Research on Internal Control in Small and Medium-Sized Private Enterprises: Foreign-Language Literature Translation (Chinese and English)
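Undergraduate Graduation Project (Thesis)
Translation and Original Text of a Foreign-Language Reference

Contents

Translation
Abstract
1 Background
2 Overview of internal control theory
2.1 The fundamental nature of internal control
2.2 Responsibility for internal control
3 Ensuring the adequacy of internal control
4 Inherent limitations of internal control
5 Conclusion

Original text
Abstract
1 Background Topics
2 Internal control theory outlined
2.1 The Fundamental Nature of Internal Control
2.2 Responsibility for Internal Control
3 Ensuring the adequacy of internal control
4 Inherent limitations of internal control
5 Conclusion

Abstract (translation)

The concept of internal control is no longer a new one. This article examines what every public-sector financial manager and board member should know about internal control. After analyzing the root causes of fraudulent financial reporting, the Treadway Commission attributed most of the blame to inadequate management of internal control. In response, the organizations that established the Treadway Commission formed a Committee of Sponsoring Organizations (COSO) to try to remedy the problems the Treadway Commission had exposed.

To ensure that such a framework of internal control is adequate and comprehensive, COSO identified five essential components: 1. control environment; 2. risk assessment; 3. policies and procedures; 4. communication; 5. monitoring and follow-up. A sound framework of internal control is necessary, but it must be recognized that such a framework can hardly reach perfection. Internal control is in essence a management responsibility.

1 Background

The concept of internal control is nothing new. All the same, because recent scandals in the private sector have led federal law to reaffirm the importance of this frequently neglected topic, this article examines what every public-sector financial manager and board member should also know about internal control.

Until recent years, the basic question "What is internal control?" would elicit a series of examples: segregation of different duties, periodic bank reconciliations, use of receiving reports, and similar notions, but these are not an accurate definition of internal control. That is, internal control tended to be treated as a collective term describing different kinds of policies and procedures rather than as an independent and unified concept. This was the situation facing the Treadway Commission in the mid-1980s when it had to carry out its mandate on fraudulent financial reporting.

After investigating and analyzing the root causes of fraudulent financial reporting, the Treadway Commission attributed most of the blame to a lack of management in internal control, but the commission bears some responsibility for managers' failure to understand clearly what internal control really means and why it deserves their attention.

In response to these findings, the organizations that sponsored the Treadway Commission set up a coordinating committee to try to remedy the problems the Treadway Commission had exposed. The result of this effort was the Internal Control - Integrated Framework set out in the groundbreaking report that COSO released in 1992. To this day, the "COSO Report" remains the essential foundation for discussing internal control in formal and serious settings.

In the private sector, the criteria set out in the COSO Report are normally used to evaluate internal control, including for companies authorized to trade publicly, because after the Enron and WorldCom scandals the federal Sarbanes-Oxley legislation laid down requirements for internal control. In the public sector, the Government Finance Officers Association, in a recently recommended practice, takes the position that government financial managers, in order to fulfill their ethical responsibilities, should "obtain the information and meaningful training needed to take responsibility for internal control," and in particular should correctly understand internal control as set out by COSO.

2 Overview of internal control theory

2.1 The fundamental nature of internal control

Whatever the nature of the organization (public, private, or not-for-profit), all managers must strive for: (1) operating efficiency; (2) producing true and reliable external financial reports; (3) complying with applicable laws and regulations.

Responsible managers cannot detach themselves from these objectives; rather, they must take concrete action to ensure effective and efficient operations, true and reliable financial reporting, and compliance with laws and regulations. It is these actions that constitute internal control. Put differently, internal control can be defined as the sum of the tools and techniques that management uses to ensure it achieves its objectives. Thus internal control is, by its nature, fundamentally a management concern.

2.2 Responsibility for internal control

The following analogy may help the managers, board members, and auditors who are assigned responsibility for internal control to understand correctly the responsibilities and functions involved. "The student is primarily responsible for completing homework." Assigning this primary responsibility to the student is practical, because the goal of homework is to improve the student's skills, and it is impossible for someone else to do the student's homework without affecting the improvement of those skills. A parent, tutor, or classmate may help the student with a particular assignment, but in the end only the student's own direct involvement can achieve the goal of improving skills. This does not mean, of course, that parents or guardians can excuse themselves on the grounds that homework is primarily the student's responsibility. The ultimate duty of parents or guardians is to ensure that the student takes responsibility for his or her own homework; although they cannot actually do the homework for the student, they have the right to supervise its completion. Finally, teachers and tutors, who provide valuable help to students and to parents or guardians, cannot take their place. In the end, if the student's homework is not completed on time, the ultimate responsibility is borne by the parents or guardians.

This analogy shows what internal control means in practice: the student, the parents or guardians, and the teacher in the example above can stand for management, the governing board, and the internal auditor respectively, which helps in understanding each party's duties in internal control. As just explained, internal control is fundamentally a management concern (that is, managers use tools and techniques to achieve management objectives), so management bears primary responsibility for internal control. But board members cannot stand aside from internal control on the grounds that it is primarily management's duty, because the board's job is to ensure that management meets all of its responsibilities. The ultimate responsibility for internal control therefore rests with the board. The independent internal auditor, like a teacher, can provide necessary assistance toward management's success (in preparing true and reliable financial statements), but even the best teacher cannot help the student, parents, or guardians complete the responsibilities and tasks that are properly theirs. Finally, the internal auditor, as an important role, helps them reach their goals just as a teacher does. Even so, what the internal auditor can do within the internal control system is only to assist management, not to replace it.

Of course, one thing that must be insisted upon is that the board bears ultimate responsibility for internal control. The main question remains: "How can the board effectively fulfill its responsibility in this regard?" The most practical approach is to establish an audit committee, which ideally serves as the focal point of the board's internal control efforts and ensures that the whole matter of internal control is regularly brought before the board and dealt with in a timely way. Similarly, the role of the internal auditor is to help managers carry out their main internal control tasks, especially managers with a programmatic rather than a financial background, who may be unfamiliar with internal control.

3 Ensuring the adequacy of internal control

Once management and the board have each assumed their respective responsibilities for internal control, how can they know whether they have truly fulfilled their obligations? How much control is appropriate?

In the COSO Report, internal controls (plural) is more common than internal control (singular); however, in COSO internal control is viewed more as the sum of its parts (individual policies and procedures). In the United States, COSO envisioned integrating the individual control elements or components of internal control into a unified structure or framework; that is, COSO offered a holistic concept of internal control in place of the earlier piecemeal one. To ensure that internal control within the framework is adequate or comprehensive, COSO also identified five essential components that need to be put in place:

1. There must be a sound control environment (corporate culture);
2. There must be regular, continuous risk assessment;
3. Relevant policies and procedures must be designed, implemented, and maintained to address the risks identified;
4. There must be adequate communication;
5. There must be regular and ongoing monitoring of control-related policies and procedures to ensure that they continue to work and that any problems are handled properly.

Control environment. An analogy may help in understanding the control environment. Children do not grow up in isolation but in a particular environment surrounded by particular people. Such an environment can profoundly affect a child's development: a child with only limited potential may grow and realize that potential in a rich environment full of vitality and opportunity, while a child with great potential may grow up in an adverse environment where that potential is buried.

Internal control does not exist in a vacuum either. It is inevitably affected, for better or worse, by the surrounding environment or corporate culture. Indeed, the importance of the surrounding environment to the ultimate success of internal control cannot be overstated. In an environment that is indifferent or even hostile to internal control (so much "red tape" to "get through" to get the work done), even the best policies and procedures have little hope of being effective. Conversely, an environment that clearly supports internal control can get the most out of even the most basic control policies and procedures.

The key lies in a sound internal control environment and active support. Management can hardly support something it does not understand (hence management must be quite familiar with COSO's guidance on internal control, the requirement GFOA put forward earlier). Likewise, effective support is not empty talk; time and resources are an important part of it.

In addition, it is very important for managers to lead by example. All too often managers seem to think that internal control applies only to their subordinates; that is, managers apply controls to the subordinates who report to them. The likely result is that employees come to see internal control as something to be circumvented (as evidence of their rank and importance in the organization) rather than as something whose circumvention is to be avoided.

One particularly important example of this principle concerns management's handling of violations of control-related policies and procedures. To avoid conflict, managers fail to take effective disciplinary action, even in some cases involving fraud. Inevitably, this sends others a clear and dangerous message: internal control and management are not very strict.

Of course, an active audit committee and an effective internal audit department are important positive factors in the overall control environment.

Risk assessment. Challenges (that is, risks) always exist on the way to management's achieving its objectives. Moreover, yesterday's risks are not necessarily the same as today's or tomorrow's. Risk assessment therefore cannot be completed by a "one-time" effort but must be a regular, ongoing process. Likewise, risks must be anticipated so that they can be avoided or mitigated. By way of analogy, installing lights at a railway crossing can prevent a major accident; likewise, if population or traffic conditions change, lights at a railway crossing become increasingly necessary.

How, then, should managers go about identifying previously unknown risks? First, management should focus on change, because all change involves some degree of risk. Changes that can bring high risk include the following:

1. Changes in the operating environment (for example, changes to the enterprise's internal rules and regulations);
2. Changes in personnel (especially in sensitive positions);
3. Changes in information systems and technology (for example, if processes have been redesigned, are controls still adequate?);
4. Rapid growth (for example, pressure applied to meet increased demand);
5. New programs and services (for example, lack of experience);
6. Changes in structure (for example, cancelling the implementation of an existing program).

Managers should also consider existing inherent risks and deal with high-risk situations. Typical situations of high inherent risk include the following:

1. Complexity (the more complex, the easier it is to go wrong);
2. Cash receipts;
3. Direct third-party beneficiaries (cash payments of assistance to individuals);
4. Prior problems (programs with past problems are likely to keep encountering the same problems);
5. Previously identified control weaknesses (situations where identified problems were not corrected in the past).

Policies and procedures. Managers must analyze current and potential future risks. As they carry out risk assessments, they must take practical and effective steps to design and implement specific relevant policies and procedures to avoid and minimize those risks. Traditionally, control-related financial policies and procedures are usually divided into the following basic categories:

1. Authorization (all transactions must be properly authorized);
2. Proper records (records should be designed to highlight missing items);
3. Security of assets and records (assets and records should be protected and made available only to those who need them);
4. Incompatible duties (ideally, an individual employee should not be in a position both to commit and to conceal an irregularity);
5. Periodic reconciliations (accounting records should regularly be compared and reconciled);
6. Periodic verifications (accounting data should regularly be compared with the actual items they represent);
7. Analytical review (comparing items of financial data and assessing them against other data, financial and non-financial, as well as against expectations).

Specific control-related policies and procedures can also be divided into two kinds: those intended to eliminate the actual problem (like a fire suppression system), and those with the more limited aim of alerting managers to potential problems so that they can discover them in time (like a smoke alarm). This important distinction will show up later in the discussion.

Communication. Unlike the other four components, communication does not usually exist on its own. Rather, it is the basis on which the other components can operate effectively. For example, a sound control environment requires good communication among levels of management and between managerial and non-managerial staff. Indeed, it was to emphasize the importance of communication that COSO treated it as a separate component which, together with the others, makes up a comprehensive framework.

Of particular note, financial managers document accounting-related policies and procedures from the consumer's perspective. The traditional accounting policies and procedures manual is commonly used for this purpose. More recently, governments have begun to use intranets to ensure that staff can obtain the latest information at any time. Of course, managers are also able to override the controls they establish.

Because of this unavoidable management risk, it is very important to give employees a clear channel of communication that is not controlled by managers.

Not all types of information are equally urgent. For example, irregularities and fraud must be communicated immediately to the relevant parties, whereas periodic reporting may be enough for much of the relatively less sensitive control-related information. Good communication ensures that the speed of communication is consistent with such considerations.

Monitoring. The fifth and final component of the comprehensive framework of internal control is monitoring. Just as even the best house needs regular and occasional upkeep, control-related policies and procedures become less suitable as time passes. Managers must therefore periodically evaluate their control-related policies and procedures to ensure that they are well implemented and remain fully operational.

Equally important, many control-related policies and procedures are intended to alert management to potential problems rather than actually to eliminate them. An important element of monitoring is therefore to evaluate how past indications of possible errors and of violations of the relevant policies and procedures have been dealt with.

4 Inherent limitations of internal control

A sound framework of internal control is essential, but it is important to remember that no such framework will ever be perfect. For example, as explained earlier, managers are normally able to override whatever control-related policies and procedures they establish. In addition, controls based on incompatible duties can usually be circumvented through collusion (that is, individuals meant to act as a control on one another could instead work together). Finally, and most important, it is inappropriate to implement a control-related policy or procedure that ends up costing more than the benefit reasonably expected from it. So, for example, it may sometimes not be feasible to implement the segregation of incompatible duties fully, in which case alternative (and possibly less effective) methods may be needed instead.

Risk management in enterprise internal control

As noted earlier, the COSO Report took shape in 1992 out of rigorous discussion of internal control. COSO never changed the mission of the Internal Control - Integrated Framework published in 1992; rather, the committee decided to strengthen its work on internal control in relation to enterprise risk management. The result was the publication in 2004 of Enterprise Risk Management - Integrated Framework (COSO).

COSO describes enterprise risk management as follows:

A process affected by the company's board of directors, management, and other personnel, applied in setting strategy across the enterprise, designed to identify events that may affect the organization, while risk management provides reasonable assurance regarding the achievement of the organization's objectives. This process necessarily involves both the individual units within the organization and the organization as a whole.

According to COSO, a comprehensive enterprise risk management framework is one that provides reasonable assurance (1) that the organization's objectives are achieved; (2) that risks which may affect their performance are recognized.

Relative to the original COSO Report, COSO reaffirmed the three basic management objectives: operations (effectiveness and efficiency); reporting (expanded to include financial and internal reporting); and compliance. It also identified a new, fourth category of objective, strategic objectives, which can be described as "high-level" because all the other objectives need to be aligned with it.

To emphasize enterprise risk management, COSO expanded the framework made up of four separate components (including the one called "risk assessment") into a complete enterprise risk management framework of eight components:

1. Internal environment (including an organization's tolerance for loss and risk);
2. Objective setting (this supports risk assessment; risk is defined as whatever can prevent an organization from achieving its objectives);
3. Event identification (including positive opportunities and negative risks);
4. Risk assessment (risk response - inherent risk);
5. Risk response (deciding to reduce, share, or accept inherent risk so that the residual risk is consistent with the organization's risk);
6. Control activities (specific steps for responding to risk);
7. Information and communication (with a specific provision concerning management override and "upward reporting");
8. Monitoring.

5 Conclusion

Internal control, by its nature, is basically a management responsibility. Management's responsibility has greatly intensified the private sector's subsequent attention to internal control, as with the federal Sarbanes-Oxley legislation. GFOA has made clear that public-sector financial managers have an obligation to understand GFOA's professional practice guidance and to fulfill their responsibilities for internal control. First, fulfilling these obligations means having managers become familiar with the understanding of internal control set out in the COSO Report. Likewise, members of public-sector governing boards, because their ultimate responsibility is to ensure that managers meet their responsibilities for internal control, should become more familiar with what the COSO Report says about a sound framework of internal control, so as to hold management accountable more effectively.

Abstract

The concept of internal control is hardly new. This article will examine what every public sector financial manager and board member should know about internal control. After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. In response, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations (COSO) that sought to remedy the deficiencies exposed by the Treadway Commission.

COSO identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive: 1. control environment, 2. assessment of risk, 3. policies and procedures, 4. communication, and 5. monitoring.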
While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. Internal control, by its very nature, is essentially a managerial responsibility.

1 Background Topics

The concept of internal control is hardly new. All the same, recent private sector scandals and subsequent federal legislation have significantly renewed interest in this important, but frequently neglected topic. This article will examine what every public sector financial manager and board member should know about internal control.

Until recent years, a response to the basic question, "What is internal control?" likely would have elicited a series of examples - segregation of incompatible duties, periodic bank reconciliations, use of receiving reports - rather than a true definition. That is to say, internal control tended to be viewed as a collective term used to describe a disparate assortment of policies and procedures rather than as a separate and coherent concept in its own right. Such was the situation that confronted the Treadway Commission on Fraudulent Financial Reporting when it first took up its mandate in the mid-1980s.

After examining the underlying causes of fraudulent financial reporting, the Treadway Commission placed much of the blame on inadequate managerial involvement with internal control. The commission assigned at least partial responsibility for this lack of involvement to a general failure to provide managers with a clear understanding of what internal control really is and why it should be a matter of concern to them.

In response to these findings, the various organizations that sponsored the Treadway Commission formed an ongoing Committee of Sponsoring Organizations that sought to remedy the deficiencies exposed by the Treadway Commission. The result of this effort was the groundbreaking report Internal Control - Integrated Framework, which was released by COSO in 1992. To this day, the "COSO Report" serves as the essential foundation for any serious discussion of internal control.

In the private sector, the COSO Report provides the criteria normally used for evaluating internal control, including the internal control assessments mandated for publicly traded companies by the federal Sarbanes-Oxley legislation that was passed in the wake of the Enron and WorldCom scandals. In the public sector, the Government Finance Officers Association in a recent recommended practice has taken the position that government financial managers, in fulfillment of their ethical responsibilities, should "obtain the information and training needed to meaningfully take responsibility for internal control," and "in particular" should obtain "a sound understanding of ... internal control as set forth by COSO."1

2 Internal control theory outlined

2.1 THE FUNDAMENTAL NATURE OF INTERNAL CONTROL

Regardless of the sector within which they serve (i.e., public, private, or not-for-profit), all managers must strive to: (1) operate effectively and efficiently, (2) produce reliable external financial reports, and (3) comply with applicable laws and regulations.

Responsible managers cannot leave the achievement of these objectives to chance. Rather, they must take concrete action to ensure the effectiveness and efficiency of operations, reliable financial reporting, and legal and regulatory compliance. It is the sum of these actions that constitutes internal control. Put differently, internal control could be defined as the sum of the tools and techniques used by management to ensure that it achieves its objectives. Thus, by its very nature, internal control is fundamentally a managerial concern.

2.2 RESPONSIBILITY FOR INTERNAL CONTROL

An analogy may be useful in understanding the proper assignment of responsibility for internal control among managers, board members, and auditors. A student is primarily responsible for completing homework assignments. The reason for assigning primary responsibility to the student is as much practical as it is ethical; since the purpose of a homework assignment is to sharpen the student's skills, no one else can do a student's homework for the student without fundamentally compromising that objective. While a parent, tutor, or fellow student may provide valuable help to the student in completing an assignment, in the end, only the student's direct involvement can achieve the desired end. That is not to say, of course, that parents or guardians can somehow absolve themselves of their own responsibility for the completion of their charges' homework on the grounds that it is the student who is primarily responsible. Parents or guardians remain ultimately responsible for ensuring that a student meets his or her responsibility for homework. Although parents or guardians cannot actually do the homework for the student, they have a duty to make sure the student does so. Finally, teachers and tutors, while they can be of invaluable assistance to both students and their parents or guardians, cannot replace either. In the end, homework remains the primary responsibility of the student and the ultimate responsibility of the parents or guardians.

This analogy holds true for internal control if the students, parents or guardians, teachers, and tutors of the previous example are replaced by management, the governing board, the independent auditor, and the internal auditor. Management is primarily responsible for internal control, because internal control, as explained earlier, is, by its very nature, fundamentally a management concern (i.e., the tools and techniques used by managers to achieve management objectives). Board members, in turn, cannot wash their hands of responsibility for internal control on the grounds that management is primarily responsible, because it is the job of a governing board to ensure that management meets all of its responsibilities. Thus, the governing board is ultimately responsible for internal control. The independent auditor of the financial statements, like a teacher, validates management's success (in preparing reliable financial statements) and is available to provide assistance, as needed. Still, even the best teacher cannot make up for a disengaged student or uninvolved parents or guardians. Finally, the role of internal auditors, like that of tutors, is to help those whom they serve to succeed. Nonetheless, an internal auditor can only assist management, not replace it, with regard to internal control.

It is one thing, of course, to insist that the governing board is ultimately responsible for internal control. The real issue remains: "How can a governing board effectively fulfill its responsibility in this regard?" The most practical solution is to establish an audit committee, which ideally can serve as the focal point for the board's internal control-related efforts, ensuring that the whole matter of internal control is regularly brought before the board for its attention and dealt with appropriately.2 Similarly, an internal audit function can be invaluable in helping managers, especially those managers with a programmatic rather than a financial background, who may be less familiar with internal control.3

3 Ensuring the adequacy of internal control

Once management and the governing board have assumed their respective responsibility for internal control, how can they know that they have truly fulfilled their obligations? How much control is enough?

Before the COSO Report, it was more common to speak of internal controls (plural) than of internal control (singular). COSO, however, viewed internal control as much more than the sum of its parts (individual policies and procedures). COSO envisioned internal control as a unified structure or framework into which individual control elements or components are integrated. That is, COSO offered a conceptually holistic approach to internal control in place of the earlier, essentially piecemeal approach. COSO also identified five essential components that needed to be in place to ensure that such a framework of internal control is adequate or comprehensive:

* There must be a sound control environment ("corporate culture")
* There must be a regular, ongoing assessment of risk
* Control-related policies and procedures must be designed, implemented, and maintained to address the risks thus identified
* There must be adequate communication
* There must be a regular and ongoing monitoring of control-related policies and procedures to ensure that they continue to function as designed and that any problems disclosed are handled appropriately

Control environment. An analogy once again may be useful for understanding the importance of the control environment. Children do not grow up in isolation, but rather surrounded by specific individuals in specific circumstances. This environment can have a profound impact on a child's development. Thus, a child with only limited gifts may flourish in a supportive and opportunity-rich environment, whereas a child with much greater potential may languish in a dysfunctional setting.

Internal control also does not function in a vacuum. It is inevitably affected, for better or worse, by the surrounding environment or "corporate culture." Indeed, it is impossible to exaggerate the importance of the ambient control environment to the ultimate success of internal control. The best designed policies and procedures have little hope of being effective in an environment where internal control is viewed with indifference or even hostility (so much "red tape" to be "cut through" to get the job done). Conversely, an environment that is clearly supportive of control will tend to get the most out of even the most basic control-related policies and procedures.

The key to a sound control environment is management's informed and active support for internal control. Management can hardly be supportive of something it does not understand (thus the GFOA recommendation mentioned earlier regarding the need for management to become familiar with the COSO guidance on internal control). Likewise, effective support must involve more than just words; time and resources also have to be a part of the equation.

In addition, there is no substitute for management leading by example. All too often, managers appear to believe in internal control - but only for their subordinates! That is, managers wish to exempt themselves from the very controls they place on those who report to them. Of course, the likely outcome of such an approach is that employees will view the circumvention of internal control as something to be desired (evidence of their rank and importance within the organization) rather than as something to be avoided.

One particularly important example of the principle just discussed is management's response to violations of control-related policies and procedures. All too frequently, managers seek to avoid confrontation, even in situations involving fraud, and thus fail to take effective disciplinary action. Almost inevitably, such a response sends the clear and dangerous message to others that management is not really serious about internal control.

Naturally, an active audit committee and an effective internal audit function are significant positive factors in an entity's control environment.

Assessment of risk. There will always be challenges in the path of management's achieving its objectives (i.e., risks). Moreover, yesterday's risks will not necessarily be the same as today's or tomorrow's. Accordingly, risk assessment cannot be a "one-time" effort, but must be a regular, ongoing process. Likewise, risks must be anticipated so they can be avoided or mitigated to the greatest extent possible. To revert to analogy, the time to install lights at a railway crossing is before a major accident occurs. Likewise, lights may become necessary at a railway crossing where none were needed previously because of changes in population or traffic patterns.

How then should managers go about the process of trying to identify previously unidentified risks? First, management should focus its attention on change, because all change involves some element of risk. Examples of types of change that can entail a high degree of risk include the following:

* Changes in the operating environment (e.g., changes in regulations)
* Changes in personnel (especially in sensitive positions)
* Changes in information systems and technology (e.g., if processes have been reengineered, are control procedures still adequate?)
* Rapid growth (e.g., pressure to "cut corners" to meet increased demand)
* New programs and services (e.g., lack of experience)
* Changes in structure (e.g., elimination of a program)

Managers also should consider inherent risk, which involves the notion that certain situations, even when they are ongoing, involve heightened levels of risk. Examples of situations that typically involve a high degree of inherent risk include the following:

* Complexity (the more that can go wrong, the more that will go wrong)
* Cash receipts ("when cash passes hands it tends to stick")
* Direct third-party beneficiaries (cash payments of assistance to individuals)
* Prior problems (programs with a "problem past" are likely to continue to experience problems)
* Prior unresponsiveness to identified control weaknesses (situations where problems identified in the past have still not been remedied)

Policies and procedures. As managers identify current and future potential risks as a result of their ongoing risk assessments, they must take practical steps to design and implement specific control-related policies and procedures to avoid or mitigate those risks. Traditionally, control-related policies and procedures related to finance are classified into one of the following basic categories:

* Authorization (all transactions need to be properly authorized)
* Properly designed records (records should be designed to highlight missing items)
* Security of assets and records (assets and records should be protected and available only to those who need them)
* Segregation of incompatible duties (ideally, individual employees should not be in the position to both commit and conceal an irregularity)
* Periodic reconciliations (accounting records should regularly be compared and reconciled)
* Periodic verifications (accounting data should regularly be compared with the actual items they represent)
* Analytical review (the reasonability of financial data should be assessed by comparing that data with other data, both financial and nonfinancial, as well as with expectations)

Specific control-related policies and procedures also can be divided between those designed to actually eliminate a problem (like a fire sprinkler system) and those designed with the more limited goal of alerting managers to a potential problem so they can eliminate it (like a smoke alarm). The importance of this distinction will become apparent later in the discussion of monitoring.

Communication. Unlike the other four components of a comprehensive framework of internal control, communication does not really exist separately. Rather, it is a pervasive and necessary characteristic of each of the remaining components if they are to function effectively. For example, a sound control environment requires good communication among levels of management as well as between managerial and non-managerial staff. Indeed, it was to underscore the importance of communication to each of the other components of a comprehensive framework of internal control that COSO chose to treat it as a separate component in its own right.

Of special importance to good communication from the perspective of financial managers is the documentation of accounting-related policies and procedures. Traditionally an accounting policies and procedures manual has generally been used for this purpose. More recently, governments have begun to use internal Web sites to ensure that staff has ready access to the most updated information.4

Managers, of course, are in a position to override whatever controls they establish. Because of this unavoidable risk of management override, it is important that staff be provided with a clear way of communicating around managers in situations where management override does occur.

Not all types of information have the same urgency. For example, indications of irregularities or fraud need to be communicated to the appropriate parties immediately, whereas periodic reporting may be sufficient for many less sensitive types of control-related information. Good communication will ensure that the speed of communication is consistent with such considerations.

Monitoring. The fifth and final component of a comprehensive framework of internal control is monitoring. Just as even the best-constructed house may reasonably be expected to require regular upkeep and occasional repairs, control-related policies and procedures tend naturally to deteriorate over time. Therefore, managers must periodically evaluate their control-related policies and procedures to ensure that they have been properly implemented and remain fully operational.

Just as important, many control-related policies and procedures are designed to alert managers to a potential problem rather than to actually eliminate the problem. Therefore an essential element of monitoring is to evaluate how past indications of possible errors and irregularities signaled by control-related policies and procedures have been dealt with.

4 Inherent limitations of internal control

While a sound framework of internal control is essential, it is important to bear in mind that no such framework can ever be perfect. For example, as already explained, managers normally are in a position to override whatever control-related policies and procedures they establish. Also, controls dependent upon the segregation of incompatible duties typically could be circumvented through collusion (i.e., individuals intended to act as a control upon one another could instead work together to frustrate the control). Finally, and most important, it would be inappropriate to implement a control-related policy or procedure that would end up costing more than the benefit it was reasonably expected to achieve. Thus, for instance, it sometimes may not be feasible to fully implement the segregation of incompatible duties, in which case alternative (and potentially less effective) methods may need to be employed instead.

FROM INTERNAL CONTROL TO ENTERPRISE RISK MANAGEMENT

As noted earlier, COSO's 1992 report was groundbreaking and has served ever since as the basis for all serious discussion of internal control. For all that, COSO did not abandon its mission with the 1992 publication of Internal Control - an Integrated Framework. Rather, it decided to enhance its work on internal control by placing it within the even broader context of enterprise risk management. The result was COSO's 2004 publication Enterprise Risk Management - an Integrated Framework (COSO II).

COSO II describes enterprise risk management as:

a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

This process necessarily involves both individual units within an organization and the organization as a whole. A comprehensive enterprise risk management framework, according to COSO II, is one that provides reasonable assurance (1) that an entity's objectives are being achieved or (2) that management is made aware of risks that could impede their achievement: COSO
