内部控制带来的影响

文章来源 | ECONOMIA


围绕如何提升内部控制环境的这个话题,许多人会诉诸《萨班斯-奥克斯利法案》(Sarbanes-Oxley act) 寻找启发。我们首先需要明确内部控制所带来的影响。


当我们第一次接触商业和会计领域时,就会了解到内部控制的重要性,以及拥有一个良好的控制环境可以帮助企业避免许多错误和恶意行为。


正确的企业精神和基调不仅让企业所有者相信他们的资本得到了有效的看管,而且对于运营一套具体内部控制流程也起着至关重要的作用。随着我们职业生涯的发展,我们大多数人参与具体控制流程的机会越来越少,我们逐渐意识到——无论是作为高级经理、董事还是那些经营管理者而言——控制环境的重要性。英国国内目前热议的一个话题是如何改进我们的内部控制框架,以及我们能在多大程度上借鉴其他司法管辖区(尤其是美国)的经验。


受美国安然公司和世通公司崩溃的警示,2002年美国通过《萨班斯-奥克斯利法案》(SOX)将内部控制写入美国法律,以更好地保护投资者免受财务报告欺诈。此外,该法案还要求首席执行官、首席财务官和外部审计师就财务报告的内部控制的有效性提交年度、公开和明确的报告。在英国, 要求建立英国特色的SOX管理体系呼声越来越高。


在今年三月出版的《审计的未来》的报告中, 六大会计师事务所中有五所机构, 以及投资者和审计主席都表示CEO和CFO应当承担更多责任,这将“有助于改善审计依赖的财务报告, 提高整个生态报告系统的可靠性”。许多ICAEW成员都表达了这一观点。

较差的控制环境和不恰当的控制程序需要及时修补。ICAEW成员认为, 注重内部控制的唯一方法就是让高级管理人员直接负责。但我们不应想当然地认为这个举措能够适用于所有地方。自美国建立SOX管理体系以来,它的各种变化形式已在其他国家应用,包括澳大利亚、加拿大、法国、德国、印度、日本和南非,但是它在这些国家的应用并不全是成功的。


绝大多数美国公司在SOX体系下使用“COSO内部控制框架”(一个在美国开发的框架)进行报告,它可以评估控制有效性。COSO拥有5个基本的控制组,在高水平上的迁移并不困难,但是具体的控制要求并不总是适用于别的国家。英国已经有了内部控制的框架,ICAEW的一份新报告“内部控制的有效性:谁需要知道?”指出,英国的内部控制报告系统比美国覆盖更广泛,更具前瞻性。


我们不应该忘记, 英国公司治理要求(早于SOX系统)使英国公司的管理层负责内部控制的范围更加广泛,而不仅仅是为了财务报告内部控制ICFR。我们可以从美国的经验中吸取教训。美国在初期实施SOX体系时,不仅运行困难,成本还很高昂, 部分原因是过分的监管和疏于指导,十七年的试验让人们普遍认为,在SOX体系下的报告比COSO框架更能全面改善ICFR。


事实上,正如报告所揭示的那样, 许多首席财务官发现,他们原本认为有效的一些控制措施实际上是不存在、无效的或缺乏证明文件的。在ICAEW,我们认为即将取代英国财务报告委员会(FRC)的新监管机构——审计、报告和治理局 (Audit, Reporting and Governance Authority) 应该调查和咨询如何制定英国式框架,以提高关于董事和审计人员内部控制的公共报告质量。


我们的报告提供了讨论议题,包括如何改善现有框架,美国式的要求是否会有所帮助,以及英国框架制度的范围是否应该缩小到ICFR。我强烈建议阅读此篇报告。 假如一个美式的制度被认为比现有制度更合适,这对我们所有人来说会产生一定的后果和影响。




The consequences surrounding internal control


The debate on how to improve the internal control environment in the UK is leading many to look to Sarbanes-Oxley for inspiration. We need to be clear what the consequences would be.


When we were all first learning about business and accountancy we were taught about the importance of internal controls, and of having a good control environment which protects the business from mistakes and malice. 


The right business ethos and the right tone at the top not only give the owners of a business confidence that their capital is being looked after, they are critical to the effective operation of a good set of detailed control procedures. As our careers progress, most of us become less involved with the detailed control procedures, and we become more aware – whether as senior managers, directors or those charged with governance – of the importance of the control environment. One of the live debates in the UK is how our internal control framework can be improved, and to what extent we can learn from the experience of other jurisdictions, in particular the US. 


The Sarbanes-Oxley (SOX) legislation on internal controls became law in the US in 2002, in the wake of the Enron and WorldCom crashes, to better protect investors from fraudulent financial reporting. Among other things, the legislation mandated annual, public and explicit reports by CEOS, CFOs and external auditors, on the effectiveness of internal controls over financial reporting (ICFR). Here in the UK, talk about support for a UK-style SOX regime has been animated. 


In its report, The Future of Audit, published in March this year cited evidence from five of the top six accountancy firms, as well as investors and audit chairs, giving their backing to such a move as it would “help improve financial reporting, on which audits depend and, by placing more responsibility on CEOs and CFOs, improve the overall reliability of the eco-reporting system”. This view is reflected by many ICAEW members I have spoken to.


A poor control environment and inadequate control procedures have to be remedied, and members believe that the only way to bring focus on internal controls is to make them the direct responsibility of senior management. But we should not assume that what works elsewhere in the world is some sort of silver bullet. Since SOX was established in the US, versions have been adopted by countries including Australia, Canada, France, Germany, India, Japan and South Africa – not always successfully. 


The overwhelming majority of US companies reporting under SOX use the “COSO” framework for internal controls – a voluntary framework, developed in the US – against which control effectiveness can be assessed. COSO, with its five basic ts, is not hard to translate at a high level, but the detailed requirements don’t always travel so well. The UK already has a framework for internal controls, as a new report from ICAEW – Internal Control Effectiveness: Who Needs to Know? – points out. Reporting on controls in the UK is wider in scope and covers more forward-looking information than it does in the US. 


And we should not forget either that the UK corporate governance requirements – which predate SOX – make UK boards collectively responsible for internal controls more generally, and not just for ICFR. That’s not to say there aren’t lessons to be learned about the US experience. While implementation in the US was problematic and expensive at first, partly because of overzealous regulation and little guidance, 17 years on it is widely acknowledged that reporting under SOX against the COSO framework has resulted in an overall improvement in ICFR.


Indeed, as the report reveals: “Many CFOs discovered that some of the controls they had thought were in place and effective were, in fact, not there, or were ineffective or undocumented”. At ICAEW we believe that the new Audit, Reporting and Governance Authority, which will shortly replace the Financial Reporting Council, should investigate and consult on ways to develop the UK framework for better quality public reporting on internal controls by directors and auditors. 


Our report provides questions for discussion, including what could be done to improve the UK framework, whether US-style requirements would help, and whether the scope of the UK regime should be narrowed to just ICFR. I strongly recommend reading the report. If the UK decides a more US-style regime would be more appropriate than the status quo, there will be consequences for all of us.