內(nèi)部控制-整體框架【外文翻譯】

1、本科畢業(yè)論文（設(shè)計(jì)）外 文 翻 譯原文：internal control integrated frameworkrisksthe process of identifying and analyzing risk is an ongoing iterative process and is a critical component of an effective internal control system. managements must focus carefully on risks at all levels of the entity and take the necessar

2、y actions to manage them.risk identificationan entitys performance can be at risk due to internal or external factors. these factors, in turn, can affect either stated or implied objectives. risk increases as objectives increasingly differ from past performance. in a number of areas of performance,

3、an entity often does not set explicit entity-wide objectives because it considers its performance to be acceptable. although there might not be an explicit or written objective in these circumstances, there is an implied objective of “no change” or “as is.” this does not mean that an implied objecti

4、ve is without either internal or external risk. for example, an entity might view its service to customers as acceptable, yet, due to a change in a competitors practices, its service, as viewed by its customers, might deteriorate.regardless of whether an objective is stated or implied, an entitys ri

5、sk-assessment process should consider risks that may occur. it is important that risk identification be comprehensive. it should consider all significant interactions of goods, services and information between an entity and relevant external parties. these external parties include potential and curr

6、ent suppliers, investors, creditors, shareholders, employees, customers, buyers, intermediaries and competitors, as well as public bodies and news media.risk identification is an iterative process and often is integrated with the planning process. it also is useful to consider risk from a “clean she

7、et of paper” approach, and not merely relate the risk to the previous review.entity level. risks at the entity-wide level can arise from external or internal factors. examples include:external factorstechnological developments can affect the nature and timing of research and development, or lead to

8、changes in procurement. changing customer needs or expectations can affect product development, production process, customer service, pricing or warranties.competition can alter marketing or service activities.new legislation and regulation can force changes in operating policies and strategies. nat

9、ural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning.economic changes can have an impact on decisions related to financing, capital expenditures and expansion.internal factorsa disruption in information systems processing can adve

10、rsely affect the entitys operations. the quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity. a change in management responsibilities can affect the way certain controls are effected. the nature of the entitys activitie

11、s, and employee accessibility to assets, can contribute to misappropriation of resources. an unassertive or ineffective board or audit committee can provide opportunities for indiscretions.many techniques have been developed to identify risks. the majority particularly those developed by internal an

12、d external auditors to determine the scope of their activities involve qualitative or quantitative methods to prioritize and identify higher-risk activities. other practices include: periodic reviews of economic and industry factors affecting the business, senior management business-planning confere

13、nces and meetings with industry analysts. risks may be identified in connection with short- and long-range forecasting and strategic planning. which methods an entity selects to identify risks is not particularly important. what is important is that management considers carefully the factors that ma

14、y contribute to or increase risk. some factors to consider include: past experiences of failure to meet objectives; quality of personnel; changes affecting the entity such as competition, regulations, personnel, and the like; existence of geographically distributed, particularly foreign, activities;

15、 significance of an activity to the entity; and complexity of an activity.to illustrate, an importer of apparel and footwear established an entity-wide objective of becoming an industry leader in high-quality fashion merchandise. risks considered at the entity-wide level included: supply sources, in

16、cluding the quality, number and stability of foreign manufacturers; exposures to fluctuations in the value of foreign currencies; timeliness of receiving shipments and effect of delays in customs inspections; availability and reliability of shipping companies and costs; likelihood of international h

17、ostilities and trade embargoes; and pressures from customers and investors to boycott doing business in a foreign country whose government adopts unacceptable policies. these were in addition to the more generic risks considered, such as the impact of a deterioration in economic conditions, market a

18、cceptance of products, new competitors in the entitys market, and changes in environmental or regulatory laws and regulations.identifying external and internal factors that contribute to risk at an entity-wide level is critical to effective risk assessment. once the major contributing factors have b

19、een identified, management can then consider their significance and, where possible, link risk factors to business activities.activity level. in addition to identifying risk at the entity level, risks should be identified at the activity level. dealing with risks at this level helps focus risk asses

20、sment on major business units or functions such as sales, production, marketing, technology development, and research and development. successfully assessing activity-level risk also contributes to maintaining acceptable levels at the entity-wide level. in most instances, for any stated or implied o

21、bjective, many different risks can be identified. in a procurement process, for example, an entity may have an objective related to maintaining adequate raw materials inventory. the risks to not achieving the activity objective might include goods not meeting specifications, or not being delivered i

22、n needed quantities, on time or at acceptable prices. these risks might affect the way specifications for purchased goods are communicated to vendors, the use and appropriateness of production forecasts, identification of alternative supply sources and negotiation practices.potential causes of faili

23、ng to achieve an objective range from the obvious to the obscure and from the significant to the insignificant in potential effect. certainly, readily apparent risks that significantly affect the entity should be identified. to avoid overlooking relevant risks, this identification is best made apart

24、 from assessment of the likelihood of the risk occurring. there are, however, practical limitations to the identification process, and often it is difficult to determine where to draw the line. it doesnt make much sense to consider the risk of a meteor falling from space onto a companys production f

25、acility, while it may be reasonable to consider the risk of an airplane crash for a facility located near an airport runway.risk analysisafter the entity has identified entity-wide and activity risks, a risk analysis needs to be performed.the methodology for analyzing risks can vary, largely because

26、 many risks are difficult to quantify.nonetheless, the process which may be more or less formal usually includes: estimating the significance of a risk; assessing the likelihood (or frequency) of the risk occurring; considering how the risk should be managed that is, an assessment of what actions ne

27、ed to be taken.a risk that does not have a significant effect on the entity and that has a low likelihood of occurrence generally does not warrant serious concern. a significant risk with a high likelihood of occurrence, on the other hand, usually demands considerable attention. circumstances in bet

28、ween these extremes usually require difficult judgments. it is important that the analysis be rational and careful.there are numerous methods for estimating the cost of a loss from an identified risk. management should be aware of them and apply them as appropriate. however, many risks are indetermi

29、nate in size. at best they can be described as “l(fā)arge,” “moderate” or “small.”once the significance and likelihood of risk have been assessed, management needs to consider how the risk should be managed. this involves judgment based on assumptions about the risk, and reasonable analysis of costs ass

30、ociated with reducing the level of risk. actions that can be taken to reduce the significance or likelihood of the risk occurring include a myriad of decisions management may make every day. these range from identifying alternative supply sources or expanding product lines to obtaining more relevant

31、 operating reports or improving training programs. sometimes actions can virtually eliminate the risk, or offset its effect if it does occur. examples are vertical integration to reduce supplier risk, hedging financial exposures and obtaining adequate insurance coverage.note that there is a distinct

32、ion between risk assessment, which is part of internal control, and the resulting plans, programs or other actions deemed necessary by management to address the risks. the actions undertaken, as discussed in the prior paragraph, are a key part of the larger management process, but not an element of

33、the internal control system.along with actions for managing risk is the establishment of procedures to enable management to track the implementation and effectiveness of the actions. for example, one action an organization might take to manage the risk of loss of critical computer services is to for

34、mulate a disaster recovery plan. procedures then would be affected to ensure that the plan is appropriately designed and implemented. those procedures represent “control activities”, discussed in chapter 4.before installing additional procedures, management should consider carefully whether existing

35、 ones may be suitable for addressing identified risks. because procedures may satisfy multiple objectives, management may discover that additional actions are not warranted; existing procedures may be sufficient or may need to be performed better.management also should recognize that it is likely so

36、me level of residual risk will always exist not only because resources are always limited, but also because of other limitations inherent in every internal control system. these are discussed in chapter 7.risk analysis is not a theoretical exercise. it is often critical to the entitys success. it is

37、 most effective when it includes identification of all key business processes where potential exposures of some consequence exist. it might involve process analysis, such as identification of key dependencies and significant control nodes, and establishing clear responsibility and accountability. ef

38、fective process analysis directs special attention to cross-organizational dependencies, identifying, for example: where data originate, where they are stored, how they are converted to useful information and who uses the information. large organizations usually need to be particularly vigilant in a

39、ddressing intracompany and intercompany transactions and key dependencies. these processes can be positively affected by quality programs which, with a “buy-in” by employees, can be an important element in risk containment.unfortunately, the importance of risk analysis is sometimes recognized too la

40、te, as in the case of a major financial services firm where a senior executive offered what amounted to a wistful epitaph: “we just didnt think we faced so much risk.”managing changeeconomic, industry and regulatory environments change, and entities activities evolve. internal control effective unde

41、r one set of conditions will not necessarily be effective under another. fundamental to risk assessment is a process to identify changed conditions and take actions as necessary.thus, every entity needs to have a process, formal or informal, to identify conditions that can significantly affect its a

42、bility to achieve its objectives. as discussed further in chapter 5, a key part of that process involves information systems that capture, process and report information about events, activities and conditions that indicate changes to which the entity needs to react. such information may involve cha

43、nges in customer preferences or other factors affecting demand for the companys products or services. or, it may involve new technology affecting production processes or other business activities, or competitive or legislative or regulatory developments. with the requisite information systems in pla

44、ce, the process to identify and respond to changing conditions can be established.this process will parallel, or be a part of, the entitys regular risk assessment process described above. it involves identifying the changed condition this requires having mechanisms in place to identify and communica

45、te events or activities that affect the entitys objectives and analyzing the associated opportunities or risks. such analysis includes identifying potential causes of achieving or failing to achieve an objective, assessing the likelihood that such causes will occur, evaluating the probable effect on

46、 achievement of the objectives and considering the degree to which the risk can be controlled or the opportunity exploited.although the process by which an entity manages change is similar to, if not a part of, its regular risk-assessment process, it is discussed separately. this is because of its c

47、ritical importance to effective internal control and because it can too easily be overlooked or given insufficient attention in the course of dealing with everyday issues.source: committee of sponsoring organizations of the treadway commission (coso), internal controlintegrated framework, 1992:p39-4

48、4譯文：內(nèi)部控制-整體框架風(fēng)險(xiǎn)識(shí)別和分析風(fēng)險(xiǎn)的過程是一個(gè)重復(fù)不斷的過稱，并且是有效內(nèi)部控制制度的關(guān)鍵組成部分。管理層必須仔細(xì)關(guān)注企業(yè)各層次的風(fēng)險(xiǎn)并采取行動(dòng)來管理風(fēng)險(xiǎn)。風(fēng)險(xiǎn)識(shí)別企業(yè)的經(jīng)營可能因內(nèi)部或外部的因素而存在風(fēng)險(xiǎn)。而這些因素，又能影響明示或隱含的目標(biāo)。如果目標(biāo)日益偏離過去的表現(xiàn)，風(fēng)險(xiǎn)就隨之增加。在一些行為領(lǐng)域，企業(yè)因考慮到所能接受的行為，常常不設(shè)立明示的企業(yè)層面目標(biāo)。雖然在這些情況下，可能沒有一個(gè)明示或書面的目標(biāo)，但卻有一個(gè)暗示的目標(biāo)“無變化”或者“就是這樣”。這不意味暗示的目標(biāo)不存在內(nèi)部或外部的風(fēng)險(xiǎn)。例如，一個(gè)企業(yè)可能認(rèn)為其對顧客提供的服務(wù)是可以接受的，但由于競爭對手做法的改變，其服務(wù)在

49、客戶看來，卻可能惡化了。無論一個(gè)目標(biāo)是明示或隱含的，企業(yè)風(fēng)險(xiǎn)評(píng)估的過程都應(yīng)該考慮到可能發(fā)生的風(fēng)險(xiǎn)。風(fēng)險(xiǎn)識(shí)別應(yīng)是全面而復(fù)雜的，這很重要。它必須考慮企業(yè)和相關(guān)外界之間的所有重大相互影響，包括有關(guān)商品、服務(wù)和信息等。這些外界包括潛在和現(xiàn)有的供應(yīng)商、投資者、債權(quán)人、股東、雇員、客戶、買方、中介、競爭對手、公共機(jī)構(gòu)和新聞媒體。風(fēng)險(xiǎn)識(shí)別是一個(gè)重復(fù)的過程并與計(jì)劃過程緊密結(jié)合。利用“白紙”法來考慮風(fēng)險(xiǎn)也是很有益的，而不僅將風(fēng)險(xiǎn)與過去的回顧相聯(lián)系。企業(yè)層面 企業(yè)層面的風(fēng)險(xiǎn)來自于外部或者內(nèi)部因素。包括：外部因素 技術(shù)發(fā)展會(huì)影響研發(fā)的性質(zhì)和時(shí)機(jī)，或帶來采購的變化。 不斷變化的客戶需求和期望會(huì)影響產(chǎn)品開發(fā)、生產(chǎn)流程、

50、客戶服務(wù)、定價(jià)或保修。 競爭會(huì)改變企業(yè)營銷或服務(wù)活動(dòng)。 新的法律和法規(guī)可能要求經(jīng)營政策和策略的改變。 自然災(zāi)害可能導(dǎo)致經(jīng)營或信息系統(tǒng)的改變以及強(qiáng)調(diào)對或有損失制定應(yīng)急計(jì)劃的需要。 經(jīng)濟(jì)形勢的變化可能對有關(guān)融資、資本支出和擴(kuò)張的決策產(chǎn)生影響。內(nèi)部因素 信息系統(tǒng)運(yùn)行的終端會(huì)對經(jīng)營產(chǎn)生負(fù)面影響。 雇員的素質(zhì)和培訓(xùn)、激勵(lì)的方法可能對企業(yè)中的控制理念產(chǎn)生影響。 管理層職責(zé)的改變可能影響實(shí)施某些控制的方式。 企業(yè)經(jīng)營活動(dòng)的性質(zhì)、員工對資產(chǎn)的接觸途徑可能對資源的挪用產(chǎn)生影響。 非強(qiáng)硬的或無效的董事會(huì)或?qū)徲?jì)委員會(huì)可能為輕率的行為提供機(jī)會(huì)。有許多技巧被發(fā)展用于識(shí)別風(fēng)險(xiǎn)。其中多數(shù)尤其是那些被內(nèi)外審計(jì)師發(fā)展用于確定審

51、計(jì)業(yè)務(wù)范圍的技巧涉及將風(fēng)險(xiǎn)排列優(yōu)先次序以及識(shí)別更高風(fēng)險(xiǎn)行為的定量或定性的方法。其他實(shí)踐包括：對影響企業(yè)業(yè)務(wù)的經(jīng)濟(jì)形勢和行業(yè)因素的定期復(fù)核，高層管理人員的商業(yè)計(jì)劃會(huì)議以及與行業(yè)分析師的會(huì)晤。識(shí)別風(fēng)險(xiǎn)與企業(yè)的短期、長期預(yù)測和戰(zhàn)略規(guī)劃密切相關(guān)。企業(yè)選擇何種方式識(shí)別風(fēng)險(xiǎn)并不特別重要。重要的是管理層必須仔細(xì)考慮那些導(dǎo)致或增加風(fēng)險(xiǎn)的因素。一些需要考慮的因素包括：過去未能實(shí)現(xiàn)目標(biāo)的教訓(xùn)；人員素質(zhì)；影響企業(yè)的變化因素，如競爭、法規(guī)、人事等；地理上業(yè)務(wù)活動(dòng)的分散程度，特別是國外業(yè)務(wù)；某一業(yè)務(wù)活動(dòng)對企業(yè)的重要性；以及業(yè)務(wù)活動(dòng)的復(fù)雜性。舉例說明：一個(gè)服飾和鞋子的進(jìn)口商確定了企業(yè)層面的目標(biāo)為成為高質(zhì)量時(shí)尚商品的行業(yè)帶

52、頭人。在企業(yè)層面需要考慮的風(fēng)險(xiǎn)因素包括：供應(yīng)商資源；國外制造商質(zhì)量、數(shù)量和穩(wěn)定性；外匯匯率變動(dòng)的風(fēng)險(xiǎn)；運(yùn)輸?shù)募皶r(shí)性和海關(guān)檢查延誤帶來的影響；運(yùn)輸公司的有效性、可靠性和成本；國籍?dāng)骋暫唾Q(mào)易禁運(yùn)的可能性；以及國外的當(dāng)?shù)卣扇×瞬唤邮艿恼邥r(shí)，客戶和投資者抵制經(jīng)營活動(dòng)的壓力。還有一些需要考慮的更具一般性的風(fēng)險(xiǎn)，如經(jīng)濟(jì)條件惡化的影響，產(chǎn)品的市場接受度，企業(yè)市場上出現(xiàn)新的競爭者，以及環(huán)境或監(jiān)管法規(guī)的變動(dòng)等。識(shí)別企業(yè)層面的導(dǎo)致風(fēng)險(xiǎn)的內(nèi)、外部因素對有效的風(fēng)險(xiǎn)評(píng)估非常重要。一旦確定了主要的風(fēng)險(xiǎn)因素，管理層就可以考慮它們的重要程度，并盡可能講這些風(fēng)險(xiǎn)因素與業(yè)務(wù)活動(dòng)聯(lián)系起來。操作層面 除了識(shí)別企業(yè)層面的風(fēng)險(xiǎn)外，

53、還應(yīng)識(shí)別操作層面的風(fēng)險(xiǎn)。應(yīng)對這個(gè)層面的風(fēng)險(xiǎn)有助于將風(fēng)險(xiǎn)評(píng)估的重點(diǎn)放在重要的業(yè)務(wù)和職能部門商，如銷售、生產(chǎn)、營銷、技術(shù)發(fā)展和研究開發(fā)。對操作層面風(fēng)險(xiǎn)的成功評(píng)估還有助于將企業(yè)層面風(fēng)險(xiǎn)保持在可以接受的水平。許多例子表明，針對明示或隱含的目標(biāo)，可以識(shí)別很多不同的風(fēng)險(xiǎn)。如在采購循環(huán)中，企業(yè)可能有一個(gè)保持充足原材料存貨相關(guān)的目標(biāo)。未實(shí)現(xiàn)這一操作目標(biāo)的風(fēng)險(xiǎn)可能包括商品不符規(guī)格，或送來的訂貨數(shù)量不足、不及時(shí)、價(jià)格不合理等。這些風(fēng)險(xiǎn)可能會(huì)影響與供應(yīng)商溝通訂貨規(guī)格的方式，產(chǎn)品預(yù)測的適當(dāng)性以及其利用，確定其他供貨源和進(jìn)行談判等。未能實(shí)現(xiàn)目標(biāo)的可能原因包括明顯或模糊的、對企業(yè)潛在影響中藥或不重要的風(fēng)險(xiǎn)。當(dāng)然，那些對企業(yè)有重大影響、明顯的風(fēng)險(xiǎn)應(yīng)該識(shí)別。為了避免忽略相關(guān)風(fēng)險(xiǎn)，這