内部控制和管理企业范围的风险.doc

附录A： 原文：Internal Controls and Managing Enterprise-Wide Risks By John Farrell In addition to complying with the sweeping reforms in corporate governance and financial reporting following the Sarbanes-Oxley Act, companies can benefit further by adopting a broader view that encompasses an enterprise-wide risk-management outlook. This approach is especially applicable to section 404 of the Sarbanes-Oxley Act, which deals with management’s assertion regarding the effectiveness of its internal controls over financial reporting. As companies work to comply with these new rules, they can build their section 404 work into an opportunity to address other aspects of risk throughout the organization, including financial, legal, and operational. The emerging trend of evaluating and monitoring the range of business risks—including those assessed in an internal control review—may help companies simultaneously meet strategic goals, boost shareholder and stakeholder value, and focus on good governance. Self-Assessment Fulfilling the mandates of section 404 need not be an obstacle to implementing an enterprise risk-management effort. Instead, the compliance process can enable companies to focus on enterprise-wide risks through a distributed evaluation—that is, a self-assessment of risk and control. This evaluation assigns responsibility for the assessment to those who are “closest to the action”—in other words, those most directly involved in the control over each process. Such an approach can help companies achieve a better-balanced risk and control status. Conventional wisdom formerly held that responsibility for internal controls was delegated to an organization’s financial group. According to current thinking, however, internal controls are owned by those within the business who manage daily operations and who depend on the controls for achieving their goals. These control process owners are well prepared to perform the distributed evaluation of identifying, evaluating, and man