Comparison of Internal Control Components
Hello, this is Maruyama Mitsuhiko. Below is a comparison table of the components of internal control, built from excerpted summaries of the relevant chapter of each report. COSO and COSO ERM give a great deal of definition-like text for each component, while COSO for Small PC simply lists its principles.
・COSO
・GAO
・INTOSAI
・COSO ERM
・COSO for Small PC
Frameworks compared (year of the document quoted): COSO (1992), GAO (1999), INTOSAI (2004), COSO ERM (2004), COSO for Small PC (2006). For each component, the excerpt from each framework follows in that order.

Control Environment

COSO (1992): The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

GAO (1999): Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

INTOSAI (2004): The control environment sets the tone of an organisation, influencing the control consciousness of its staff. It is the foundation for all other components of internal control, providing discipline and structure. Elements of the control environment are: (1) the personal and professional integrity and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organisation; (2) commitment to competence; (3) the "tone at the top" (i.e. management's philosophy and operating style); (4) organisational structure; (5) human resource policies and practices.

ERM (2004): The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity's risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility, and organizes and develops its people.

COSO for Small PC (2006):
1. Integrity and Ethical Values: Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for financial reporting.
2. Board of Directors: The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
3. Management's Philosophy and Operating Style: Management's philosophy and operating style support achieving effective internal control over financial reporting.
4. Organizational Structure: The company's organizational structure supports effective internal control over financial reporting.
5. Financial Reporting Competencies: The company retains individuals competent in financial reporting and related oversight roles.
6. Authority and Responsibility: Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
7. Human Resources: Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.

Risk Assessment

COSO (1992): Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

GAO (1999): Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.

INTOSAI (2004): Risk assessment is the process of identifying and analysing relevant risks to the achievement of the entity's objectives and determining the appropriate response. It implies:
(1) risk identification: related to the objectives of the entity; comprehensive; includes risks due to external and internal factors, at both the entity and the activity levels;
(2) risk evaluation: estimating the significance of a risk; assessing the likelihood of the risk occurrence;
(3) assessment of the risk appetite of the organisation;
(4) development of responses: four types of responses to risk must be considered: transfer, tolerance, treatment or termination; of these, risk treatment is the most relevant to these guidelines because effective internal control is the major mechanism to treat risk; the appropriate controls involved can be either detective or preventive.
As governmental, economic, industry, regulatory and operating conditions are in constant change, risk assessment should be an ongoing iterative process. It implies identifying and analysing altered conditions and opportunities and risks (risk assessment cycle) and modifying internal control to address changing risk.

ERM (2004): Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives, likelihood and impact, and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis.

COSO for Small PC (2006):
8. Financial Reporting Objectives: Management specifies financial reporting objectives with sufficient clarity and criteria to enable the identification of risks to reliable financial reporting.
9. Financial Reporting Risks: The company identifies and analyzes risks to the achievement of financial reporting objectives as a basis for determining how the risks should be managed.
10. Fraud Risk: The potential for material misstatement due to fraud is explicitly considered in assessing risks to the achievement of financial reporting objectives.

Control Activities

COSO (1992): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

GAO (1999): Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. Two categories are distinguished: General Control and Application Control.

INTOSAI (2004): Control activities are the policies and procedures established to address risks and to achieve the entity's objectives. To be effective, control activities must be appropriate, function consistently according to plan throughout the period, and be cost effective, comprehensive, reasonable and directly relate to the control objectives. Control activities occur throughout the organisation, at all levels and in all functions. They include a range of detective and preventive control activities as diverse, for example, as: (1) authorization and approval procedures; (2) segregation of duties (authorizing, processing, recording, reviewing); (3) controls over access to resources and records; (4) verifications; (5) reconciliations; (6) reviews of operating performance; (7) reviews of operations, processes and activities; (8) supervision (assigning, reviewing and approving, guidance and training). Entities should reach an adequate balance between detective and preventive control activities. Corrective actions are a necessary complement to control activities in order to achieve the objectives.

ERM (2004): Control activities are the policies and procedures that help ensure that management's risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

COSO for Small PC (2006):
11. Integration with Risk Assessment: Actions are taken to address risks to the achievement of financial reporting objectives.
12. Selection and Development of Control Activities: Control activities are selected and developed considering their cost and their potential effectiveness in mitigating risks to the achievement of financial reporting objectives.
13. Policies and Procedures: Policies related to reliable reporting are established and communicated throughout the company, with corresponding procedures resulting in management directives being carried out.
14. Information Technology: Information technology controls, where applicable, are designed and implemented to support the achievement of financial reporting objectives.

Information and Communication

COSO (1992): Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.

GAO (1999): Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

INTOSAI (2004): Information and communication are essential to realising all internal control objectives.
Information: A precondition for reliable and relevant information is the prompt recording and proper classification of transactions and events. Pertinent information should be identified, captured and communicated in a form and timeframe that enables staff to carry out their internal control and other responsibilities (timely communication to the right people). Therefore, the internal control system as such and all transactions and significant events should be fully documented. Information systems produce reports that contain operational, financial and non-financial, and compliance-related information and that make it possible to run and control the operation. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to enable decision-making and reporting. Management's ability to make appropriate decisions is affected by the quality of information, which implies that the information should be appropriate, timely, current, accurate and accessible.
Communication: Effective communication should flow down, across, and up the organisation, throughout all components and the entire structure. All personnel should receive a clear message from top management that control responsibilities should be taken seriously. They should understand their own role in the internal control system, as well as how their individual activities relate to the work of others. There also needs to be effective communication with external parties.

ERM (2004): Pertinent information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems use internally generated data, and information from external sources, providing information for managing risks and making informed decisions relative to objectives. Effective communication also occurs, flowing down, across, and up the organization. All personnel receive a clear message from top management that enterprise risk management responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties, such as customers, suppliers, regulators, and shareholders.

COSO for Small PC (2006):
15. Financial Reporting Information: Pertinent information is identified, captured and used at all levels of a company, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
16. Internal Control Information: Information used to execute other control components is identified, captured, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.
17. Internal Communication: Communication enables and supports understanding and execution of internal control objectives, processes, and individual responsibilities at all levels of the organization.
18. External Communication: Matters affecting the achievement of financial reporting objectives are communicated with outside parties.

Monitoring

COSO (1992): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

GAO (1999): Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

INTOSAI (2004): Internal control systems should be monitored to assess the quality of the system's performance over time. Monitoring is accomplished through routine activities, separate evaluations or a combination of both.
(1) Ongoing monitoring: Ongoing monitoring of internal control is built into the normal, recurring operating activities of an entity. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. Ongoing monitoring activities cover each of the internal control components and involve action against irregular, unethical, uneconomical, inefficient and ineffective internal control systems.
(2) Separate evaluations: The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Specific separate evaluations cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results based on predefined methods and procedures.
Internal control deficiencies should be reported to the appropriate level of management. Monitoring should ensure that audit findings and recommendations are adequately and promptly resolved.

ERM (2004): (blank)

COSO for Small PC (2006):
19. Ongoing and Separate Evaluations: Ongoing and/or separate evaluations enable management to determine whether internal control over financial reporting is present and functioning.
20. Reporting Deficiencies: Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action, and to management and the board as appropriate.