小规模上市公司内控报告指南.pdf

Internal Control – Integrated Framework Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting Executive Summary Guidance For Public Comment Please provide comments to www.ic.coso.org before December 31, 2005 October 2005 Committee of Sponsoring Organizations of the Treadway Commission Board Members Representative COSO Chair Larry E. RittenbergAmerican Accounting Association Mark BeasleyAmerican Institute of Certified Public Accountants Charles E. LandesFinancial Executives International Nick CyprusInstitute of Management Accountants Dennis L. NeiderThe Institute of Internal Auditors David A. RichardsPricewaterhouseCoopers LLP Principal Contributors Miles Everson Project Leader Partner New York City Mark Cohen Senior Manager Boston Chris Paul Senior Associate Boston Frank Frabizzio Partner Philadelphia Erinn Hansen Senior Manager Philadelphia Mario Patone Manager Philadelphia Tom Hyland Partner New York City Frank Martens Director Vancouver, Canada Shurjo Sen Manager New York City Paul Tarwater Partner Dallas Observer Jennifer Burns Professional Accounting Fellow Securities and Exchange Commission Project Task Force to COSO Guidance Deborah Lambert Chair Partner Johnson, Lambert however, the scale of the approaches to implement the principles may be different for a small company. COSO also emphasizes that the Framework is principles-based. This document has identified twenty-three principles fundamental to effective internal control for all companies, regardless of size. In addition, the Task Force has identified three principles to assist organizations, and their personnel, in understanding their roles and responsibilities in implementing effective internal control over financial reporting. These are collectively referred to as the twenty-six principles throughout this guidance and all are derived directly from the 1992 COSO Framework. Moreover, this document does not alter the original Framework or set a differing level of expectation as to what principles are required for smaller businesses. While all companies should adhere to these twenty-six principles, there are many different approaches used to apply them. This document illustrates, where appropriate, opportunities for companies to enhance internal control over financial reporting using different approaches that will satisfy the twenty-six principles. While these approaches are targeted for smaller companies, many of the approaches are also relevant to larger companies. COSO urges companies to reduce costs not by reducing the effectiveness of internal control, but by recognizing that internal control over financial reporting may be accomplished by choosing approaches to applying principles that best fit each company’s circumstances in the most cost effective manner. The guidance includes in each chapter a discussion of alternative approaches and provides detailed examples taken from smaller companies. The reader is encouraged to look at the approaches and examples and consider the cost effectiveness of these for their organization. Overview 4 Formalization of Controls and Documentation A common challenge for smaller companies is to strike a balance between formal and informal controls. Formal controls are those that are performed in accordance with policies established by a company and assist the company in carrying out is control procedures and training personnel. Formalization of controls provides structure and contributes to an understanding of each individual’s role and responsibility and thereby enhances the quality of controls. The formalization of controls has the important benefit of creating a source of evidence of the effectiveness of internal controls. Informal controls, on the other hand, are difficult to apply on a consistent basis. Each company’s management must determine the level and form of documentation required for its operations. A question remains as to “how formal” controls must be and, more explicitly, to what extent controls must be formally documented. In addition, management will also establish the formality with which it evidences controls as they occur. We have considered the formalization of controls in the context of three models. • Management reliance only – When management relies on internal controls solely for running the business, controls and supporting documentation are often less formal, in part due to greater concentration of decision-making authority, wider spans of control, and more direct channels of communication. Although less formal, controls must still be present to meet the company’s financial reporting objectives. For example, a smaller company may only verbally communicate internal control weaknesses noted through ongoing monitoring activities, not codify its authority for making decisions as all top management is directly engaged in all key decisions impacting re。