商业银行内部控制简介

Click to edit Master title style,Click to edit Master text styles,Second Level,Third Level,Fourth Level,Fifth Level,*,Introduction to Internal Controls,内部控制简介,Federal Reserve System,1,Internal Control - Discussion Outline,内部控制研讨提纲,Definition of Internal Control,内部控制的定义,Explanation of Internal Control Concepts,内部控制概念的解释,Discussion of Internal Control Breakdowns,内部控制的缺陷,2,Definition of Internal Control,内部控制的定义,Current definition in the U.S. - adopted for world-wide use,美国现行定义已为世界各国采用,COSO - Internal control is a process effected by an entitys Board of Directors and Senior Management and other personnel designed to provide reasonable assurance regarding three objectives and five components,内部控制是为确保三项目标和五项元素而设计并由公司董事会和高级管理层以及有关人员执行的一种程序,3,Three Objectives of Internal Control,内部控制的三项目标,Effectiveness and efficiency of operations (including safeguarding of assets),运作有效（包括资产保护）,Reliability of financial reporting,财务报表可靠,Compliance with applicable laws and regulations,合法合规,4,Five Components - Internal Control,内部控制的五项元素,Control Environment - “tone at the top”,控制环境“至关重要”,Risk Assessment - managements identification of key risks,风险评估管理层对主要风险的认知,Control Activities - entity level and activity level,控制手段面向公司层面和具体经营活动的控制手段,Information and Communication - internal and external,内部之间以及对外的信息交流与沟通,Monitoring - adequacy of controls over time,监控持续充分的管理,5,Component 1 - Control Environment,元素一控制环境,Integrity & Ethical Values,品行与道德价值,Commitment to Competence,竞争力,Managements Philosophy/ Operating Style,管理哲学/经营风格,Organizational Structure,组织结构,Assignment of Authority& Responsibility,权力与责任的分配,Board of Directors or Audit Committee Participation,董事会或审计委员会的参与,Human Resources Policies & Procedures,人事政策与程序,6,Integrity and Ethical Values,品行与道德价值,Essential element,关键要素,Impacts design of internal controls,影响内部控制的设计,Prerequisite for ethical behavior,正当行为的先决条件,Difficult to achieve - balance between employees, shareholders and public,难点在员工、股东与公众间寻求平衡,Disincentives - pressure to meet targets, high-performance rewards,阻力实现目标的压力，表现优秀的回报,7,Commitment to Competence,竞争力,Appropriate levels of management and management review,恰当的管理与管理评价,Job criteria and job specific skills,工作守则与能力要求,Appropriate pay levels for work performed,按劳分配,Nature and degree of judgment required,评价的性质与程度,8,Managements Philosophy/Operating Style,管理哲学/经营风格,Formal versus informal management styles,正式与非正式的管理风格,Impacts the institutions operations including the risk profile,影响公司的经营，包括风险预测,Major impact on control issues,是控制问题的主要影响因素,Attitudes toward financial reporting:,对财务报告的态度：,conservative or aggressive,保守还是激进,9,Organizational Structure,组织结构,Framework for achieving entity-wide objectives,实现总体目标的框架,Define key areas of authority and responsibility,划分权责部门,Establish appropriate reporting lines,建立恰当的报告体系,Centralized versus decentralized,集权与分权,Depends on size and nature of activities,取决于业务的规模与性质,10,Assignment of Authority and Responsibility,权力与责任的分配,Responsibility for operating activities,各种经营活动的职责,Establishment of reporting relationships,建立报告关系,Authorization protocols,授权协议,Limits on authority,对权力的限制,Policies on business practices,经营政策,Pushing down of responsibility,职责的下放,11,Board of Director and Audit Committee Participation,董事会与审计委员会的参与,Independence of Board and/or Audit Committee from management,董事会与/或审计委员会独立于管理层,Experience and stature of Board members - new rules in the U.S. for SEC registrants,董事的资历与品行证券交易委员会对于注册人的新规定,Involvement of the Board - critical to an appropriate control environment,董事会的参与对良好控制环境十分关键,Appropriate information flows and scrutiny of management actions,良好的信息流动和对管理行为的审查,12,Human Resources Policies and Procedures,人事政策与程序,Critical message to employees,对员工非常重要的信息,Global written code of conduct,国际通行的书面行为准则,Additional requirements for traders,对交易员的附加要求,Practices on hiring, orientation, training, evaluating, counseling, promoting, compensating and remedial actions,录用、定岗、培训、考核、咨询、晋升、薪酬与福利的操作,Ongoing involvement critical,持续参与十分重要,13,Component 2 - Risk Assessment Objectives,元素之二风险评估的目标,Identification and analysis of objectives,目标的确定与分析,operations objectives,营运目标,financial reporting objectives,财务报告目标,compliance objectives,合规目标,Overlapping of objectives - complimentary and link,目标重叠补充与联系,14,Risk Assessment Objectives,风险评估的目标,Activities to achieve objectives,实现目标的行动,clear for each business line,对每项业务界定清晰,multiple objectives for each activity,每项活动的多重目标,Risk identification,风险识别,entity level,公司层面,activity level,经营层面,product level,产品层面,15,Risk Identification,风险识别,Entity level,公司层面,External: technology, changing customer needs, competition, legislation, economic changes,外部风险,：,技术风险，消费者需求变化的风险，竞争风险，法律风险，经济变化的风险,Internal: systems disruption, quality of personnel, management changes,内部风险：系统崩溃，人员素质，管理层变更,Activity level - Volume, automation levels,经营层面经营规模，自动化程度,Product level - Inherent risk, adequacy of controls,产品层面内在风险，控制的充分性,Analysis and management of risk exposure,风险敞口的分析与管理,16,Component 3 - Control Activities,元素之三控制手段,Wide variety and range,非常广泛,Can include preventative, investigative, manual or computer controls,包括预防性手段和调查性手段，人工手段和计算机手段,Two essential elements,两个重要因素,Policies,方针,Procedures,程序,17,Preventative vs. Detective Controls,预防性手段与调查性手段,Preventative - prevents undesirable events,预防性手段防止不利事件的发生,Detective - reveals errors & irregularities that have already occurred,调查性手段揭示已经发生的错误和反常情形,18,Examples of Types of Control Activities,控制手段例举,Authorization or approval,授权或批准,Verification,确认,Reconciliation,协调,Segregation of duties,职责分工,Operating performance reviews,绩效考评,Physical security of assets,资产的实际安全,Physical/logical security reviews,实际安全评估/理论安全评估,Supervisory reviews,监管评估,Two week vacation policy,两周休假政策,System checks,系统检查,Limits,限制,Review of MIS data,管理信息系统数据评价,19,Component 4 - Information and Communications,元素之四信息交流与沟通,Identification - performed at all levels within the organization,识别在公司内部各级进行,Capture - critical computer systems and MIS reports,获取重要的计算机系统和管理信息系统报告,Exchange - appropriate staff obtain the information,交换由专人获取信息,20,Component 5 Monitoring,元素之五监控,Ongoing Activities - performed by management,持续进行的活动由管理层进行,review of data and reports within the organization,评估机构内的数据和报告,discussions with external parties,与外部有关各方商讨,training seminars,培训研讨,Separate Evaluations - performed by an independent function,独立评估由独立方进行,internal audit, external audit, consulting, and peer review (small bank),内部审计，外部审计，咨询，同行意见（小银行）,21,Context of Controls,控制内容,Entitys,公司层面:,Size, organization, and ownership,规模、组织结构与所有权,Nature of business,业务性质,Diversity and complexity,多样性与复杂性,Methods of transmitting, processing and retaining information,信息的传递、处理与留存方式,Applicable laws and regulations,有关法规,22,Limitations,限制,Small Offices,小型办公室,Collusion,共谋,Ignorance,忽视,Pace of business,业务效率,Judgment,判断,Cost,成本,Managements override,管理层越权,23,International Emphasis on Internal Controls,各国对内部控制的关注,Basle Committee on Banking Supervision,巴塞尔银行监管委员会,Framework for the Evaluation of Internal Controls,内部控制评估体系,Policy Statement - Finalized September, 1998,政策声明1998年9月定稿,Identifies Causes of Recent Banking Problems,银行业新问题的产生原因,24,Internal Control Breakdowns - Basle Report,内部控制的缺陷巴塞尔委员会报告,Lack of adequate management oversight and accountability; failure to develop a strong internal control culture,管理层监控不够充分，没有形成稳健的内部控制文化,Inadequate assessment of the risks of certain banking activities or products,对部分银行业务、产品的风险的评估不够充分,Absence or failure of key control structures and activities,关键的控制环节和手段缺乏或者失效,25,Internal Control Breakdowns - Basle Report (Cont.),内部控制的缺陷巴塞尔委员会报告（续）,Inadequate communication of information between levels of management,不同层级的管理人员之间的信息交流不充分,Inadequate or ineffective audit programs and other monitoring activities,审计程序和监控活动不充分或无效,26,Examples - Internal Control Breakdowns,内部控制缺陷举例,Barings,巴林银行:,Hands-off management style,放任不管的管理风格,Lack of segregation of duties,缺乏职责分工制度,back office,后台,front office,前台,No Board of Directors involvement,董事会没有参与内部控制,Lack of response to audit issues,对审计发现的问题没有相应的整改措施,Use of fictitious account,做假帐,27,Recent examples - not in Basle report,新案例巴塞尔报告中没有提到,Allied Irish,联合爱尔兰,Remote location,地点偏远,Trader with incompatible duties,交易员责权不匹配,Lack of internal controls,内部控制缺乏,Lack of management understanding of risks,管理层对风险缺乏了解,Examples - Internal Control Breakdowns,内部控制缺陷举例,28,Other entities,其它公司,Inadequate evaluation of new business risks,对新业务的风险评估不充分,Insufficient segregation of duties,职责分工不充分,Ineffective management oversight,管理层监控无效,Absence of a separate monitoring mechanism,没有独立的监控机制,Examples - Internal Control Breakdowns,内部控制缺陷举例,29,Internal audit deficiencies -,内部审计不足,Untimely or piecemeal audits,审计不及时、不全面,Ineffective follow-up of significant audit issues,对重大审计问题缺乏有效的跟踪机制,Unfamiliarity with business procedures,不熟悉业务程序,No training in sophisticated areas,缺乏对复杂领域的培训,Examples - Internal Control Breakdowns,内部控制缺陷举例,30,Framework for the Evaluation of Internal Controls,内部控制评估框架,Purpose: Use by bank regulators in evaluating internal control systems,目的：供监管者在评估银行内部控制体系时使用,Consists of thirteen general principles applicable to all banking institutions,包括13条总则，适用于所有银行机构,31,Thirteen Principles,13,条原则,Management Oversight,管理层监控,1 - Board - Approves strategies, policies and risk appetite,董事会批准公司的经营战略、方针和风险偏好,2 - Senior management - Implements board strategies and policies,高级管理层执行董事会的战略决策和方针,3 - Board and Senior Management - Promote high ethical standards,董事会和高级管理层推动公司道德水平的提高,32,Risk Recognition Assessment,风险识别评估,4 - Senior Management - Identifies and evaluates risk factors,高级管理层识别并评估风险因素,Control Activities and Segregation of Duties,控制措施与职责分工,5 - Control Activities - Integral part of daily activities of institution,控制措施公司日常经营中不可或缺,6 - Senior Management - Ensures appropriate segregation of duties,高级管理层确保合理的职责分工,Thirteen Principles,13,条原则,33,Information and Communications,信息交流与沟通,7 - Senior Management - Evaluates adequate and comprehensive data,高级管理层对公司情况进行全面评估,8 - Senior Management - Provides effective channels of communication for relevant information concerning significant activities,高级管理层为重要信息提供有效沟通渠道,9 - Senior Management - Provides appropriate information systems for all activities,高级管理层为各种经营活动提供适宜的信息系统,Thirteen Principles,13,条原则,34,Monitoring Activities and Correcting Deficiencies,全程监控与错误纠正,10 - Senior Management - Monitors overall effectiveness of internal controls,高级管理层监控内部控制的整体效率,11 - Audit - Provides an effective and comprehensive audit,审计有效全面,12 - Audit - Ensures internal control deficiencies are promptly reported to senior management,审计确保内部控制不足能及时反映给高级管理层,Thirteen Principles,13,条原则,35,Evaluation of Internal Control Systems by Supervisory Authorities,监管当局对内部控制系统的评估,13 - Supervisors - Require all banks to have effective internal control systems,监管者要求所有银行都建立有效的内部控制体系,Thirteen Principles,13,条原则,36,