
2006.07.30

Comparison of the Components of Internal Control

 Hello, Mitsuhiko Maruyama here. This is a comparison table of the components of internal control; for each framework I have excerpted the summary of the relevant chapter from the respective report. COSO and COSO ERM give what amount to many definitions of each component, whereas COSO for Small PC (COSO's 2006 guidance on internal control over financial reporting for smaller public companies) simply lists principles.

Sources compared (year of publication in parentheses):

・COSO (1992)
・GAO (1999)
・INTOSAI (2004)
・COSO ERM (2004)
・COSO for Small PC (2006)

For each component of internal control, the text from each of the five sources is given below in the order listed above.

Control Environment

COSO (1992)

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

GAO (1999)

Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

INTOSAI (2004)

The control environment sets the tone of an organisation, influencing the control consciousness of its staff. It is the foundation for all other components of internal control, providing discipline and structure.

Elements of the control environment are:

(1) the personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organisation;

(2) commitment to competence;

(3) the “tone at the top” (i.e. management’s philosophy and operating style);

(4) organisational structure;

(5) human resource policies and practices.

COSO ERM (2004)

The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.

COSO for Small PC (2006)

1. Integrity and Ethical Values

  Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for financial reporting.

2. Board of Directors

  The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.

3. Management’s Philosophy and Operating Style

  Management’s philosophy and operating style support achieving effective internal control over financial reporting.

4. Organizational Structure

  The company’s organizational structure supports effective internal control over financial reporting.

5. Financial Reporting Competencies

  The company retains individuals competent in financial reporting and related oversight roles.

6. Authority and Responsibility

  Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

7. Human Resources

  Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

COSO (1992)

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

GAO (1999)

Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

INTOSAI (2004)

Risk assessment is the process of identifying and analysing relevant risks to the achievement of the entity’s objectives and determining the appropriate response.

It implies:

(1) risk identification:

related to the objectives of the entity;

comprehensive;

includes risks due to external and internal factors, at both the entity and the activity levels;

(2) risk evaluation:

estimating the significance of a risk;

assessing the likelihood of the risk occurrence;

(3) assessment of the risk appetite of the organisation;

(4) development of responses:

four types of responses to risk must be considered: transfer, tolerance, treatment or termination; of these, risk treatment is the most relevant to these guidelines because effective internal control is the major mechanism to treat risk;

the appropriate controls involved can be either detective or preventive.

As governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing iterative process. It implies identifying and analysing altered conditions and opportunities and risks (risk assessment cycle) and modifying internal control to address changing risk.

COSO ERM (2004)

Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives − likelihood and impact − and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis.

COSO for Small PC (2006)

8. Financial Reporting Objectives

  Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.

9. Financial Reporting Risks

  The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.

10. Fraud Risk

  The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

COSO (1992)

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

GAO (1999)

Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives.

General Control

Application Control

INTOSAI (2004)

Control activities are the policies and procedures established to address risks and to achieve the entity’s objectives.

To be effective, control activities must be appropriate, function consistently according to plan throughout the period, and be cost effective, comprehensive, reasonable and directly relate to the control objectives.

Control activities occur throughout the organisation, at all levels and in all functions. They include a range of detective and preventive control activities as diverse, for example, as:

(1) authorization and approval procedures;

(2) segregation of duties (authorizing, processing, recording, reviewing);

(3) controls over access to resources and records;

(4) verifications;

(5) reconciliations;

(6) reviews of operating performance;

(7) reviews of operations, processes and activities;

(8) supervision (assigning, reviewing and approving, guidance and training).

Entities should reach an adequate balance between detective and preventive control activities.

Corrective actions are a necessary complement to control activities in order to achieve the objectives.

COSO ERM (2004)

Control activities are the policies and procedures that help ensure that management’s risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities − as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

COSO for Small PC (2006)

11. Integration with Risk Assessment

  Actions are taken to address risks to the achievement of financial reporting objectives.

12. Selection and Development of Control Activities

  Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.

13. Policies and Procedures

 Policies related to reliable reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.

14. Information Technology

  Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication

COSO (1992)

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

GAO (1999)

Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

INTOSAI (2004)

Information and communication are essential to realising all internal control objectives.

Information

A precondition for reliable and relevant information is the prompt recording and proper classification of transactions and events. Pertinent information should be identified, captured and communicated in a form and timeframe that enables staff to carry out their internal control and other responsibilities (timely communication to the right people). Therefore, the internal control system as such and all transactions and significant events should be fully documented. Information systems produce reports that contain operational, financial and non-financial, and compliance-related information and that make it possible to run and control the operation. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to enable decision-making and reporting. Management’s ability to make appropriate decisions is affected by the quality of information which implies that the information should be appropriate, timely, current, accurate and accessible.

Communication

Effective communication should flow down, across, and up the organisation, throughout all components and the entire structure.

All personnel should receive a clear message from top management that control responsibilities should be taken seriously. They should understand their own role in the internal control system, as well as how their individual activities relate to the work of others.

There also needs to be effective communication with external parties.

COSO ERM (2004)

Pertinent information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems use internally generated data, and information from external sources, providing information for managing risks and making informed decisions relative to objectives. Effective communication also occurs, flowing down, across, and up the organization. All personnel receive a clear message from top management that enterprise risk management responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

COSO for Small PC (2006)

15. Financial Reporting Information

  Pertinent information is identified, captured and used at all levels of a company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.

16. Internal Control Information

  Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

17. Internal Communication

  Communication enables and supports understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.

18. External Communication

  Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

COSO (1992)

Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

GAO (1999)

Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

INTOSAI (2004)

Internal control systems should be monitored to assess the quality of the system’s performance over time. Monitoring is accomplished through routine activities, separate evaluations or a combination of both.

(1) Ongoing monitoring

Ongoing monitoring of internal control is built into the normal, recurring operating activities of an entity. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective internal control systems.

(2) Separate evaluations

The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results based on predefined methods and procedures.

Internal control deficiencies should be reported to the appropriate level of management.

Monitoring should ensure that audit findings and recommendations are adequately and promptly resolved.

COSO ERM (2004)

Enterprise risk management is monitored – assessing the presence and functioning of its components over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.

COSO for Small PC (2006)

19. Ongoing and Separate Evaluations

  Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.

20. Reporting Deficiencies

  Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.
