The COSO Internal Control Model

The COSO internal control framework was first introduced in 1992, and in 1994 a comprehensive four-section report on internal controls was issued, consisting of an executive summary, a framework, guidance to public companies on reporting on internal controls to third parties, and evaluation tools to help a company comprehensively assess its current control environment.

The COSO framework is relevant to achieving company objectives in three areas:

Operational goals: The framework relates to the effective and efficient usage of all of a company's resources.

Financial reporting goals: The construct gives guidance on the consistent production of reliable financial reports.

Compliance goals: The guidance creates a topology of the company’s compliance requirements as they relate to industry regulations or legal requirements for public entities.

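The COSO internal control framework sets out three objectives: the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.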

The Five Components

1. Control Environment

This element is the foundation of the COSO framework. It sets the overall tone of the organization with regard to the importance of internal controls. Ethical values, leadership resource allocation, staff competence at all levels, the dynamics of authority and responsibility within the organization, and management philosophy are all parts of this critical component.

In a sense, the control environment is the most difficult component to quantify, because much of it relates to the overall culture of the organization. But there are a number of clear goals that an organization can work toward to ensure that the framework rests on a foundation exemplifying market leadership.

Board and leadership involvement is the most crucial element in an organization seeking market leadership. As the board and leadership set expectations and measure progress against them, business units or department heads begin to assign internal controls the priority they require. The specific strategies that can be employed to move to a market-leader position within an industry include the following:

∙ Conveying the importance of ethical values by setting an example and “walking the talk.” This includes relating stories of integrity and ethical values through presentations, newsletter stories, and any other means of getting the message to everyone that these values are important to the organization. Public companies are now required to have a code of conduct for the board under the requirements laid out by SOX. Nonprofits and private companies can also benefit from a code of conduct. The organization cannot tolerate violations of this standard. There are financial benefits to this approach as well. One research study performed by the Institute of Business Ethics (“Does Business Ethics Pay?,” April 2003) found that companies displaying a clear commitment to ethical conduct consistently outperform companies that do not display ethical conduct.

∙ Developing clear organizational guidelines relating to responsibility and authority with accountability checks is another clear hallmark of a market leader. Within the organization, leadership typically follows a distributed model, with individuals understanding the overall organizational goals and how the goals of their department or business unit relate to them. Individuals should also understand their responsibilities and the limit of their authority to ensure that the goals of the organization are achieved. When a leadership culture like this is achieved, the whole organization is focused on organizational objectives and committed to the maintenance of the control structure. A guiding coalition of leadership members believing in the need for change is one of the first steps typically taken by organizations that successfully make culture shifts, but changes will take effect slowly and steadily over time.

∙ Embedding the internal control framework within the organizational culture. Management must clearly define roles and responsibilities for internal controls, including responsibility for the defining, documenting, testing, and monitoring of controls and the remediating of problems. The organization must incorporate these responsibilities into the responsible individuals’ performance management goals.

∙ The internal controls environment is no longer viewed as separate from the operating component of the business; controls are embedded in processes from the beginning. This approach lowers the risk of inadequate controls and ensures that the control structure is in place from the outset of a process’s planning and launch.

∙ Supporting human resources policies and practices that provide clear corporate career paths. Human resources management plays a key role in ensuring that individuals are hired with the needed financial competencies and that career growth supports an increased level of financial reporting competencies.

2. Risk Assessment

Leading companies take a risk-based approach to SOX internal controls compliance as a key step in achieving a correct balance between costs and benefits. Recent guidance from the Public Company Accounting Oversight Board (PCAOB) supports this approach with specific recommendations, including the use of a risk-based method to determine which key controls are tested each year. The PCAOB also recommends that the viability of a company’s business model is an important consideration when evaluating risks. Companies that focus on these larger problems and risks will better meet the needs of all their stakeholders, including investors and analysts.

Market leaders with respect to internal controls expand the risk focus started under internal compliance efforts to a broader venue. One popular concept that often precedes a mature enterprise risk management initiative is the formation of a risk council. This council is generally composed of management representatives from different areas of the business. Some of the early objectives of risk council meetings are as follows:

Use of a common terminology for risk discussions throughout the organization;

Definition of a risk framework or structure for fostering risk management across the organization;

Characterization of the organization’s current risk capability as well as risk and performance indicators;

Identification of the company’s current spending on risk; and

Formulation of a plan to mitigate the operational risks of the organization.

If they do not already have a risk program, some companies take the risk management process even further with a more formalized, enterprise-wide program headed by a chief risk officer. Under this approach, the organization embeds risk identification and mitigation into its culture in the same way it adopted its internal control framework. The goal is to intertwine risk and business strategy with other organizational systems such as performance management.

Another important aspect to risk assessment is continuous monitoring of the internal and external environment in which the entity operates. This periodic scan of the operational environment can highlight upcoming events affecting both internal controls and risk strategy. Events such as systems change, mergers and acquisitions, loss of key personnel, and other events may require a closer look at existing controls and risk management

3. Control Activities

Market leadership in the actual design of controls requires corporate-wide coordination and the involvement of ownership. Policies are set enterprise-wide, allowing an efficient implementation while avoiding duplicate efforts and definitions. Control design workshops or training can raise the knowledge and capability of management and staff to deal with defining, documenting, managing, testing, and reporting on internal controls. Global organizations have recently begun to roll these sessions out through online training sessions for foreign registrant compliance with SOX section 404. These modules can be used with more-experienced users to reinforce other objectives, such as a return to basic controls and an emphasis on continuous improvement. Leading organizations have moved to more-comprehensive training on basic accounting concepts, and in the process have improved the timing of their closing cycle, implemented process improvements, and reduced the error rate in accounting transactions.

Market leaders have focused controls on prevention rather than detection (see the Sidebar on types of controls). They have reengineered business processes, where needed, to incorporate prevention. Automating control checks by utilizing software features that can complete checks without any specific action is also beneficial. Internal auditing can help provide direction to business process owners searching for the best approach to use. Working closely with the board will help the internal audit function receive the company-wide exposure necessary for business process owners to recognize the value delivered to the organization. It will also make it more likely that business process owners will “buy in” to the process.

Leading-edge companies in internal controls implementation effectively utilize technology in several ways. First, they build in controls wherever cost-effective, because this one-time change activates a continual and long-lasting process of control testing. Automated control testing also brings about a quicker response time to potential problems and needed corrections.

Management can also utilize technology to support the documentation and testing components of their control activities. Numerous vendors (e.g., BWise, Methodware) provide customizable software to provide a consistent approach across the enterprise. The use of software to support these efforts is not limited to large companies, as many programs are scalable and affordable for small companies. These programs help ensure that the initial investment in documentation and testing is well maintained and that compliance efforts will be sustained into the future. They can also serve as a basis for higher-value initiatives downstream, such as business process improvement and more-comprehensive risk management activities.

4. Information and Communication

An open flow of information and ease of communication within an organization are essential with any new initiative. Experienced project managers are well versed in the communications needed to disperse information to stakeholders. They also have experience with change management, which can contribute to the timelier acceptance of new processes and the continuous improvement needed to excel. Experienced project managers will build measurements into the plans to assess success.

Leading companies foster open communication between internal auditors, management, and external auditors. The first year of SOX implementation for accelerated filers resulted in less than ideal communications with external auditors, according to the SEC April 2005 Roundtable on Internal Control Reporting Provisions. Recent recommendations from the SEC and the PCAOB have clarified expectations regarding external auditor communications, with the specific goal of improving the quality of testing, documentation, and remediation in the control environment, thus adding business value.

Information overload is prevalent throughout business. In the “information economy,” management is frequently overwhelmed by the quantity of data available, often resulting in a failure to convert important business information into knowledge to support their competitive advantage in the marketplace. Leading companies have recognized that effective reporting of exceptions and an “executive dashboard” approach are the best ways to focus attention on important information, and they can avoid placing management adrift in a sea of meaningless data from endless sources.

5. Monitoring

Control self-assessments (CSA) can play an important part in monitoring internal controls. CSAs place the responsibility for assurance that controls are in place and functioning with the business process owners, consigning ownership exactly where it belongs under the dynamics of typical organizational behavior.

Several questions from a CSA on a company’s accounts payable process are shown in Exhibit 2. The IIA website has numerous examples. Another CSA option is an interactive workshop, which uses a facilitator to draw out control information from management. This approach leaves control with management, allowing the organizational process owners to follow up downstream with surveys or questionnaires in subsequent periods, further refining the work product. Monitoring efforts are best focused on leading indicators that allow time for correction, rather than lagging indicators that do not. The best reports for monitoring internal controls contain integrated information from both internal and external sources. Software packages can facilitate pulling together data from disparate systems and processes.

In many organizations, the internal auditors are responsible for conducting a formal review of internal control work. Such a review should be conducted annually and should take advantage of “lessons learned” from SOX activities, as well as input from the external auditor.
