The following aspects should be paid attention to when formulating the strategic plan of enterprise internal control:
1. Keep strict consistency with the strategic objectives of the enterprise.
The strategic goal of an enterprise is the basis for formulating all the specific business goals of the enterprise, and the strategic goal of internal control must also conform to the direction determined by the overall strategic goal of the enterprise. At present, the mainstream views on the strategic objectives, original scenes and core values of enterprises are basically determined around how to develop into a socially responsible enterprise.
The strategic goal of internal control can usually be determined according to the development level that the enterprise hopes to achieve. If the strategic goal of an enterprise is to become a leader in the industry within a certain period of time, and hope that the foundation will last forever, then the strategic goal of its internal control system must provide strong support to meet this requirement; Neither higher nor lower than this goal. Only in this way can it be accepted by all stakeholders in the enterprise and all participants in operation management.
In addition, the strategic objectives of internal control can be determined by stages according to the development of enterprises. For example, reaching the advanced level of the industry at a certain stage; Reach the advanced level of the same industry in China at a certain stage; Reach a certain international advanced level, etc.
2. Clear specific signs to achieve the goal.
Determining the specific signs of the realization of internal control strategy in advance can not only provide concrete basis for enterprises to formulate annual internal control work plans or performance appraisal objectives, but also provide evaluation basis for evaluating the realization of internal control strategic objectives in the future.
For example, the strategic goal of enterprise internal control is to reach the advanced level of the same industry in this province. Then, enterprises must understand the basic situation of internal control management in the same industry in this province. Then determine your own evaluation criteria or realization marks. The evaluation criteria can be specifically set as: (1) the construction of enterprise internal control management procedures; Construction of internal control organization system; The advanced and effective degree of internal control audit means; Loss index of fraud cases; Risk indicators of enterprises; All employees' understanding of internal control management and so on.
3. Accurate positioning based on the actual needs of enterprises
The so-called "accurate" positioning standard means that the target must conform to the actual situation of the enterprise and be clear. For example, there is no need for small enterprise groups to set the strategic objectives of internal control too high; The implementation of logo can be relatively simple; The business scope can be appropriately reduced. In this way, the predetermined control target can be achieved at a lower cost.
4. Clarify the concept of internal control.
This is the basic principle of enterprise internal control, otherwise, the internal control system will not only fail to play its due positive role, but will become an obstacle to enterprise development. For example, the establishment of the working concept of "supervision in service" can avoid the defect that simple supervision and audit are prone to conflict; According to the five elements of internal control, the principle of comprehensive risk prevention can provide specific evaluation basis for internal control.
identify
The process of determining the strategic objectives of internal control must be approved and confirmed by the owner or the top management. It is also necessary to seek the opinions and reach an agreement from the management of subordinate branches and subsidiaries before obtaining high-level approval. These measures can reduce resistance for the implementation of internal control management in the future. The main tasks of the internal control organization include: determining the name of the organization, hierarchy, reporting object, specific names of professionals, post setting, determination of work content, personnel selection and quality requirements, and specific principles of work. The following will mainly discuss the establishment of organizational structure, the specific content of internal control work and the determination of posts.
1. Organization Settings
At present, large state-owned or listed companies in China usually set up supervisors or independent directors and audit committees under the board of directors at the supervisory decision-making level; In the operation management, there are functional departments such as internal audit department or supervision department. It should be said that the internal control organization has been established. But the key point is that these institutions have many defects, which constitute one of the main obstacles to corporate governance at present. The specific performance is as follows:
:: Lack of specific implementing agencies
For example, there is usually no specific executive body in an enterprise to provide "hardware" conditions for supervisors or independent directors to realize their supervisory functions; This makes the position of supervisor or independent director often "reduced" to an external image function, and the personnel arrangement mainly focuses on arranging senior leaders before retirement. This is usually the case with audit committees, whose information sources are mainly senior managers such as the chairman and general manager, and they cannot really perform their supervisory functions.
* As far as the scope of work and reporting objectives are concerned, the internal audit department is usually in an awkward position.
The audit scope of general enterprises is limited to financial audit; Its work report object is usually only the chief financial officer or general manager of its supervision object. The author believes that an ideal internal control management organization should be able to specifically intervene in the daily operation and management of enterprises under certain independent conditions. This should be different from external audit. Some large international companies, such as BP, have used internal control departments instead of internal audit departments in their business organizations. On the surface, the names are different, but in fact they are very different. Mainly manifested in:
A. Different degrees of independence
Audit rules usually require the internal audit department. In order to maintain complete independence, it is forbidden to interfere with the daily business activities of enterprises. The internal control department can deeply intervene in the daily business activities of the enterprise, understand the situation in detail and provide management consulting services, so as to achieve the effect of "integration of supervision and service".
B. Different scope of audit inspection
Although the current internal audit department is also trying to break through the traditional financial audit and develop into business management audit, due to the qualifications and working background of employees, it can not really realize its effective supervision and inspection of business management. However, the internal control department has no restrictions on hiring personnel (those who fail in finance and audit can also participate in internal control audit inspection), so it can implement more effective supervision and inspection on the overall operation and management of the enterprise.
C. Different reporting objectives
The internal audit department usually only reports to the CEO of the enterprise and is responsible to the CEO. Therefore, many problems involving the CEO's own interests cannot be completely solved, or even solved at all. Although the internal control department can report its work to the CEO of an enterprise, it can also report its work directly to the audit committee, or even to the supervisor or independent director. This ensures the authenticity and reliability of the audit report to a certain extent. Before any enterprise carries out a new management mode, the biggest problem is how to quickly and effectively change the traditional working methods and concepts that people have become accustomed to. Because the specific operation methods of internal control management in modern enterprises will directly affect the existing power structure of enterprises, which means that they will encounter great resistance. Therefore, the internal control manager of an enterprise must conduct systematic internal control training for all relevant stakeholders to minimize the resistance before the system runs. The contents of training mainly include: compiling training materials, determining training plans and implementing training.
1. Prepare training materials
* Collect internal control management information and various cases through various channels. Internal control cases should be based on the events that have happened inside the enterprise, and social cases should be selected appropriately;
* according to the actual situation of enterprises, screening data;
* Use various demonstration means to organize the demonstration text, electronic version and paper version;
* Training materials should try to explain various concepts with various cases.
2. Determine the training plan
:: Setting training objectives
The target of internal control training should include all senior managers and ordinary managers such as directors (supervisors), chief executive officers and chief financial officers. Ordinary management personnel should include operators in sensitive positions such as warehouse keeping, weighing personnel, quality inspection personnel and safety officers.
:: Training methods
Full-time special training and on-the-job training, personal exchange training and work exchange training and other forms.
* Determine the training objectives and specific implementation time, and evaluate the training effect. Internal control training should be combined with other training plans of the enterprise.
3. Implement training
For the company's directors (supervisors), CEO or CFO, general manager and other senior managers, the main points of internal control management are usually introduced by means of separate communication;
For professional internal control managers, comprehensive full-time special training should be conducted in combination with other on-the-job and work exchange training;
For other ordinary managers, short-term full-time centralized training is combined with other on-the-job training on site.
In the whole training crowd, the training of senior managers is the focus of the whole training. In view of the importance of CFO in the internal control system, enterprises should choose financial personnel with internal control background as far as possible when considering hiring CFO. In some famous international enterprises, such as GE Company, the chief financial officer usually comes from people who have worked in internal control (internal audit). People with internal control (internal audit) background will become an important source of future financial directors.
Regarding internal control training, if an enterprise is limited to its own training strength, it can usually entrust experts from other professional management companies to assist. This kind of training is usually limited to centralized off-the-job training. But the daily training mainly depends on the internal strength of the enterprise. Strictly speaking, enterprises can be regarded as entering the implementation stage of internal control operation from the beginning of planning internal control strategy, which refers to the specific implementation stage of internal control operation. The contents of internal control operations mainly include:
1. Formulate internal control management procedures or operation management procedures.
The essence of internal control is legalization and procedural management. The biggest difference between internal control management program and traditional enterprise management program is to design business processes systematically and fully consider avoiding various potential management risks in advance. Therefore, when organizing various functional departments to prepare internal control management procedures, the internal control department should first evaluate all kinds of potential risks existing in all business processes and avoid them in the program design. This includes organizational containment, determination of authorization system, policy provisions and so on. The compatibility with the existing quality management system of the enterprise should be fully considered when formulating the internal control management procedures of the enterprise.
2. Evaluate and check the authorization management system of the enterprise.
No matter whether any enterprise has internal control management or not, it must have a set of authorization management system. However, the question is whether the existing authorization management systems are scientific, clear and reasonable, and whether there are potential risks of exceeding authority and leapfrog. This requires internal control professionals to evaluate the system and put forward suggestions for modification and adjustment. Internal control personnel need to cooperate with CEO, CFO, human resources department and various business departments to adjust their existing job responsibilities. Job responsibilities belong to the general authorization management in internal control management. Establish a temporary special authorization management system.
3. Investigation of potential conflicts of interest
In order to ensure the effective implementation of the organizational containment principle of internal control management, the current mainstream non-family enterprises usually need to avoid the conflict of interests between employees and enterprises in their daily operations. Therefore, the internal control managers of enterprises should design a set of investigation documents about conflicts of interest according to the actual situation of enterprises, and put forward specific measures to avoid potential conflicts of interest. Then organize subordinate enterprises to conduct a comprehensive conflict of interest investigation, and finally put forward suggestions according to the investigation results, including alternative control measures.
4. Prepare the annual internal control audit guide and implement the internal control audit.
Whether it is internal audit or internal control audit, audit guidelines should be formulated before the audit. The compilation of audit guidelines should be based on the requirements of general internal auditing standards and combined with the actual situation and needs of enterprises. Specific audit items should be classified according to the five elements of internal control (internal control framework). What needs to be emphasized again here is that the audit scope of internal control is different from that of traditional internal audit, including other operational management besides finance, such as employee safety and environmental protection, quality management and production site management, 6S management, 6Sigma management, lean production and so on. Therefore, when designing internal control audit guidelines, we should fully cooperate with relevant business departments to ensure the rationality of audit projects and audit resource allocation. In order to objectively and horizontally compare the internal control management of subordinate enterprises, the Internal Control Audit Guidelines can also establish a scoring system. In this way, internal control auditors can put forward objective and scientific evaluation results in the process of audit inspection.
After completing the annual audit of all subordinate companies, internal control managers can quantitatively analyze and compare the actual situation of each enterprise, providing an objective basis for analyzing the management risks of enterprises. The internal control audit guidelines shall be adjusted and updated regularly according to the changes in the business risks of enterprises. The implementation of annual internal control audit can usually require the participation of internal control personnel of subordinate enterprises, and conduct business training for internal control personnel of subordinate enterprises through cross-audit.
5. Organize risk assessment
Controlling management risk is the fundamental purpose of internal control. Therefore, the internal control department of an enterprise should regularly evaluate the management risks of its subordinate enterprises. Management risk assessment should be comprehensively planned in advance. Including the determination of risk assessment objects (various business processes and processing links), the determination of risk types, the assessment of risk levels, the composition of assessment personnel, the design of assessment forms, the analysis of assessment results, etc. Risk assessment is the basis of internal control work and an important basis for formulating internal control management procedures. Due to different industries, different regions, different degrees of competition and different product types, the business risks of each enterprise are also very different. Highlighting key points and grasping high-risk projects are important means to balance enterprise risk control and input cost.
6. Investigation of internal control problems
In order to ensure the effective implementation of enterprise internal control management, the subordinate institutions of enterprises should not only accept the internal control audit and external audit of headquarters, but also hold self-inspection regularly or irregularly. The main body of self-inspection is the general manager of each branch and subsidiary and the person in charge of each business department. Internal control management personnel of branches and subsidiaries take the lead in organizing the implementation. The internal control department of the headquarters should usually prepare an annual survey outline of internal control problems of enterprises according to the problems found in the previous year's audit and the latest changes of enterprise risks, and send it to all branches and subsidiaries for reference. Internal control personnel of branches and subsidiaries may supplement the contents of self-inspection according to the actual situation and needs of enterprises. The questionnaire of enterprise internal control should be adjusted according to the changes of enterprise operating risks and the common weak links found in previous annual audits.
7. Investigation of fraud cases
The loss caused by fraud is an important reason for the decline of enterprise efficiency and even the bankruptcy of enterprises. Therefore, of course, preventing fraud risks has become the main content of enterprise internal control management. The consequences of fraud can usually be reflected in the amount. The number of fraud losses is an important indicator of enterprise internal control management performance evaluation. Internal control personnel should investigate enterprise fraud cases regularly or irregularly, analyze and summarize the causes of fraud, and provide basis for managers to take preventive measures. For domestic enterprises, especially state-owned enterprises, fraud cases are usually investigated by the Ministry of Supervision or the Commission for Discipline Inspection. For foreign-funded enterprises or listed companies without these institutions, internal control departments and internal control personnel need to intervene in the investigation. The internal control department should summarize and analyze the internal fraud of the enterprise every year, and put forward corresponding preventive measures to the management.
8. Evaluation and evaluation of internal control work
The evaluation of internal control personnel in an enterprise includes two parts. The first is the performance completion of internal control personnel. According to the performance agreement signed with internal control personnel every year, evaluate their work; Secondly, commend the internal control personnel who have completed the internal control management. In order to ensure the relative independence and authority of internal control personnel, the internal control department will put forward opinions on the recruitment and dismissal of internal control personnel in subordinate branches and subsidiaries.
9. Attend the board meeting of the company, and put forward suggestions on rewards and punishments for the general manager and chief financial officer of subordinate enterprises to implement internal control policies and follow authorized management.
Participate in the company's important decision-making meetings, and put forward the management risk control plan for the implementation of major projects. For example, the concept of internal control first. As we all know, countless failure cases show that not establishing strict internal control system in advance and not operating according to procedures is one of the most important reasons for the failure of a good project in the future.
10. Organize insurance business
Buying enterprise insurance can not only make up for the losses caused by various emergencies, but also prevent and manage risks. To do a good job in internal control of enterprises, in addition to using internal resources, insurance business can also be an effective tool to promote internal control management of enterprises. How to choose insurance items, how to prepare in advance to prevent insurance accidents and how to prepare insurance claims materials are all related to the internal control management of enterprises.
1 1. Enterprise senior management training
An important part of internal control work is to train senior managers, especially chief financial officer. Practice shows that professionals with financial background are usually competent for the work of corporate finance director after internal control audit training. After working in internal control audit for a period of time, you usually have the opportunity to obtain many conditions needed to become a qualified financial controller. For example, good professional ethics, keen risk awareness, excellent communication skills, and more experience in dealing with difficult problems.
12. internal control work report
The report objects of the internal control department of an enterprise will include directors (supervisors), chief executive officers and general managers. Internal control work reports are divided into regular reports and irregular reports. The periodic report mainly analyzes the overall internal control of the enterprise, current high-risk issues and various audit results, and puts forward improvement opinions and suggestions for weak issues. Good internal control personnel can become the security assistant of the chairman and CEO of the enterprise.
With the breaking of the work scope of internal auditors, the items included in the implementation of internal control operations can be increased. What I want to put forward here is the concept of "internal control service". What we usually call "supervision in service" embodies this concept. It essentially changed the traditional concept of internal audit. From the practical experience, in order to make the enterprise internal control management system play a real role, we must abandon the concept of simple supervision and audit and pay equal attention to supervision, audit and service. The content of internal control services should mainly provide management advice and suggestions. According to the explanation of the five elements of internal control, inspection and evaluation are part of the internal control framework system. The inspection and evaluation here includes not only the daily inspection and evaluation of various business operations of the enterprise, but also the inspection and evaluation of the internal control system being implemented. Internal control departments and external auditors (including independent internal control system evaluation institutions established in the society in the future) will constitute the main body of inspection and evaluation. The main contents of entering this website are:
1. Internal self-inspection and evaluation
The internal control department of the Group is responsible for the comprehensive inspection and evaluation of the internal control work implemented by the enterprise. From strategic planning and annual internal control work plan, to organizational structure and operation, to training and implementation of internal control operation, conduct all-round inspection and evaluation, and then propose improvement measures. 2. Evaluation by external auditors
According to the company law, all enterprises must pass the annual audit of external audit institutions. In order to avoid audit risks, external auditors usually have to check and evaluate the internal control system of the audited object. Therefore, obtaining the evaluation opinions and suggestions of external auditors will provide an important basis for enterprises to improve their internal control management system from another angle.
3. In order to obtain more professional internal control evaluation opinions, the enterprise can also invite other independent third parties with certain qualifications to inspect and evaluate the enterprise.