Yisheng Translation Company (譯聲翻譯公司) provides professional COSO report translation services
US COSO Report in English - Internal Control Translation
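The COSO report was issued in 1992 by the US COSO committee (the "Committee of Sponsoring Organizations" formed by five US organizations: AICPA, AAA, IIA, IMA and FEI). It is currently the world's most authoritative document and standard on internal control. Many accounting papers cite the COSO report, but we have never had the chance to see its original text. The author recently had the good fortune to obtain an English original of the COSO report and has translated its first part: the Executive Summary. This translation received guidance and approval from Mr. Zhang Yixuan, a board member of the Institute of Internal Auditors.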
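COSO Report
Internal Control - Integrated Framework, Second Edition, 1994
◆ Executive Summary
◆ Framework
◆ Reporting to External Parties, September 1992
◆ Addendum to Reporting to External Parties, May 1994
COSO Committee
Executive Summary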
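Senior managers have long searched for ways to better control the enterprises they manage. Internal controls are put in place to keep the company, in the course of its operations, on track toward its profitability goals and the achievement of its mission, and to minimize (the impact of) unexpected events along the way. They enable managers to handle transactions, the needs and priorities of sophisticated customers, and restructuring for future growth in rapidly changing economic and competitive environments. Internal controls promote efficiency, reduce the risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.
Because internal control serves many important purposes, demand for better internal control systems and for reports on them is growing, and internal control is increasingly seen as able to solve a variety of potential problems.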
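What Internal Control Is
Internal control means different things to different people. This causes confusion among businesspeople, legislators, regulators and others, and so leads to miscommunication and differing expectations within an enterprise. If the term is not clearly defined, the issue becomes confused when it is written into laws, regulations and rules.
This report takes into account the needs and expectations of management and others. It defines and describes internal control in order to:
● Establish a common definition that serves the needs of different groups;
● Provide a standard against which businesses and other entities (large or small; private or public sector; for-profit or not-for-profit) can assess their control systems and discuss how to improve them.
Internal control is broadly defined as a process, carried out by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
● Effective and efficient operations;
● Reliable financial reporting;
● Compliance with applicable laws and regulations.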
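The first category covers the activities an entity undertakes for its business purposes, including operating performance, profitability goals and the safeguarding of resources. The second concerns the preparation of reliable published financial reports, including interim and condensed financial statements and financial data selected from those statements, for example the release of earnings and reported policies. The third deals with the effect on the enterprise of complying with these laws and regulations. These distinct but overlapping categories address different needs and allow a direct focus on specific needs.
Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have the following reasonable assurance:
● They understand the extent and degree to which the enterprise's operating objectives have been achieved;
● Published financial statements have been prepared reliably;
● Applicable laws and regulations have been complied with.
Internal control as a whole is a process; its effectiveness is (reflected in) the state or condition of that process at one or more points in time.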
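Internal control consists of five interrelated components, which are derived from the way management runs an enterprise and from the overall management process. Although these components apply to all entities (enterprises), small or mid-size companies may find them somewhat harder to implement than large enterprises. Their controls may be less formal and less structured, yet a small company can still have effective internal control. The components are:
● Control Environment--The control environment is established at the top of an organization and influences the control consciousness of its employees. It is the foundation for all other components of internal control, providing discipline and structure (for control). Control environment factors include the integrity, ethical values and competence of the enterprise's employees; management's philosophy and operating style; the way management assigns authority and responsibility; the organization and development of its human resources; and the attention and direction provided by the board of directors.
● Risk Assessment--Every enterprise faces a variety of risks from internal and external sources that must be assessed. A precondition for risk assessment is setting objectives that are limited at different levels and internally consistent. Risk assessment is the identification and analysis of the risks relevant to successfully achieving the objectives, forming a basis for discussing how the risks should be managed. Because economic, industry, management and operating conditions will continue to change, there must be a mechanism for identifying and dealing with the special risks associated with such change.
● Control Activities--Control activities are the policies and procedures that help ensure management's measures are carried out. They help ensure that the necessary actions are taken to respond to risks and successfully achieve the enterprise's objectives. Control activities occur throughout the enterprise, at all levels and in all functions. They span a range of activities including reviews, approvals, re-examinations, reconciliations, checks of operating performance, safeguarding of assets and segregation of duties.
● Information and Communication--Pertinent information must be identified, recorded and exchanged, in a given form and at an appropriate time, among the people able to carry out their responsibilities. Information systems produce reports containing operating, financial and related departmental information, used to manage and control the enterprise. This involves not only internally generated information; information about external activities, events and conditions must also be available to the enterprise for decision-making and external reporting. Effective communication must also take place in a broad sense, flowing down, across and up within an organization. All personnel must receive a clear message from the top that control responsibilities must be taken seriously. They must understand their own roles and tasks in the control system, and how individual activities relate to the work of others. They must have a means of communicating significant information to higher levels. They also need to communicate effectively with external organizations, for example customers, suppliers, legislators and shareholders.
● Monitoring--Internal control systems must be monitored; monitoring is a process that tests the quality of the system's performance over past periods. It is accomplished through ongoing monitoring activities, separate evaluations, or both. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions employees take in performing their duties. The scope and frequency of separate evaluations depend primarily on the assessment of risks and the effectiveness of ongoing monitoring. Internal control discrepancies should be reported upward, and serious matters should be reported to top management and the board of directors.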
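Each of these components is coordinated and linked with the others, and an integrated system can respond effectively to changing conditions. The internal control system is intertwined with the enterprise's operating activities and exists for business reasons. Internal control is more effective when controls are built into the foundations of the enterprise and are part of its basis. Built-in controls that are backed by quality and active empowerment avoid unnecessary costs and allow rapid response to changing conditions.
The three categories of objectives an enterprise strives to achieve are directly related to the components needed to achieve them. All components are relevant to each category of objectives. When looking at any one category, for example the efficiency and effectiveness of operations, all five components must be present and operating effectively for internal control over the whole of operations to be effective.
The definition of internal control, together with its underlying fundamental concept of a process, the effectiveness of people, the reasonable assurance provided jointly by the objective categories, components and effectiveness criteria, and the associated discussion, constitutes the internal control framework.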
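What Internal Control Can Do
Internal control can help an enterprise achieve its performance and profitability targets and prevent the loss of resources. It can help ensure reliable financial reporting. It can help the enterprise comply with laws and regulations, avoiding damage to its reputation and other consequences. In short, it can help an enterprise reach its goals where it wants to go, avoid pitfalls, and move forward surprisingly well.
What Internal Control Cannot Do
Unfortunately, some people hold expectations that are too great and unrealistic. They look for complete, absolute certainty, believing that:
● Internal control can ensure an enterprise's success; that is, it will ensure achievement of basic business objectives, or will at least ensure survival (in competition).
Appropriate, effective internal control can only help an enterprise achieve these objectives. It provides management with information about the enterprise's progress, or its shortcomings, to help them achieve (these objectives). But internal control cannot turn an inherently poor manager into a good one, nor can it change government policies and programs, competitors' actions or economic conditions that are beyond management's control. Internal control cannot ensure success, or even survival.
● Internal control can ensure the reliability of financial reporting and compliance with laws and regulations.
This belief is equally unfounded. An internal control system, however it is designed and operated, can provide only reasonable, not absolute, assurance to management and the board regarding achievement of the enterprise's objectives. Because of the limitations inherent in all internal control systems, the likelihood of achievement is illusory. These limitations include the realities that judgments in decision-making may be imperfect and that failures can occur because of simple error or misunderstanding. In addition, controls can be circumvented by the collusion of two or more people, and management has the power to override the system. Another limiting factor is that the design of an internal control system must reflect the fact of resource constraints, and the benefits of controls must be matched against their costs.
Thus, while internal control on the whole can help an enterprise achieve its objectives, it is not a panacea.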
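Roles and Responsibilities
Everyone in an organization has responsibility for internal control.
● Management--The chief executive bears ultimate responsibility and should act as the "owner" of the system. More than any other individual, the chief executive sets the "tone from the top" that affects integrity, ethics and the other factors of the control environment. In most companies, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they control the business. Senior managers, in turn, assign responsibility for establishing most of the specific internal control policies and procedures to the individuals responsible for each unit's functions. In smaller enterprises, the influence of the chief executive, who is often also the owner, is usually more direct. In any case, in a cascading (structure of) responsibility, a manager is effectively the chief executive of his or her own sphere of responsibility. Of particular importance are financial officers and their staffs, whose control activities run up and down and across the operating and other units of the enterprise.
● Board of Directors--Management is responsible for providing the board of directors with governance, guidance and (information on) errors. Effective board members are objective, capable and inquisitive. They also have knowledge of the enterprise's activities and environment, and the time necessary to fulfill their board responsibilities. Management may be in a position to override controls, to ignore or stifle communications from subordinates, and to empower a dishonest manager who deliberately misrepresents results to cover his tracks. A strong, active board, particularly when combined with effective upward communication channels and financial, legal and internal audit functions, is often best able to identify and correct such problems.
● Internal Auditors--Internal auditors play an important role in evaluating the effectiveness of control systems and contribute to improving effectiveness. Because of its organizational position and authority within an enterprise, the internal audit function often plays an important advisory role.
● Other Personnel--Internal control is, to some degree, the responsibility of everyone in an organization, and should therefore be described as an explicit or implicit part of everyone's job. Virtually every employee produces information used in the internal control system or carries out other activities that must be controlled. Likewise, all personnel are responsible for communicating upward problems in operations, for example noncompliance with the code of conduct, other policy violations or illegal activities.
Members of external organizations often contribute to the achievement of an organization's objectives. External auditors carry out independent and objective examinations, fulfilling their responsibility directly through the audit of financial statements and indirectly by providing useful information to the board and management. Others who provide information useful for the enterprise's effective internal control are legislators, regulators, customers and others who do business with the enterprise, financial analysts, bondholders and the news media. External organizations, however, bear no responsibility for it and are not part of the enterprise's internal control system.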
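Organization of this Report
This report is in four volumes (Note: the COSO report was published in September 1992 in four volumes, and a report on external parties was published as an addendum in May 1994; in the 1994 edition, the first three volumes and the addendum are bound as one book, with "Evaluation Tools" in the second book). The first volume is the Executive Summary, a high-level overview of the internal control framework intended to guide chief executives and other senior executives, board members, legislators and regulators.
The second volume, the Framework, defines internal control, describes its components, and provides criteria against which management, board members or others can assess their control systems.
The third volume, Reporting to External Parties, is a supplemental document providing guidance to entities that report publicly on internal control over the preparation of their published financial statements.
The fourth volume, Evaluation Tools, provides materials useful in carrying out an internal control system.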
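What to Do
Actions that might be taken as a result of this report depend on the role and position of the parties involved, including:
● Senior Management--Most senior executives who contributed to this study believe they basically have their organizations "under control". Many said that, however their company is divided up, whether a division, a department or a control component that cuts across activities, there are areas where controls are at an early stage of development or otherwise need strengthening. They do not like surprises. This study suggests that the chief executive initiate a self-assessment of control activities. Using this framework, a CEO, together with key operating and financial executives, can focus attention where it is needed. Under one approach, the chief executive would hold discussions with business unit heads and key functional staff to begin the control assessment, direct these individuals to discuss this report's concepts with their lead personnel, provide the shortcomings of the initial assessment process within their areas of responsibility, and report back findings. Another approach might include an initial review of corporate and business unit policies and internal audit programs. Whatever its form, the initial self-assessment will determine whether a broader, much more in-depth evaluation is needed and how to carry it out. It will also ensure that ongoing monitoring processes are appropriate. Time spent evaluating internal control is an investment, but one with a high return.
● Board Members--Board members should discuss the state of the enterprise's internal control system with senior management and, as necessary, raise its shortcomings. They should seek input from the internal and external auditors.
● Other Personnel--Managers and other personnel should consider how their control responsibilities are carried out in light of this framework, and discuss ideas for strengthening control with more senior personnel. Internal auditors should consider the breadth of their focus on the internal control system, and may wish to compare their evaluation materials with the evaluation tools.
● Legislators and Regulators--Government officials who draft and enforce laws recognize that virtually anything published can give rise to misconceptions and differing expectations. Expectations for internal control vary very widely in two respects. First, they differ about what control systems can accomplish; note that some observers believe internal control systems must, or should, prevent economic loss, or at least prevent business failure. Second, even when there is agreement about what internal control systems can and cannot do, and about the validity of the "reasonable assurance" concept, there are still entirely different views of what the concept means and how it will be applied. Corporate executives have expressed concern, in hindsight after an alleged control failure, about how regulators might interpret the "reasonable assurance" asserted in public reports. Before legislators or enforcers communicate with management about reports of internal control not operating properly, agreement should be reached on a common internal control framework, including the limitations of internal control. This framework will help in reaching such agreement.
● Professional Organizations--Rule-making bodies and other professional organizations that provide guidance on financial management, auditing and related topics should consider their standards and guidance in light of this framework. To that extent, differences in concepts and terminology will be eliminated.
● Educational and Training Institutions--This framework is a subject for academic research and analysis, and further enhancements can be expected. Presumably, this report has been accepted as a basis for common understanding. Its concepts and terms will find their way into university curricula.
We believe this report offers a great many benefits. On the basis of mutual understanding, all parties will speak a common language and communicate more effectively. Business executives will be positioned to assess control systems against a standard, strengthen those systems and move their enterprises toward the accepted goals. Further research can build on the accepted base. Legislators and regulators will gain an increased understanding of internal control, its benefits and its limitations. With all parties using a common internal control framework, these benefits will be realized.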
Legislators and Regulators--Government officials who write or enforce
laws recognize that there can be misconceptions and different expectations
about virtually any issue. Expectations for internal control vary widely in two
respects. First, they differ regarding what control systems can accomplish. As
noted, some observers believe internal control systems will, or should, prevent
economic loss, or at least prevent companies from going out of business.
Second, even when there is agreement about what internal control systems can
and can't do, and about the validity of the "reasonable assurance"
concept, there can be disparate views of what that concept means and how it
will be applied. Corporate executives have expressed concern regarding how regulators
might construe public reports asserting "reasonable assurance" in
hindsight after an alleged control failure has occurred. Before legislation or
regulation dealing with management reporting on internal control is acted upon,
there should be agreement on a common internal control framework, including
limitations of internal control. This framework should be helpful in reaching
such agreement.
Professional Organizations--Rule-making and other professional
organizations providing guidance on financial management, auditing and related
topics should consider their standards and guidance in light of this framework.
To the extent diversity in concept and terminology is eliminated, all parties
will benefit.
Educators--This framework should be the subject of
academic research and analysis, to see where future enhancements can be made.
With the presumption that this report becomes accepted as a common ground for
understanding, its concepts and terms should find their way into university
curricula.
We believe this report offers a number of
benefits. With this foundation for mutual understanding, all parties will be
able to speak a common language and communicate more effectively. Business
executives will be positioned to assess control systems against a standard, and
strengthen the systems and move their enterprises toward established goals.
Future research can be leveraged off an established base. Legislators and
regulators will be able to gain an increased understanding of internal control,
its benefits and limitations. With all parties utilizing a common internal
control framework, these benefits will be realized.
Senior Management--Most senior executives who contributed to
this study believe they are basically "in control" of their
organizations. Many said, however, that there are areas of their company--a
division, a department or a control component that cuts across
activities--where controls are in early stages of development or otherwise need
to be strengthened. They do not like surprises. This study suggests that the
chief executive initiate a self-assessment of the control system. Using this
framework, a CEO, together with key operating and financial executives, can
focus attention where needed. Under one approach, the chief executive could proceed
by bringing together business unit heads and key functional staff to discuss an
initial assessment of control. Directives would be provided for those
individuals to discuss this report's concepts with their lead personnel,
provide oversight of the initial assessment process in their areas of
responsibility and report back findings. Another approach might involve an
initial review of corporate and business unit policies and internal audit
programs. Whatever its form, an initial self-assessment should determine
whether there is a need for, and how to proceed with, a broader, more in-depth
evaluation. It should also ensure that ongoing monitoring processes are in
place. Time spent in evaluating internal control represents an investment, but
one with a high return.
Board Members--Members of the board of directors should
discuss with senior management the state of the entity's internal control
system and provide oversight as needed. They should seek input from the
internal and external auditors.
Other Personnel--Managers and other personnel should
consider how their control responsibilities are being conducted in light of
this framework, and discuss with more senior personnel ideas for strengthening
control. Internal auditors should consider the breadth of their focus on the
internal control system, and may wish to compare their evaluation materials to
the evaluation tools.
This report is in four volumes. The first
is this Executive Summary, a high-level overview of the internal control
framework directed to the chief executive and other senior executives, board
members, legislators and regulators.
The second volume, the Framework, defines
internal control, describes its components and provides criteria against which
managements, boards or others can assess their control systems. The Executive
Summary is included.
The third volume, Reporting to External
Parties, is a supplemental document providing guidance to those entities that
report publicly on internal control over preparation of their published
financial statements, or are contemplating doing so.
The fourth volume, Evaluation Tools,
provides materials that may be useful in conducting an evaluation of an internal
control system.
What to Do
Actions that might be taken as a result of
this report depend on the position and role of the parties involved:
Internal Auditors--Internal auditors play an important role
in evaluating the effectiveness of control systems, and contribute to ongoing
effectiveness. Because of organizational position and authority in an entity,
an internal audit function often plays a significant monitoring role.
Other Personnel--Internal control is, to some degree, the
responsibility of everyone in an organization and therefore should be an
explicit or implicit part of everyone's job description. Virtually all
employees produce information used in the internal control system or take other
actions needed to effect control. Also, all personnel should be responsible for
communicating upward problems in operations, noncompliance with the code of
conduct, or other policy violations or illegal actions.
A number of external parties often
contribute to achievement of an entity's objectives. External auditors,
bringing an independent and objective view, contribute directly through the
financial statement audit and indirectly by providing information useful to
management and the board in carrying out their responsibilities. Others
providing information to the entity useful in effecting internal control are
legislators and regulators, customers and others transacting business with the
enterprise, financial analysts, bond raters and the news media. External
parties, however, are not responsible for, nor are they a part of, the entity's
internal control system.
Organization of this Report
This belief is also unwarranted. An
internal control system, no matter how well conceived and operated, can provide
only reasonable--not absolute--assurance to management and the board regarding
achievement of an entity's objectives. The likelihood of achievement is
affected by limitations inherent in all internal control systems. These include
the realities that judgments in decision-making can be faulty, and that
breakdowns can occur because of simple error or mistake. Additionally, controls
can be circumvented by the collusion of two or more people, and management has
the ability to override the system. Another limiting factor is that the design
of an internal control system must reflect the fact that there are resource constraints,
and the benefits of controls must be considered relative to their costs.
Thus, while internal control can help an
entity achieve its objectives, it is not a panacea.
Roles and Responsibilities
Everyone in an organization has responsibility
for internal control.
Management--The chief executive officer is ultimately
responsible and should assume "ownership" of the system. More than
any other individual, the chief executive sets the "tone at the top"
that affects integrity and ethics and other factors of a positive control
environment. In a large company, the chief executive fulfills this duty by
providing leadership and direction to senior managers and reviewing the way
they're controlling the business. Senior managers, in turn, assign
responsibility for establishment of more specific internal control policies and
procedures to personnel responsible for the unit's functions. In a smaller
entity, the influence of the chief executive, often an owner-manager, is
usually more direct. In any event, in a cascading responsibility, a manager is
effectively a chief executive of his or her sphere of responsibility. Of
particular significance are financial officers and their staffs, whose control
activities cut across, as well as up and down, the operating and other units of
an enterprise.
Board of Directors--Management is
accountable to the board of directors, which provides governance, guidance and
oversight. Effective board members are objective, capable and inquisitive. They
also have a knowledge of the entity's activities and environment, and commit
the time necessary to fulfill their board responsibilities. Management may be
in a position to override controls and ignore or stifle communications from
subordinates, enabling a dishonest management which intentionally misrepresents
results to cover its tracks. A strong, active board, particularly when coupled
with effective upward communications channels and capable financial, legal and
internal audit functions, is often best able to identify and correct such a
problem.
The internal control definition--with its
underlying fundamental concepts of a process, effected by people, providing
reasonable assurance--together with the categorization of objectives and the
components and criteria for effectiveness, and the associated discussions,
constitute this internal control framework.
What Internal Control Can Do
Internal control can help an entity achieve
its performance and profitability targets, and prevent loss of resources. It
can help ensure reliable financial reporting. And it can help ensure that the
enterprise complies with laws and regulations, avoiding damage to its reputation
and other consequences. In sum, it can help an entity get to where it wants to
go, and avoid pitfalls and surprises along the way.
What Internal Control Cannot Do
Unfortunately, some people have greater,
and unrealistic, expectations. They look for absolutes, believing that:
● Internal control can ensure an entity's
success--that is, it will ensure achievement of basic business objectives or
will, at the least, ensure survival.
Even effective internal control can only
help an entity achieve these objectives. It can provide management information
about the entity's progress, or lack of it, toward their achievement. But
internal control cannot change an inherently poor manager into a good one. And,
shifts in government policy or programs, competitors' actions or economic
conditions can be beyond management's control. Internal control cannot ensure
success, or even survival.
● Internal control can ensure the reliability
of financial reporting and compliance with laws and regulations.
Monitoring--Internal control systems need to be
monitored--a process that assesses the quality of the system's performance over
time. This is accomplished through ongoing monitoring activities, separate
evaluations or a combination of the two. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory
activities, and other actions personnel take in performing their duties. The
scope and frequency of separate evaluations will depend primarily on an
assessment of risks and the effectiveness of ongoing monitoring procedures.
Internal control deficiencies should be reported upstream, with serious matters
reported to top management and the board.
There is synergy and linkage among these components, forming an integrated system
that reacts dynamically to changing conditions. The internal control system is
intertwined with the entity's operating activities and exists for fundamental
business reasons. Internal control is most effective when controls are built
into the entity's infrastructure and are a part of the essence of the
enterprise. "Built in" controls support quality and empowerment
initiatives, avoid unnecessary costs and enable quick response to changing
conditions.
There is a direct relationship between the three categories of objectives, which are
what an entity strives to achieve, and components, which represent what is
needed to achieve the objectives. All components are relevant to each
objectives category. When looking at any one category--the effectiveness and
efficiency of operations, for instance--all five components must be present and
functioning effectively to conclude that internal control over operations is
effective.
Control Environment--The control environment sets the tone of
an organization, influencing the control consciousness of its people. It is the
foundation for all other components of internal control, providing discipline
and structure. Control environment factors include the integrity, ethical
values and competence of the entity's people; management's philosophy and
operating style; the way management assigns authority and responsibility, and
organizes and develops its people; and the attention and direction provided by
the board of directors.
Risk Assessment--Every entity faces a
variety of risks from external and internal sources that must be assessed. A
precondition to risk assessment is establishment of objectives, linked at
different levels and internally consistent. Risk assessment is the
identification and analysis of relevant risks to achievement of the objectives,
forming a basis for determining how the risks should be managed. Because
economic, industry, regulatory and operating conditions will continue to
change, mechanisms are needed to identify and deal with the special risks
associated with change.
Control Activities--Control activities are the policies and
procedures that help ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to achievement of the
entity's objectives. Control activities occur throughout the organization, at
all levels and in all functions. They include a range of activities as diverse
as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
Information and Communication--Pertinent information must be identified,
captured and communicated in a form and timeframe that enable people to carry
out their responsibilities. Information systems produce reports, containing
operational, financial and compliance-related information, that make it
possible to run and control the business. They deal not only with internally generated
data, but also information about external events, activities and conditions
necessary to informed business decision-making and external reporting.
Effective communication also must occur in a broader sense, flowing down,
across and up the organization. All personnel must receive a clear message from
top management that control responsibilities must be taken seriously. They must
understand their own role in the internal control system, as well as how
individual activities relate to the work of others. They must have a means of
communicating significant information upstream. There also needs to be
effective communication with external parties, such as customers, suppliers, regulators
and shareholders.
The first category addresses an entity's
basic business objectives, including performance and profitability goals and
safeguarding of resources. The second relates to the preparation of reliable
published financial statements, including interim and condensed financial
statements and selected financial data derived from such statements, such as
earnings releases, reported publicly. The third deals with complying with those
laws and regulations to which the entity is subject. These distinct but
overlapping categories address different needs and allow a directed focus to
meet the separate needs.
Internal control systems operate at
different levels of effectiveness. Internal control can be judged effective in
each of the three categories, respectively, if the board of directors and
management have reasonable assurance that:
They understand the extent to which the
entity's operations objectives are being achieved.
Published financial statements are being
prepared reliably.
Applicable laws and regulations are being
complied with.
While internal control is a process, its
effectiveness is a state or condition of the process at one or more points in
time.
Internal control consists of five interrelated components. These are derived from the
way management runs a business, and are integrated with the management process.
Although the components apply to all entities, small and mid-size companies may
implement them differently than large ones. Its controls may be less formal and
less structured, yet a small company can still have effective internal control.
The components are:
Internal Control - Integrated Framework
Executive Summary
Senior executives have long sought ways to
better control the enterprises they run. Internal controls are put in place to
keep the company on course toward profitability goals and achievement of its
mission, and to minimize surprises along the way. They enable management to
deal with rapidly changing economic and competitive environments, shifting
customer demands and priorities, and restructuring for future growth. Internal
controls promote efficiency, reduce risk of asset loss, and help ensure the
reliability of financial statements and compliance with laws and regulations.
Because internal control serves many
important purposes, there are increasing calls for better internal control
systems and report cards on them. Internal control is looked upon more and more
as a solution to a variety of potential problems.
What Internal Control Is
Internal control means different things to
different people. This causes confusion among businesspeople, legislators,
regulators and others. Resulting miscommunication and different expectations
cause problems within an enterprise. Problems are compounded when the term, if
not clearly defined, is written into law, regulation or rule.
This report deals with the needs and
expectations of management and others. It defines and describes internal
control to:
Establish a common definition serving the
needs of different parties.
Provide a standard against which business and
other entities--large or small, in the public or private sector, for profit or
not--can assess their control systems and determine how to improve them.
Internal control is broadly defined as a
process, effected by an entity's board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement
of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and
regulations.