中小型民營企業(yè)內(nèi)部控制研究外文翻譯、中英文翻譯、外文文獻(xiàn)翻譯VIP

本科畢業(yè)設(shè)計(jì)（論文）   外文參考文獻(xiàn)譯文及原文     學(xué)     院                        專     業(yè)                       年級(jí)班別                       學(xué)     號(hào)                       學(xué)生姓名                       指導(dǎo)教師                              年    月     日   目錄  摘要 1 1 選題背景 2 2 內(nèi)部控制理論的概述   . .3 2.1 內(nèi)部控制的根本性質(zhì) .3 2.2 內(nèi)部控制的責(zé)任 . .3 3 確保內(nèi)部控制的充分性 . .5 4 先天的內(nèi)部控制 9 5 結(jié)論 11 Abstract.12 1 Background Topics.13 2 Internal control theory outlined . 15 2.1 The Fundamental Nature Of  Intaral Control .15 2.2 Responsibillty For Internal Control .15 3 Ensuring that the internal control adequacy . .17 4 Inherent limitations of internal control 22 5 Conclusion .25 摘  要  內(nèi)部控制這個(gè)概念已經(jīng)不是一個(gè)新概念。這篇文章將研究每個(gè)公共部門財(cái)政經(jīng)理和董事會(huì)成員應(yīng)該了解的關(guān)于內(nèi)部控制的內(nèi)容。在分析了虛假的財(cái)政報(bào)告的根本原因以后， Treadway 委員會(huì)把大部分的責(zé)任歸咎于內(nèi)部控制管理的不足。作為回應(yīng)，建立 Treadway 委員會(huì)的各個(gè)組織成立了一個(gè)贊助組織委員會(huì)（ COSO），設(shè)法補(bǔ)救 的 Treadway 委員會(huì)揭露出來的問題。  COSO 為了確保此架構(gòu)足夠及全面的內(nèi)部控制，確定了 5 個(gè)重要組成部分：1、控制環(huán)境； 2、風(fēng)險(xiǎn)評(píng)估； 3、政策及程序； 4、溝通； 5、監(jiān)測與追蹤。一個(gè)健全的架構(gòu)與內(nèi)部控制是必要的，同時(shí)必須意識(shí)到這類框架是難于達(dá)到一個(gè)完美的境界。內(nèi)部控制在本質(zhì)上是一種管理責(zé)任。   1 選題背景  內(nèi)部控制這個(gè)概念已經(jīng)是毫無新意的。同樣，由于私營部門最近的丑聞事件使得聯(lián)邦法律重申了這個(gè)經(jīng)常被忽略和議題的重要性，這篇文章將研究每一個(gè)公共部門的財(cái)政經(jīng)理及董事會(huì)成員還 應(yīng)當(dāng)了解內(nèi)部控制的哪些制度。  直到最近幾年，基本問題“什么是內(nèi)部控制？”這個(gè)問題可以引出一系列的例子：不同職責(zé)的分離，定期進(jìn)行銀行對(duì)賬，獲取的報(bào)告的利用等概念，但是這些并不是內(nèi)部控制的準(zhǔn)確定義。也就是說，內(nèi)部控制往往被視為一個(gè)集體名詞來形容不同種類的政策和程序，而不是作為一個(gè)獨(dú)立和統(tǒng)一的概念。這就是八十年代中期 Treadway 委員會(huì)在面對(duì)虛假財(cái)政報(bào)告，需要履行職責(zé)時(shí)所面臨的形勢。  經(jīng)調(diào)查分析提供虛假的財(cái)政報(bào)告的根本原因后，該 Treadway 委員會(huì)把大部分的責(zé)任歸咎于內(nèi)部控制缺乏管理上，但是在企業(yè)管理者不能夠 清楚地了解內(nèi)部控制的真正含義和為什么要重視內(nèi)部控制這個(gè)問題上，該委員會(huì)要負(fù)一定的責(zé)任。  針對(duì)這些調(diào)查結(jié)果，發(fā)起組織 Treadway 委員會(huì)的各個(gè)機(jī)構(gòu)成立了一個(gè)協(xié)調(diào)委員會(huì)，設(shè)法補(bǔ)救 Treadway 委員會(huì)揭露出來的問題，這一努力的結(jié)果，是 1992年 COSO 發(fā)布的開創(chuàng)性報(bào)告中提到的內(nèi)部控制綜合框架。直到今天，“ COSO 報(bào)告”依然是在正規(guī)和嚴(yán)肅場合開展內(nèi)部控制的討論的重要基礎(chǔ)。  在私營部門， COSO 報(bào)告規(guī)定的標(biāo)準(zhǔn)通常用于評(píng)價(jià)內(nèi)部控制，包括授權(quán)公司進(jìn)行公開交易，這是由于安然和世界通訊的丑聞，使聯(lián)邦的 Sarbanes-Oxley 法規(guī)對(duì)內(nèi)部控制進(jìn)行了規(guī)定。在公共部門，政府財(cái)政官員協(xié)會(huì)在最近推薦的做法中的立場是政府的財(cái)政管理為了履行自己的道德責(zé)任，應(yīng)“獲取信息和負(fù)責(zé)內(nèi)部控制所需的有意義的培訓(xùn)”、特別是正確理解內(nèi)部控制（ COSO）的規(guī)定。   2 內(nèi)部控制理論的概述  2.1 內(nèi)部控制的根本性質(zhì)  無論是哪種性質(zhì)的組織（即公、私、或非營利性），所有的管理者都必須致力于：（ 1）、經(jīng)營效率；（ 2）、制作真實(shí)可靠的外部財(cái)務(wù)報(bào)告；（ 3）、遵守適用的法律和法規(guī)。  負(fù)責(zé)任的管理人員不能脫離這些目標(biāo)，相反，他們必須采取具體行動(dòng)，以確保經(jīng)營運(yùn) 作的有效性和高效率、財(cái)務(wù)報(bào)告的真實(shí)可靠并且不違背法律法規(guī)的規(guī)定。也就是這些行為構(gòu)成的內(nèi)部控制。不同的是，內(nèi)部控制可以定義為管理上使用的用以確保實(shí)現(xiàn)其目標(biāo)的工具和技術(shù)的總稱。因此，在本質(zhì)上，內(nèi)部控制在根本上是一個(gè)管理問題。  2.2 內(nèi)部控制的責(zé)任  以下一個(gè)類比可能有助于指派負(fù)責(zé)內(nèi)部控制的管理者、董事會(huì)成員和審計(jì)員正確理解內(nèi)部控制的責(zé)任和職能?！皩W(xué)生主要是負(fù)責(zé)完成功課。”給學(xué)生分配這種首要的責(zé)任是實(shí)際的，因?yàn)橥瓿晒φn任務(wù)的目標(biāo)是提高學(xué)生的技能，為學(xué)生完成功課而又不影響學(xué)生技能的提高的情況是不可能存在的。家長、導(dǎo)師 或同學(xué)可以在學(xué)生完成某一項(xiàng)任務(wù)時(shí)提供幫助，但是最終只有學(xué)生本人的直接參與，才能達(dá)到提高技能的目的。當(dāng)然，這并不是說，父母或監(jiān)護(hù)人以功課是學(xué)生的主要責(zé)任為理由來為自己開脫責(zé)任。父母或監(jiān)護(hù)人的最終職責(zé)是確保學(xué)生為他自己的功課負(fù)責(zé)，雖然家長或監(jiān)護(hù)人實(shí)際上不能幫助學(xué)生完成功課，但他們有權(quán)利監(jiān)督學(xué)生完成功課。最后，教師和輔導(dǎo)員，他們?yōu)閷W(xué)生和家長、監(jiān)護(hù)人提供寶貴的幫助，是不能取代的。最終，如果學(xué)生的功課不能按時(shí)完成，最終的責(zé)任由家長或監(jiān)護(hù)人來承擔(dān)。  這個(gè)比喻表明了內(nèi)部控制實(shí)際的含義，我們可以將上述例子中的學(xué)生、家長或監(jiān) 護(hù)人、教師分別代表管理、理事會(huì)委員和內(nèi)部審計(jì)師，這有助于理解內(nèi)部控制中各人的職責(zé)所在。正如我們剛才解釋的，內(nèi)部控制是一個(gè)根本的管理問題（即管理者用工具和技術(shù)來實(shí)現(xiàn)管理目標(biāo)），因此，管理是內(nèi)部控制的主要責(zé)任所在。但是董事會(huì)的成員不能因?yàn)閮?nèi)部管理是管理層的主要職責(zé)而對(duì)內(nèi)部管理袖手旁觀，因?yàn)樗墓ぷ魇谴_保管理符合其所有責(zé)任。因此，內(nèi)部控制的最終責(zé)任由董事會(huì)來承擔(dān)。獨(dú)立的內(nèi)部審計(jì)師，就像一位老師，他可以為管理的成功提供必要的援助（制作真實(shí)可靠的財(cái)務(wù)報(bào)表），但即使是最好的老師也無法幫助學(xué)生、家長或監(jiān)護(hù)人完成原本屬于他 們的責(zé)任及任務(wù)。最后，內(nèi)部審計(jì)師，作為一個(gè)重要的角色，像老師一樣幫助他們達(dá)到目標(biāo)。盡管如此，內(nèi)部審計(jì)員在內(nèi)部控制制度中能做的也只是協(xié)助管理，而不取代它。  當(dāng)然，有一件事必須堅(jiān)持的是，理事會(huì)要承擔(dān)內(nèi)部控制的最終責(zé)任。主要的問題仍然是：“理事會(huì)怎么有效地履行它在這方面的責(zé)任？”最現(xiàn)實(shí)的辦法是成立一個(gè)審計(jì)委員會(huì)，最好能做為中心點(diǎn)，在董事會(huì)的內(nèi)部控制方面努力，確保整個(gè)內(nèi)部控制的問題能夠定期提交給董事會(huì)進(jìn)行及時(shí)處理。同樣，內(nèi)部審計(jì)員的作用是，可幫助經(jīng)理人，完成他們內(nèi)部控制的主要任務(wù)，尤其是一個(gè)綱領(lǐng)性而非金融背景的主管 ，他們可能不熟悉內(nèi)部控制。   3 確保內(nèi)部控制的充分性  一旦管理與理事會(huì)在內(nèi)部控制中共同承擔(dān)各自的責(zé)任，怎樣才能知道自己是否真正履行了自己的義務(wù)？多少控制才是合適的呢？  在 COSO 報(bào)告中，內(nèi)部控制（復(fù)數(shù)）比內(nèi)部控制（單數(shù)）更常見，然而，COSO 中內(nèi)部控制更多地被視為它各部分的總和（個(gè)別政策和程序）。在美國，COSO 憧憬將內(nèi)部控制的個(gè)人控制元件或部件都集成一個(gè)統(tǒng)一的結(jié)構(gòu)或架構(gòu)納入其中，即 COSO 提供一個(gè)整體內(nèi)部控制的概念來代替早期的零敲碎打。 COSO為確保架構(gòu)內(nèi)的內(nèi)部控制是否足夠或全 面，還確定了需要加以實(shí)施的五項(xiàng)重要組成部分：  1、必須有完善的控制環(huán)境（企業(yè)文化）；  2、必須有一個(gè)定期的連續(xù)的風(fēng)險(xiǎn)評(píng)估；  3、必須設(shè)計(jì)、實(shí)施、維持相關(guān)的政策和程序，從而確定風(fēng)險(xiǎn)的處理；  4、必須有充分的溝通；  5、必須設(shè)計(jì)一個(gè)定期和持續(xù)地監(jiān)測防治相關(guān)的政策和程序，以確保它們能持續(xù)發(fā)揮作用，使得任何問題都可以得到妥善處理。  控制環(huán)境。用比喻更可能有助于了解主要的控制環(huán)境。小孩子不是在孤立的環(huán)境中長大的，而是在被特定的人所包圍的特定環(huán)境中長大的。這樣的環(huán)境可能會(huì)對(duì)孩子的成長產(chǎn)生深遠(yuǎn)的影響，因此，一個(gè)只有有限潛 能的孩子也許是在一個(gè)充滿生機(jī)和機(jī)會(huì)的富裕環(huán)境中成長并發(fā)揮潛能，一個(gè)擁有巨大潛能的孩子也許會(huì)在不利的環(huán)境中成長，潛能被埋沒了。  內(nèi)部控制也并非是在真空狀態(tài)。內(nèi)部控制無可避免的會(huì)受到周圍環(huán)境或企業(yè)文化或好或壞的影響。事實(shí)上，最終要取得成功的內(nèi)部控制是不可能夸大到對(duì)周遭環(huán)境的控制的。在周遭對(duì)內(nèi)部控制持冷漠態(tài)度甚至充滿敵意（這么多的“繁文縟節(jié)”需要“穿越”才能辦妥工作）的環(huán)境下，就算有最佳的政策和程序，也沒有多大的希望得到有效的發(fā)展。反之，一種顯然是支持內(nèi)部控制的環(huán)境可以得到最妥善的甚至是最基本的控制政策和程序。  關(guān)鍵在于健全的內(nèi)部控制環(huán)境以及積極支持的環(huán)境。管理難以支持的東西，它不理解（因此，管理在內(nèi)部控制上必須對(duì) COSO 的指導(dǎo)性內(nèi)容相當(dāng)熟悉，這是 GFOA 在較早前提出的要求）。同樣地，有效的支持不是空談，時(shí)間和資源也是其中的重要部分。  此外，管理者的以身作則是非常重要的。很多時(shí)候，經(jīng)理人似乎認(rèn)為，內(nèi)部控制僅僅是對(duì)他們的部屬 ,那就是經(jīng)理人采取措施對(duì)那些向他們匯報(bào)的下屬實(shí)施控制。當(dāng)然，這種做法可能的結(jié)果就是員工會(huì)把內(nèi)部控制視為一種規(guī)避（證明其級(jí)別和重要性的組織），而不是視作一種避免。  一個(gè)特別重要的例子，該原則只是針對(duì) 違反相關(guān)政策和程序的控制討論關(guān)于管理的問題。管理人員為了避免發(fā)生沖突，并沒有對(duì)某些措施采取有效的紀(jì)律處分，即使某些情況是涉及欺詐的。無可避免的是，這樣的做法對(duì)其他人發(fā)出了一個(gè)明確且危險(xiǎn)的訊息：內(nèi)部控制和管理并不是很嚴(yán)格。  當(dāng)然，一個(gè)積極的審計(jì)委員會(huì)和有效的內(nèi)部審計(jì)部門，都是宏觀控制環(huán)境中重要的積極因素。  風(fēng)險(xiǎn)評(píng)估。在管理者實(shí)現(xiàn)其目標(biāo)（即風(fēng)險(xiǎn)）的過程當(dāng)中，挑戰(zhàn)是永遠(yuǎn)存在的。此外，昨天的風(fēng)險(xiǎn)和今天的、明天的風(fēng)險(xiǎn)不一定相同。因此，風(fēng)險(xiǎn)評(píng)估是不可能憑“一次性”的努力就可以完成，而必須是定期的、持續(xù)進(jìn)行的過程。同樣， 為了使他們能夠避免或減輕風(fēng)險(xiǎn)，風(fēng)險(xiǎn)必須是可預(yù)期的。打個(gè)比方，在鐵道路口設(shè)置路燈可避免一個(gè)重大事故的發(fā)生 ,同樣，如果此前的入口或交通情況發(fā)生變化，路燈在鐵道路口設(shè)置就顯得越來越有必要。  那么，經(jīng)理人需怎樣才能設(shè)法找出以前未知的風(fēng)險(xiǎn)呢？首先，管理應(yīng)把注意力集中在改變上，因?yàn)樗械淖兓紩?huì)涉及一定程度的風(fēng)險(xiǎn)?？梢詭砀唢L(fēng)險(xiǎn)的變化包括以下：  1、經(jīng)營環(huán)境的改變（例如，改變企業(yè)內(nèi)部的規(guī)章制度）；  2、人事變動(dòng)（特別是敏感職位的變動(dòng)）；  3、信息系統(tǒng)和技術(shù)的改變（例如，如果過程已被重新設(shè)計(jì)，控制程度是否仍然足夠？）  4、快速增長（例如，為應(yīng)付需求增加而施加的壓力）；  5、新的項(xiàng)目和服務(wù)（例如，缺乏經(jīng)驗(yàn)）；  6、結(jié)構(gòu)變化（例如，取消原項(xiàng)目的實(shí)施）。  經(jīng)理也應(yīng)考慮目前的固定風(fēng)險(xiǎn)，并處理高風(fēng)險(xiǎn)的情況。一般的內(nèi)存高風(fēng)險(xiǎn)包括以下：  1、復(fù)雜度（越復(fù)雜越容易出錯(cuò)）；  2、現(xiàn)金收入；  3、直接第三方受益人（現(xiàn)金支付幫助個(gè)人）；  4、以前遇到的問題（過去存在問題的項(xiàng)目很可能會(huì)繼續(xù)遇到相同的問題）；  5、事先確定的控制弱點(diǎn)（查明的問題在過去沒有得到糾正的情形）。  政策及程序。作為管理者必須分析當(dāng)前和今后潛在的風(fēng)險(xiǎn)。由于其進(jìn)行風(fēng)險(xiǎn)評(píng)估，所以 他們必須采取切實(shí)有效的措施來設(shè)計(jì)和實(shí)施具體的相關(guān)政策和程序，以避免和盡量減少這些風(fēng)險(xiǎn)。傳統(tǒng)上，與控制相關(guān)的財(cái)政政策和程序通?？蓜澐譃橐韵聨讉€(gè)基本類別：  1、授權(quán)（所有交易需適當(dāng)授權(quán)）；  2、妥善記錄（記錄應(yīng)旨在突出遺失物品）；  3、安全的資產(chǎn)和檔案（資產(chǎn)和檔案，應(yīng)該受到保護(hù)，且只提供給有需要的人）；  4、不相容職務(wù)（理想的情況下，個(gè)別員工不應(yīng)該在的職位上犯下隱瞞違規(guī)的事）；  5、定期核對(duì)（會(huì)計(jì)記錄應(yīng)定期加以對(duì)比和調(diào)和）；  6、定期復(fù)查（會(huì)計(jì)數(shù)據(jù)應(yīng)定期比較它們代表的實(shí)際項(xiàng)目）；  7、分析性復(fù)核（比較各項(xiàng)財(cái)務(wù)數(shù) 據(jù)，并評(píng)估這些數(shù)據(jù)和其他數(shù)據(jù)，包括金融的、非金融的，以及預(yù)期的）。  具體防治 的 相關(guān)政策及程序 ,也可以分為兩派 ,旨在消除實(shí)際問題（如消防系統(tǒng)）；以局部的目標(biāo)，使管理人員注意到潛在的問題，使他們能夠及時(shí)發(fā)現(xiàn)問題（如煙霧報(bào)警器）。這個(gè)重要的區(qū)別會(huì)在討論中顯示出來。  溝通。與其他四個(gè)組成部分不同的是，溝通通常不是單獨(dú)存在的。相反，它是其余各部分能夠有效運(yùn)作的基礎(chǔ)。舉例來說，一個(gè)良好的控制環(huán)境，需要各級(jí)管理部門之間以及管理人員與非管理人員之間良好的溝通才能形成。的確，COSO 為了強(qiáng)調(diào)溝通的重要性，把它作為一個(gè)單獨(dú)的組 件與其他幾個(gè)部分共同組成了一個(gè)全面的框架。  尤為要注意的是，財(cái)務(wù)經(jīng)理是從消費(fèi)者的角度記錄與會(huì)計(jì)有相關(guān)的和政策和程序。傳統(tǒng)的會(huì)計(jì)政策和程序手冊(cè)就是普遍應(yīng)用于此目的。最近，政府已經(jīng)開始使用內(nèi)部網(wǎng)絡(luò)，以確保工作人員能夠隨時(shí)獲得最新的信息。當(dāng)然，經(jīng)理人也有能力左右控制它們的建立。  因?yàn)槿f一發(fā)生不可避免的管理風(fēng)險(xiǎn)，給員工提供一個(gè)明確的沒有經(jīng)理左右的溝通方式是非常重要的。  并非所有類型的信息都是同樣具有緊迫性的。舉例說，違規(guī)和舞弊，是必須立即傳達(dá)給有關(guān)部門的，而定期報(bào)告則可能需要準(zhǔn)備較多相對(duì)不敏感的與控制相關(guān)的資料才能 傳達(dá)。良好的溝通可以確保信息的加速傳達(dá)也是符合這樣的考慮。  監(jiān)測。第五個(gè)也就是最后一個(gè)內(nèi)部控制綜合性框架的組成部分是監(jiān)測。正如再好的房屋也需要定期保養(yǎng)和不定期保養(yǎng)，有關(guān)控制的政策和程序也會(huì)隨著時(shí)間的推移而變得不相適應(yīng)。因此，管理者必須定期評(píng)價(jià)其與控制相關(guān)的政策和程序，以確保他們能得到很好的落實(shí)，并確保的業(yè)務(wù)能夠充分的展開。  同樣重要的是，許多與控制有關(guān)的政策和程序，都旨在提醒管理過程中潛在發(fā)生的問題，而不是真正的杜絕問題。因此，監(jiān)測的一個(gè)重要因素是，如何評(píng)價(jià)從過去的跡象顯示可能發(fā)生的錯(cuò)誤和違反相關(guān)政策和程序 有關(guān)規(guī)定的問題已被處理。   4 先天的內(nèi)部控制  一個(gè)健全的架構(gòu)，內(nèi)部控制是必不可少的，但重要的是要記住，沒有這種框架，將永遠(yuǎn)不會(huì)完美。例如，像前面解釋過的，經(jīng)理通常有能力建立凌駕一切與控制相關(guān)的政策和程序。另外，控制的不相容職務(wù)通?？梢酝ㄟ^合作而避開（即個(gè)人會(huì)以控制他人來代替共同工作）。最后，也是最重要的，不宜實(shí)行與控制相關(guān)的政策或程序，從而結(jié)束了耗資超過合理預(yù)期實(shí)現(xiàn)的收益的情況。所以，舉例來說，它有時(shí)未必可全面貫徹不相容職務(wù)，在這種情況下可能需要進(jìn)行改聘的方法（可能不太有效）來替代。  企 業(yè)內(nèi)部控制的風(fēng)險(xiǎn)管理  如前所述，  COSO 報(bào)告是在 1992 年關(guān)于內(nèi)部控制的嚴(yán)格討論中形成的。COSO 從未改變過在 1992 年發(fā)表的內(nèi)部控制綜合框架的使命，相反，安理會(huì)決定加強(qiáng)其關(guān)于企業(yè)風(fēng)險(xiǎn)管理的內(nèi)部控制工作。這樣的結(jié)果是美國在 2004 年出版了企業(yè)風(fēng)險(xiǎn)管理 整合框架（ COSO）。  COSO論述了企業(yè)的風(fēng)險(xiǎn)管理：  一個(gè)過程會(huì)受到公司董事會(huì)、管理人員和其他人員的影響，跨企業(yè)的應(yīng)用策略的制訂，旨在找出可能會(huì)發(fā)生的影響組織的事件，而風(fēng)險(xiǎn)管理可對(duì)實(shí)現(xiàn)組織目標(biāo)提供合理的保證。這個(gè)過程必然會(huì)涉及到組織中的個(gè)體以及組織這個(gè) 整體。  根據(jù) COSO，綜合性的企業(yè)風(fēng)險(xiǎn)管理架構(gòu)，是指提供合理的保證：（ 1）組織目標(biāo)的實(shí)現(xiàn)；（ 2）風(fēng)險(xiǎn)管理就是意識(shí)到風(fēng)險(xiǎn)可能影響了他們的業(yè)績。  COSO相對(duì)于原 COSO 報(bào)告，重申了三個(gè)基本管理目標(biāo)：行動(dòng)（效益和效率）；報(bào)導(dǎo)（擴(kuò)大到包括財(cái)政和內(nèi)部報(bào)告）；服從。而且還確定了新的第四類戰(zhàn)略目標(biāo)，這可以描述為一個(gè)“高層次”，因?yàn)樗械钠渌繕?biāo)將需要加以調(diào)整來適應(yīng)它。  COSO為強(qiáng)調(diào)企業(yè)風(fēng)險(xiǎn)管理，把由四個(gè)單獨(dú)部分（其中包括被稱為“風(fēng)險(xiǎn)評(píng)估”的部分）組成的架構(gòu)，擴(kuò)大到由八個(gè)部分組成的完整的企業(yè)風(fēng)險(xiǎn)管理架構(gòu)：  1、內(nèi) 部環(huán)境（包括一個(gè)組織對(duì)損失和風(fēng)險(xiǎn)的容忍度）；  2、目標(biāo)設(shè)定（為風(fēng)險(xiǎn)評(píng)估提供支持，風(fēng)險(xiǎn)被定義為能妨礙一個(gè)組織實(shí)現(xiàn)其目標(biāo)的因素）；  3、事件識(shí)別（包括積極的機(jī)會(huì)和消極的風(fēng)險(xiǎn)）；  4、風(fēng)險(xiǎn)評(píng)估（風(fēng)險(xiǎn)反應(yīng) -內(nèi)在風(fēng)險(xiǎn)）；  5、風(fēng)險(xiǎn)反應(yīng)（決定減少、分享或接受固有的風(fēng)險(xiǎn)，使剩余的風(fēng)險(xiǎn)與組織的風(fēng)險(xiǎn)相符）；  6、活動(dòng)控制（應(yīng)對(duì)風(fēng)險(xiǎn)的具體步驟）；  7、信息和溝通（專門有一條規(guī)定：管理凌駕于“上級(jí)匯報(bào)”之上）；  8、監(jiān)測。   5 結(jié)論  內(nèi)部控制，就其性質(zhì)而言，基本上是一種管理責(zé)任。管理部門的職 責(zé)，已大大加劇了后期私 營部門對(duì) 內(nèi)部控制的 重視，如聯(lián) 邦政府的 法律法規(guī)Sarbanes-Oxley。 GFOA 已明確表示公共部門的財(cái)務(wù)經(jīng)理，有義務(wù)去了解 GFOA 的實(shí)務(wù)專業(yè)理論，并履行其在內(nèi)部控制中的責(zé)任。首先，履行這些義務(wù)是為了讓各管理人員熟悉 COSO 報(bào)告中對(duì)內(nèi)部控制的理解。同樣，公共部門的理事，因?yàn)槠渥罱K責(zé)任是確保管理人員完成其內(nèi)部控制問題中的責(zé)任，因此他應(yīng)更熟悉 COSO報(bào)告中完善內(nèi)部控制架構(gòu)的內(nèi)容，才能更好地進(jìn)行管理問責(zé)。   Abstract The concept of internal control is hardly new. This article will examine what every public sector financial manager and board member should know about internal control. After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. In response, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations (COSO) that sought to remedy the deficiencies exposed by the Treadway Commission.  COSO identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive: 1. control environment, 2. assessment of risk, 3. policies and procedures, 4. communication, and 5. monitoring. While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. Internal control, by its very nature, is essentially a managerial responsibility. 1 Background Topics The concept of internal control is hardly new. All the same, recent private sector scandals and subsequent federal legislation have significantly renewed interest in this important, but frequently neglected topic. This article will examine what every public sector financial manager and board member should know about internal control. Until recent years, a response to the basic question, "What is internal control?" likely would have elicited a series of examples-segregation of incompatible duties, periodic bank reconciliations, use of receiving reports - rather than a true definition. That is to say, internal control tended to be viewed as a collective term used to describe a disparate assortment of policies and procedures rather than as a separate and coherent concept in its own right. Such was the situation that confronted the Treadway Commission on Fraudulent Financial Reporting when it first took up its mandate in the mid-1980s. After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. The commission assigned at least partial responsibility for this lack of involvement to a general failure to provide managers with a clear understanding of what internal control really is and why it should be a matter of concern to them. In response to these findings, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations that sought to remedy the deficiencies exposed by the Treadway Commission. The result of this effort was the groundbreaking report Internal Control - Integrated Framework, which was released by COSO in 1992. To this day, the "COSO Report" serves as the essential foundation for any serious discussion of internal control. In the private sector, the COSO Report provides the criteria normally used for evaluating internal control, including the internal control assessments mandated for publicly traded companies by the federal Sarbanes-Oxley legislation that was passed in the wake of the Enron and WorldCom scandals. In the public sector, the Government Finance Officers Association in a recent recommended practice has taken the position that government financial managers, in fulfillment of their ethical responsibilities, should "obtain the information and training needed to meaningfully take responsibility for internal control," and "in particular" should obtain "a sound understanding of. internal control as set forth by COSO."1 2 Internal control theory outlined 2.1 THE FUNDAMENTAL NATURE OF INTERNAL CONTROL Regardless of the sector within which they serve (i.e., public, private, or not-for-profit), all managers must strive to: ( 1 ) operate effectively and efficiently, (2) produce reliable external financial reports, and (3) comply with applicable laws and regulations. Responsible managers cannot leave the achievement of these objectives to chance. Rather, they must take concrete action to ensure the effectiveness and efficiency of operalions, reliable financial reporting, and legal and regulatory compliance. It is the sum of these actions that constitute internal control. Put differently, internal control could be defined as the sum of the tools and techniques used by management to ensure that it achieves its objectives. Thus, by its very nature, internal control is fundamentally a managerial concern. 2.2 RESPONSIBILITY FOR INTERNAL CONTROL An analogy may be useful in understanding the proper assignment of responsibility for internal control among managers, board members, and auditors. A student is primarily responsible for completing homework assignments. The reason for assigning primary responsibility to the student is as much practical as it is ethical； since the purpose of a homework assignment is to sharpen the student's skills, no one else can do a student's homework for the student without fundamentally compromising that objective. While a parent, tutor, or fellow student may provide valuable help to the student in completing an assignment, in the end, only the student's direct involvement can achieve the desired end. That is not to say, of course, that parents or guardians can somehow absolve themselves of their own responsibility for the completion of their charges' homework on the grounds that it is the student who is primarily responsible. Parents or guardians remain ultimately responsible for ensuring that a student meets his or her responsibility for homework. Although parents or guardians cannot actually do the homework for the student, they have a duty to make sure the student does so. Finally, teachers and tutors, while they can be of invaluable assistance to both students and their parents or guardians, cannot replace either. In the end, homework remains the primary responsibility of the student and the ultimate responsibility of the parents or guardians. This analogy holds true for internal control if the students, parents or guardia ns, teachers, and tutors of the previous example are replaced by management, the governing board, the independent auditor, and the internal auditor. Management is primarily responsible for internal control, because internal control, as explained earlier, is, by its very nature, fundamentally a management concern (i.e., the tools and techniques used by managers to achieve management objectives). Board members, in turn, cannot wash their hands of responsibility for internal control on the grounds that management is primarily responsible, because it is the job of a governing board to ensure that management meets all of its responsibilities. Thus, the governing board is ultimately responsible for internal control. The independent auditor of the financial statements, like a teacher, validates management's success (in preparing reliable financial statements) and is avai able to provide assistance, as needed. Still, even the best teacher cannot make up for a disengaged student or uninvolved parents or guardians. Finally, the role of internal auditors, like that of tutors, is to help those whom they serve to succeed. Nonetheless, an inter- nal auditor can only assist management, not replace it, with regard to internal control. It is one thing, of course, to insist that the governing board is ultimately responsible for internal control. The real issue remains: "How can a governing board effectively fulfill its responsibility in this regard?" The most practical solution is to establish an audit committee, which ideally can serve the focal point for the board's internal control-related efforts, ensuring that the whole matter of internal control is regularly brought before the board for its attention and dealt with appropriately.2 Similarly, an internal audit function can be invaluable in helping managers, especially those managers with a programmatic rather than a financial background, who may be less familiar with internal control.3 3 Ensuring that the internal control adequacy Once management and the governing board have assumed their respective responsibility for internal control, how can they know that they have truly fulfilled their obligations? How much control is enough? Before the COSO Report, it was more common to speak of internal controls (plural) than of internal control (singular). COSO, however, viewed internal control as much more than the sum of its parts (individual policies and procedures). COSO envisioned internal control as a unified structure or framework into which individual control elements or components are integrated. That is, COSO offered a conceptually holistic approach to internal control in place of the earlier, essentially piecemeal approach. COSO also identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive: * There must be a sound control environment ("corporate culture") * There must be a regular, ongoing assessment of risk * Control-related policies and procedures must be designed, implemented, and maintained to address the risks thus identified * There must be adequate communication * There must be a regular and ongoing monitoring of control-related policies and procedures to ensure that they continue to function as designed and that any problems disclosed are handled appropriately Control environment. An analogy once again may be useful for understanding the importance of the control environment. Children do not grow up in isolation, but rather surrounded by specific individuals in specific circumstances. This environment can have a profound impact on a child's development. Thus, a child with only limited gifts may flourish in a supportive and opportunity-rich environment, whereas a child with much greater potential may languish in a dysfunctional setting. Internal control also does not function in a vacuum. It is inevitably affected, for better or worse, by the surrounding environment or "corporate culture." Indeed, it is impossible to exaggerate the importance of the ambient control environment to the ultimate success of internal control. The best designed policies and procedures have little hope of being effective in an environment where internal control is viewed with indifference or even hostility (so much "red tape" to be "cut through" to get the job done). Conversely, an environment that is clearly supportive of control will tend to get the most out of even the most basic control-related policies and procedures. The key to a sound control environment is management's informed and active support for internal control. Management can hardly be supportive of something it does not understand (thus the GFOA recommendation mentioned earlier regarding the need for management to become familiar with the COSO guidance on internal control). Likewise, effective support must involve more than just words； time and resources also have to be a part of the equation. In addition, there is no substitute for management leading by example. All too often, managers appear to believe in internal control - but only for their subordinates! That is, managers wish to exempt themselves from the very controls they place on those who report to them. Of course, the likely outcome of such an approach is that employees will view the circumvention of internal control as something to be desired (evidence of their rank and importance within the organization) rather than as something to be avoided. One particularly important example of the principle just discussed is management's response to violations of control-related policies and procedures. All too frequently, managers seek to avoid confrontation, even in situations involving fraud, and thus fail to take effective disciplinary action. Almost inevitably, such a response sends the clear and dangerous message to others that management is not really serious about internal control. Naturally, an active audit committee and an effective internal audit function are significant positive factors in an entity's control environment. Assessment of risk. There will always be challenges in the path of management's achieving its objectives (i.e., risks). Moreover, yesterday's risks will not necessarily be the same as today's or tomorrow's. Accordingly, risk assessment cannot be a "one-time" effort, but must be a regular, ongoing process. Likewise, risks must be anticipated so they can be avoided or mitigated to the greatest extent possible. To revert to analogy, the time to install lights at a railway crossing is before a major accident occurs. Likewise, lights may become necessary at a railway crossing where none were needed previously because of changes in population or traffic patterns. How then should managers go about the process of trying to identify previously unidentified risks? First, management should focus its attention on change, because all change involves some element of risk. Examples of types of change that can entail a high degree of risk include the following: * Changes in the operating environment (e.g., changes in regulations) * Changes in personnel (especially in sensitive positions) * Changes in information systems and technology (e.g., if processes have been reengineered, are control procedures still adequate?) * Rapid growth (e.g., pressure to "cut comers" to meet increased demand) * New programs and services (e.g., lack of experience) * Changes in structure (e.g., elimination of a program) Managers also should consider inherent risk, which involves the notion that certain situations, even when they are ongoing, involve heightened levels of risk. Examples of situations that typically involve a high degree of inherent risk include the following: * Complexity (the more that can go wrong, the more that will go wrong) * Cash receipts ("when cash passes hands it tends to stick") * Direct third-party beneficiaries (cash payments of assistance to individuals) * Prior problems (programs with a "problem past" are likely to continue to experience problems) * Prior unresponsiveness to identified control weaknesses (situations where problems identified in the past have still not been remedied) Policies and procedures. As managers identify current and future potential risks as a result of their ongoing risk assessments, they must take practical steps to design and implement specific control-related policies and procedures to avoid or mitigate those risks. Traditionally, control-related policies and procedures related to finance are classified into one of the following basic categories: * Authorization (all transactions need to be properly authorized) * Properly designed records (records should be designed to highlight missing items) * security of assets and records (assets and records should be protected and available only to those who need them) * Segregation of incompatible duties (ideally, individual employees should not be in the position to both commit and conceal an irregularity) * Periodic reconciliations (accounting records should regularly be compared and reconciled) * Periodic verifications (accounting data should regularly be compared with the actual items they represent) * Analytical review (the reasonabiliry of financial data should be assessed by comparing that data with other data, both financial and nonfinancial, as well as with expectations) Specific control-related policies and procedures also can be divided between those designed to actually eliminate a problem (like a fire sprinkler system) and those designed with the more limited goal of alerting managers to a potential problem so they can eliminate it (like a smoke alarm). The importance of this distinction will become apparent later in the discussion of monitoring. Communication. Unlike the other four components of a comprehensive framework of internal control, communication does not really exist separately. Rather, it is a pervasive and necessary characteristic of each of the remaining components if they are to function effectively. For example, a sound control environment requires good communication among levels of management as well as between managerial and non-managerial staff. Indeed, it was to underscore the importance of communicatio n to each of the other components of a comprehensive framework of internal control that COSO chose to treat it as a separate component in its own right. Of special importance to good communication from the perspective of financial managers is the documentation of accounting-related policies and procedures. Traditionally an accounting policies and procedures manual has generally been used for this purpose. More recently, governments have begun to use internal Web sites to ensure that staff has ready access to the most updated information.4 Managers, of course, are in a position to override whatever controls they establish. Because of this unavoidable risk of management override, it is important that staff be provided with a clear way of communicating around managers in situations where management override does occur. Not all types of information have the same urgency. For example, indications of irregularities or fraud need to be communicated to the appropriate parties immediately, whereas periodic reporting may be sufficient for many less sensitive types of control-related information. Good communication will ensure that the speed of communication is consistent with such considerations. Monitoring. The fifth and final component of a comprehensive framework of internal control is monitoring. Just as even the best-constructed house may reasonably be expected to require regular upkeep and occasional repairs, control-related policies and procedures tend naturally to deteriorate over time. Therefore, managers must periodically evaluate their control-related policies and procedures to ensure that they have been properly implemented and remain fully operational. Just as important, many control-related policies and procedures are designed to alert managers to a potential problem rather than to actually eliminate the problem. Therefore an essential element of monitoring is to evaluate how past indications of possible errors and irregularities signaled by control-related policies and procedures have been dealt with. 4 Inherent limitations of internal control While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. For example, as already explained, managers normally are in a position to override whatever control-related policies and procedures they establish. Also, controls dependent upon the segregation of incompatible duties typically could be circumvented through collusion (i.e., individuals intended to act as a control upon one another could instead work together to frustrate the control). Finally, and most important, it would be inappropriate to implement a control-related policy or procedure that would end up costing more than the benefit it was reasonably expected to achieve. Thus, for instance, it sometimes may not be feasible to fully implement the segregation of incompatible duties, in which case alternative (and potentially less effective) methods may need to be employed instead. FROM INTERNAL CONTROL TO ENTERPRISE RISK MANAGEMENT As noted earlier, COSO's 1992 report was groundbreaking and has served ever since as the basis for all serious discussion of internal control. For all that, COSO did not abandon its mission with the 1992 publication of Internal Control - an Integrated Framework. Rather, it decided to enhance its work on internal control by placing it within the even broader context of enterprise risk management. The result was COSO's 2004 publication Enterprise Risk Management - an Integrated Framework (COSO II). COSOII describes enterprise risk management as: a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. This process necessarily involves both individual units within an organization and the organization as a whole. A comprehensive enterprise risk management framework, according to COSOII, is one that provides reasonable assurance (1) that an entity's objectives are being achieved or (2) that management is made aware of risks that could impede their achievement: COSO