-
The construction of enterprise internal control should take the efficiency and effectiveness of operation as the leading goal, and the reliability of financial report, the safety of assets and the compliance of operation as the three major guarantee goals. On this basis, the construction practice will focus on the establishment of internal control organization and the five elements of internal control construction.
(1) internal control organization
Organization is the basic guarantee of system operation. The usual internal control organization includes two levels: the board of directors and the management. It is emphasized that the board of directors is responsible for the construction and implementation of internal control, and a special audit (risk) management Committee is set up to strengthen management. In addition, the establishment of internal control organization emphasizes that managers are the concrete implementers and responsible persons of the internal control construction of enterprises, and all management departments carry out the construction and implementation of internal control according to their functions. Among them, whether to set up a full-time internal control department is the focus of the business community, and the usual setting methods include three:
Method 1: Establish a separate internal control department. The advantage is to improve the initial efficiency of internal control construction, but the disadvantage is that the internal control department is separated from the management department, which fails to reflect the integration of internal control responsibility and management responsibility. This method is widely used in financial enterprises. For the real economy, there is usually no full-time internal control department.
Method 2: Internal control is led by the internal audit department. The advantage is that after the initial construction of the system is completed and the system runs smoothly, internal audit, as the supervision department of internal control, can take the lead in coordinating all departments to conduct internal control self-evaluation on a regular basis on the basis of the whole company, and constantly improve the construction of internal control system. The disadvantage is that the internal audit department of domestic enterprises is often short of talents, and it may be inadequate to undertake this important task independently in the initial stage of internal control construction.
Mode 3: set up an internal control construction office during the centralized period of internal control construction, and the office will deploy personnel from all major departments to engage in the construction of internal control system full-time. When the system is officially put into operation, the office will be dissolved, the personnel will return to all management departments, and the lead function will also return to the internal audit department. The advantage of this method is that it can concentrate the strength of all departments to complete the systematic construction of internal control. After the system runs smoothly, the relevant personnel will return to the backbone positions of the management department, which is conducive to promoting the understanding of the internal control system and the integration of internal control and management in various management departments. Practice shows that the third internal control mode is better for real economy enterprises with weak management foundation.
Of course, there are no certain rules for the establishment of organizations. Enterprises should set up internal control organizations according to their own characteristics and clarify relevant management responsibilities.
(2) Diagnosis and improvement of internal environment
Internal environment is the carrier of enterprise internal control construction and operation. When establishing internal control mechanism, enterprises should first diagnose and improve the internal environment. On the one hand, the improvement of internal environment can lay the foundation for the design and operation of control activities; On the other hand, the diagnosis of internal environment can strengthen the matching between control activities and internal environment, which is conducive to the smooth progress of control activities.
Usually, the diagnosis and improvement of internal environment includes six aspects: governance structure, institutional setup, power and responsibility distribution, internal audit, human resources policy and corporate culture. Among them, we must first improve the organizational setting, power and responsibility distribution and positioning of internal audit, so that the design and operation of subsequent control activities will be smooth. Governance structure, human resource policy and corporate culture can be improved synchronously with the operation of control activities.
(3) Dynamic risk assessment
Risk assessment is an important embodiment of the systematic construction of internal control, and it is also an important basis for the design of subsequent internal control measures. According to the principle of cost-effectiveness, enterprises should strengthen internal control measures to effectively reduce risks. For secondary risks, enterprises should simplify control activities and process design, bear related risks, and embody the concept of internal control construction with the efficiency and effect of operation as the leading goal.
Risk assessment includes two stages: risk identification and risk assessment. In the risk identification stage, enterprises should identify the uncertain factors that affect the realization of internal control objectives, identify and classify enterprise risks, and form an enterprise risk management database. Generally speaking, the risks of enterprises can be divided into five categories: strategic risk, market risk, operational risk, financial risk and legal risk, and further subdivided on this basis. In the risk assessment stage, enterprises should use the two-dimensional risk assessment coordinate diagram to assess risks from two dimensions: destructiveness and frequency, and define risk points as major risk, medium risk and low risk. Enterprises should set the standards for risk assessment according to the characteristics and objectives of the industry, and the evaluation standards should pay attention to the combination of quantitative and qualitative standards.
In practice, we emphasize that enterprises in different industries, or different enterprises in the same industry, or the same enterprise is at different stages of development, the results of risk assessment are different. Therefore, enterprises should conduct risk assessment at least once a year, discover new risks brought by new environment and new business in time, dynamically adjust the risk assessment results, and then dynamically adjust the norms of control activities, so as to make the original static internal control system move and always set foot on the pace of enterprise development.
(4) Design of control activities
Control activity is the core element of implementing internal control system. In the process of standardizing control activities, enterprises shall form internal control policies and procedures manuals (hereinafter referred to as internal control manuals).
When designing control activities, enterprises should establish a design concept that is integrated with management activities. Firstly, the cycle of enterprise control activities is defined, then the internal control measures are embedded in the control activities, the system flow design of management activities is improved, and the enterprise internal control manual is formed. The internal control manual adopts module design, and each module generally includes five aspects:
First, management objectives. Focusing on the objectives of internal control, when designing an internal control manual, enterprises should first make clear the management objectives of control activities. For example, the management objectives of the procurement payment cycle should include ensuring material supply, improving procurement efficiency, reducing capital occupation, controlling procurement costs, and ensuring accurate accounting.
Second, the management organization and responsibilities. This part clearly defines the organizations and responsibilities involved in the control activities to ensure the smooth operation of the follow-up process.
Third, the authorization approval matrix. This part should clearly divide all rights related to control activities among the board of directors, managers and functional departments, and clarify the responsibility for examination and approval at all levels.
Fourth, control activity requirements. This part is generally written in the form of system text, which clarifies the internal control requirements of each control link of control activities and serves as the basis for the design of related business management processes.
Fifth, according to the above parts, all business management departments should reorganize and improve business processes, strengthen control measures for key risk points, and ensure that organizational responsibilities, authorization approval and internal control requirements are implemented in business processes to ensure the realization of management objectives.
In the process of designing the internal control manual, the design concept of integration with the existing business management activities of the enterprise is particularly emphasized, and it is forbidden to design an isolated internal control manual that is divorced from the original system process, so as to avoid the phenomenon that the business department still refers to the original process and the internal control manual is shelved in practice.
(5) Information and communication run through.
Information and communication refers to ensuring that the right position can get the right information at the right time in the construction of internal control. The design of information and communication should run through the internal environment, risk assessment and control activities, such as the reporting procedure of risk assessment report and the design of control documents in control activities, which all reflect the establishment and perfection of information and communication elements.
(6) means of internal supervision.
Internal supervision is placed at the end of the five elements, which is the embodiment of the closed loop of internal control management. Therefore, internal supervision can also be regarded as the first of the five elements, which is the basis for continuous improvement of internal environment, risk assessment, control activities, information and communication elements. Internal supervision means include risk early warning, internal evaluation and performance appraisal, all of which are indispensable.
Risk early warning is a relatively new management tool. Through the report and tracking of early warning indicators, we can break through the time and space limitation of traditional internal audit of enterprises, and use the efficient information collection means of modern enterprises to help managers extract key information from massive data, capture key data that enterprises tend to ignore or lower-level managers try to hide, and find and take measures to prevent risks in time. The design of risk early warning system includes four tasks: selecting index items, setting critical values, tracking and analyzing reports and correcting key data. Enterprises should set risk early warning indicators according to their own industry characteristics and management priorities, and gradually accumulate critical values.
Self-evaluation of internal control is the requirement of basic norms and an important part of management audit. The key to improving internal evaluation means is to establish evaluation standards and evaluation processes, clarify the identification standards of internal control defects and standardize evaluation reports.
In addition, performance appraisal emphasizes that the effectiveness of internal control construction and operation should be included in enterprise performance appraisal to promote the implementation of internal control system.