Detailed evaluation method
In the framework of enterprise internal control-integration, COSO pointed out that determining whether an internal control system is effective is based on the subjective judgment of evaluating the existence and effective function of five elements, which is also the standard of effective internal control. COSO also pointed out that determining whether an entity's enterprise risk management is "effective" is based on the evaluation of the existence and effective operation of eight elements, which is also the standard for judging the effectiveness of enterprise risk management. In the Implementation Rules of Section 404 of SOX Act (SEC, 2003) passed by the US Securities and Exchange Commission in June, 2003 and the Management Evaluation Guide issued subsequently, it is emphasized that the procedure of internal control evaluation must be sufficient to evaluate the design of internal control in financial reports and test the effectiveness of operation. Therefore, following this idea, many enterprises and companies have adopted detailed evaluation methods. The basic idea of this method is to evaluate the design effectiveness of internal control and test the operation effectiveness of internal control according to the elements of internal control framework with reference to internal control framework or standards. Finally, by integrating the evaluation of design and operation, the effectiveness of internal control is evaluated as a whole, the risk of achieving internal control objectives is evaluated, and whether there is a major loophole (MW) is judged to determine whether internal control is effective.
Risk-based assessment method
Another idea and method of enterprise internal control is not from control to risk, but from risk to control, that is, from the risk of achieving internal control related objectives to internal control. First of all, it is necessary to assess the risk of achieving related goals; Secondly, identify and determine whether the enterprise's internal control fully responds to these risks, that is, evaluate the effectiveness of internal control design to meet relevant objectives and realize risks; Third, identify and determine the evidence of the effectiveness of internal control operation, and evaluate whether the existing control has been effectively operated; Finally, the control defects are evaluated to determine whether they constitute substantive loopholes and whether the internal control is effective. For different objectives, the meaning of target risk and major internal control loopholes is different, and specific settings need to be made when evaluating each type of objectives.
Article 15 of the Guidelines for the Evaluation of Enterprise Internal Control stipulates that when the internal control evaluation working group conducts on-site tests on the evaluated unit, it can fully collect the evidence of the effectiveness of the internal control design and operation of the evaluated unit by means of individual interviews, questionnaires, special discussions, walk-through tests, on-site inspections, sampling and comparative analysis, and truthfully fill in the evaluation working papers according to the specific contents of the evaluation to study and analyze the internal control defects.
1. Personal access method
Individual access method is mainly used to understand the current situation of internal control in companies, and is often used in the understanding stage of enterprise-level evaluation and business-level evaluation. Before the interview, an interview outline should be formed according to the needs of internal control evaluation, and interview minutes should be written to record the interview contents. In order to ensure the authenticity of the interview results, people in different positions should be interviewed as much as possible to obtain more reliable evidence. For example, visiting the HR supervisor and grass-roots employees respectively, has the company established a long-term mechanism for employee training, and can the training meet the needs of employees and business positions?
2. Questionnaire method
Questionnaire method is mainly used for evaluation at the enterprise level. The scope of the questionnaire should be expanded as much as possible, including employees at all levels of the enterprise. Pay attention to confidentiality in advance, and try to keep the questions simple and easy to answer (for example, the answer only needs "yes", "no", "yes" and "no". ). For example, do you agree with the core values of the enterprise? Do you have confidence in the future development of the enterprise?
3. Walk-through test method
Walk-through test refers to the process of randomly selecting a transaction as a sample in the internal control process, tracking the transaction from its initial origin until it is finally reflected in the financial statements or other management reports, that is, the whole process from the beginning to the end, in order to understand the effectiveness of control measures design and identify key control points. For sales transactions, select a batch of orders, from order processing-approving credit status and credit terms-filling orders and preparing for delivery-preparing shipping documents-tracking order delivery/delivery to customers or delivery by customers-issuing sales invoices-checking the accuracy of invoices and mailing/sending them to customers-generating sales subsidiary ledger-summarizing sales subsidiary ledger and posting them to general ledger and accounts receivable subsidiary ledger.
4. Sampling method
Sampling methods are divided into random sampling and other sampling. Random sampling refers to extracting a certain number of samples from the sample base according to the principle of randomness; Other sampling refers to selecting a certain number of samples from the sample library manually or according to certain standards. When using the sampling method, we must first determine the integrity of the sample library, that is, the sample library should contain all the samples that meet the control test; Secondly, it is necessary to determine the adequacy of samples, that is, the number of samples should be able to verify the effectiveness of the control points tested; Finally, it is necessary to determine the appropriateness of the sample, that is, the evidence obtained should be related to the design and operation of the tested control points, and can reliably reflect the actual operation of the control.
5. On-site inspection method
On-site inspection method is mainly aimed at business level control. It conducts control testing by using a unified test worksheet and checking it with actual business and financial documents. Make an honest inventory of some kind of inventory.
6. Comparative analysis method
Comparative analysis refers to the method of identifying and evaluating concerns through data analysis. Data analysis can compare historical data, industry (company) standard data or industry optimal data. For example, compare the turnover rate of accounts receivable of specific customers horizontally or vertically, analyze the abnormal accounts receivable of customers, and then check the credit sales management control of these customers.
7. Thematic discussion method
Thematic discussion is mainly to convene relevant professionals to analyze the implementation of internal control or control problems, which can be a means of control evaluation or a way to form a defect rectification plan. Aiming at the control defects involving finance, business and information technology. At the same time, the internal control management department often needs to organize seminars to synthesize the opinions of internal institutions and parties and study and determine the defect rectification plan.
In practical evaluation, these methods can be combined. In addition, methods such as observation, inspection and re-execution can also be adopted, inspection methods can also be developed by using information systems, or actual work and inspection experience can be used. For enterprises to adopt automatic control and preventive control through the system, we should pay attention to the difference between manual control and discovery control in methods.