2024年3月22日发(作者：win7怎么进入pe系统)

Components of Internal Control

内部控制的要素

Internal control consists of five integrated components.

内部控制包括五个相关关联的要素。

Control Environment

控制环境

The control environment is the set of standards, processes, and structures that

provide the basis for carrying out internal control across the organization. The

board of directors and senior management establish the tone at the top regarding

the importance of internal control including expected standards of conduct.

Management reinforces expectations at the various levels of the organization. The

control environment comprises the integrity and ethical values of the organization;

the parameters enabling the board of directors to carry out its governance

oversight responsibilities; the organizational structure and assignment of authority

and responsibility; the process for attracting, developing, and retaining competent

individuals; and the rigor around performance measures, incentives, and rewards

to drive accountability for performance. The resulting control environment has a

pervasive impact on the overall system of internal control.

控制环境是一套标准、流程和结构，能够为内部控制的实施提供基础。董事会和高级

管理层为内部控制的重要性（包括期待的行为准则）提供高层定调（the tone at the top）。

组织各个层级的管理活动强化了这种期望。控制环境包括了组织正直和道德的价值观；促

进董事会行使公司治理的监控职责的机制；吸引、开发和保留人才的机制；严格的绩效衡

量、激励和汇报机制以保证绩效实现。控制环境会对内部控制的整体体系产生全面影响。

Risk Assessment

风险评估

Every entity faces a variety of risks from external and internal sources. Risk is

defined as the possibility that an event will occur and adversely affect the

achievement of objectives. Risk assessment involves a dynamic and iterative

process for identifying and assessing risks to the achievement of objectives. Risks

to the achievement of these objectives from across the entity are considered

relative to established risk tolerances. Thus, risk assessment forms the basis for

determining how risks will be managed.

每个组织都面临着来自内外部的各类风险。风险是潜在事件发生并对组织实现其目标

产生负面影响的可能性。风险评估包括了根据组织要实现的目标，动态和反复的识别和评

估风险的过程。将全组织范围的影响目标实现的风险同已经建立的风险容忍度一同考量后，

风险评估就为决定风险如何进行管理打下了基础。

A precondition to risk assessment is the establishment of objectives, linked at

different levels of the entity. Management specifies objectives within categories

relating to operations, reporting, and compliance with sufficient clarity to be able

to identify and analyze risks to those objectives. Management also considers the

suitability of the objectives for the entity. Risk assessment also requires

management to consider the impact of possible changes in the external

environment and within its own business model that may render internal control

ineffective.

风险评估的先决条件是组织各个层级的目标的确立。管理层要结合运营、报告和遵循

的三大类目标，明确相应的具体目标，以便识别和分析相关的风险。管理层也要考虑这些

目标对于组织的可持续性。风险评估还要求管理层考虑可能导致内控失效的外部环境和内

部商业模式的可能变化。

Control Activities

控制活动

Control activities are the actions established through policies and procedures

that help ensure that management’s directives to mitigate risks to the

achievement of objectives are carried out. Control activities are performed at all

levels of the entity, at various stages within business processes, and over the

technology environment. They may be preventive or detective in nature and may

encompass a range of manual and automated activities such as authorizations and

approvals, verifications, reconciliations, and business performance reviews.

Segregation of duties is typically built into the selection and development of

control activities. Where segregation of duties is not practical, management

selects and develops alternative control activities.

控制活动是通过制度和流程所确立的行动，旨在确保管理层降低影响组织目标实现的

风险的方针得以实现。在组织的各个层级，业务的各个环节，信息技术的整个环境中都应

实施控制活动。从性质上，可以是预防性的，也可以是检查性的；应覆盖手工和自动控制；

包括授权和批准，复核，对账和业务绩效评估。不相容职责分离也是典型的应选取和推进

的控制活动。如果不相容职责分离无法实施，管理层应选择和推进替代性的控制活动。

Information and Communication

信息与沟通

Information is necessary for the entity to carry out internal control

responsibilities to support the achievement of its objectives. Management obtains

or generates and uses relevant and quality information from both internal and

external sources to support the functioning of other components of internal

control.

信息对于组织而言，对推进内控、促进其目标实现是非常必要的。管理层从内外部获

得或生成，并且使用相关的有质量的信息来支持内部控制其他要素的正常运转。

Communication is the continual, iterative process of providing, sharing, and

obtaining necessary information. Internal communication is the means by which

information is disseminated throughout the organization, flowing up, down, and

across the entity. It enables personnel to receive a clear message from senior

management that control responsibilities must be taken seriously. External

communication is twofold: it enables inbound communication of relevant external

information, and it provides information to external parties in response to

requirements and expectations.

沟通是一个持续和不断重复的提供、分享和获得必要的信息的过程，。内部沟通是一个

手段，使得信息能够在整个组织向上、向下和横向扩散，能够帮助员工接受来自高管层的

清晰的信息——控制的职责必须认真实施。外部沟通包括两个部分：将外部的相关信息传

入组织内部，以及根据其要求和期望，提供信息给外部的相关方。

Monitoring Activities

监督活动

Ongoing evaluations, separate evaluations, or some combination of the two

are used to ascertain whether each of the five components of internal control,

including controls to effect the principles within each component, is present and

functioning. Ongoing evaluations, built into business processes at different levels

of the entity, provide timely information. Separate evaluations, conducted

periodically, will vary in scope and frequency depending on assessment of risks,

effectiveness of ongoing evaluations, and other management considerations.

Findings are evaluated against criteria established by regulators, recognized

standard-setting bodies or management and the board of directors, and

deficiencies are communicated to management and the board of directors as

appropriate.

持续的评价，独立的评价，或者两者的某种组合可以用来确认内部控制的五个要素以

及每个要素下的原则是否存在并发挥作用。嵌入整个业务体系的持续评价可以提供及时的

信息；独立的评价需要定期开展，其范围和频率可能因风险评估，持续评价的有效程度以

及管理层的其他考虑而有所不同。评价中的发现应结合监管者、标准订立机构和管理层、

董事会所设定的标准进行评估；缺陷应当视情况传递给管理层和董事会。