Board Responsibilities, Internal Control and Risk Management (English Edition)


PwC - Board Responsibilities, Internal Control and Risk Management



- Create a continuous program for objectives, risk and control assessment
•Kiattisak Jelatianranat •31 May 2000
•2nd Asian Roundtable on Corporate Govern
•Uncertainty
•base-
•Hazard
•Risk is any issue which could impact your ability to meet your objectives
•Sustainable Growth
•Pleasant Working Environment
•Spirit
• Effective governance, and
• Proper communication with your stakeholders
•pwc
Balanced Scorecard in Corporate Governance
• Financial & non-financial information.
• Equitable Treatment of stakeholders.
• Combination of Lagging and Leading Information.
• Alignment of short-term objectives

Internal control and risk management: foreign-language translation for a bachelor's degree thesis


Internal control and risk management

1. Internal control: standards and legislation

In 1985, to curb the growing problem of accounting fraud, the United States formed a committee against financial fraud (the Treadway Committee) to investigate the causes of accounting fraud and propose solutions. Its proposals emphasized the importance of internal control and recommended that all listed companies provide an internal control report in their annual reports. The report should acknowledge that management is responsible for financial reporting and internal control, and discuss how those responsibilities were carried out.

After the Treadway Committee completed its mission, its five sponsoring organizations jointly established a new committee, COSO (the Committee of Sponsoring Organizations of the Treadway Commission). It consists of the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the international financial management association (FEI), the internal auditors association (IIA) and the international accounting association (NAA), the predecessor of the management accounting association IMA. COSO continued its research and in 1992 issued a programmatic document on internal control, "Internal Control - Integrated Framework". The COSO reports have been recognized and adopted by regulators and international organizations such as the U.S. Federal Reserve, the U.S. Securities and Exchange Commission and the Basel Committee. Many of their definitions, recommendations and ideas have been absorbed into legislation and regulations, and they have had a broad impact worldwide.

Since the end of 2001, accounting scandals in the United States, represented by the financial fraud cases at Enron, WorldCom, Xerox and other companies, have hit U.S. capital markets and the economy and exposed in concentrated form the internal control problems of American companies. This led the United States to adopt the Sarbanes-Oxley Act. The act makes clear that company managers, the CEO and the CFO, are directly responsible for internal control and bear the economic and criminal consequences; it greatly increases the penalties for accounting fraud; and it strengthens internal audit, external audit and audit supervision. This legislation represents major progress in the capital market system and has given people a deeper appreciation of the importance of internal control.

2. Comparison of internal control and risk management

Internal control and risk management are closely related. COSO holds that internal control is part of risk management. On the basis of "Internal Control - Integrated Framework", the committee therefore issued a new report in 2003, the "Enterprise Risk Management Framework". At present the report is only a draft open to public comment; after revision it is expected to be formally released this year. The "Enterprise Risk Management Framework" inherits and contains the main content of "Internal Control - Integrated Framework", adds three elements and one objective, updates some ideas, and aims to provide countries with unified enterprise risk management terms and concepts and a comprehensive application guide.

COSO defines internal control and risk management, and their elements, as follows.

Internal control: enterprise internal control is a process, implemented by the enterprise's board of directors, managers and other staff, that provides reasonable assurance of achieving objectives such as the accuracy of financial reporting, the efficiency and effectiveness of business activities, and compliance with relevant laws and regulations.
It includes five elements: control environment, risk assessment, control activities, information and communication, and monitoring.

Risk management: enterprise risk management is a process, implemented by the board of directors, management and other personnel, that is applied in strategy formulation and in activities at all levels of the enterprise. It aims to identify potential events that may affect the enterprise and to manage risk according to the enterprise's risk preference, providing reasonable assurance of achieving the enterprise's objectives. It has eight elements: internal environment, objective setting, event identification, risk assessment, risk countermeasures, control activities, information and communication, and monitoring.

From the perspective of the two COSO reports, enterprise risk management and internal control have the following similarities and differences:

First, both are "implemented by the enterprise's board of directors, management and other personnel". This emphasizes that all participating parties have corresponding roles and responsibilities in internal control and risk management.

Second, both are clearly a "process". They are not static things such as system documents or technical models, nor are they separate or additional activities such as inspection or evaluation. They are best placed inside the enterprise's daily management process and built as a routine operating mechanism.

Third, both provide reasonable assurance for achieving the enterprise's objectives. Risk management has four categories of objectives, three of which coincide with those of internal control, namely reporting objectives, operations objectives and compliance objectives. The reporting objectives have been expanded, however: they cover not only financial reports but also require that all non-financial reports issued internally and externally be accurate and reliable.
In addition, risk management adds strategic objectives, that is, high-level objectives related to the enterprise's vision or mission. This means that risk management not only ensures the efficiency and effectiveness of management but also takes part in the process of formulating the enterprise's strategy (including business objectives).

Fourth, risk management and internal control overlap in five elements: the (control or internal) environment, risk assessment, control activities, information and communication, and monitoring. This overlap follows from the fact that most of their objectives coincide and their mechanisms of realization are similar. Risk management adds three elements: objective setting, event identification and risk countermeasures. The overlapping elements have also been extended in content. For example, the control environment of internal control includes seven aspects: integrity and moral values, staff quality and ability, the board of directors and the audit committee, management philosophy and management style, organizational structure, the allocation of power and responsibility, and human resource policies and practices. The "internal environment" of risk management includes these seven aspects and three new ones: risk management philosophy, risk preference (appetite) and risk culture. In the risk assessment element, risk management requires consideration of inherent risk and residual risk, measurement of risk by expected values, worst-case values or probability distributions, and consideration of time preferences and the associations between risks. In information and communication, risk management emphasizes obtaining and analyzing relevant data about the past, present and future, and addresses the depth and timeliness of information, among other things.

Fifth, risk management proposes two new ideas: the risk portfolio and overall (integrated) management.
The "Enterprise Risk Management Framework" borrows portfolio risk theory from modern finance and puts forward the concepts of the risk portfolio and overall management at the enterprise level. It requires grasping, as a whole, the risk exposures dispersed across all levels and departments of the enterprise and considering risk countermeasures from an overall perspective, rather than having each department consider and respond to risk separately, for example by dividing risk into technology, financial, information technology, environmental, safety, quality and audit risk by department. It also requires considering the interaction between risk events, in order to prevent two tendencies. One is that each department's risk is within its risk preference and capacity, but the overall effect may exceed the sustainable limit, because the effects of individual risks are not always additive and may multiply. The other is that the risk of an individual department exceeds its limit, but the overall risk exposure has not gone beyond the sustainable range, because the effects of events sometimes offset each other. In that case there is still room to take on more risk in pursuit of a higher return. From the point of view of the risk portfolio and overall management, the interactions between risk events and between risk countermeasures need to be considered together, and an overall risk management plan formulated.

3. The inner link between internal control and risk management

The evolution of the enterprise system is associated with the development of risk.
The establishment of the limited liability system was the key turning point in the move from sole proprietorship or partnership to the modern joint-stock enterprise. It separated shareholders' personal property from enterprise property and made the enterprise's economic responsibility independent, so that a change of shareholders no longer affects the enterprise's credit capacity. Equity transactions expanded in range and increased in liquidity, which reduced the risk of investment, promoted enterprise financing and contributed to today's giant corporations.

So that equity trading and changes of shareholders do not affect business continuity, and so that capital and management ability can be combined more optimally, ownership and management are highly separated in the modern enterprise. This separation also brings new risks, namely that professional managers might not fulfil their accountability and might act at shareholders' expense. In addition, limited liability may tempt an enterprise to engage in high-risk projects that harm creditors, because under limited liability the potential gains go mainly to the enterprise (its shareholders), while the risk of failure, chiefly bankruptcy, is borne by the creditors. These risks are not market risks, such as product quality or natural disasters, that can be constrained spontaneously by market competition or hedged through market transactions. They are agency problems in organization or trade and need to be regulated by rules and systems. These systems include the accountability systems within corporate governance, such as financial reporting, internal control and audit.

The fundamental role of internal control and risk management is to safeguard investors' interests, keep enterprise assets secure and create new value. Fama & Jensen (1983) analyzed the internal control function of the board of directors under the separation of ownership and management; Jensen (1993) further analyzed the reasons why American boards of directors failed in performing internal control.
Theoretically, enterprise internal control is a component of the enterprise system, a mechanism for protecting investors' interests under the separation of management and ownership. Its purpose is to ensure the accuracy and reliability of accounting information, prevent management's manipulation of statements and fraud, protect the security of the company's property, and comply with the law so as to maintain the company's reputation and avoid pecuniary loss. Internal control originated earlier and its requirements are more basic, so it is easier or more appropriate to raise it to the level of legislation. Enterprise risk management is a natural extension of internal control under new technology and market conditions. In the "Enterprise Risk Management Framework", COSO discusses the significance of risk management as follows: "Enterprise risk management is applied in strategy and in activities at all levels of the organization. It enables managers, in the face of uncertainty, to identify, evaluate and manage risk, and plays a role in creating and maintaining value. Risk management can keep risk preference and strategy consistent, consider risk together with growth and return, promote decisions in response to risk, reduce risks and losses, identify and manage cross-enterprise risks, provide overall countermeasures for multiple risks, capture opportunities and rationalize capital." COCO, in explaining control and risk in the broad sense, puts it this way: "'Leadership' includes making choices in the face of uncertainty. 'Risk' refers to the possibility that an individual or organization suffers adverse consequences after making a choice. Risk is the counterpart of opportunity."
Obviously, these discussions recognize that an enterprise exists to create value for shareholders or stakeholders (in the case of nonprofit organizations and the like), and that value creation is not only the passive safeguarding of assets but should also include making use of opportunities. Moreover, threats to shareholder value come not only from internal factors such as accounting fraud by managers but also from market risk and other sources.

Technology and market conditions have driven the progress of internal control towards risk management. With advanced information technology, accounting records are kept electronically and updated in real time, which makes traditional accounting controls for detecting errors and preventing malpractice seem outdated. However, risk is often caused by innovation in transactions or organization, and these innovations come from emerging market practice, such as Enron developing energy trading on a large scale into something similar to financial derivatives trading. On the other hand, environmental protection and the enforcement of consumer rights have strengthened the social responsibility of the enterprise. An enterprise that is careless may be punished by the commodity market or the capital market, in the form of a fall in brand value or in market capitalisation. Therefore, the enterprise needs a function and structure in its daily operations to guard against risks, including complying with laws and regulations, ensuring the trust of investors, and ensuring financial information and management efficiency, etc.
Therefore, from the standpoint of the basic function of maintaining and promoting value creation, the objectives of risk management and internal control are consistent. It is just that, under new technology and market conditions, effectively protecting the interests of investors requires developing, on the basis of internal control, a more active and more comprehensive risk management.

4. From internal control to risk management

There is a debate over whether risk management includes internal control or internal control contains risk management. The author thinks that which conclusion is reached is not very important; what matters most is to be clear about the relationship between risk management and internal control and where they overlap. Which of the two is wider may differ with time, technology, market conditions, and legal and regulatory practice. For example, in the early development of internal control, the tools, technology and market conditions for risk management (such as computer systems, statistical theory, quantitative models, hedging tools and insurance) were not fully developed, so it was natural for internal control to contain (substitute for) the risk management function. Even in the same era, different industries may have different emphases. For example, in the strictly regulated financial industry, or in the pharmaceutical and medical industries, which involve people's lives and health, the urgency of risk management is greater, and it may be more convenient for the enterprise to let risk management lead internal control. In some other enterprises, in order to comply with information disclosure requirements for internal control reports, it may be more suitable to let the internal control system lead while also attending to risk management.

Because of the intrinsic relation between internal control and risk management, countries have gradually connected internal control and risk management in different ways.
On January 8, 2004, the relevant parties in China held the "Commercial Bank Risk Management and Internal Control Forum", which shows that our banking sector has also begun to connect internal control and risk management.

The framework for internal control systems in banking organizations issued by the Basel Committee says: "The board of directors approves and regularly reviews the overall strategy and important policies, understands the main risks, sets acceptable levels for these risks for the bank, and ensures that management takes the necessary steps to identify, measure, monitor and control these risks..." Here the content of risk management is obviously brought into the internal control framework. In the UK, the FSA's Combined Code (The Combined Code), in its provisions on internal control, was the first official document to place risk management explicitly under internal control. The code states that the board should maintain a sound system of internal control to protect shareholders' investment and the enterprise's assets (principle D.2). The board of directors should, at least once a year, review the effectiveness of the enterprise's internal control system and report to shareholders. The report should cover all controls, such as financial, management and compliance controls and risk management (D.2.1). Enterprises listed on the London Stock Exchange must abide by this rule.

The control standards committee of the Canadian association of certified accountants (COCO) holds that "control should include identifying risk and reducing risk". This covers not only risks related to achieving specific objectives but also more general ones, such as failing to identify and take advantage of opportunities, or failing to keep the enterprise flexible or resilient in the face of unanticipated events and uncertain information.
In 1992, COSO's "Internal Control - Integrated Framework" made risk assessment one of the five elements of internal control. The more recently introduced "Enterprise Risk Management Framework" further expands internal control into risk management and clearly places internal control within risk management.

The author believes that in actual business processes risk management and internal control are inseparable. In making rules or legislation, the scope and the strength of control need to be weighed: the wider the scope, the weaker the control. Core issues, such as the accuracy and reliability of financial reporting, are best constrained in the form of legislation, while other, broader content may be better suited to rules and guidelines. At different levels within the enterprise, the relative order of which leads, risk management or internal control, can also differ. For example, moving from the enterprise's strategic risk to management risk, financial risk and finally financial reporting, the relative importance of risk management and internal control should vary. For strategic risk, risk management should play the leading role and internal control a supporting one. The roles gradually reverse level by level, so that for financial reporting internal control should play the leading role and risk management a supporting one.

Although risk management and internal control have an inner link, there is still a large gap between them in practice, at the current level of application. Typical risk management focuses on weighing benefits against risks in particular lines of business, in connection with strategic choices or business decisions, for example credit management in banking or market (price) risk management such as exchange rate and interest rate risk. Typical internal control refers to accounting control and audit activities, and is generally confined to finance-related departments.
What they have in common is that both operate at a low level and within a small range, confined to a few functional departments, and have not penetrated or been applied throughout the enterprise's management process and the whole management system. As a result, risk management and internal control sometimes look like two things independent of each other. As internal control and risk management are continuously improved and become more comprehensive, they will inevitably overlap and merge until they are unified.

Internal Control and Risk Management
Zhou Zhaosheng

1. Internal control: standards and legislation

In 1985, to curb increasingly rampant accounting fraud, the United States set up a committee against financial fraud (the Treadway Committee) to investigate the causes of accounting fraud and propose solutions.

Internal Control and Audit Risk (English)


Chapter 1 General provisions

Article 1
This standard is prepared in accordance with the General Independent Auditing Standard to establish standards for Certified Public Accountants (“CPAs”) on the study and evaluation of an entity's internal controls in the audit of financial statements, to assess audit risk, to improve audit efficiency and to ensure a high standard of professional work.

Article 2
The term “internal controls” in this standard refers to the policies and procedures formulated and implemented by an entity with a view to ensuring the efficient conduct of the business activities, safeguarding assets, preventing, detecting and correcting error and fraud, and ensuring the truthfulness, legitimacy and completeness of accounting information.
Internal controls include the control environment, accounting systems and control procedures.

Article 3
The term “audit risk” in this standard refers to the possibility of the CPA expressing an inappropriate audit opinion after performing an audit, when the financial statements contain material misstatements or omissions.
Audit risk includes inherent risk, control risk and detection risk.

Article 4
Unless otherwise specified, CPAs should refer to this standard in performing audit work other than the audit of financial statements.

Chapter 2 General principles

Article 5
When preparing the audit plan, the CPA should study and evaluate the entity's internal controls.

Article 6
The CPA should perform compliance tests on any internal controls, which are intended to be relied upon, to determine the impact on the nature, timing and extent of the substantive tests.

Article 7
The CPA should maintain professional scepticism, apply professional judgement reasonably to assess the audit risk and to design and perform relevant audit procedures in order to reduce the audit risk to an acceptable level.

Article 8
The CPA should document the work carried out and the results of the study and evaluation of the internal controls and the assessment of the audit risk in the audit working papers.

Chapter 3 Internal controls

Article 9
It is the accounting responsibility of the entity's management to establish sound internal controls.
The relevant internal controls should generally:
(1) ensure that business activities are conducted in accordance with appropriate authorization;
(2) ensure that all transactions and events are promptly recorded at the correct amount, in the appropriate accounts and in the proper accounting period, to enable preparation of financial statements in accordance with the relevant requirements of the accounting standards;
(3) ensure that access to and handling of assets and records are permitted only in accordance with appropriate authorization; and
(4) ensure that assets recorded are reconciled with the physical assets at regular intervals.

Article 10
When determining the reliability of internal controls, the CPA should maintain professional scepticism and pay adequate attention to the following inherent limitations of internal controls:
(1) The design and implementation of internal controls are restricted by the principle of cost and benefit;
(2) Internal controls tend to be directed at routine business activities;
(3) Even perfectly designed internal controls may not operate effectively due to human carelessness, distraction, mis-judgement and the misunderstanding of instructions;
(4) Internal controls may be circumvented through the collusion by relevant persons with parties inside or outside the entity;
(5) Internal controls may be circumvented when a person responsible for exercising an internal control abuses that responsibility or submits to external pressure; and
(6) Internal controls may deteriorate or become ineffective due to changes in the operating environment and the nature of the business.

Article 11
When preparing the audit plan, the CPA should understand the design and operating conditions of the entity's internal controls.
When determining the nature, timing and extent of the audit procedures which should be performed to understand the internal controls, the CPA should mainly consider the following factors:
(1) the size and business complexity of the entity;
(2) the type and complexity of the entity's data processing system;
(3) audit materiality;
(4) the type of relevant internal controls;
(5) the documentation of relevant internal controls; and
(6) the result of the assessment of inherent risk.

Article 12
In understanding the internal controls, the CPA should make reasonable use of previous audit experience. With regard to significant internal controls, generally the CPA may also perform the following procedures:
(1) make enquiries of the entity's relevant persons and inspect the relevant internal control documentation;
(2) inspect the documents and records generated by the internal controls;
(3) observe the entity's business activities and the operating conditions of the internal controls; and
(4) choose certain typical transactions and events and perform walkthrough tests on them.

Article 13
The CPA should obtain an understanding of the control environment sufficient to assess the attitudes, awareness and actions of the entity's management regarding internal controls and their importance.
Major factors affecting the control environment include:
(1) philosophy, methods and style of management;
(2) organisational structure and methods of assigning authority and responsibility; and
(3) the control system.

Article 14
The CPA should obtain an understanding of the accounting system sufficient to identify and understand:
(1) the major classes of transactions and activities of the entity;
(2) how major classes of transactions and activities are initiated;
(3) significant supporting documents, accounting records and items in the financial statements; and
(4) the accounting and financial reporting process for significant transactions and events.

Article 15
The CPA should obtain an understanding of the following major control procedures sufficient to determine the relevant audit procedures reasonably:
(1) the authorisation of transactions;
(2) the assignment of responsibility;
(3) the control of supporting documents and records;
(4) access to assets and use of records; and
(5) any independent checking.

Article 16
Internal audit is an important component of the entity's control system. The CPA should consider the following factors when studying and evaluating the quality of the internal audit work to determine whether to rely on the results of the internal audit work:
(1) the independence of the internal auditors;
(2) the experience and competence of the internal auditors;
(3) the nature, timing and extent of the internal audit procedures;
(4) the sufficiency and appropriateness of the audit evidence obtained by the internal auditors; and
(5) the merit placed on the internal audit work by the management.

Article 17
The CPA may use various methods such as narrative descriptions, questionnaires, check lists, flow charts etc. to understand and evaluate internal controls and should include them in the audit working papers.

Article 18
The CPA should inform the entity's management of material internal control weaknesses identified during the audit. If necessary, a management letter may be issued.

Chapter 4 Audit risk

Article 19
In developing the overall audit plan, the CPA should assess inherent risk at the financial statement level.
Inherent risk refers to the susceptibility of an account balance, or class of transactions, to material misstatements or omissions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, assuming that there were no relevant internal controls.

Article 20
In developing the detailed audit plan, the CPA should consider the impact of the assessment of inherent risk on the material account balances or classes of transactions at the assertion level, or directly assume that inherent risk is high for the assertion.

Article 21
The CPA should exercise professional judgement reasonably and consider the following factors when assessing inherent risk:
(1) the integrity and competence of management;
(2) any changes in management, especially the financial staff;
(3) any unusual pressures on management;
(4) the nature of business;
(5) the circumstances and factors affecting the industry in which the entity operates;
(6) financial statement items likely to be susceptible to misstatements;
(7) the complexity of important transactions and events which might require using the work of an expert;
(8) the degree of estimation and judgement involved in determining account balances;
(9) the susceptibility of assets to loss or misappropriation;
(10) the occurrence of unusual or complex transactions during the accounting period, particularly near the accounting period end; and
(11) the susceptibility of transactions and events to omissions in the routine accounting process.

Article 22
After understanding the internal controls and assessing inherent risk, the CPA should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions.
Control risk refers to the possibility that a misstatement or omission that could occur in an account balance or class of transactions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, will not be prevented, detected or corrected by the internal controls.

Article 23
The CPA should assess the control risk of material account balances or classes of transactions at a high level, for some or all assertions, when one or more of the following situations occurs:
(1) the entity's internal controls are not effective;
(2) it is difficult for the CPA to assess the effectiveness of internal controls; or
(3) the CPA does not plan to perform compliance tests.

Article 24
When making a preliminary assessment of control risk for a financial statement assertion, the CPA should not assess the control risk at a high level when:
(1) relevant internal controls are likely to prevent, detect or correct material misstatements or omissions; and
(2) the CPA plans to perform compliance tests.

Article 25
If the CPA plans to rely on the internal controls, he should perform compliance procedures to assess the control risk.
The lower the preliminary assessment of control risk, the more evidence the CPA should obtain to show that internal controls are suitably designed and operating effectively.

Article 26
The CPA may perform the following compliance procedures:
(1) inspection of documents supporting transactions and events;
(2) enquiries about, and observation of, internal control operations which leave no audit trail; and
(3) reperformance of relevant internal control procedures.

Article 27
When one or more of the following situations occurs, the CPA may directly perform substantive procedures without performing compliance tests:
(1) the relevant internal controls do not exist;
(2) even though the relevant internal controls exist, the CPA, through preliminary study, discovers that the internal controls do not operate effectively; or
(3) compliance tests require more work than the reduction of substantive tests that would have been achieved by performing compliance tests.

Article 28
Based on the results of the compliance tests, the CPA should assess whether the design and operation of the internal controls are in line with the conclusion drawn from the preliminary assessment of control risk. If there are discrepancies, the assessed level of control risk should be revised and the nature, timing and extent of substantive procedures should be modified accordingly.

Article 29
In a continuing engagement, the CPA may make use of the information relating to the study and evaluation of internal controls obtained in prior periods, but will need to update it.

Article 30
The CPA should understand whether the internal controls were applied consistently throughout the accounting period being audited.
If there were obvious changes, the CPA should consider testing them separately.Article 31If compliance tests have been performed in the interim audit, the CPA, before deciding to rely entirely on their results, should consider the following factors to obtain further audit evidence for the period between interim period end and final period end:(1) the conclusion drawn from the compliance tests in the interim audit;(2) the length of the remaining period after the interim audit;(3) any changes in internal controls after the interim audit;(4) the nature and amount of the transactions and activities which occurred after the interim audit; and(5) the substantive procedures to be performed.Before concluding the audit, the CPA should, based on the results of substantive tests and other audit evidence, make a final assessment of the control risk and check whether it is in line with the conclusion drawn from the preliminary assessment of the risk. If not, the CPA should consider whether additional relevant audit procedures should be performed.Article 33As control risk and inherent risk are related, the CPA should make an overall assessment of inherent risk and control risk, and use the result as the basis for the assessment of detection risk.Detection risk refers to the possibility that substantive tests will not detect a misstatement or omission that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions.The assessment of inherent risk and control risk has a direct impact on the assessment of detection risk. 
For higher levels of inherent risk and control risk, the CPA should perform more detailed substantive procedures and should also consider their nature, timing and extent to reduce the detection risk to an acceptable level.Regardless of the result of the assessment of inherent risk and control risk, the CPA should perform substantive tests on all material account balances or classes of transactions.Article 35If, after performing relevant audit procedures, the CPA still believes that detection risk regarding an assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the CPA should express a qualified opinion or a disclaimer of opinion.Article 36The internal controls in small businesses are usually weaker, resulting in higher inherent risk and control risk. The CPA should heavily or entirely rely on substantive procedures to obtain audit evidence in order to reduce the detection risk to an acceptable level.Chapter 5 Supplementary provisionsArticle 37The Chinese Institute of Certified Public Accountants is responsible for the interpretation of this standard.Article 38This standard takes effect from 1 January 1997.。

Board Responsibility, Internal Control and Risk Management (English Version)

Kiattisak Jelatianranat
2nd Asian Roundtable on Corporate Governance, 31 May 2000
pwc
Responsibility VS Accountability
• Responsibility: What, and Who will do?
• Accountability: How, and For whom?
Do nothing-Bet
Board Effectiveness
• Board initiative & Ownership of:
• Corporate governance framework
Risk is any issue which could impact your ability to meet your objectives
Risk ………..
• Risk Assessment
  - Identify
  - Measure
  - Prioritize
• Risk Management
  - Assess adequacy of existing controls
  - Develop a control improvement plan
  - Create a continuous program for objectives, risk and control assessment

Internal Controls and Audit Risk (English)

Chapter 1 General provisions

Article 1
This standard is prepared in accordance with the General Independent Auditing Standard to establish standards for Certified Public Accountants (“CPAs”) on the study and evaluation of an entity's internal controls in the audit of financial statements, to assess audit risk, to improve audit efficiency and to ensure a high standard of professional work.

Article 2
The term “internal controls” in this standard refers to the policies and procedures formulated and implemented by an entity with a view to ensuring the efficient conduct of the business activities, safeguarding assets, preventing, detecting and correcting error and fraud, and ensuring the truthfulness, legitimacy and completeness of accounting information.
Internal controls include the control environment, accounting systems and control procedures.

Article 3
The term “audit risk” in this standard refers to the possibility of the CPA expressing an inappropriate audit opinion after performing an audit, when the financial statements contain material misstatements or omissions. Audit risk includes inherent risk, control risk and detection risk.

Article 4
Unless otherwise specified, CPAs should refer to this standard in performing audit work other than the audit of financial statements.

Chapter 2 General principles

Article 5
When preparing the audit plan, the CPA should study and evaluate the entity's internal controls.

Article 6
The CPA should perform compliance tests on any internal controls, which are intended to be relied upon, to determine the impact on the nature, timing and extent of the substantive tests.

Article 7
The CPA should maintain professional scepticism, apply professional judgement reasonably to assess the audit risk and to design and perform relevant audit procedures in order to reduce the audit risk to an acceptable level.

Article 8
The CPA should document the work carried out and the results of the study and evaluation of the internal controls and the assessment of the audit risk in the audit working papers.

Chapter 3 Internal controls

Article 9
It is the accounting responsibility of the entity's management to establish sound internal controls. The relevant internal controls should generally:
(1) ensure that business activities are conducted in accordance with appropriate authorization;
(2) ensure that all transactions and events are promptly recorded at the correct amount, in the appropriate accounts and in the proper accounting period, to enable preparation of financial statements in accordance with the relevant requirements of the accounting standards;
(3) ensure that access to and handling of assets and records are permitted only in accordance with appropriate authorization; and
(4) ensure that assets recorded are reconciled with the physical assets at regular intervals.

Article 10
When determining the reliability of internal controls, the CPA should maintain professional scepticism and pay adequate attention to the following inherent limitations of internal controls:
(1) The design and implementation of internal controls are restricted by the principle of cost and benefit;
(2) Internal controls tend to be directed at routine business activities;
(3) Even perfectly designed internal controls may not operate effectively due to human carelessness, distraction, mis-judgement and the misunderstanding of instructions;
(4) Internal controls may be circumvented through the collusion by relevant persons with parties inside or outside the entity;
(5) Internal controls may be circumvented when a person responsible for exercising an internal control abuses that responsibility or submits to external pressure; and
(6) Internal controls may deteriorate or become ineffective due to changes in the operating environment and the nature of the business.

Article 11
When preparing the audit plan, the CPA should understand the design and operating conditions of the entity's internal controls.
When determining the nature, timing and extent of the audit procedures which should be performed to understand the internal controls, the CPA should mainly consider the following factors:
(1) the size and business complexity of the entity;
(2) the type and complexity of the entity's data processing system;
(3) audit materiality;
(4) the type of relevant internal controls;
(5) the documentation of relevant internal controls; and
(6) the result of the assessment of inherent risk.

Article 12
In understanding the internal controls, the CPA should make reasonable use of previous audit experience. With regard to significant internal controls, generally the CPA may also perform the following procedures:
(1) make enquiries of the entity's relevant persons and inspect the relevant internal control documentation;
(2) inspect the documents and records generated by the internal controls;
(3) observe the entity's business activities and the operating conditions of the internal controls; and
(4) choose certain typical transactions and events and perform walkthrough tests on them.

Article 13
The CPA should obtain an understanding of the control environment sufficient to assess the attitudes, awareness and actions of the entity's management regarding internal controls and their importance.
Major factors affecting the control environment include:
(1) philosophy, methods and style of management;
(2) organisational structure and methods of assigning authority and responsibility; and
(3) the control system.

Article 14
The CPA should obtain an understanding of the accounting system sufficient to identify and understand:
(1) the major classes of transactions and activities of the entity;
(2) how major classes of transactions and activities are initiated;
(3) significant supporting documents, accounting records and items in the financial statements; and
(4) the accounting and financial reporting process for significant transactions and events.

Article 15
The CPA should obtain an understanding of the following major control procedures sufficient to determine the relevant audit procedures reasonably:
(1) the authorisation of transactions;
(2) the assignment of responsibility;
(3) the control of supporting documents and records;
(4) access to assets and use of records; and
(5) any independent checking.

Article 16
Internal audit is an important component of the entity's control system. The CPA should consider the following factors when studying and evaluating the quality of the internal audit work to determine whether to rely on the results of the internal audit work:
(1) the independence of the internal auditors;
(2) the experience and competence of the internal auditors;
(3) the nature, timing and extent of the internal audit procedures;
(4) the sufficiency and appropriateness of the audit evidence obtained by the internal auditors; and
(5) the merit placed on the internal audit work by the management.

Article 17
The CPA may use various methods such as narrative descriptions, questionnaires, check lists, flow charts etc. to understand and evaluate internal controls and should include them in the audit working papers.

Article 18
The CPA should inform the entity's management of material internal control weaknesses identified during the audit. If necessary, a management letter may be issued.

Chapter 4 Audit risk

Article 19
In developing the overall audit plan, the CPA should assess inherent risk at the financial statement level. Inherent risk refers to the susceptibility of an account balance, or class of transactions, to material misstatements or omissions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, assuming that there were no relevant internal controls.

Article 20
In developing the detailed audit plan, the CPA should consider the impact of the assessment of inherent risk on the material account balances or classes of transactions at the assertion level, or directly assume that inherent risk is high for the assertion.

Article 21
The CPA should exercise professional judgement reasonably and consider the following factors when assessing inherent risk:
(1) the integrity and competence of management;
(2) any changes in management, especially the financial staff;
(3) any unusual pressures on management;
(4) the nature of business;
(5) the circumstances and factors affecting the industry in which the entity operates;
(6) financial statement items likely to be susceptible to misstatements;
(7) the complexity of important transactions and events which might require using the work of an expert;
(8) the degree of estimation and judgement involved in determining account balances;
(9) the susceptibility of assets to loss or misappropriation;
(10) the occurrence of unusual or complex transactions during the accounting period, particularly near the accounting period end; and
(11) the susceptibility of transactions and events to omissions in the routine accounting process.

Article 22
After understanding the internal controls and assessing inherent risk, the CPA should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. Control risk refers to the possibility that a misstatement or omission that could occur in an account balance or class of transactions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, will not be prevented, detected or corrected by the internal controls.

Article 23
The CPA should assess the control risk of material account balances or classes of transactions at a high level, for some or all assertions, when one or more of the following situations occurs:
(1) the entity's internal controls are not effective;
(2) it is difficult for the CPA to assess the effectiveness of internal controls; or
(3) the CPA does not plan to perform compliance tests.

Article 24
When making a preliminary assessment of control risk for a financial statement assertion, the CPA should not assess the control risk at a high level when:
(1) relevant internal controls are likely to prevent, detect or correct material misstatements or omissions; and
(2) the CPA plans to perform compliance tests.

Article 25
If the CPA plans to rely on the internal controls, he should perform compliance procedures to assess the control risk. The lower the preliminary assessment of control risk, the more evidence the CPA should obtain to show that internal controls are suitably designed and operating effectively.

Article 26
The CPA may perform the following compliance procedures:
(1) inspection of documents supporting transactions and events;
(2) enquiries about, and observation of, internal control operations which leave no audit trail; and
(3) reperformance of relevant internal control procedures.

Article 27
When one or more of the following situations occurs, the CPA may directly perform substantive procedures without performing compliance tests:
(1) the relevant internal controls do not exist;
(2) even though the relevant internal controls exist, the CPA, through preliminary study, discovers that the internal controls do not operate effectively; or
(3) compliance tests require more work than the reduction of substantive tests that would have been achieved by performing compliance tests.

Article 28
Based on the results of the compliance tests, the CPA should assess whether the design and operation of the internal controls are in line with the conclusion drawn from the preliminary assessment of control risk. If there are discrepancies, the assessed level of control risk should be revised and the nature, timing and extent of substantive procedures should be modified accordingly.

Article 29
In a continuing engagement, the CPA may make use of the information relating to the study and evaluation of internal controls obtained in prior periods, but will need to update it.

Article 30
The CPA should understand whether the internal controls were applied consistently throughout the accounting period being audited. If there were obvious changes, the CPA should consider testing them separately.

Article 31
If compliance tests have been performed in the interim audit, the CPA, before deciding to rely entirely on their results, should consider the following factors to obtain further audit evidence for the period between interim period end and final period end:
(1) the conclusion drawn from the compliance tests in the interim audit;
(2) the length of the remaining period after the interim audit;
(3) any changes in internal controls after the interim audit;
(4) the nature and amount of the transactions and activities which occurred after the interim audit; and
(5) the substantive procedures to be performed.

Article 32
Before concluding the audit, the CPA should, based on the results of substantive tests and other audit evidence, make a final assessment of the control risk and check whether it is in line with the conclusion drawn from the preliminary assessment of the risk. If not, the CPA should consider whether additional relevant audit procedures should be performed.

Article 33
As control risk and inherent risk are related, the CPA should make an overall assessment of inherent risk and control risk, and use the result as the basis for the assessment of detection risk.
Detection risk refers to the possibility that substantive tests will not detect a misstatement or omission that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions.
The assessment of inherent risk and control risk has a direct impact on the assessment of detection risk. For higher levels of inherent risk and control risk, the CPA should perform more detailed substantive procedures and should also consider their nature, timing and extent to reduce the detection risk to an acceptable level.

Article 34
Regardless of the result of the assessment of inherent risk and control risk, the CPA should perform substantive tests on all material account balances or classes of transactions.

Article 35
If, after performing relevant audit procedures, the CPA still believes that detection risk regarding an assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the CPA should express a qualified opinion or a disclaimer of opinion.

Article 36
The internal controls in small businesses are usually weaker, resulting in higher inherent risk and control risk. The CPA should heavily or entirely rely on substantive procedures to obtain audit evidence in order to reduce the detection risk to an acceptable level.

Chapter 5 Supplementary provisions

Article 37
The Chinese Institute of Certified Public Accountants is responsible for the interpretation of this standard.

Article 38
This standard takes effect from 1 January 1997.

Internal Control Report (English Version)

Internal Control Report

Introduction

Internal control is a system of policies and procedures that are designed to provide reasonable assurance that an organization's objectives are being achieved. These objectives can be categorized into four main areas:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
• Safeguarding of assets.

Internal controls are essential for any organization, regardless of its size or industry. They help to ensure that the organization is operating in a manner that is consistent with its goals and objectives.

Components of Internal Control

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a framework for internal control that identifies five key components:
• Control environment.
• Risk assessment.
• Control activities.
• Information and communication.
• Monitoring.

Control Environment

The control environment is the foundation for internal control. It sets the tone for the organization and influences the way that employees behave. The control environment includes the following elements:
• Integrity and ethical values.
• Board of directors and audit committee.
• Management's philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.

Risk Assessment

Risk assessment is the process of identifying and evaluating the risks that could prevent an organization from achieving its objectives. The risk assessment process includes the following steps:
• Identifying risks.
• Assessing the likelihood and impact of risks.
• Prioritizing risks.
• Developing risk response strategies.

Control Activities

Control activities are the policies and procedures that are implemented to mitigate the risks that have been identified. Control activities can be classified into three types:
• Preventive controls.
• Detective controls.
• Corrective controls.

Information and Communication

Information and communication are essential for effective internal control. The organization must have a system in place to collect, process, and communicate information about its activities. This system must be designed to ensure that the information is accurate, reliable, and timely.

Monitoring

Monitoring is the process of evaluating the effectiveness of internal control. The monitoring process includes the following steps:
• Establishing monitoring procedures.
• Performing ongoing monitoring activities.
• Evaluating the results of monitoring activities.
• Taking corrective action as necessary.

Importance of Internal Control

Internal control is essential for any organization, regardless of its size or industry. It helps to ensure that the organization is operating in a manner that is consistent with its goals and objectives. Internal control also helps to protect the organization's assets, prevent fraud, and ensure compliance with applicable laws and regulations.

Conclusion

Internal control is a complex and ever-changing process. However, it is essential for any organization that wants to achieve its goals and objectives. By implementing a strong internal control system, organizations can help to ensure that they are operating in a manner that is consistent with their values and that they are protected from the risks that they face.

Board Responsibility, Internal Control and Risk Management (PPT, 20 pages)

Why corporate governance matters?
Sustainable Growth
Pleasant Working Environment
Searching for the upside of risk management
Value Chain VS Risk
Opportunity
Prevention
Preservation
Enhancement
Uncertainty
base-line
Hazard

Internal Management: PwC Board Responsibility, Internal Control and Risk Management (Selected)
• Financial & non-financial information.
• Equitable Treatment of stakeholders.
• Combination of Lagging and Leading Information.
• Alignment of short-term objectives
Spirit
• Effective governance, and
• Proper communication with your stakeholders
Risk Management Action Options
Fix Controls
Re-Engineer Process
Options

Board Responsibility, Internal Control and Risk Management (PPT courseware)
Balanced Responsibility …… legal & moral
Board “core” responsibilities……….
• Create strategic vision
• Select CEO & Senior management
• Establish strategic, accountable information
• Independent, objective and competent oversight of day-to-day operations
… Operations are dynamic and evolving...
Complexity of Value chain……..

内部控制 内部控制与审计风险英 精品

内部控制 内部控制与审计风险英 精品

内部控制与审计风险(英)Chapter 1 General provisionsArticle 1This standard is prepared in accordance with the General Independent Auditing Standard to establish standards for Certified Public Accountants (“CPAs”) on the study and evaluation of an entity's internal controls in the audit of financial statements, to assess audit risk, to improve audit efficiency and to ensure a high standard of professional work.Article 2The term “internal controls” in this standard refers to the policies and procedures formulated and implemented by an entity with a view to ensuring the efficient conduct of the business activities, safeguarding assets, preventing, detecting and correcting error and fraud, and ensuring the truthfulness, legitimacy and pleteness of accounting information.Internal controls include the control environment, accounting systems and control procedures.Article 3The term “audit risk” in this standard refers to the possibility of the CPA expressing an inappropriate audit opinion after performing an audit, when the financial statements contain material misstatements or omissions. 
Audit risk includes inherent risk, control risk and detection risk.Article 4Unless otherwise specified, CPAs should refer to this standard in performing audit work other than the audit of financial statements.Chapter 2 General principlesArticle 5When preparing the audit plan, the CPA should study and evaluate the entity's internal controls.Article 6The CPA should perform pliance tests on any internal controls, which are intended to be relied upon, to determine the impact on the nature, timing and extent of the substantive tests.Article 7The CPA should maintain professional scepticism, apply professional judgement reasonably to assess the audit risk and to design and perform relevant audit procedures in order to reduce the audit risk to an acceptable level.Article 8The CPA should document the work carried out and the results of the study and evaluation of the internal controls and the assessment of the audit risk in the audit working papers.Chapter 3 Internal controlsArticle 9It is the accounting responsibility of the entity's management to establish sound internal controls. 
The relevant internal controls should generally:(1) ensure that business activities are conducted in accordance with appropriate authorization;(2) ensure that all transactions and events are promptly recorded at the correct amount, in the appropriate accounts and in the proper accounting period, to enable preparation of financial statements in accordance with the relevant requirements of the accounting standards;(3) ensure that access to and handling of assets and records are permitted only in accordance with appropriate authorization; and(4) ensure that assets recorded are reconciled with the physical assets at regular intervals.Article 10When determining the reliability of internal controls, the CPA should maintain professional scepticism and pay adequate attention to the following inherent limitations of internal controls:(1) The design and implementation of internal controls are restricted by the principle of cost and benefit;(2) Internal controls tend to be directed at routine business activities;(3) Even perfectly designed internal controls may not operate effectively due to human carelessness, distraction, mis-judgement and the misunderstanding of instructions;(4) Internal controls may be circumvented through the collusion by relevant persons with parties inside or outside the entity;(5) Internal controls may be circumvented when a person responsible for exercising an internal control abuses that responsibility or submits to external pressure; and(6) Internal controls may deteriorate or bee ineffective due to changes in the operating environment and the nature of the business.Article 11When preparing the audit plan, the CPA should understand the design and operating conditions of the entity's internal controls.When determining the nature, timing and extent of the audit procedures which should be performed to understand the internal controls, the CPA should mainly consider the following factors:(1) the size and business plexity of the entity;(2) the type and 
plexity of the entity's data processing system;(3) audit materiality;(4) the type of relevant internal controls;(5) the documentation of relevant internal controls; and(6) the result of the assessment of inherent risk.Article 12In understanding the internal controls, the CPA should make reasonable use of previous audit experience. With regard to significant internal controls, generally the CPA may also perform the following procedures:(1) make enquiries of the entity's relevant persons and inspect the relevant internal control documentation;(2) inspect the documents and records generated by the internal controls;(3) observe the entity's business activities and the operating conditions of the internal controls; and(4) choose certain typical transactions and events and perform walkthrough tests on them.Article 13The CPA should obtain and understanding of the control environment sufficient to assess the attitudes, awareness and actions of the entity's management regarding internal controls and their importance.Major factors affecting the control environment include:(1) philosophy, methods and style of management;(2) organisational structure and methods of assigning authority and responsibility; and(3) the control system.Article 14The CPA should obtain an understanding of the accounting system sufficient to identify and understand:(1) the major classes of transactions and activities of the entity;(2) how major classes of transactions and activities are initiated;(3) significant supporting documents, accounting records and items in the financial statements; and(4) the accounting and financial reporting process for significant transactions and events.Article 15The CPA should obtain an understanding of the following major control procedures sufficient to determine the relevant audit procedures reasonably:(1) the authorisation of transactions;(2) the assignment of responsibility;(3) the control of supporting documents and records;(4) access to assets and use of records; 
and(5) any independent checking.Article 16Internal audit is an important ponent of the entity's control system. The CPA should consider the following factors when studying and evaluating the quality of the internal audit work to determine whether to rely on the results of the internal audit work:(1) the independence of the internal auditors;(2) the experience and petence of the internal auditors;(3) the nature, timing and extent of the internal audit procedures;(4) the sufficiency and appropriateness of the audit evidence obtained by the internal auditors; and(5) the merit placed on the internal audit work by the management.Article 17The CPA may use various methods such as narrative descriptions, questionnaires, check lists, flow charts etc. to understand and evaluate internal controls and should include them in the audit working papers.Article 18The CPA should inform the entity's management of material internal control weaknesses identified during the audit. If necessary, a management letter may be issued.Chapter 4 Audit riskArticle 19In developing the overall audit plan, the CPA should assess inherent risk at the financial statement level. 
Inherent risk refers to the susceptibility of an account balance, or class of transactions, to material misstatements or omissions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, assuming that there were no relevant internal controls.Article 20In developing the detailed audit plan, the CPA should consider the impact of the assessment of inherent risk on the material account balances or classes of transactions at the assertion level, or directly assume that inherent risk is high for the assertion.Article 21The CPA should exercise professional judgement reasonably and consider the following factors when assessing inherent risk:(1) the integrity and petence of management;(2) any changes in management, especially the financial staff;(3) any unusual pressures on management;(4) the nature of business;(5) the circumstances and factors affecting the industry in which the entity operates;(6) financial statement items likely to be susceptible to misstatements;(7) the plexity of important transactions and events which might require using the work of an expert;(8) the degree of estimation and judgement involved in determining account balances;(9) the susceptibility of assets to loss or misappropriation;(10) the occurrence of unusual or plex transactions during the accounting period,particularly near the accounting period end; and(11) the susceptibility of transactions and events to omissions in the routine accounting process.Article 22After understanding the internal controls and assessing inherent risk, the CPA should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. 
Control risk refers to the possibility that a misstatement or omission that could occur in an account balance or class of transactions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, will not be prevented, detected or corrected by the internal controls.

Article 23
The CPA should assess the control risk of material account balances or classes of transactions at a high level, for some or all assertions, when one or more of the following situations occurs:
(1) the entity's internal controls are not effective;
(2) it is difficult for the CPA to assess the effectiveness of internal controls; or
(3) the CPA does not plan to perform compliance tests.

Article 24
When making a preliminary assessment of control risk for a financial statement assertion, the CPA should not assess the control risk at a high level when:
(1) relevant internal controls are likely to prevent, detect or correct material misstatements or omissions; and
(2) the CPA plans to perform compliance tests.

Article 25
If the CPA plans to rely on the internal controls, he should perform compliance procedures to assess the control risk.
The lower the preliminary assessment of control risk, the more evidence the CPA should obtain to show that internal controls are suitably designed and operating effectively.

Article 26
The CPA may perform the following compliance procedures:
(1) inspection of documents supporting transactions and events;
(2) enquiries about, and observation of, internal control operations which leave no audit trail; and
(3) reperformance of relevant internal control procedures.

Article 27
When one or more of the following situations occurs, the CPA may directly perform substantive procedures without performing compliance tests:
(1) the relevant internal controls do not exist;
(2) even though the relevant internal controls exist, the CPA, through preliminary study, discovers that the internal controls do not operate effectively; or
(3) compliance tests require more work than the reduction of substantive tests that would have been achieved by performing compliance tests.

Article 28
Based on the results of the compliance tests, the CPA should assess whether the design and operation of the internal controls are in line with the conclusion drawn from the preliminary assessment of control risk. If there are discrepancies, the assessed level of control risk should be revised and the nature, timing and extent of substantive procedures should be modified accordingly.

Article 29
In a continuing engagement, the CPA may make use of the information relating to the study and evaluation of internal controls obtained in prior periods, but will need to update it.

Article 30
The CPA should understand whether the internal controls were applied consistently throughout the accounting period being audited.
If there were obvious changes, the CPA should consider testing them separately.

Article 31
If compliance tests have been performed in the interim audit, the CPA, before deciding to rely entirely on their results, should consider the following factors to obtain further audit evidence for the period between interim period end and final period end:
(1) the conclusion drawn from the compliance tests in the interim audit;
(2) the length of the remaining period after the interim audit;
(3) any changes in internal controls after the interim audit;
(4) the nature and amount of the transactions and activities which occurred after the interim audit; and
(5) the substantive procedures to be performed.

Article 32
Before concluding the audit, the CPA should, based on the results of substantive tests and other audit evidence, make a final assessment of the control risk and check whether it is in line with the conclusion drawn from the preliminary assessment of the risk. If not, the CPA should consider whether additional relevant audit procedures should be performed.

Article 33
As control risk and inherent risk are related, the CPA should make an overall assessment of inherent risk and control risk, and use the result as the basis for the assessment of detection risk.
Detection risk refers to the possibility that substantive tests will not detect a misstatement or omission that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions.
The assessment of inherent risk and control risk has a direct impact on the assessment of detection risk.
For higher levels of inherent risk and control risk, the CPA should perform more detailed substantive procedures and should also consider their nature, timing and extent to reduce the detection risk to an acceptable level.

Article 34
Regardless of the result of the assessment of inherent risk and control risk, the CPA should perform substantive tests on all material account balances or classes of transactions.

Article 35
If, after performing relevant audit procedures, the CPA still believes that detection risk regarding an assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the CPA should express a qualified opinion or a disclaimer of opinion.

Article 36
The internal controls in small businesses are usually weaker, resulting in higher inherent risk and control risk. The CPA should heavily or entirely rely on substantive procedures to obtain audit evidence in order to reduce the detection risk to an acceptable level.

Chapter 5 Supplementary provisions

Article 37
The Chinese Institute of Certified Public Accountants is responsible for the interpretation of this standard.

Article 38
This standard takes effect from 1 January 1997.


pwc
Board responsibility for internal control and risk management
by Kiattisak Jelatianranat
Chairman, The Institute of Internal Auditors of Thaila
Director, PricewaterhouseCoopers
Kiattisak Jelatianranat 31 May 2000
2nd Asian Roundtable on Corporate Govern

Five Components of COSO’s Control Framework
• Control Environment : The Foundation on which everything rests.

• “Risk Management” and “Business Control” are the first thing for any board consideration.

Risk Management Action Options
Options
• Fix Controls
• Re-Engineer Process
• Trainings
• Transfer Risk (Insurance)
• Outsource the Function
• Do nothing-Bet

Board Effectiveness
Board initiative & Ownership of :
• Corporate governance framework

Internal Control Learned in Real World
• Focus on “Soft Control” in assessing all of COSO’s “Five Components” and “Three Objectives”.
• Soft Controls are subjective in nature, thus self-assessment is crucial for success.
• Implementation as an integral cultural change.
• Internal Control training is a “must”.
• Tailor practices to an organization to assure the surpassing expected benefits from the implementation.

COSO’s Internal Control Definition
is a process, effected by an entity’s people (board of directors, management, and other personnel), designed to provide reasonable assurance regarding the achievement of objectives the following categories :
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Risk & Control : The twin systems
Objective
• Define strategic risk
• Articulate risk philosophy
• Define values and behavioral expectations
Risk
• Assess risk
• Manage risk
Control Alignment
• Assess existing controls
• Select control model
• Continuous communication
• Continuous program for ORC
• Develop a control improvement plan

Control Reality
• Focus on people and process, not merely policy manuals and forms
• Require dynamic and interactive evaluation techniques.
• Verifying compliance with policies and procedures is not sufficient

………. Both need independence and objectivity

Balanced Scorecard in Corporate Governance
• Financial & non-financial information.
• Equitable Treatment of stakeholders.
• Combination of Lagging and Leading Information.
• Alignment of short-term objectives

Responsibility VS Accountability
• Responsibility What, and Who will do ?
• Accountability How, and For whom ?

Balanced Responsibility …… legal & moral
Board “core” responsibilities……….
• Create strategic vision
• Select CEO & Senior management
• Establish strategic, accountable information
• Independent, objective and competent oversight of day-to-day operations

Risk is any issue which could impact your ability to meet your objectives

Risk ………..
• Risk Assessment
- Identify
- Measure
- Prioritize
• Risk Management
- Assess adequacy of existing controls
- Develop a control improvement plan
- Create a continuous program for objectives, risk and control assessment

Why corporate governance matters ?
Sustainable Growth
Pleasant Working Environment

Well-controlled Organizations
Key attributes of a well-controlled organization include :

Searching for the upside of risk management