SOX合规与内部控制

TopITServiceManagement!CosoluVersion1.0Copyright©2007CosoluSOX合规与内部控制Copyright©2007CosoluCosoluAgenda•SOX法案及404条款•内部控制•COSO内控框架•IT控制•COBIT框架•SOXIT合规Copyright©2007CosoluCosoluSOX法案•美国国会2002出台《公众公司会计改革与投资者保护法案》，又被称作Sarbanes-Oxley法案。–第一章公众公司会计监察委员会–第二章审计师的独立性–第三章公司的责任–第四章强化财务信息披露–第五章利益冲突的分析–第六章委员会的组成及其权利–第七章研究及报告–第八章公司欺诈及其刑事责任–第九章强化白领刑事责任–第十章公司纳税申报表–第十一章公司欺诈责任Copyright©2007CosoluCosoluSOX法案404条款－管理层对内部控制的评价TheCommissionshallprescriberulesrequiringeachannualreportrequiredbysection13(a)or15(d)oftheSecuritiesExchangeActof1934tocontainaninternalcontrolreport,whichshall—(1)statetheresponsibilityofmanagementforestablishingandmaintaininganadequateinternalcontrolstructureandproceduresforfinancialreporting;and(2)containanassessment,asoftheendofthemostrecentfiscalyearoftheissuer,oftheeffectivenessoftheinternalcontrolstructureandproceduresoftheissuerforfinancialreporting.TheCommissionshallprescriberulesrequiringeachannualreportrequiredbysection13(a)or15(d)oftheSecuritiesExchangeActof1934tocontainaninternalcontrolreport,whichshall—(1)statetheresponsibilityofmanagementforestablishingandmaintaininganadequateinternalcontrolstructureandproceduresforfinancialreporting;and(2)containanassessment,asoftheendofthemostrecentfiscalyearoftheissuer,oftheeffectivenessoftheinternalcontrolstructureandproceduresoftheissuerforfinancialreporting.Withrespecttotheinternalcontrolassessmentrequiredbysubsection(a),eachregisteredpublicaccountingfirmthatpreparesorissuestheauditreportfortheissuershallattestto,andreporton,theassessmentmadebythemanagementoftheissuer.AnattestationmadeunderthissubsectionshallbemadeinaccordancewithstandardsforattestationengagementsissuedoradoptedbytheBoard.Anysuchattestationshallnotbethesubjectofaseparateengagement.Withrespecttotheinternalcontrolassessmentrequiredbysubsection(a),eachregisteredpublicaccountingfirmthatpreparesorissuestheauditreportfortheissuershallattestto,andreporton,theassessmentmadebythemanagementoftheissuer.AnattestationmadeunderthissubsectionshallbemadeinaccordancewithstandardsforattestationengagementsissuedoradoptedbytheBoard.Anysuchattestationshallnotbethesubjectofaseparateengagement.(a):RulesRequired(b):InternalControlEvaluationandReportingSource:Sarbanes-OxleyActof2002.Copyright©2007CosoluCosolu内部控制概念-1•内部会计控制是指单位为了提高会计信息质量，保护资产的安全、完整，确保有关法律法规和规章制度的贯彻执行等而制定和实施的一系列控制方法、措施和程序。–《内部会计控制规范》财政部会计准则委员会2002-12-27•内部控制，是指被审计单位为了维护资产的安全、完整，确保会计信息的真实、可靠，保证其管理或者经营活动的经济性、效率性和效果性并遵守有关法规，而制定和实施相关政策、程序和措施的过程。–《审计机关内部控制测评准则》审计署2003-12-15Copyright©2007CosoluCosolu内部控制概念-2•内部控制是指上市公司为了保证公司战略目标的实现，而对公司战略制定和经营活动中存在的风险予以管理的相关制度安排。它是由公司董事会、管理层及全体员工共同参与的一项活动。–《上海证券交易所上市公司内部控制指引》2006-07-01•COSO–1992《内部控制整体框架》–2004《企业风险管理整体框架》•企业内部控制标准－中国的SOX–“企业内部控制标准委员会”2006-07-15正式在北京成立Copyright©2007CosoluCosoluCOSO对内部控制的定义•Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:–Effectivenessandefficiencyofoperations–Reliabilityoffinancialreporting–CompliancewithapplicablelawsandregulationsCommitteeOfSponsoringOrganizationsoftheTreadwayCommission隶属于美国国会的反舞弊财务报告委员会(TheNationalCommissiononFraudulentFinancialReporting)发起者:AAA（美国会计学会）、AICPA（美国注册会计师协会）、FEI（财务经理协会）、IIA（内部审计师协会）和NAA（全国会计师协会，现为IMA、管理会计师协会）Copyright©2007CosoluCosoluCOSOEnterpriseRiskManagement“ERM:aprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,appliedinstrategysettingandacrosstheenterprise,designedtoidentifypotentialeventsthatmayaffecttheentity,andmanageriskstobewithinitsriskappetite,toprovidereasonableassuranceregardingtheachievementofentityobjectives.”Source:COSOEnterpriseRiskManagement–IntegratedFramework.2004.COSO.Copyright©2007CosoluCosoluCOSO内部控制整体框架ControlActivities•PoliciesandProcedures•InformationSystemControls•Entity-SpecificControlsMonitoring•OngoingMonitoring•SeparateEvaluations•ReportingDeficienciesRiskAssessment•Objectives•RiskIdentification&Analysis•ManagingChangeInformationandCommunication•Information•CommunicationControlEnvironment•Integrity&EthicalValues•CommitmenttoCompetence•BoardofDirectorsorAuditCommittee•Management’sPhilosophyandOperatingStyle•OrganizationalStructure•AssignmentofAuthorityandResponsibility•HumanResourcePoliciesandPracticesAllfivecomponentsmustbeinplaceforacontroltobeeffective.风险评估控制活动控制环境信息和沟通监控Copyright©2007CosoluCosoluInformationSystemControls•GeneralControls–DataCenterOperations–SystemSoftware–AccessSecurity–SystemDevelopmentMethodologyBusinessProcessesApplicationsITInfrastructure&ITServices(OS,DB,Network,Telecom)•ApplicationControls–Completenessandaccuracyoftransactionprocessing–Authorization–Validity–ApplicationinterfacesCopyright©2007CosoluCosoluCOBIT-IT治理最佳实践InterrelationshipsofCOBITComponentsSource:COBIT4.0,ISACA被企业实践证明的一套行之有效的IT治理模型和开放性标准。能够有效地管理和控制与IT相关的风险，指导IT内控建设ControlObjectivesforInformationandrelatedTechnologyCopyright©2007CosoluCosoluCOBITCubeFulfillmentoftheCOSOrequirementsfortheITcontrolenvironmentSource:COBIT4.0,ISACAControlisdefinedasthepolicies,pro