Appendix A: Original text

Internal Controls and Managing Enterprise-Wide Risks
By John Farrell

In addition to complying with the sweeping reforms in corporate governance and financial reporting following the Sarbanes-Oxley Act, companies can benefit further by adopting a broader view that encompasses an enterprise-wide risk-management outlook. This approach is especially applicable to section 404 of the Sarbanes-Oxley Act, which deals with management's assertion regarding the effectiveness of its internal controls over financial reporting. As companies work to comply with these new rules, they can build their section 404 work into an opportunity to address other aspects of risk throughout the organization, including financial, legal, and operational.

The emerging trend of evaluating and monitoring the range of business risks, including those assessed in an internal control review, may help companies simultaneously meet strategic goals, boost shareholder and stakeholder value, and focus on good governance.

Self-Assessment

Fulfilling the mandates of section 404 need not be an obstacle to implementing an enterprise risk-management effort. Instead, the compliance process can enable companies to focus on enterprise-wide risks through a distributed evaluation, that is, a self-assessment of risk and control. This evaluation assigns responsibility for the assessment to those who are “closest to the action” (in other words, those most directly involved in the control over each process). Such an approach can help companies achieve a better-balanced risk and control status.

Conventional wisdom formerly held that responsibility for internal controls was delegated to an organization's financial group. According to current thinking, however, internal controls are owned by those within the business who manage daily operations and who depend on the controls for achieving their goals. These control process owners are well prepared to perform the distributed evaluation of identifying, evaluating, and managing pertinent risks to assist the business in achieving its financial goals. The Sarbanes-Oxley rules reinforce the value of such risk-based evaluations.

If a company looks ahead one year, how can it measure success beyond mere compliance with regulatory requirements? For multinational companies, one sign of success would be a worldwide standardization of internal controls that allows the organization to orient itself toward a widely accepted set of control criteria, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework or the COSO enterprise risk-management (ERM) framework issued in 2003. Coining a “controls language” shared throughout the organization can help a company take greatest advantage of its set of controls, deciding which key controls to keep and which it can discard because they do not add value or are otherwise unnecessary.

Process Improvement

In addition, companies may use the section 404 assertion rules to help them achieve a company-wide transformation of business processes. The internal-control assessment may produce several improvements:

- Greater use of automated, or system-based, controls;
- Better evaluation of process risks and mitigation of risk;
- More uniform controls throughout the organization; and
- Greater responsibility for controls assessment for the process owners.

The compliance procedures can also be used to weed out nonessential tasks and determine good practices within each business process:

- Comparing controls between different business units, or within a company's operations in different countries;
- Cutting the risk of error by using a more technology-based method of control rather than manual processes;
- Using key performance indicators to gauge the effectiveness of a process across a span of risks and time periods; and
- Getting feedback from control procedures on a worldwide basis, which can lead to better reporting capabilities.

In examining their sets of controls, companies may find it valuable and cost-effective to consider an automated system rather than a manual review. The internal control assessment, performed through an automated self-assessment, is more than a simple questionnaire. It can gather information from control owners about the status of key controls. The assessment is based not on the frequency of the assertion but on the type of control (automated or manual) and how vulnerable to risk the controls may be.

Using an automated system for internal control assessment offers several other advantages. It consolidates internal control information and status, as well as being a repository of all organizational risks and controls. The repository is useful not only for section 404 reporting responsibilities but also for any ERM initiatives.

Role of the Internal Auditor

The internal auditor can play a vital role in linking internal control reporting with ERM. The internal auditor can foster an environment that allows the company to link the eff