内控的五要素Components-of-Internal-Control

ComponentsofInternalControl内部控制要素Internalcontrolconsistsoffiveintegratedcomponents.内部控制包括五个相关关联要素。ControlEnvironment控制环境Thecontrolenvironmentisthesetofstandards,processes,andstructuresthatprovidethebasisforcarryingoutinternalcontrolacrosstheorganization.Theboardofdirectorsandseniormanagementestablishthetoneatthetopregardingtheimportanceofinternalcontrolincludingexpectedstandardsofconduct.Managementreinforcesexpectationsatthevariouslevelsoftheorganization.Thecontrolenvironmentcomprisestheintegrityandethicalvaluesoftheorganization;theparametersenablingtheboardofdirectorstocarryoutitsgovernanceoversightresponsibilities;theorganizationalstructureandassignmentofauthorityandresponsibility;theprocessforattracting,developing,andretainingcompetentindividuals;andtherigoraroundperformancemeasures,incentives,andrewardstodriveaccountabilityforperformance.Theresultingcontrolenvironmenthasapervasiveimpactontheoverallsystemofinternalcontrol.控制环境是一套标准、流程和结构，能够为内部控制实施提供基础。董事会和高级管理层为内部控制重要性（包括期待行为准则）提供高层定调（thetoneatthetop）。组织各个层级管理活动强化了这种期望。控制环境包括了组织正直和道德价值观；促进董事会行使公司治理监控职责机制；吸引、开发和保留人才机制；严格绩效衡量、激励和汇报机制以保证绩效实现。控制环境会对内部控制整体体系产生全面影响。RiskAssessment风险评估Everyentityfacesavarietyofrisksfromexternalandinternalsources.Riskisdefinedasthepossibilitythataneventwilloccurandadverselyaffecttheachievementofobjectives.Riskassessmentinvolvesadynamicanditerativeprocessforidentifyingandassessingriskstotheachievementofobjectives.Riskstotheachievementoftheseobjectivesfromacrosstheentityareconsideredrelativetoestablishedrisktolerances.Thus,riskassessmentformsthebasisfordetermininghowriskswillbemanaged.每个组织都面临着来自内外部各类风险。风险是潜在事件发生并对组织实现其目标产生负面影响可能性。风险评估包括了根据组织要实现目标，动态和反复识别和评估风险过程。将全组织范围影响目标实现风险同已经建立风险容忍度一同考量后，风险评估就为决定风险如何进行管理打下了基础。Apreconditiontoriskassessmentistheestablishmentofobjectives,linkedatdifferentlevelsoftheentity.Managementspecifiesobjectiveswithincategoriesrelatingtooperations,reporting,andcompliancewithsufficientclaritytobeabletoidentifyandanalyzeriskstothoseobjectives.Managementalsoconsidersthesuitabilityoftheobjectivesfortheentity.Riskassessmentalsorequiresmanagementtoconsidertheimpactofpossiblechangesintheexternalenvironmentandwithinitsownbusinessmodelthatmayrenderinternalcontrolineffective.风险评估先决条件是组织各个层级目标确立。管理层要结合运营、报告和遵循三大类目标，明确相应具体目标，以便识别和分析相关风险。管理层也要考虑这些目标对于组织可持续性。风险评估还要求管理层考虑可能导致内控失效外部环境和内部商业模式可能变化。ControlActivities控制活动Controlactivitiesaretheactionsestablishedthroughpoliciesandproceduresthathelpensurethatmanagement’sdirectivestomitigateriskstotheachievementofobjectivesarecarriedout.Controlactivitiesareperformedatalllevelsoftheentity,atvariousstageswithinbusinessprocesses,andoverthetechnologyenvironment.Theymaybepreventiveordetectiveinnatureandmayencompassarangeofmanualandautomatedactivitiessuchasauthorizationsandapprovals,verifications,reconciliations,andbusinessperformancereviews.Segregationofdutiesistypicallybuiltintotheselectionanddevelopmentofcontrolactivities.Wheresegregationofdutiesisnotpractical,managementselectsanddevelopsalternativecontrolactivities.控制活动是通过和流程所确立行动，旨在确保管理层降低影响组织目标实现风险方针得以实现。在组织各个层级，业务各个环节，信息技术整个环境中都应实施控制活动。从性质上，可以是预防性，也可以是检查性；应覆盖手工和自动控制；包括授权和批准，复核，对账和业务绩效评估。不相容职责分离也是典型应选取和推进控制活动。如果不相容职责分离无法实施，管理层应选择和推进替代性控制活动。InformationandCommunication信息与沟通Informationisnecessaryfortheentitytocarryoutinternalcontrolresponsibilitiestosupporttheachievementofitsobjectives.Managementobtainsorgeneratesandusesrelevantandqualityinformationfrombothinternalandexternalsourcestosupportthefunctioningofothercomponentsofinternalcontrol.信息对于组织而言，对推进内控、促进其目标实现是非常必要。管理层从内外部获得或生成，并且使用相关有质量信息来支持内部控制其他要素正常运转。Communicationisthecontinual,iterativeprocessofproviding,sharing,andobtainingnecessaryinformation.Internalcommunicationisthemeansbywhichinformationisdisseminatedthroughouttheorganization,flowingup,down,andacrosstheentity.Itenablespersonneltoreceiveaclearmessagefromseniormanagementthatcontrolresponsibilitiesmustbetakenseriously.Externalcommunicationistwofold:itenablesinboundcommunicationofrelevantexternalinformation,anditprovidesinformationtoexternalpartiesinresponsetorequirementsandexpectations.沟通是一个持续和不断重复提供、分享和获得必要信息过程，。内部沟通是一个手段，使得信息能够在整个组织向上、向下和横向扩散，能够帮助员工接受来自高管层清晰信息——控制职责必须认真实施。外部沟通包括两个部分：将外部相关信息传入组织内部，以及根据其要求和期望，提供信息给外部相关方。MonitoringActivities监督活动Ongoingevaluations,separateevaluations,orsomecombinationofthetwoareusedtoascertainwhethereachofthefivecomponentsofinternalcontrol,includingcontrolstoeffecttheprincipleswithineachcomponent,ispresentandfunctioning.Ongoingevaluations,builtintobusinessprocessesatdifferentlevelsoftheentity,providetimelyinformation.Separateevaluations,conductedperiodically,willvaryinscopeandfrequencydependingonassessmentofrisks,effectivenessofongoingevaluations,andothermanagementconsiderations.Findingsareevaluatedagainstcriteriaestablishedbyregulators,recognizedstandard-settingbodiesormanagementandtheboardofdirectors,anddeficienciesarecommunicatedtomanagementandtheboardofdirectorsasappropriate.持续，独立评价，或者两者某种组合可以用来确认内部控制五个要素以及每个要素下原则是否存在并发挥作用。嵌入整个业务体系持续评价可以提供及时信息；独立评价需要定期开展，其范围和频率可能因风险评估，持续评价有效程度以及管理层其他考虑而有所不同。评价中发现应结合监管者、标准订立机构和管理层、董事会所设定标准进行评估；缺陷应当视情况传递给管理层和董事会。