1、coso內部控制模型The COSO Internal Control ModelThe COSO internal control framework was first introduced in 1992, and in 1994 a comprehensive four-section report on internal controls was issued, con sisting of an executive summary, a framework, guidance to public companies o n reporting on internal control

2、s to third parties, and evaluation tools to help a company comprehensively assessits current control environment.The COSO framework is relevant to achieving company objectives in three areas:Operational goals: The framework relates to the effective and efficient usag e of all of a company's reso

3、urces.Financial reporting goals: The construct gives guidance on the consistent pr oduction of reliable financial reports.Compliance goals: The guidance creates a topology of the company" &ompl iance requirements as they relate to industry regulations or legal requirements f or public entit

4、ies.coso內部控制框架提出三大目標，即運營的效率和效果，財務報告的可靠性，以及遵守適用的法律和規章五大要素1。控制環境Control EnvironmentThis element is the foundation of the COSO framework. It sets the overall tone of the organization with regard to the importance of internal controls. Et hical values, leadership resource allocation, staff competence at

5、 all levels, the d ynamics of authority and responsibility within the organization, and managemen t philosophy are all parts of this critical component.In a sense, the control environment is the most difficult component to quan tify, because much of it relates to the overall culture of the organizat

6、ion. But t here are a number of clear goals that an organization can work toward to ensu re that the framework rests on a foundation exemplifying market leadership.Board and leadership involvement is the most crucial element in an organiz ation seeking market leadership. As the board and leadership

7、set expectations a nd measure progress against them, business units or department heads begin to assign internal controls the priority they require. The specific strategies that c an be employed to move to a market-leader position within an industry include the following:? Conveying the importance o

8、f ethical values道德價值 by setting an exam ple and “walkingthe talk. This includes relating stories of integrity and ethica l values through presentations, newsletter stories, and any other means of gettin g the message to everyone that these values are important to the organization. Public companies a

9、re now required to have a code of conduct for the board u nder the requirements laid out by SOX. Nonprofits and private companies can also benefit from a code of conduct. The organization cannot tolerate violations of this standard. There are financial benefits to this approach as well. One re searc

10、h study performed by the Institute of Business Ethics ( "DoeBusiness Eth ics Pay?, " April 2003) found that companies displaying a clear commitment to ethical conduct consistently outperform companies that do not display ethical conduct.? Developing clear organizational guidelines relating

11、 to responsibility and a uthority with accountability checks is another clear hallmark of an market lead er. Within the organization, leadership typically follows a distributed model, wi th individuals understanding the overall organizational goals and how the goals of their department or business u

12、nit relate to them. Individuals should also un derstand their responsibilities and the limit of their authority to ensure that the goals of the organization are achieved. When a leadership culture like this is achieved, the whole organization is focused on organizational objectives and co mmitted to

13、 the maintenance of the control structure. A guiding coalition of lea dership members believing in the need for change is one of the first steps typi cally taken by organizations that successfully make culture shifts, but changes will take effect slowly and steadily over time.? Embedding the interna

14、l control framework within the organizational cultu re 將內部控制框架融入企業文化 .Management must clearly define roles and res ponsibilities for internal controls, including responsibility for the defining, docu menting, testing, and monitoring of controls and the remediating of problems. The organization must

15、incorporate these responsibilities into the responsible indi viduals performance management goals.? The internal controls environment is no longer viewed as separate from the operating component of the business; controls are embedded in processes fr om the beginning.內部控制環境不再獨立于企業經營要素， 要從一開始就執行T his

16、approach lowers the risk of inadequate controls and ensures that the control structure is in place from the outset of a process ' planning and launch.? Supporting human resources policies and practices that provide clear cor porate career paths. Human resources management plays a key role in ens

17、uring that individuals are hired with the needed financial competencies and that care er growth supports an increased level of financial reporting competencies對人 力資源/人才的要求2o風險評估Risk AssessmentLeading companies take a risk-based approach to SOX internal controls co mpliance as a key step in achieving

18、 a correct balance between costs and benef its. Recent guidance from the Public Company Accounting Oversight Board (P CAOB) supports this approach with specific recommendations, including the us e of a risk-based method to determine which key controls are tested each year. The PCAOB also recommends

19、that the viability of a company' s)usiness mod el is an important consideration when evaluating risks. Companies that focus o n these larger problems and risks will better meet the needs of all their stakeh olders, including investors and analysts.Market leaders with respect to internal controls

20、 expand the risk focus starte d under internal compliance efforts to a broader venue. One popular concept th at often precedes a mature enterprise risk management initiative is the formatio n of a risk council. This council is generally composed of management represe ntatives from different areas of

21、 the business. Some of the early objectives of ri sk council meetings are as follows:Use of a common terminology for risk discussions throughout the organizati on;Definition of a risk framework or structure for fostering risk management a cross the organization;Characterization of the organization c

22、urrent risk capability as well as risk and performance indicators;Identification of the company" scurrent spending on risk; andFormulation of a plan to mitigate the operational risks of the organization.If they do not already have a risk program, some companies take the risk management process

23、even further with a more formalized, enterprise-wide progr am headed by a chief risk officer. Under this approach, the organization embe ds risk identification and mitigation into its culture in the same way it adopted its internal control framework. The goal is to intertwine risk and business stra

24、tegy with other organizational systems such as performance management.Another important aspect to risk assessmentis continuous monitoring of the internal and external environment in which the entity operates. This periodic s can of the operational environment can highlight upcoming events affecting

25、bot h internal controls and risk strategy. Events such as systems change, mergers a nd acquisitions, loss of key personnel, and other events may require a closer l ook at existing controls and risk management控制活動Control ActivitiesMarket leadership in the actual design of controls requires corporate-

26、wide c oordination and the involvement of ownership. Policies are set enterprise-wide, allowing an efficient implementation while avoiding duplicate efforts and definit ions. Control design workshops or training can raise the knowledge and capabil ity of management and staff to deal with defining, d

27、ocumenting, managing, test ing, and reporting on internal controls. Global organizations have recently begu n to roll these sessions out through online training sessions for foreign registra nt compliance with SOX section 404. These modules can be used with more-e xperienced users to reinforce other

28、 objectives, such as a return to basic control s and an emphasis on continuous improvement. Leading organizations have mo ved to more-comprehensive training on basic accounting concepts, and in the p rocess have improved the timing of their closing cycle, implemented process i mprovements, and reduc

29、ed the error rate in accounting transactions.Market leaders have focused controls on prevention rather than detection (se e the Sidebar on types of controls). They have reengineered business processes, where needed, to incorporate prevention. Automating control checks by utilizin g software features

30、 that can complete checks without any specific action is als o beneficial. Internal auditing can help provide direction to business process o wners searching for the best approach to use. Working closely with the board will help the internal audit function receive the company-wide exposure necessa r

31、y for business process owners to recognize the value delivered to the organiza tion. It will also make it more likely that business process owners will ”buy n" to the process.Leading-edge companies in internal controls implementation effectively utiliz e technology in several ways. First, they

32、build in controls wherever cost-effecti ve, because this one-time change activates a continual and long-lasting process of control testing. Automated control testing also brings about a quicker respon se time to potential problems and needed corrections.Management can also utilize technology to supp

33、ort the documentation and t esting components of their control activities. Numerous vendors (e.g., BWise, Methodware) provide customizable software to provide a consistent approach ac ross the enterprise. The use of software to support these efforts is not limited to large companies, as many program

34、s are scalable and affordable for small co mpanies. These programs help ensure that the initial investment in documentati on and testing is well maintained and that compliance efforts will be sustained into the future. They can also serve as a basis for higher-value initiatives do wnstream, such as

35、business process improvement and more-comprehensive risk management activities.信息與交流Information and CommunicationAn open flow of information and ease of communication within an organiz ation are essential with any new initiative. Experienced project managers are w ell versed in the communications ne

36、eded to disperse information to stakeholders. They also have experience with change management, which can contribute to the timelier acceptance of new processes and the continuous improvement need ed to excel. Experienced project managers will build measurementsinto the pla ns to assesssuccess.Leadi

37、ng companies foster open communication between internal auditors, ma nagement, and external auditors. The first year of SOX implementation for acc elerated filers resulted in less than ideal communications with external auditors, according to the SEC April 2005 Roundtable on Internal Control Reporti

38、ng Pr ovisions. Recent recommendations from the SEC and the PCAOB have clarifie d expectations regarding external auditor communications, with the specific goal of improving the quality of testing, documentation, and remediation in the con trol environment, thus adding business value.Information ove

39、rload is prevalent throughout business. In the “informations conomy," management is frequently overwhelmed by the quantity of data available, often resulting in a failure to convert important business information into knowledge to support their competitive advantage in the marketplace. Leading

40、companies have recognized that effective reporting of exceptions and an ”exec utive dashboard "approach are the best ways to focus attention on important in formation, and they can avoid placing management adrift in a sea of meaningl ess data from endless sources.5。監測MonitoringControl self-assessments(CSA) can play an important