The COSO Internal Control Model

The COSO internal control framework was first introduced in 1992, and in 1994 a comprehensive four-section report on internal controls was issued, consisting of an executive summary, a framework, guidance to public companies on reporting on internal controls to third parties, and evaluation tools to help a company comprehensively assess its current control environment.

The COSO framework is relevant to achieving company objectives in three areas:

Operational goals: The framework relates to the effective and efficient usage of all of a company's resources.
Financial reporting goals: The construct gives guidance on the consistent production of reliable financial reports.
Compliance goals: The guidance creates a topology of the company’s compliance requirements as they relate to industry regulations or legal requirements for public entities.

The COSO internal control framework sets out three objectives: the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.

The Five Components

1. Control Environment

This element is the foundation of the COSO framework. It sets the overall tone of the organization with regard to the importance of internal controls. Ethical values, leadership resource allocation, staff competence at all levels, the dynamics of authority and responsibility within the organization, and management philosophy are all parts of this critical component.

In a sense, the control environment is the most difficult component to quantify, because much of it relates to the overall culture of the organization. But there are a number of clear goals that an organization can work toward to ensure that the framework rests on a foundation exemplifying market leadership.

Board and leadership involvement is the most crucial element in an organization seeking market leadership. As the board and leadership set expectations and measure progress against them, business units or department heads begin to assign internal controls the priority they require. The specific strategies that can be employed to move to a market-leader position within an industry include the following:

• Conveying the importance of ethical values by setting an example and “walking the talk.” This includes relating stories of integrity and ethical values through presentations, newsletter stories, and any other means of getting the message to everyone that these values are important to the organization. Public companies are now required to have a code of conduct for the board under the requirements laid out by SOX. Nonprofits and private companies can also benefit from a code of conduct. The organization cannot tolerate violations of this standard. There are financial benefits to this approach as well. One research study performed by the Institute of Business Ethics (“Does Business Ethics Pay?,” April 2003) found that companies displaying a clear commitment to ethical conduct consistently outperform companies that do not display ethical conduct.

• Developing clear organizational guidelines relating to responsibility and authority with accountability checks is another clear hallmark of a market leader. Within the organization, leadership typically follows a distributed model, with individuals understanding the overall organizational goals and how the goals of their department or business unit relate to them. Individuals should also understand their responsibilities and the limit of their authority to ensure that the goals of the organization are achieved. When a leadership culture like this is achieved, the whole organization is focused on organizational objectives and committed to the maintenance of the control structure. A guiding coalition of leadership members believing in the need for change is one of the first steps typically taken by organizations that successfully make culture shifts, but changes will take effect slowly and steadily over time.

• Embedding the internal control framework within the organizational culture. Management must clearly define roles and responsibilities for internal controls, including responsibility for the defining, documenting, testing, and monitoring of controls and the remediating of problems. The organization must incorporate these responsibilities into the responsible individuals’ performance management goals.

• The internal controls environment is no longer viewed as separate from the operating component of the business; controls are embedded in processes from the beginning. This approach lowers the risk of inadequate controls and ensures that the control structure is in place from the outset of a process’s planning and launch.

• Supporting human resources policies and practices that provide clear corporate career paths. Human resources management plays a key role in ensuring that individuals are hired with the needed financial competencies and that career growth supports an increased level of financial reporting competencies. (Requirements for human resources and talent.)

2. Risk Assessment

Leading companies take a risk-based approach to SOX internal controls compliance as a key step in achieving a correct balance between costs and benefits. Recent guidance from the Public Company Accounting Oversight Board (PCAOB) supports this approach with specific recommendations, including the use of a risk-based method to determine which key controls are tested each year. The PCAOB also recommends that the viability of a company’s business model is an important consideration when evaluating risks. Companies that focus on these larger problems and risks will better meet the needs of all their stakeholders, including investors and analysts.

Market leaders with respect to internal controls expand the risk focus started under internal compliance efforts to a broader venue. One popular concept that often precedes a mature enterprise risk management initiative is the formation of a risk council. This council is generally composed of management representatives from different areas of the business. Some of the early objectives of risk council meetings are as follows:

Use of a common terminology for risk discussions throughout the organization;
Definition of a risk framework or structure for fostering risk management across the organization;
Characterization of the organization’s current risk capability as well as risk and performance indicators;
Identification of the company’s current spending on risk; and
Formulation of a plan to mitigate the operational risks of the organization.

If they do not already have a risk program, some companies take the risk management process even further with a more formalized, enterprise-wide program headed by a chief risk officer. Under this approach, the organization embeds risk identification and mitigation into its culture in the same way it adopted its internal control framework. The goal is to intertwine risk and business strategy with other organizational systems such as performance management.

Another important aspect to risk assessment is continuous monitoring of the internal and external environment in which the entity operates. This periodic scan of the operational environment can highlight upcoming events affecting both internal controls and risk strategy. Events such as systems change, mergers a