财务天地 (Finance World)

《Internal control-Integrated framework》

  • Author: AICPA
  • Publisher:
  • Publication date: 2009
  • ISBN: 61323  Pages:
  • Dimensions:  Edition:
  • List price: $350.00
  • Category: Internal control and internal audit > Other books

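Introduction

The importance of monitoring among the five components of internal control is self-evident, yet many companies lack effective monitoring procedures, do not carry out their existing monitoring procedures well, do not make full and effective use of the results or data obtained through monitoring, or adopt excessive monitoring procedures; in short, their monitoring is not effective. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) published Internal Control - Integrated Framework in 1992, followed by Internal Control over Financial Reporting — Guidance for Smaller Public Companies in 2006, and then released this book in January 2009. As the book states, its main purposes are: first, to help organizations improve the effectiveness and efficiency of their internal control; and second, to provide practical monitoring tools so that monitoring, one of the five components of internal control, can be used to full effect.

Editor's Note

Summary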

The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing.

Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control.

COSO’s Monitoring Guidance is designed to improve the use of monitoring by helping organizations:

Identify and maximize effective monitoring, and

Identify and improve ineffective or inefficient monitoring

In both instances, the internal control system may be improved, increasing the likelihood that organizational objectives will be achieved.

The culmination of two years of expert critical debate, the guidance brings together leading practices at large and small organizations and provides in-depth guidance for implementing the monitoring component of COSO's Internal Control—Integrated Framework.

Guidance on Monitoring Internal Control Systems details:

COSO's Monitoring Guidance suggests that effective and efficient monitoring is best achieved by:

Establishing a foundation for monitoring, including a proper tone at the top, organizational structure and a baseline understanding of internal control effectiveness

Designing and executing monitoring procedures that seek to evaluate persuasive information about key controls addressing meaningful risks to organizational objectives

Assessing results and reporting them to appropriate parties

The guidance covers these and other topics in an easy-to-read, three-volume set.

The three-volume set includes:

Volume I: Presents the fundamental principles of effective monitoring and develops the linkage to the COSO Framework

Volume II: Presents in greater detail the principles outlined in Volume I and provides guidance to those responsible for implementing effective monitoring

Volume III: Contains examples of effective monitoring

A free summary of the guidance and its intended purpose is posted on the Excerpts tab above.

About the Author

Table of Contents

Introduction
Establish a Foundation for Monitoring
Tone at the Top
Example 1: Consistent development and communication of expectations regarding internal control, including monitoring
Example 2: Use of a formal risk committee to develop and communicate monitoring expectations
Example 3: Internal audit policy that encourages self-assessment and self-reporting of potential control problems
Organizational Structure
Example 4: Clearly articulated roles and responsibilities through the establishment of preparer/reviewer standards for key journal entries
Example 5: Use of a formal risk committee to develop and communicate expectations
Example 6: Creation of a Risk Control function to facilitate both the development of controls and the monitoring of those controls
Example 7: Clear assignment of oversight responsibilities
Example 8: Audit committee's use of internal audit to address certain risks
Example 9: Use of self-assessments to instill monitoring responsibilities throughout the management structure
Example 10: Internal audit develops its plan in concert with the organization's strategic planning process
Example 11: Board of directors oversight adjusted based on risk
Example 12: Open lines of internal and external communication
Example 13: Modifications to monitoring to improve plant-level internal control oversight
Baseline Understanding of Internal Control Effectiveness
Example 14: Effective use of a control baseline
Example 15: Establishing a baseline that begins with a list of prioritized risks
Design and Execute Monitoring Procedures
Prioritize Risks
Example 16: Adjustment of type, timing and extent of monitoring based on the results of risk assessment
Example 17: Use of a formalized risk assessment methodology
Example 18: Linkage of a formalized risk assessment methodology to related controls
Identify Key Controls
Example 19: Development of an audit program based on an analysis of key controls
Example 20: Small manufacturing company's consideration of key controls
Identify Persuasive Information
Example 21: Integration of operations and finance into one technology platform
Example 22: Use of indirect information in addressing operational risks
Example 23: Balanced use of direct and indirect information in addressing operational risks
Example 24: Improved use of indirect information to monitor payroll
Implement Monitoring Procedures
Example 25: Necessary modifications to improve ongoing monitoring
Example 26: Employ ongoing self-assessment procedures with periodic reconfirmation by internal audit or others
Example 27: Identified changes in business operations lead to reconsideration of, and potential changes in, monitoring
Assess and Report Results
Prioritize and Communicate Results
Example 28: Use of a tool to help prioritize, track and report potential deficiencies
Example 29: Use of a tool to help prioritize, track and report potential deficiencies
Example 30: Use of qualified personnel to evaluate control deficiencies
Example 31: Use of people trained specifically to evaluate the severity of potential deficiencies
Report Internally
Example 32: Established reporting protocols for identified deficiencies
Example 33: Use of a spreadsheet to track and report deficiencies
Example 34: Established grading scale and reporting protocol for identified deficiencies
Report Externally
Example 35: Benefits of joint planning between the organization and the external auditor
Example 36: Consideration of the use of external specialists
Other Considerations
Monitoring Controls Outsourced to Others
Example 37: Obtain and evaluate outside party's independent internal control audit report
Using Technology for Effective Monitoring
Example 38: Use of a monitoring-status tracking tool and dashboard report
Example 39: Use of a monitoring-status tracking tool
Example 40: Continuous monitoring of segregation-of-duties controls
Example 41: Improved monitoring through the use of a reconciliation tracking tool
Example 42: Continuous monitoring using conditional tests of transaction data
Example 43: Continuous monitoring using conditional tests of transaction data
Example 44: Continuous monitoring using regression analysis
Example 45: Use of an IT tool to track system authorization changes and identify possible segregation-of-duties problems
Example 46: Selection of key IT-related controls
Comprehensive Examples
Large Retail Organization's Monitoring of Controls Over Store Inventory
Monitoring of Controls Over Certain Operational Risks in a Mid-Sized Manufacturing Organization
Monitoring Certain IT Controls
Appendices
Appendix A: ABC Company COSO Usage Document
Appendix B: Quarterly and Annual Management Representations
Appendix C: Quarterly and Annual Disclosure Committee Review Procedures Checklist
Appendix D: Enterprise-Wide Risk Matrix

Preview

I. Purpose of the Guidance

1. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) introduced the Internal Control — Integrated Framework (the COSO Framework) in 1992. Much has happened since the initial release. Most notably, some countries have implemented regulations requiring certain companies to publicly report on the effectiveness of internal control. COSO’s Guidance on Monitoring Internal Control Systems (COSO’s Monitoring Guidance) elaborates on the monitoring component of internal control discussed in the 1992 COSO Framework and in the subsequent Internal Control over Financial Reporting — Guidance for Smaller Public Companies issued in 2006 (COSO’s 2006 Guidance).

2. COSO initiated this project based on observations that many organizations were not fully utilizing the monitoring component of internal control. This fact became most clear as COSO witnessed the efforts of many companies to meet internal control certification and assertion requirements around the world.

3. COSO observed that some organizations had effective monitoring in certain areas, but were underutilizing the results of that monitoring to support their conclusions about the effectiveness of internal control, especially conclusions related to the effectiveness of internal control over financial reporting. Instead, they were adding redundant, often unnecessary procedures designed to evaluate controls for which management — through its existing monitoring efforts — already had sufficient support. Other organizations were not making the best use of ongoing monitoring procedures or lacked necessary monitoring procedures altogether, which may have caused them to implement inefficient year-end evaluations to support their conclusions about the effectiveness of internal control.

4. The objectives of COSO’s Monitoring Guidance are twofold:

• To help organizations improve the effectiveness and efficiency of their internal control systems. The COSO Framework emphasizes that organizations with effective internal control systems monitor the effectiveness of those systems over time — just as a manufacturing organization monitors the continued effectiveness and efficiency of its manufacturing procedures. This guidance is designed to help organizations recognize and maximize the use of monitoring when it is effective and enhance monitoring in areas where improvement may be warranted.

• To provide practical guidance that illustrates how monitoring can be incorporated into an organization’s internal control processes. The “Applying the Concepts” sections in Volume II of the guidance provide easy reference points — demonstrating how organizations might apply the general concepts of monitoring. Volume III goes further by providing a variety of monitoring examples from organizations interviewed during the project.

5. This guidance does not:

• Change the COSO Framework or COSO’s 2006 Guidance,

• Dictate risks or controls that organizations must consider,

• Mandate the exact monitoring procedures that organizations must follow,

• Increase the monitoring effort for organizations in areas where monitoring is already effective, or

• Mandate a certain level or formality of monitoring documentation, including the use of certain terms.

6. This guidance should help management, board members, internal and external auditors, regulators, and others recognize effective monitoring where it exists and take into account its results with respect to their duties. In areas where monitoring is ineffective, this guidance should help organizations identify and correct weaknesses and move toward achieving effectiveness in monitoring. In so doing, organizations can improve their internal control system’s ability to provide reasonable assurance about the achievement of organizational objectives. Effective monitoring may also result in organizational improvements by (1) minimizing internal control failures and their errors/defects that require correction, and (2) improving the quality and reliability of information used for decision making.

7. This guidance is designed to apply to all three objectives addressed in the COSO Framework: the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. However, recognizing that its initial application may be related to evaluating internal control over financial reporting (ICFR), most of the examples concentrate on the financial reporting objective.

8. The Monitoring Guidance comprises three volumes. Volume I, the Guidance volume, is designed to demonstrate succinctly the core concepts embodied in COSO’s monitoring component. Volume II, the Application volume, is integral to Volume I and contains a more detailed description of the principles contained in Volume I. The Application volume should be read by those responsible for implementing the guidance and by those who are interested in gaining a greater understanding of the related concepts. Volume III, the Examples volume, contains examples from organizations whose monitoring efforts are consistent with the Monitoring Guidance.

II. Nature and Purpose of Monitoring

9. The COSO Framework states that “monitoring ensures that internal control continues to operate effectively.” COSO’s 2006 Guidance enhances the understanding of monitoring by articulating the following two related principles:

See Vol. II, ¶¶ 1–2.

• Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time.

• Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.

10. COSO’s Monitoring Guidance builds on those two fundamental principles.

11. The COSO Framework recognizes that risks change over time and that management needs to “determine whether the internal control system continues to be relevant and able to address new risks.” Thus, monitoring should evaluate (1) whether management reconsiders the design of controls when risks change, and (2) whether controls that have been designed to reduce risks to an acceptable level continue to operate effectively. Accordingly, this guidance continues to emphasize COSO’s belief that monitoring should be based on an analysis of risks to organizational objectives and an understanding of how controls may or may not manage or mitigate those risks.

See Vol. II, ¶¶ 38–41.

12. An overview of the framework and how its components work together is shown in Figure 1, which is an enhancement of the process approach to internal control developed in COSO’s 2006 Guidance. The enhancements include the explicit recognition that monitoring relates to all three internal control objectives and not just to the financial reporting objective.

13. This graphic also demonstrates that monitoring evaluates the internal control system’s ability, in its entirety, to manage or mitigate meaningful risks to organizational objectives.

See Vol. II, ¶¶ 11–19.

14. Each of the five components of internal control set forth in the COSO Framework is important to achieving an organization’s objectives. However, the fact that each component must be present and functioning does not mean that each must function perfectly. Accordingly, monitoring does not seek to conclude on the effectiveness of individual internal control components operating in isolation.