COSO《内部控制-整合框架》执行纲要2013版(中英文对照)

1、,.internal control integrated framework内部控制整合框架executive summary执行纲要internal control helps entities achieve important objectives and sustain and improve performance. cososinternal control integrated framework (framework) enables organizations to effectively and efficiently develop systems of interna

2、l control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.内部控制帮助组织达到重要的目标，维持和改进业绩。科索委员会的内部控制整合框架使得组织能够开发有效果且有效率的内部控制体系，该体系且能够适应变化的商业和运营环境，将风险降低到可接受的水平，并且促进规范决策和组织的治理。designing and im

3、plementing an effective system of internal control can be challenging; operating that system effectively and efficiently every day can be daunting. new and rapidly changing business models, greater use and dependence on technology, increasing regulatory requirements and scrutiny, globalization, and

4、other challenges demand any system of internal control to be agile in adapting to changes in business, operating and regulatory第 1 页;.,.environments.设计并实施一套有效的内部控制体系是充满挑战的；每天保持制度运行的效果和效率会让人可望而不可及。崭新且不断更新的商业模型，对技术的深入应用和依赖，日益繁多的监管要求和检查，全球化和其他挑战要求每一个组织的内部控制体系都能够更加敏捷地适应不断变化的商业、运营和监管的环境。an effective syst

5、em of internal control demands more than rigorous adherence to policies and procedures: it requires the use of judgment. management and boards of directors 1 use judgment to determine how much control is enough. management and other personnel use judgment every day to select, develop, and deploy con

6、trols across the entity . management and internal auditors, among other personnel, apply judgment as they monitor and assessthe effectiveness of the system of internal control.一套有效的内部控制体系除了对制度和流程严格遵守外，还要求判断力。管理层和董事会通过其判断来决定多少控制是充分的。管理层和其他员工每天通过其判断，在组织内选取，推进和实施各类控制。管理层和内部审计师，以及其他的员工，通过其判断来监控和测试内部控制体系

7、的有效性。the framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. it does so by1the framework uses the term“ boardof directors, which” encompasses the gove

8、rning body, including board, board of trustees, general partners, owner, or supervisory board.本框架使用“董事会”一词，泛指治理层，包括：董事会，理事会，一般合伙人，所有者和监事会等。第 2 页;.,.providing both understanding of what constitutes a system of internal controland insight into when internal control is being applied effectively .本框架在内部

9、控制方面，对管理层，董事会，外部的利益相关者和其他与组织产生互动关系的相关方有所帮助，且不会过分死板；而这有赖于对内部控制体系构成要素的理解，有赖于对内部控制体系能够有效实施的时机的洞见。for management and boards of directors, the framework provides:对于管理层和董事会，本框架提供：a means to apply internal control to any type of entity , regardless of industry or legal structure, at the levels of entity, o

10、perating unit, or function一套工具，将内部控制推广到各类型的组织，无论行业或法律形式，无论在组织层面，经营单元层面或职能层面；a principles-basedapproachthatprovidesflexibilityand allowsforjudgmentindesigning,implementing,andconductinginternalcontrol principlesthatcanbeappliedattheentity ,operating,andfunctional levels一种原则导向的方法，能够灵活设计，实施和推进内部控制，并留有判

11、断空间 这些原则可在组织层面、运营层面和职能层面应用；requirements for an effectivesystem of internalcontrol by considering第 3 页;.,.howcomponentsandprinciplesarepresentandfunctioningandhowcomponents operate together一些要求，具体阐述有效的内部控制体系的要素和原则是如何存在和发挥作用，如何在一起产生协调作用；a means to identify and analyze risks, and to develop and manage

12、appropriate responses to risks within acceptable levels and with a greater focus on anti-fraud measures一套工具，识别和分析风险，开发和管理合适的风险应对措施将风险控制在可接受的水平，且更关注反舞弊措施；an opportunityto expand theapplicationof internalcontrolbeyondfinancialreportingto other forms of reporting,operations,and complianceobjectives一个机会

13、，将基于财务报告的内部控制扩大应用范围，满足各种其他的报告、运营和遵循目标；an opportunity to eliminate ineffective, redundant, or inefficient controls that provide minimal value in reducing risks to the achievement of the entity sobjectives一个机会，清理那些在降低风险方面价值不大的无效，冗余和低效的控制。for external stakeholders of an entity and others that interact

14、with the entity, application of this framework provides:第 4 页;.,.对于外部利益相关者和组织的其他相关方，本框架的应用可使其：greater confidence in the board of directorsoversight of internal controlsystems对于董事会针对内部控制的监管更有信心；greater confidence regarding the achievement of entity objectives对于组织实现目标更有信心；greater confidence in the org

15、anization sability to identify , analyze, and respond to risk and changes in the business and operating environments对组织识别，分析和应对来自商业与运营环境风险与变化的能力更有信心；greaterunderstandingof therequirementof an effectivesystem ofinternal control更了解有效的内部控制体系的具体要求；greater understanding that through the use of judgment,

16、management may be able to eliminate ineffective, redundant, or inefficient controls更了解管理层如何通过其判断清理那些无效，冗余和低效的控制。internal control is not a serial process but a dynamic and integrated process. the framework applies to all entities: large, mid-size, small, for-profit and not-for-profit, and government

17、bodies. however, each organization may choose to implement internal control differently . for第 5 页;.,.instance, a smaller entity ssystem of internal control may be less formal and less structured, yet still have effective internal control.内部控制不是一个按部就班的过程而是一个动态和整合的过程。本框架可以适用于各类型的组织：大型，中型或小型；盈利，非盈利或政府

18、机构。然而，每个组织都可以有权选择，实施不同的内部控制。例如，一个小型组织的内控体系可以不那么正式和结构清晰，但仍保持有效。the remainder of this executive summary provides an overview of internal control, including a definition, categories of objective, description of the requisite components and associated principles, and requirement of an effective system o

19、f internal control. it also includes a discussion of limitations the reasons why no system of internal control can be perfect. finally, it offers considerations on how various parties may use the framework .以下，本文将对内部控制提供总览，包括定义，各类别的目标，必要要素和相关原则的描述，以及对一个有效内部控制体系的要求。本文也将讨论内部控制的局限性 为什么没有一个内部控制体系是完美的。第

20、6 页;.,.defining internal control定义内部控制internal control is defined as follows:内部控制定义如下：internal control is a process, effected by an entity sboard of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, re

21、porting, and compliance.内部控制是一套流程，受组织的董事会，管理层和其他员工所影响，被设计并用来为组织提供合理保证，使其实现运营，报告和遵循目标。this definitionreflects certain fundamental concepts. internal control is:以上定义体现了一些基础概念。内部控制是：geared to the achievement of objectives in one or more categories operations, reporting, and compliance使组织实现多个种类的目标，如运营，报

22、告和遵循；a process consisting of ongoing tasks and activities a means to an end, not an end in itself一个持续不断的过程，包括各种任务和活动 一个达到目的的手段，而非目的本身；第 7 页;.,.effected by people not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organiz

23、ation to affect internal control受人的影响 不仅仅是制度和流程手册，体系和表单，而是组织各个层级的人和他们所采取的行动；able to provide reasonable assurancebut not absolute assurance, to an entity ssenior management and board of directors可以向组织的高级管理层和董事会提供合理保证 而非绝对保证；adaptable to the entity structure flexible in application for the entire enti

24、ty or for a particular subsidiary, division, operating unit, or business process可以适应组织的结构可灵活应用于整个组织或一个分支机构，业务部，运营单元或业务流程。this definitionis intentionallybroad. it captures importantconcepts that arefundamentalto how organizations design, implement,and conduct internalcontrol, providing a basis for ap

25、plication across organizations that operate indifferententity structures, industries, and geographic regions.这个定义被设定的包含广泛，包括了关于组织如何设计，实施和推进内部控制的一些重要的基础概念，为不同的组织架构，行业和地理区域的组织提供了操作支持。第 8 页;.,.objectives目标the framework provides for three categories of objectives,which alloworganizations to focus on dif

26、fering aspects of internalcontrol:本框架提供了三个类型的目标，使得组织可以关注于内部控制的不同方面：operations objectives these pertain to effectiveness and efficiency of theentitysoperations, including operational and financial performance goals,and safeguarding assets against loss.运营目标组织运营的效果和效率，包括运营和财务绩效目标，资产安全不受损失。reporting obj

27、ectives these pertain to internal and external financial and non-financial reporting and may encompass reliability , timeliness, transpar-ency, or other terms as set forth by regulators, recognized standard setters, or the entity spolicies.报告目标内、外部的财务和非财务报告的可靠性、及时性、透明度，以及其他监管者、公认的标准制定机构和组织政策所要求的方面。c

28、ompliance objectives these pertain to adherence to laws and regulations to which the entity is subject.遵循目标遵守对组织适用的法律法规。第 9 页;.,.components of internal control内部控制的要素internal control consists of five integrated components.内部控制包括五个相关关联的要素。control environment控制环境the control environment is the set of s

29、tandards, processes, and structures that provide the basis for carrying out internal control across the organization. the board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. management reinforces

30、 expectations at the various levels of the organization. the control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational struc-ture and assignment of auth

31、ority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. the resulting control environment has a pervasive impact on the overall system of interna

32、l control.控制环境是一套标准、流程和结构，能够为内部控制的实施提供基础。董事会和高级管理层为内部控制的重要性（包括期待的行为准则）提第 10 页;.,.供高层定调（the tone at the top ）。组织各个层级的管理活动强化了这种期望。控制环境包括了组织正直和道德的价值观；促进董事会行使公司治理的监控职责的机制；吸引、开发和保留人才的机制；严格的绩效衡量、激励和汇报机制以保证绩效实现。控制环境会对内部控制的整体体系产生全面影响。risk assessment风险评估every entity faces a variety of risks from external and

33、 internal sources. risk is defined as the possibility that an event will occur and adversely affect theachievement of objectives. risk assessment involves a dynamic and iterative process for identifying and assessingrisks to the achievement of objectives. risksto the achievement of these objectives

34、from across the entity are considered relative to established risk tolerances. thus, risk assessment forms the basis for determining how risks will be managed.每个组织都面临着来自内外部的各类风险。风险是潜在事件发生并对组织实现其目标产生负面影响的可能性。风险评估包括了根据组织要实现的目标，动态和反复的识别和评估风险的过程。将全组织范围的影响目标实现的风险同已经建立的风险容忍度一同考量后，风险评估就为决定风险如何进行管理打下了基础。apr

35、econdition to risk assessmentis the establishment of objectives, linked at different levels of the entity . management specifies objectives within categories relating to operations, reporting, and compliance with sufficient第 11 页;.,.clarity to be able to identify and analyze risks to those objective

36、s. management also considers the suitability of the objectives for the entity . risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.风险评估的先决条件是组织各个层级的目标的确立。管理层要结合

37、运营、报告和遵循的三大类目标，明确相应的具体目标，以便识别和分析相关的风险。管理层也要考虑这些目标对于组织的可持续性。风险评估还要求管理层考虑可能导致内控失效的外部环境和内部商业模式的可能变化。control activities控制活动control activities are the actions established through policies and proceduresthat help ensure that management sdirectives to mitigate risks to the achievement of objectives are car

38、ried out. control activities are performed at all levels of the entity, at various stages within business processes, andover the technology environment.they may be preventive or detectiveinnature and may encompass a range of manual and automated activitiessuchas authorizations and approvals, verific

39、ations,reconciliations,and businessperformance reviews. segregation of duties is typically built into the selection and development of control activities. where segregation of duties is not practical, management selects and develops alternative control activities.第 12 页;.,.控制活动是通过制度和流程所确立的行动，旨在确保管理层

40、降低影响组织目标实现的风险的方针得以实现。在组织的各个层级，业务的各个环节，信息技术的整个环境中都应实施控制活动。从性质上，可以是预防性的，也可以是检查性的；应覆盖手工和自动控制；包括授权和批准，复核，对账和业务绩效评估。不相容职责分离也是典型的应选取和推进的控制活动。如果不相容职责分离无法实施，管理层应选择和推进替代性的控制活动。informationand communication信息与沟通information is necessary for the entity to carry out internal control responsibilities to support th

41、e achievement of its objectives. management obtains or generates and uses relevant and quality information from bothinternal and external sources to support the functioning of other components of internal control.信息对于组织而言，对推进内控、促进其目标实现是非常必要的。管理层从内外部获得或生成，并且使用相关的有质量的信息来支持内部控制其他要素的正常运转。communication i

42、s the continual, iterative process of providing, sharing, and obtaining necessary information. internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity . it enables personnel to receive a clear message from senior m

43、anagement that control responsibilities must be taken seriously.第 13 页;.,.external communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.沟通是一个持续和不断重复的提供、分享和获得必要的信息的过程。，

44、内部沟通是一个手段，使得信息能够在整个组织向上、向下和横向扩散，能够帮助员工接受来自高管层的清晰的信息控制的职责必须认真实施。外部沟通包括两个部分：将外部的相关信息传入组织内部，以及根据其要求和期望，提供信息给外部的相关方。monitoring activities监督活动ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including

45、controls to effect the principles within each component, is present and functioning. ongoing evaluations, built into business processes at different levels of the entity, provide timely information. separate evaluations, conducted periodically , will vary in scope and frequency depending on assessme

46、nt of risks, effectiveness of ongoing evaluations, and other management considerations. findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of dir

47、ectors as appropriate.持续的评价，独立的评价，或者两者的某种组合可以用来确认内部控制的五个要素以及每个要素下的原则是否存在并发挥作用。嵌入整个业务体系的持续评价可以提供及时的信息；独立的评价需要定期开展，第 14 页;.,.其范围和频率可能因风险评估，持续评价的有效程度以及管理层的其他考虑而有所不同。评价中的发现应结合监管者、标准订立机构和管理层、董事会所设定的标准进行评估；缺陷应当视情况传递给管理层和董事会。第 15 页;.,.relationship of objectives and components目标和要素的关系a direct relationship e

48、xists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and the organizational structure of the entity (the operating units, legal entities, and other). the relationship can be depicted in the form of a cube.组织要实现

49、的目标，为了实现目标所必须的要素，组织的组织架构（如运营单元，法律实体及其他）这三者之间存在着直接的关系。这个关系可以以一个立方体的形式展现。? the three categories of objectives operations, reporting, and compliance are represented by the columns.运营、报告和遵循三类目标以纵列表示。? the five components are represented by the rows.内部控制的五个要素以横行表示。? an entitysorganizational structure is represented by the third dimension.组织的组织架构以第三维表示。第 16 页;.,.components and principles要素及原则the framework sets out seventeen principles representing the fundamental concepts associated with each component. because these pri