财务报告的可靠性,以及遵守适用的法律和规章五大要素1。控制环境Control EnvironmentThis element is the foundation of the COSO framework. It sets the overall tone of the organization with regard to the importance of internal controls. Ethical values, leadership resource allocation, staff compe

5、tence at all levels, the dynamics of authority and responsibility within the organization, and management philosophy are all parts of this critical component.In a sense, the control environment is the most difficult component to quantify, because much of it relates to the overall culture of the orga

6、nization. But there are a number of clear goals that an organization can work toward to ensure that the framework rests on a foundation exemplifying market leadership.6 / 9Board and leadership involvement is the most crucial element in an organization seeking market leadership. As the board and lead

7、ership set expectations and measure progress against them, business units or department heads begin to assign internal controls the priority they require. The specific strategies that can be employed to move to a market-leader position within an industry include the following:· Conveying the im

8、portance of ethical values道德价值 by setting an example and “walking the talk.” This includes relating stories of integrity and ethical values through presentations, newsletter stories, and any other means of getting the message to everyone that these values are important to the organization. Public co

9、mpanies are now required to have a code of conduct for the board under the requirements laid out by SOX. Nonprofits and private companies can also benefit from a code of conduct. The organization cannot tolerate violations of this standard. There are financial benefits to this approach as well. One

10、research study performed by the Institute of Business Ethics (“Does Business Ethics Pay?,” April 2003) found that companies displaying a clear commitment to ethical conduct consistently outperform companies that do not display ethical conduct. · Developing clear organizational guidelines relati

11、ng to responsibility and authority with accountability checks is another clear hallmark of an market leader. Within the organization, leadership typically follows a distributed model, with individuals understanding the overall organizational goals and how the goals of their department or business un

12、it relate to them. Individuals should also understand their responsibilities and the limit of their authority to ensure that the goals of the organization are achieved. When a leadership culture like this is achieved, the whole organization is focused on organizational objectives and committed to th

13、e maintenance of the control structure. A guiding coalition of leadership members believing in the need for change is one of the first steps typically taken by organizations that successfully make culture shifts, but changes will take effect slowly and steadily over time. · Embedding the intern

14、al control framework within the organizational culture将内部控制框架融入企业文化. Management must clearly define roles and responsibilities for internal controls, including responsibility for the defining, documenting, testing, and monitoring of controls and the remediating of problems. The organization must inc

15、orporate these responsibilities into the responsible individuals performance management goals. · The internal controls environment is no longer viewed as separate from the operating component of the business; controls are embedded in processes from the beginning. 内部控制环境不再独立于企业经营要素，要从一开始就执行This

16、approach lowers the risk of inadequate controls and ensures that the control structure is in place from the outset of a processs planning and launch.· Supporting human resources policies and practices that provide clear corporate career paths. Human resources management plays a key role in ensu

17、ring that individuals are hired with the needed financial competencies and that career growth supports an increased level of financial reporting competencies.对人力资源/人才的要求 2。风险评估Risk AssessmentLeading companies take a risk-based approach to SOX internal controls compliance as a key step in achieving a

18、 correct balance between costs and benefits. Recent guidance from the Public Company Accounting Oversight Board (PCAOB) supports this approach with specific recommendations, including the use of a risk-based method to determine which key controls are tested each year. The PCAOB also recommends that

19、the viability of a companys business model is an important consideration when evaluating risks. Companies that focus on these larger problems and risks will better meet the needs of all their stakeholders, including investors and analysts.Market leaders with respect to internal controls expand the r

20、isk focus started under internal compliance efforts to a broader venue. One popular concept that often precedes a mature enterprise risk management initiative is the formation of a risk council. This council is generally composed of management representatives from different areas of the business. So

21、me of the early objectives of risk council meetings are as follows: Use of a common terminology for risk discussions throughout the organization; Definition of a risk framework or structure for fostering risk management across the organization; Characterization of the organizations current risk capa

22、bility as well as risk and performance indicators; Identification of the companys current spending on risk; and Formulation of a plan to mitigate the operational risks of the organization. If they do not already have a risk program, some companies take the risk management process even further with a

23、 more formalized, enterprise-wide program headed by a chief risk officer. Under this approach, the organization embeds risk identification and mitigation into its culture in the same way it adopted its internal control framework. The goal is to intertwine risk and business strategy with other organi

24、zational systems such as performance management.Another important aspect to risk assessment is continuous monitoring of the internal and external environment in which the entity operates. This periodic scan of the operational environment can highlight upcoming events affecting both internal controls

25、 and risk strategy. Events such as systems change, mergers and acquisitions, loss of key personnel, and other events may require a closer look at existing controls and risk management控制活动Control ActivitiesMarket leadership in the actual design of controls requires corporate-wide coordination and the

26、 involvement of ownership. Policies are set enterprise-wide, allowing an efficient implementation while avoiding duplicate efforts and definitions. Control design workshops or training can raise the knowledge and capability of management and staff to deal with defining, documenting, managing, testin

27、g, and reporting on internal controls. Global organizations have recently begun to roll these sessions out through online training sessions for foreign registrant compliance with SOX section 404. These modules can be used with more-experienced users to reinforce other objectives, such as a return to

28、 basic controls and an emphasis on continuous improvement. Leading organizations have moved to more-comprehensive training on basic accounting concepts, and in the process have improved the timing of their closing cycle, implemented process improvements, and reduced the error rate in accounting tran

29、sactions.Market leaders have focused controls on prevention rather than detection (see the Sidebar on types of controls). They have reengineered business processes, where needed, to incorporate prevention. Automating control checks by utilizing software features that can complete checks without any

30、specific action is also beneficial. Internal auditing can help provide direction to business process owners searching for the best approach to use. Working closely with the board will help the internal audit function receive the company-wide exposure necessary for business process owners to recogniz

31、e the value delivered to the organization. It will also make it more likely that business process owners will “buy in” to the process.Leading-edge companies in internal controls implementation effectively utilize technology in several ways. First, they build in controls wherever cost-effective, beca

32、use this one-time change activates a continual and long-lasting process of control testing. Automated control testing also brings about a quicker response time to potential problems and needed corrections.Management can also utilize technology to support the documentation and testing components of t

33、heir control activities. Numerous vendors (e.g., BWise, Methodware) provide customizable software to provide a consistent approach across the enterprise. The use of software to support these efforts is not limited to large companies, as many programs are scalable and affordable for small companies.

34、These programs help ensure that the initial investment in documentation and testing is well maintained and that compliance efforts will be sustained into the future. They can also serve as a basis for higher-value initiatives downstream, such as business process improvement and more-comprehensive ri

35、sk management activities.信息与交流Information and CommunicationAn open flow of information and ease of communication within an organization are essential with any new initiative. Experienced project managers are well versed in the communications needed to disperse information to stakeholders. They also

36、have experience with change management, which can contribute to the timelier acceptance of new processes and the continuous improvement needed to excel. Experienced project managers will build measurements into the plans to assess success. Leading companies foster open communication between internal

37、 auditors, management, and external auditors. The first year of SOX implementation for accelerated filers resulted in less than ideal communications with external auditors, according to the SEC April 2005 Roundtable on Internal Control Reporting Provisions. Recent recommendations from the SEC and th

38、e PCAOB have clarified expectations regarding external auditor communications, with the specific goal of improving the quality of testing, documentation, and remediation in the control environment, thus adding business value. Information overload is prevalent throughout business. In the “information

39、 economy,” management is frequently overwhelmed by the quantity of data available, often resulting in a failure to convert important business information into knowledge to support their competitive advantage in the marketplace. Leading companies have recognized that effective reporting of exceptions and an “executive dashboard” approach are the best ways to focus attention on important information, and they can avoid placing management adrift in a sea of meaningless data from endless sources.5。监测MonitoringControl self-assessments (CSA) can play an important part in monitoring internal