Evaluation and Audit of Enterprise Internal Control
First, the enterprise internal control evaluation
The board of directors of an enterprise or similar authority shall regularly conduct a comprehensive evaluation of the effectiveness of internal control, form an evaluation conclusion and issue an evaluation report. The effectiveness of internal control refers to the extent to which the establishment and implementation of internal control provide reasonable guarantee for the realization of control objectives, including the effectiveness of internal control design and the effectiveness of internal control operation.
(A) the principles of internal control evaluation
Enterprises should follow the principles of comprehensiveness, importance and objectivity in evaluating the effectiveness of internal control design and operation.
(B) the content of internal control evaluation
Enterprises should start with the internal environment, risk assessment, control activities, information and communication, internal supervision and other elements, combine the business characteristics and management requirements of enterprises, determine the specific content of internal control evaluation, establish the core index system of internal control evaluation, and comprehensively evaluate the design and operation of internal control.
(3) Procedures for internal control evaluation
The general procedures for an enterprise to carry out internal control evaluation are as follows: setting up an internal control evaluation department, formulating an evaluation work plan, forming an evaluation working group, conducting on-site tests, summarizing evaluation results, and compiling evaluation reports.
(D) methods of internal control evaluation
In the process of internal control inspection and evaluation, enterprises should comprehensively use the methods of individual interviews, questionnaires, special discussions, walk-through tests, on-the-spot inspections, sampling and comparative analysis according to the evaluation content and the specific situation of the evaluated unit, and extensively collect evidence of whether the internal control design and operation of the evaluated unit are effective. The selection of evaluation methods should be conducive to ensuring the sufficiency and appropriateness of evidence.
(V) Identification of internal control defects
1. Definition and classification of internal control defects
(1) Internal control defects can be divided into design defects and operation defects according to their causes.
(2) Internal control defects are divided into financial reporting internal control defects and non-financial reporting internal control defects according to their manifestations.
(3) Internal control defects are divided into major defects, important defects and general defects according to their severity.
2. Identification criteria of internal control defects
Enterprises should comprehensively analyze the causes, manifestations and importance of internal control defects found in the process of internal control evaluation, and identify all internal control defects as major defects, important defects and general defects according to certain standards.
(1) The identification standard of internal control defects in financial reports is determined by the importance of the defects that may lead to misstatement of financial statements, which mainly depends on two factors: whether the defects may cause internal control to prevent, detect and correct misstatement of financial statements in time; The size of the potential misstatement amount that may be caused by this defect alone or in combination with other defects.
(2) Enterprises can reasonably determine the quantitative and qualitative identification standards of internal control defects in non-financial reports according to their own actual conditions and referring to the identification standards of internal control defects in financial reports.
(3) For common major defects in internal control, please refer to the relevant internal control evaluation guidelines.
3. Reporting and rectification of internal control defects
(1) The internal control defect report shall be in written form, and the enterprise shall report to the relevant departments according to the severity of the internal control defect, and also reasonably determine the time limit for the internal control defect report according to the influence degree of the internal control defect.
(2) For the identified internal control defects, the enterprise shall formulate a rectification plan for internal control defects, which shall be implemented after examination and approval according to the prescribed authority and procedures.
(six) internal control evaluation report
1. Contents of internal control evaluation report
The internal control evaluation report generally includes the following contents: the statement of the board of directors on the authenticity of the internal control report; The overall situation of internal control evaluation; The basis of internal control evaluation; Scope of internal control evaluation; Procedures and methods of internal control evaluation; Internal control defects and their identification; The rectification of internal control defects and the conclusion of internal control effectiveness.
2. Preparation of internal control evaluation report
(1) Internal control evaluation reports are divided into regular reports and irregular reports according to the different preparation time.
(2) The main body of the internal control evaluation report includes a single enterprise and the parent company of an enterprise group.
(3) The preparation procedure of internal control evaluation report includes: the internal control evaluation department rechecks the working papers and judges the effectiveness of internal control according to the defects of internal control; Collect and sort out the relevant information needed to prepare the internal control evaluation report; Write internal control evaluation report; Report the internal control evaluation report to the management for review and approval by the board of directors.
3. Submission of internal control evaluation report
After the internal control evaluation report is approved by the board of directors, it is disclosed to the outside world or submitted to the relevant competent authorities, usually within 4 months after the benchmark date.
4. The use of internal control evaluation report
Users of the internal control evaluation report include government supervision departments, investors and other stakeholders, intermediaries and research institutions.
Second, the enterprise internal control audit
(A) the meaning of internal control audit
Internal control audit refers to the audit of the effectiveness of internal control design and operation on a specific benchmark date by an accounting firm.
Internal control audit, internal control evaluation and financial statement audit are both intrinsically related and fundamentally different.
(B) internal control audit procedures
1. Plan the audit work
2. Implement the audit work
Certified public accountants carry out audit work according to the top-down method, and combine the test of enterprise-level control and business-level control.
3. Evaluate control defects
Certified public accountants need to evaluate the severity of the internal control defects identified by them to determine whether these defects alone or in combination constitute major defects and affect their audit conclusions.
4. Complete the audit work
Including obtaining a written statement signed by the enterprise, communicating with the enterprise to control defects, forming an audit opinion and issuing an audit report.
(3) Internal control audit report
The types of audit opinions include unqualified audit opinions, unqualified opinions with emphasized paragraphs, negative opinions and unqualified opinions.