SAP Advanced 14: Financial Overview: the Sarbanes-Oxley Act and Information Systems
SAP Advanced Series (36): Part 1: Financial Overview: Corporate Governance (1)

On 30 July 2002, the US Congress passed the Sarbanes-Oxley Act (SOA). The act was a direct consequence of the series of audit scandals at Enron, WorldCom and others, and it marked the arrival of an era of strengthened corporate governance and audit oversight in the international capital markets. US listed companies had to comply with the act by June 2004; foreign companies listed on US stock exchanges had to comply by June 2005.

Because of the high cost of the new US corporate governance rules, Creative Technology this year became the first Asian company to delist from Nasdaq. Creative Technology is the world's largest maker of computer sound cards. It had been listed on Nasdaq for 11 years; at the time it decided to delist, several other non-US listed companies were also weighing whether to withdraw from US stock exchanges or to meet the broad requirements of SOA before the 2005 deadline. Around 50 Asian companies are listed on US securities exchanges, including large groups such as PetroChina and the Hong Kong conglomerate Hutchison Whampoa.

A recent AMR Research survey found that 85% of listed companies are planning to rework their IT systems to meet SOA requirements, and that Fortune 1000 companies will spend US$2.5 billion on SOA-related work. Many companies are pushing projects forward quickly to meet the SEC (US Securities and Exchange Commission) timetable, while also using SOA as an opportunity to clear up long-standing problems and to improve and standardize their business processes.
2.14.1 Management of Internal Control (MIC)

Management of Internal Control (MIC) is a dedicated SAP product. It provides lifecycle management of an enterprise's internal processes and of the internal controls themselves. As shown in the figure below, MIC consists of five major parts:
1) Scoping & Project Set-up;
2) Documentation of Internal Controls;
3) Assessment and Remediation;
4) Testing & Remediation;
5) Reporting & Sign-off.
Foreign literature translation (source text)

What ERP systems can tell us about Sarbanes-Oxley
Material Source: Information Management & Computer Security, Vol. 13 No. 4, 2005
Authors: William Brown, Frank Nasuti

Key sections of SOX compliance that directly involve IT include Sections 302, 404, 409, and 802 (PCAOB, 2002). Section 302 requires the officers of the company to make representations related to the disclosure of internal controls, procedures, and assurance from fraud. Section 404 requires an annual assessment of the effectiveness of internal controls. Section 409 requires disclosures to the public on a “rapid and current basis” of material changes to the firm’s financial condition. Section 802 requires authentic and immutable record retention. As a change agent, the Securities and Exchange Commission (SEC) is very effective and will assert itself in the future if these four sections or other sections require additional compliance measures (Mead and McGraw, 2004). The SEC has effectively imposed requirements for SOX on senior management and simultaneously aligned the same requirements on the CIO and the IT organization. The scope of impact is not limited to the CEO, CFO, and auditor, nor is it limited to SEC registrants (i.e. public companies). More and more of SOX’s provisions are becoming applicable to private companies as well (Heffes, 2005). More and more lenders and states are asking private companies about the status of their internal control environments. While the CEO and the board of directors are accountable for overall corporate management, SOX also impacts on the IT administration, including organization governance, the responsibilities of CIOs, budgets, vendors, outsourcers, and business continuity plans. Among the most widely hyped, in terms of impacts, are reporting content and the timeliness of reports (Garretson, 2003; Marlin, 2003).

CEOs and CFOs require their IT organizations to provide them with proof that automated portions of financial processes have appropriate controls, computer generated financial reports are accurate and complete, and any exceptions are being captured and reported to them in a timely manner (Kaarst-Brown and Kelly, 2005). Section 404, in conjunction with the related SEC rules and Auditing Standard No. 2 established by the Public Company Accounting Oversight Board (PCAOB) (2005), is driving pervasive change in the internal controls of the enterprise and requires the management of a public company and the company’s independent auditor to issue two new reports at the end of every fiscal year (PCAOB, 2002). These reports must be included in the company’s annual report filed with the SEC. The internal control report must include:
- A statement of management’s responsibility for establishing and maintaining adequate internal control.
- Management’s assessment of the effectiveness of the company’s internal control.
- A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control.
- A statement that a registered public accounting firm audited the company’s financial statements included in the annual report.
- An attestation report on management’s assessment of the company’s internal control over financial reporting.
Under Section 404, management must also disclose any material weaknesses in internal control. If a material weakness exists, management may not be able to conclude that the company’s internal control over financial reporting is effective (PCAOB, 2002). These management statements are not enough, however; the company’s auditor must also attest to the truthfulness of these management internal control assertions.

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission recommended the enterprise risk management – integrated framework (ERM) to manage and reduce risks, to be applicable to all industries, and to encompass all types of risk (COSO, 2005). Moreover, the ERM framework recognizes that an effective enterprise risk management process must be applied within the context of strategy setting. ERM is fundamentally different from most risk models used in that it starts with the top of the organization and supports the organization’s major mission (COSO, 2005; Louwers et al., 2005). The COSO framework describes five interrelated components of internal control in Section 404. The CEO and the CFO in concert with the CIO are responsible for (Ramos, 2004):
- “tone at the top” that positively influences the attitude of the personnel;
- identification of risks, objectives, and the methods to manage the risks;
- activities and procedures that are established and executed to address risks;
- information systems to capture and exchange the information needed to conduct, manage, and control its operations; and
- the monitoring of and responses to changing conditions as warranted.

COSO creates a framework that divides IT controls into two types (Ramos, 2004): (1) general computer controls; and (2) application-specific controls. General controls include:
- data center operations (e.g. job scheduling, backup and recovery);
- systems software controls (e.g. acquisition and implementation of systems);
- access security; and
- application system development and maintenance controls.
Application controls are designed to:
- control data processing;
- ensure the integrity of transactions, authorization, and validity; and
- encompass how different applications interface and exchange data.

The ERM framework, a cornerstone of Section 404 and COSO, requires ongoing feedback of information from throughout the company. This information must be current and accurate and must be sufficiently robust to support the analysis of different risk responses (COSO, 2005). ERP systems and integrated systems must have the highest levels of integrity and controls. Enterprise risk management cannot be effective if the technology that provides the data used to manage the enterprise risk is flawed, corrupted, or not available. Many firms are implementing risk management applications to assist with internal control and assessment processes (Decker and Lepeak, 2003). A main objective of these tools is to lower external audit verification costs. Consistent with that objective, tools that have more automation and tighter integration with ERP processes are favored. The ongoing assessment of Section 404 requirements requires a critical evaluation of legacy processes including ERP, operational and off-line management processes. An ERP SOX solution for financial and operational areas will be critical for a company that has moved to consolidated financial and operational processes (Decker and Lepeak, 2003). ERP centered risk management applications (e.g. Oracle Internal Controls Manager, PeopleSoft Enterprise Internal Controls Enforcer, SAP), as well as solutions that have effective integration with ERP (e.g. Movaris), have pre-built diagnostic tools to test and continuously monitor configuration changes.

The opportunities for corruption of transactional data include the timing of interface-validation tables, manual intervention, and overlap of security rights. Firms must continually assess operational processes such as SCM and CRM that drive financial transactions and the risks associated with those transactions. Self-assessment processes where managers can certify that the appropriate review/corrective actions are taken must be directed to the broken operational processes (e.g. SCM and CRM) that can correlate with broader financial risk for the enterprise. Little academic literature has been published that investigates the utilization of COBIT (Ridley et al., 2004). COBIT and related sources are produced by the Information Systems Audit and Control Association (ISACA, 2005) and the IT Governance Institute (2005) and are not referred to by many academic authors. A handful of studies that benchmark the adoption or use of COBIT has been published by peer reviewed sources (Guldentops et al., 2002; Fedorowicz and Ulric, 1998; Tongren and Warigon, 1997). The IT Governance Institute does provide the investigator an excellent source of case studies on COBIT outcomes. Case studies from the IT Governance Institute, as well as personal contacts in companies that are currently following COBIT, are two primary sources available to assist in the evaluation of the implementation of COBIT in an IT organization. IT governance describes the selection and use of organizational processes to make decisions about how to obtain and deploy IT resources and competencies (Luftman et al., 2004). IT governance is about who makes these decisions (power), why they make them (alignment), and how they make them (decision process). Symptoms of ineffective IT governance include low project success rates and the ineffective IT alignment with business objectives.

Overall IT project success rates have only recently improved to 34 percent while “challenged projects” still remain at 51 percent (The Standish Group, 2003). Potential alignment issues in IT governance for SOX compliance are indicated by two recent surveys. A survey of top Fortune 100 companies conducted by Worthen (2003) reports that most executives viewed compliance with SOX as a finance issue and that it was premature for the CIO to be involved. A Gartner survey of 75 senior compliance executives found that 37 percent of companies have no IT representation on SOX compliance teams (Leskeia and Logan, 2003). A consistent theme throughout the recent history of enterprise systems development is the lack of systematic competencies in several related disciplines. Change management, project management, reporting procedures, process engineering, and prioritization of resources are among those skills that have been identified with underperforming ERP applications. Outsourcing of programming and services and enterprise architectural modeling requires effective execution of project management and related disciplines and is consistent with the themes cited by Deloitte & Touche (1999), Deloitte Consulting (1999), Benesh (1999), Somers and Nelson (2001) and Reich and Nelson (2003). A linear extension of ERP history suggests that IT governance may be a roadblock in the adoption of SOX and COSO. Software and practice implementations to manage risk to comply with SOX require all of the ERP competencies described earlier plus the complete integration of SOX and COSO. As we move into the period following the first year of SOX compliance and as research identifies SOX compliance failures, we will begin to understand whether the same issues that plagued ERP systems continue unabated in a new environment.

A significant incentive for SOX compliance is the punitive measures for the CEO and CFO specified in SOX and may play a role in the success rates. COSO describes internal control as a process that is affected by people (COSO, 2005; Damianides, 2005). The IT organization must be able to support the internal controls of the organization on a systematic and repeatable level – the controls are integral to the operation of the enterprise (Table III). The ERP competencies cited by Deloitte & Touche (1999), Deloitte Consulting (1999), Benesh (1999), Somers and Nelson (2001), and Reich and Nelson (2003) are necessary to implement software and processes to support SOX, EA, outsourcing of programming or activities, enterprise security, and enterprise initiatives such as COBIT or the IDEAL model. Among all variables including technology, process, and personnel, Barry Boehm led the early discussion to demonstrate the dramatic differences that personnel and competencies have on performance (Boehm, 1981). Consistent with Boehm and ERP research cited in this paper, Xia and Lee (2004) identified the influence of organization and personnel in large IT projects. In their study of 541 large IT projects across several industries, organizational aspects, including the use of qualified personnel, were the leading factor contributing to project success. CIOs should attend to organizational factors including the recruitment and retention of qualified personnel to establish competencies as a very high priority in the execution of SOX and subsequent compliance activities.

Translation
What ERP systems can tell us about the Sarbanes-Oxley Act
Source: Information Management & Computer Security
Authors: William Brown, Frank Nasuti
The key parts of the Sarbanes-Oxley Act involve Sections 302, 404, 409 and 802 (Public Company Accounting Oversight Board, 2002).
Chinese translation of the Sarbanes-Oxley Act

Table of contents of the Sarbanes-Oxley Act

Title I: Public Company Accounting Oversight Board
Sec. 101 Establishment; administrative provisions
Sec. 102 Registration with the Board
Sec. 103 Auditing, quality control, and independence standards and rules
Sec. 104 Inspections of registered public accounting firms
Sec. 105 Investigations and disciplinary proceedings
Sec. 106 Foreign public accounting firms
Sec. 107 SEC oversight of the Board
Sec. 108 Accounting standards
Sec. 109 Funding

Title II: Auditor Independence
Sec. 201 Services outside the scope of practice of auditors
Sec. 202 Preapproval requirements
Sec. 203 Audit partner rotation
Sec. 204 Auditor reports to audit committees
Sec. 205 Conforming amendments
Sec. 206 Conflicts of interest
Sec. 207 Study of mandatory rotation of registered public accounting firms
Sec. 208 Authorization of the SEC
Sec. 209 Considerations by state regulatory authorities

Title III: Corporate Responsibility
Sec. 301 Public company audit committees
Sec. 302 Corporate responsibility for financial reports
Sec. 303 Improper influence on the conduct of audits
Sec. 304 Forfeiture of bonuses and profits
Sec. 305 Penalties for officers and directors
Sec. 306 Prohibition of insider trades during pension fund blackout periods
Sec. 307 Rules of professional responsibility for attorneys
Sec. 308 Fair funds for investors

Title IV: Enhanced Financial Disclosures
Sec. 401 Disclosures in periodic reports
Sec. 402 Enhanced disclosure of conflicts of interest
Sec. 403 Disclosure of transactions involving management and principal stockholders
Sec. 404 Management assessment of internal controls
Sec. 405 Exemptions
Sec. 406 Code of ethics for senior financial officers
Sec. 407 Disclosure of audit committee financial expert
Sec. 408 Enhanced review of periodic disclosures
Sec. 409 Real-time disclosures

Title V: Analyst Conflicts of Interest
Sec. 501 Regulation of practising securities analysts and securities exchanges

Title VI: Commission Resources and Authority
Sec. 601 Authorization of appropriations
Sec. 602 Practice authority of the SEC
Sec. 603 Federal court authority to impose market bars
Sec. 604 Qualifications of securities brokers and dealers

Title VII: Studies and Reports
Sec. 701 GAO study and report on the consolidation of public accounting firms
Sec. 702 SEC study and report on credit rating agencies
Sec. 703 Study and report on violators and violations
Sec. 704 Study of enforcement actions
Sec. 705 Study of investment banks

Title VIII: Corporate and Criminal Fraud Accountability
Sec. 801 Short title
Sec. 802 Criminal penalties for altering documents
Sec. 803 Debts incurred in violation of securities fraud laws are not dischargeable
Sec. 804 Statute of limitations for securities fraud
Sec. 805 Review of Federal Sentencing Guidelines for obstruction of justice and extensive criminal fraud
Sec. 806 Protection for employees of public companies who provide evidence of fraud
Sec. 807 Criminal penalties for defrauding shareholders of public companies

Title IX: White-Collar Crime Penalty Enhancements
Sec. 901 Short title
Sec. 902 Attempts and conspiracies to commit criminal fraud offenses
Sec. 903 Criminal penalties for mail and wire fraud
Sec. 904 Criminal penalties for violations of the Employee Retirement Income Security Act of 1974
Sec. 905 Amendment of sentencing guidelines relating to white-collar offenses
Sec. 906 Corporate responsibility for financial reports

Title X: Corporate Tax Returns
Sec. 1001 Sense of the Senate regarding the signing of corporate tax returns by chief executive officers

Title XI: Corporate Fraud Accountability
Sec. 1101 Short title
Sec. 1102 Tampering with a record or otherwise impeding an official proceeding
Sec. 1103 Temporary freeze authority of the SEC
Sec. 1104 Amendment of the Federal Sentencing Guidelines
Sec. 1105 Authority of the SEC to prohibit persons from serving as officers or directors
Sec. 1106 Increased criminal penalties under the Securities Exchange Act of 1934
Sec. 1107 Retaliation against informants

Text of the Sarbanes-Oxley Act

Title I: Public Company Accounting Oversight Board
Sec. 101 Establishment; administrative provisions
(a) Establishment of the Board. In order to protect the interests of investors and the public, the Public Company Accounting Oversight Board is hereby established.
Reflections on Corporate Internal Control under the Sarbanes-Oxley Act

Introduction
In 2002, following a series of corporate scandals, the US Congress passed the Sarbanes-Oxley Act (SOX), which aims to strengthen corporate internal control and improve the transparency and reliability of financial reporting. As a law of major impact, SOX places higher demands on companies' internal control. This article discusses corporate internal control under the Sarbanes-Oxley Act.

What is corporate internal control?
First, we need to understand what corporate internal control is. Corporate internal control refers to the set of measures and systems an organization adopts to achieve its objectives: ensuring the accuracy of financial reporting, safeguarding assets, and complying with applicable laws, regulations and ethical standards. Its purpose is to ensure that the company operates lawfully, reliably and transparently.

The Sarbanes-Oxley Act's requirements for corporate internal control
SOX sets out a series of requirements for corporate internal control to ensure that a company's financial reports are truthful and fair. Some of the key requirements:
1. An independent board of directors: SOX requires that at least half of a listed company's board members be independent directors. Independent directors are not subject to the company's influence and can supervise and decide independently, ensuring that the company's interests are protected.
2. Certification by senior management: the company's chief executive officer (CEO) and chief financial officer (CFO) must give a written commitment to the accuracy and completeness of the company's financial reports and are responsible for the effectiveness of its internal control.
3. Internal control audit: SOX requires companies to undergo an internal control audit to assess the effectiveness of their internal control. The audit must be performed by an independent registered public accounting firm, which provides an audit report to the board and the audit committee containing an evaluation of, and recommendations on, the company's internal control.
4. A reporting mechanism for violations involving financial reporting: SOX requires companies to establish an effective whistleblowing mechanism that encourages employees to report possible financial reporting fraud. Whistleblowers are entitled to legal protection, and the company may not suppress or retaliate against them in any way.
5. Assessment of internal control over financial reporting: companies must periodically assess their internal control over financial reporting and disclose the results, together with related improvement measures, in the annual report.

Reflections on corporate internal control
The Sarbanes-Oxley Act pushes companies to take internal control seriously and to adopt a range of measures to ensure its effectiveness.
The Sarbanes-Oxley Act
I. Table of contents of the Act
II. Text of the Act
III. Provisions of the Act concerning the SEC and enforcement
IV. Definitions in the Act

Summary of the Sarbanes-Oxley Act
The Act mainly covers the following areas:

I. Establishing an independent Public Company Accounting Oversight Board to oversee the audit profession for public companies
The Public Company Accounting Oversight Board (PCAOB) oversees the accounting firms and certified public accountants that audit public companies. The Act provides:
(1) The PCAOB has the powers of registration, inspection, investigation and sanction. It operates independently, sets its own budget and manages its own staff, and is not a department or agency of the US government; it is governed by the District of Columbia Nonprofit Corporation Act, and its members, employees and affiliated bodies are not deemed officers, employees or agencies of the federal government.
(2) The US Securities and Exchange Commission (SEC) is authorized to oversee the PCAOB. The PCAOB consists of five full-time members, appointed by the SEC after consultation with the Secretary of the Treasury and the Chairman of the Federal Reserve Board for five-year terms. The five members must be financially literate; two of them may be or may have been practising certified public accountants, and the remaining three must be non-accountants who represent the public interest.
(3) Accounting firms that perform or participate in audits of public companies must register with the PCAOB. The PCAOB collects a registration fee and an annual fee from registered firms to fund its operations.
(4) The PCAOB has the authority to establish, or to adopt from the recommendations of professional accounting bodies, auditing and related attestation standards, quality control standards and ethics standards. Where it considers it appropriate, the PCAOB cooperates closely with designated professional groups of accounting experts that set standards or provide advice, and it may supplement, amend, repeal or reject the standards those groups propose. The PCAOB must report annually to the SEC on its standard-setting.
(5) Under the Securities Exchange Act of 1934 and the amended Securities Act of 1933, the SEC is authorized to determine whether the accounting principles of an accounting standard-setting body meet the objective of being "generally accepted". That standard-setting body must meet the following requirements: first, it must be a private body; second, it must be governed by a board of trustees (or similar body), a majority of whose members have not been employed by any accounting firm in the past two years; third, it must be funded in a manner similar to the PCAOB; fourth, it must adopt accounting principles by majority vote so that they promptly reflect emerging accounting issues and business practices; fifth, in setting standards it must consider the need to keep them current with changes in the business environment and the necessity or appropriateness of international convergence of high-quality accounting standards.
The Sarbanes-Oxley Act
Summary of the Sarbanes-Oxley Act

Section 101: Establishment of the Public Company Accounting Oversight Board and its membership
The Public Company Accounting Oversight Board (PCAOB) will have five financially literate members, each serving a five-year term. Two of them are or have been certified public accountants (CPAs), and the remaining three must not be CPAs. The chair may be one of the CPA members, provided that he or she has not practised as a CPA for five years. Board members serve full time. During their service, members are prohibited from "sharing in any profits of, or receiving payments from, any public accounting firm", other than "fixed continuing payments" such as retirement pay. Board members are appointed by the Securities and Exchange Commission (SEC) "after consultation with the Chairman of the Federal Reserve Board and the Secretary of the Treasury". Members may be removed by the Commission "for good cause".

Section 103: Auditing, quality control, and independence standards and rules
The Public Company Accounting Oversight Board (PCAOB) will: (1) register public accounting firms; (2) establish or adopt, by rule, "auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports"; (3) conduct inspections of accounting firms; (4) conduct investigations and disciplinary proceedings and impose appropriate sanctions; (5) perform such other duties or functions as are necessary or appropriate; (6) enforce compliance with this Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants; (7) set the budget and manage the operations of the Board and its staff.

Auditing standards. The Board must cooperate "on an ongoing basis" with the designated professional groups of accountants and any advisory groups convened to set standards. Although the Board may adopt the standards proposed by these groups "to the extent that it determines appropriate", it has the authority to supplement, amend, repeal or reject the standards and recommendations these groups propose. The Board must report annually to the SEC on its standard-setting activities. The Board must require registered public accounting firms to "prepare, and maintain for a period of not less than 7 years, audit work papers and other information related to any audit report, in sufficient detail to support the conclusions reached in such report". The Board must require a concurring partner review and approval of audit reports, and registered accounting firms must apply quality control standards. The Board must adopt an auditing standard for the review of internal control. This standard requires the auditor to evaluate whether the internal control structure and procedures include records that accurately and fairly reflect transactions, whether they provide reasonable assurance that transactions are recorded in a way that permits the preparation of financial statements in accordance with generally accepted accounting principles (GAAP), and whether they reveal any actual weaknesses in internal control.
Background, content and significance of the Sarbanes-Oxley Act (doc, 12 pages)
Background, content and impact of the Sarbanes-Oxley Act

Since the end of 2001, accounting scandals at a string of large US companies, including Enron, WorldCom, Xerox and Merck, have come to light one after another. The crisis of confidence shook the United States and the international community, led people to question the American free-market system, and focused global opinion on the fraudulent accounting of US companies. To restore public confidence in US financial markets and in the government's economic policy, President Bush signed the Sarbanes-Oxley Act on 30 July 2002. The act imposes severe sanctions on corporate executives who neglect their duties or cook the books, and subjects listed companies to stricter regulation (attached: Sections 302 and 404 of the Sarbanes-Oxley Act).

I. Background to the Sarbanes-Oxley Act
1. The crisis of confidence caused by accounting fraud was the direct cause of the act
In late November 2001, Enron, the largest US energy company, admitted that since 1997 it had overstated profits by US$586 million through illegal means, and that it had continually concealed debts and losses through internal transactions with affiliated companies, from which management profited illegally. The news immediately caused huge turmoil in US financial markets. Enron's share price fell from nearly US$90 to under US$1, and many small and medium investors suffered heavy losses. After Enron's financial fraud was exposed, accounting scandals at large US companies came to light repeatedly, investor confidence took blow after blow, the US stock market was badly hit, and the major indices at one point fell to their lowest levels since the 9/11 terrorist attacks. WorldCom, the shining star among technology stocks, was expelled from the Nasdaq market. After examining the financial reports of 7,000 companies, the US rating agency Weiss Ratings concluded that as many as one third of US listed companies had fabricated earnings to some degree; the credit crisis stunned Wall Street. A Brookings Institution study estimated that the accounting scandals cost the US economy roughly US$37 to 42 billion in 2002. The fraud scandals destroyed investors' confidence in US capital markets and in the professional ethics of accounting firms. Strengthening financial regulation to restore investor confidence became the unanimous call of Congress, the government and the public.

2. Defects in the US corporate system were the root cause of the act
The string of corporate accounting scandals was no longer a matter of individual companies but a defect of the US corporate system. That defect shows mainly in the imbalance of corporate governance structures and the lack of external oversight.