Source | ECONOMIA
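On the question of how to improve the internal control environment, many people look to the Sarbanes-Oxley Act for inspiration. We first need to be clear about the consequences that internal control brings.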
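In the report The Future of Audit, published in March this year, five of the six largest accountancy firms, as well as investors and audit chairs, said that CEOs and CFOs should bear more responsibility, which would "help improve the financial reporting on which audits depend and improve the reliability of the entire eco-reporting system". Many ICAEW members have expressed this view.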
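We should not forget that the UK corporate governance requirements (which predate SOX) make the management of UK companies responsible for internal controls more broadly, and not just for internal controls over financial reporting (ICFR). We can learn lessons from the US experience. When the US first implemented SOX, it was not only difficult to operate but also expensive, partly because of excessive regulation and a lack of guidance; seventeen years of experience have led to the widely held view that reporting under SOX has improved ICFR more comprehensively than the COSO framework.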
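In fact, as the report reveals, many CFOs discovered that some of the controls they had thought were effective were in fact non-existent, ineffective or lacking supporting documentation. At ICAEW, we believe that the new regulator that will shortly replace the UK Financial Reporting Council (FRC), the Audit, Reporting and Governance Authority, should investigate and consult on how to develop a UK-style framework to improve the quality of public reporting on internal controls by directors and auditors.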
The consequences surrounding internal control
The debate on how to improve the internal control environment in the UK is leading many to look to Sarbanes-Oxley for inspiration. We need to be clear what the consequences would be.
When we were all first learning about business and accountancy we were taught about the importance of internal controls, and of having a good control environment which protects the business from mistakes and malice.
The right business ethos and the right tone at the top not only give the owners of a business confidence that their capital is being looked after, they are critical to the effective operation of a good set of detailed control procedures. As our careers progress, most of us become less involved with the detailed control procedures, and we become more aware – whether as senior managers, directors or those charged with governance – of the importance of the control environment. One of the live debates in the UK is how our internal control framework can be improved, and to what extent we can learn from the experience of other jurisdictions, in particular the US.
The Sarbanes-Oxley (SOX) legislation on internal controls became law in the US in 2002, in the wake of the Enron and WorldCom crashes, to better protect investors from fraudulent financial reporting. Among other things, the legislation mandated annual, public and explicit reports by CEOs, CFOs and external auditors, on the effectiveness of internal controls over financial reporting (ICFR). Here in the UK, talk about support for a UK-style SOX regime has been animated.
The report The Future of Audit, published in March this year, cited evidence from five of the top six accountancy firms, as well as investors and audit chairs, giving their backing to such a move as it would “help improve financial reporting, on which audits depend and, by placing more responsibility on CEOs and CFOs, improve the overall reliability of the eco-reporting system”. This view is reflected by many ICAEW members I have spoken to.
A poor control environment and inadequate control procedures have to be remedied, and members believe that the only way to bring focus on internal controls is to make them the direct responsibility of senior management. But we should not assume that what works elsewhere in the world is some sort of silver bullet. Since SOX was established in the US, versions have been adopted by countries including Australia, Canada, France, Germany, India, Japan and South Africa – not always successfully.
The overwhelming majority of US companies reporting under SOX use the “COSO” framework for internal controls – a voluntary framework, developed in the US – against which control effectiveness can be assessed. COSO, with its five basic ts, is not hard to translate at a high level, but the detailed requirements don’t always travel so well. The UK already has a framework for internal controls, as a new report from ICAEW – Internal Control Effectiveness: Who Needs to Know? – points out. Reporting on controls in the UK is wider in scope and covers more forward-looking information than it does in the US.
And we should not forget either that the UK corporate governance requirements – which predate SOX – make UK boards collectively responsible for internal controls more generally, and not just for ICFR. That’s not to say there aren’t lessons to be learned about the US experience. While implementation in the US was problematic and expensive at first, partly because of overzealous regulation and little guidance, 17 years on it is widely acknowledged that reporting under SOX against the COSO framework has resulted in an overall improvement in ICFR.
Indeed, as the report reveals: “Many CFOs discovered that some of the controls they had thought were in place and effective were, in fact, not there, or were ineffective or undocumented”. At ICAEW we believe that the new Audit, Reporting and Governance Authority, which will shortly replace the Financial Reporting Council, should investigate and consult on ways to develop the UK framework for better quality public reporting on internal controls by directors and auditors.
Our report provides questions for discussion, including what could be done to improve the UK framework, whether US-style requirements would help, and whether the scope of the UK regime should be narrowed to just ICFR. I strongly recommend reading the report. If the UK decides a more US-style regime would be more appropriate than the status quo, there will be consequences for all of us.